ESW #313 – Pablo Zurro, Travis Howerton
1. The Practice of Pen Testing: 2023 Survey Results Revealed – Pablo Zurro – ESW #313
Fortra's Core Security has conducted its fourth annual survey of cybersecurity professionals on the usage and perception of pen testing. The data collected provides visibility into the full spectrum of pen testing's role, helping to determine how these services, tools, and skills must evolve.
Segment Resources: https://www.fortra.com/resources/guides/2023-pen-testing-report
This segment is sponsored by Fortra's Core Security. Visit https://securityweekly.com/fortracoresecurity to learn more about them!
Announcements
Join us at an upcoming Official Cyber Security Summit in a city near you! This series of one-day, invitation-only, executive-level conferences is designed to educate senior cyber professionals on the latest threat landscape. We are pleased to offer our listeners $100 off admission when you use code SecWeek23 to register. Visit securityweekly.com/cybersecuritysummit to learn more and register today!
Guest
Pablo Zurro leads product management for Core Security's cyber threat prevention solutions. He has a passion for creating great products, translating customer needs, and turning them into new features. With more than 10 years of experience in the software industry, Pablo aims to help Build a Better IT by making our products the best fit for users' needs.
2. The Rise of RegOps: The Need for Compliance Automation – Travis Howerton – ESW #313
Compliance with cyber security frameworks such as NIST, PCI, HIPAA, etc. has largely been driven by paper-based processes in Word and Excel. With the rise of cloud computing, containers, and ephemeral systems, paper-based processes can no longer keep up with the speed of business, and compliance has become the new bottleneck to progress for highly regulated industries such as government, finance, and the energy sector. This session will cover how RegScale is leading a RegOps movement to bring the principles of DevOps to compliance with the world's first real-time GRC system that enables compliance as code via NIST OSCAL. RegOps seeks to shift compliance left to make it real-time, continuous, and complete, so that paperwork is always up to date, self-updating, and takes fewer manual resources to manage.
Segment Resources: Website – https://www.regscale.com Documentation/Learn More – https://regscale.readme.io
Announcements
Security Weekly listeners save $100 on their RSA Conference 2023 Full Conference Pass! RSA Conference will take place April 24-27 in San Francisco and on demand. To register using our discount code, please visit https://securityweekly.com/rsac2023 and use the code 53UCYBER! We hope to see you there!
Guest
Travis is the Co-Founder and Chief Executive Officer of RegScale. Before joining the RegScale team, Travis was the Global Director for Strategic Programs at Bechtel Corporation, where he led the merger, cost savings, and transformation programs at Consolidated Nuclear Security. His former roles include Deputy Director for the IT Services Division at Oak Ridge National Laboratory, Chief Technology Officer for the National Nuclear Security Administration, Chief Information Officer for the Y-12 Site Office, and several senior executive assignments in the U.S. Department of Energy. An accomplished public speaker and author, Travis has been cited in over 50 publications and serves as a board member for organizations, including East TN Economic Council (ETEC) and Oak Ridge Public Schools Education Foundation (ORPSEF).
3. Flood of new startups coming out of stealth, new newsletters, hiding breaches – ESW #313
In this news segment, we discuss the art of branding/naming security companies, some new cars just out of stealth, 5 startups just out of Y Combinator, and Cybereason's $100M round from Softbank. We also talk new features (Semgrep's new GPT-4 use case), new newsletters, and new reports. We break down Nexx's broken vulnerability disclosure program and its broken products. We also discuss the FDA's new ability to block device certification for security reasons. Android announces rules to make it easier for consumers to delete accounts and remove data when they uninstall apps. IT and Security professionals everywhere are asked not to report breaches, but in some countries more than others. CISOs are more prone to drinking problems, and finally, for our squirrel stories, we discuss a crazy app called Newnew and new ideas in prosthetics.
Announcements
As a member of the Security Weekly community, you can get 20% off your InfoSec World 2023 tickets! Join a community of over 2,000 security professionals and innovators at InfoSec World on September 25th through 27th at Disney's Coronado Springs Resort. Experience world-class learning and networking through enlightening keynotes, informative panel discussions, interactive breakout sessions, hands-on workshops, and more.
Register today at securityweekly.com/infosecworld2023 using code ISW23-SECWEEK20!
- 1. FUNDING: Cybereason Secures $100 Million in Funding Led by SoftBank Corp.
At one point, Cybereason and Crowdstrike could have been considered competitors. Last week, Crowdstrike's venture arm put $100M+ into an investment, and this week Cybereason raises a $100M round from Softbank.
It's a stark reminder of how crazy Crowdstrike's success has been, compared to the rest of the NGAV/EDR field.
- 2. FUNDING: Strivacity, which helps companies build secure login flows, nabs $20M
$20M Series A-2 round led by SignalFire (also, TenEleven, Kevin Mandia, Jack Huffard). Founders' previous roles were at Mandiant and SecureAuth.
- 3. FUNDING: RazorSecure receives £1.3m funding
- 4. FUNDING: Cybeats Announces Private Placement and Closing of First Tranche
Outside of the movie "The Big Short", I've never heard the term "tranche" used until now.
- 5. NEW COMPANIES: Drip7
Not quite user awareness training, but definitely overlaps with UAT. Looks more general purpose and modeled after DuoLingo's mobile UI/UX.
- 6. NEW COMPANIES: DefensX
A new remote web browser play. In 2023???
- 7. NEW COMPANIES: Blyss
"Blyss uses homomorphic encryption to secure user data"
"Create S3-like buckets. Store any key-value data. Then perform completely private retrievals."
- 8. NEW COMPANIES: EdgeBit
"Real-time supply chain security, enabling security teams to target and coordinate vulnerability remediation without toil."
- 9. NEW COMPANIES: Infisical
"An open-source end-to-end encrypted platform to sync secrets and configs across your team and infrastructure."
- 10. NEW COMPANIES: 0pass
"Passwordless Workforce IAM"
- 11. ACQUISITIONS: Cradlepoint Acquires Ericom and its Cloud-Based Enterprise Security Solution
- 12. NEW FEATURES: We put GPT-4 in Semgrep to point out false positives & fix code
It is very cool to see product folks homing in on what AI LLMs are very, very good at. Mimicry, details, consistency are all things ChatGPT can easily do all day, at scale. Of course, I'd recommend spot checking results often, and especially any time the LLM model changes.
Exciting to see how quickly AI is being used to automate the stuff humans hate doing manually. Lots of easy wins out there.
- 13. NEW NEWSLETTER: Matt Jay’s VulnerableU
Matt Johansen has lived several security lives in a relatively short amount of time and has a lot of wisdom to share. He has a new newsletter and I highly recommend it for any blue teamers, or anyone interested in keeping up with InfoSec trends and norms.
- 14. NEWSLETTER: Threat Prompt #12 – Lies from an Inscrutable Blackbox
Threat Prompt is a newsletter that focuses on the intersection of generative AI and cybersecurity. Lots of good food for thought in this issue, that will help you better form and align (heh) your AI threat models.
- 15. REPORTS: ThinkstScapes 2022 Q4 Edition
The latest edition of ThinkstScapes is out and has some great summaries of research released in Q4 2022. It's even multi-mode! You can read through the 24 page PDF, or listen to the 20 minute audio summary.
At the low price of nothing, it's a nice resource. No paywall, no reg form - just an mp3 file and a pdf. Kudos to the Thinkst Labs team (Jacob and Casey) for putting these together every quarter.
- 16. REPORTS: Opportunity Cost and Missed Chances in Optimizing Cybersecurity
An interesting report from Kelly Shortridge and Josiah Dykstra (coincidentally, the speakers adjacent to my talk at the last USENIX Enigma conference) that explores how we could/should be thinking about deploying security's finite resources. There are a lot of things we could do, but at what cost? Every choice we make restricts subsequent choices, and you have to look at the big picture to ensure they're the right ones.
- 17. DUMPSTER FIRE: Smart Garage Company Fixes Vulnerability by Breaking Customers’ Devices
No one asked for more examples of how to handle vulnerability disclosure and remediation badly, but here we are.
- 18. REGULATIONS: FDA will refuse new medical devices for cybersecurity reasons on Oct. 1
IT'S HAPPENING!
It is a long time coming, but finally, there's some real traction in enforcing medical device cybersecurity requirements. Cybersecurity and safety are closely linked, but particularly so when we're talking about devices connected to human bodies.
- 19. CYBERINSURANCE: Insurance as Crime Governance: Comparing Kidnap for Ransom and Ransomware
- 20. TAKEDOWNS: Genesis Market No Longer Feeds The Evil Cookie Monster
One of the biggest markets for buying and selling credentials, especially stolen tokens/OAuth keys (hence the title of the takedown: Operation Cookie Monster).
Some good analysis here of the market itself and related malware. Good to see this level of sharing and coordination between law enforcement, private industry, and even volunteers/community efforts.
- 21. CYBERCRIME: Estonian National Charged with Helping Russian Military Acquire U.S. Electronics, Including Radar Components; Sought-Computer Hacking Software
I've included this story for one reason that made me chuckle. This guy, Shevlyakov, went through all this trouble to try to acquire a Metasploit Pro license, which cracks me up, because Metasploit Framework is free. Do you really need to risk sanctions to avoid having to use the CLI??
- 22. PRIVACY: Giving Users More Transparency and Control Over Account Data
I LOVE this. Basically, my understanding is that Android is pushing for users to not only uninstall apps from their phones, but also delete their accounts and all SaaS-stored data at the same time!
Lots of services make it a pain to remove your data and/or account and it needs to stop.
- 23. ESSAY: Embracing Quantum Security: Defense in Depth Strategies for a Post-Quantum World
A great primer on quantum computing and the security implications from Mike Privette - the same guy behind Security, Funded, the newsletter that informs a lot of the funding stories we cover.
This is excellent timing, as we have a Quantum Special edition of ESW coming out during RSA week, where we interview two of IBM Quantum's best and brightest about both quantum computing and post-quantum cryptography! Be sure to check that episode out on April 27th.
- 24. TOOLS: Firefox Monitor
Database of breaches that notifies you & tells you if your data is included in the breach. I wasn't aware of this service from Mozilla before now.
- 25. TRENDS: IT and security pros pressured to keep quiet about data breaches – Help Net Security
Equal parts alarming and unsurprising for me. 71% of IT/security professionals in the US say they've been told to keep a breach quiet, and 44% in the UK. I wonder if this survey was completed before or after the Joe Sullivan case went to court?
I imagine regulations have to pull these numbers down, or we'll likely see a LOT of heavy SEC/FTC fines in the near future. Possibly more whistleblowers also.
- 26. TRENDS: Gartner Unveils Top Eight Cybersecurity Predictions for 2023-2024
Now THESE are proper predictions. Some interesting ones in here.
- Through 2027, 50% of CISOs will formally adopt human-centric design practices into their cybersecurity programs to minimize operational friction and maximize control adoption.
- By 2024, modern privacy regulation will blanket the majority of consumer data, but less than 10% of organizations will have successfully weaponized privacy as a competitive advantage.
- By 2026, 10% of large enterprises will have a comprehensive, mature and measurable zero-trust program in place, up from less than 1% today.
- By 2027, 75% of employees will acquire, modify or create technology outside IT’s visibility – up from 41% in 2022.
- By 2025, 50% of cybersecurity leaders will have tried, unsuccessfully, to use cyber risk quantification to drive enterprise decision making.
- By 2025, nearly half of cybersecurity leaders will change jobs, 25% for different roles entirely due to multiple work-related stressors.
- By 2026, 70% of boards will include one member with cybersecurity expertise.
- Through 2026, more than 60% of threat detection, investigation and response (TDIR) capabilities will leverage exposure management data to validate and prioritize detected threats, up from less than 5% today.
- 27. TRENDS: Cybersecurity threats affect CISOs health; drives drinking due stress – ET CISO
Not surprising, but important to get the conversation out into the open so we can address it.
- 28. TRENDS: Lloyd’s of London exposes divisions over booming cyber insurance mark…
The reasoning sounds solid - Lloyd's is trying to avoid systemic risk by creating exceptions for "state actions", which they're pitching as equivalent to acts of (cyber)war. The question is whether that's a fair comparison, and whether insurers will abuse this clause if Lloyd's convinces them to add it. Attribution is famously difficult, making KYC, ransom payments, and now insurance policy payouts increasingly difficult to navigate for those impacted by cyber attacks.
My understanding is that Lloyd's has a lot of pull in cyberinsurance, so the outcome of this could have a big impact in how likely policyholders are to get payouts.
- 29. AI TRENDS: ChatGPT is about to revolutionize the economy. We need to decide what that looks like.
TIP: Use an Incognito window to read. Also, shaaaaaaade:
"Some of the people whose jobs are most vulnerable: writers, web and digital designers, financial quantitative analysts, and—just in case you were thinking of a career change—blockchain engineers."
- 30. AI TRENDS: The AI copilot for lawyers will soon be available… by email! (Spellbook)
Things are moving... fast.
- 31. EVENTS: 401 Cybersecurity Vendors Exhibiting at RSAC
Is this a record? Seems like a record. I wonder how many of these 401 companies can really afford to be at RSAC. I mean, they probably paid for everything nearly a year ago, but RSAC pricing has to hurt for those struggling to raise the next round right now.
I plan to wander the expo floor, and I'm curious to see how many unattended 'ghost' booths we'll see (either due to acquisition, or lack of funding).
- 32. SQUIRREL: These prosthetics break the mold with third thumbs, spikes, and superhero skins
I LOVE prosthetics tech. If I ever decided to leave InfoSec, it would probably be to get into robotics and designing prosthetics. Not just for folks missing limbs/mobility, but also to enhance and go beyond our bodies' current abilities!
Am I outing myself as "that guy that tries to bring in all the groceries in one trip"? You bet I am.
- 33. SQUIRREL: The app that lets you pay to control another person’s life
This is definitely a bizarre one, but the title is a bit hyperbolic.
This isn't a far stretch from a creator prompting their audience to give them feedback in their YouTube comments, or Elon Musk saying he'll "respect the outcome of a Twitter poll". You're voting on decisions that the creator has already decided to let the public vote on, and even then, they don't have to abide by the results. I think calling it harmless is a stretch, but saying it lets you "control another person's life" is a HUGE stretch.