Cybersecurity Career Paths: from touring musician to purple teaming at Meta – Neko Papez, Brian Contos, Jayson Grace – ESW #378
Full Audio
View Show IndexSegments
1. Cybersecurity Career Paths: from touring musician to purple teaming at Meta – Jayson Grace – ESW #378
Our latest in a series of interviews discussing cybersecurity career paths, today we talk to Jayson Grace his path into cybersecurity and his experience building red teams at national labs and purple teams at Meta. We also talk about his community impact, giving talks and building open source tools. Jayson just left Meta for an AI safety startup named Dreadnode, which we'll discuss as well.
Segment Resources:
- CyberSecEval 3: Advancing the Evaluation of Cybersecurity Risks and Capabilities in Large Language Models
- The [TTPForge] (https://github.com/facebookincubator/TTPForge) is a Cybersecurity Framework for developing, automating, and executing attacker Tactics, Techniques, and Procedures (TTPs).
- ForgeArmory provides TTPs that can be used with the TTPForge
- Wired, by Lily Hay Newman: Facebook's ‘Red Team X’ Hunts Bugs Beyond the Social Network's Walls
- MOSE (Master Of SErvers) is a post exploitation tool for configuration management servers.
- BSides SF 2024 - Beyond Quick Cash: Rethinking Bug Bounties for Greater Impact
- BSides LV 2023 - [GF - Enemy Within: Leveraging Purple Teams for Advanced Threat Detection & Prevention - https://www.youtube.com/watch?v=-MT0tNi2vvc
Guest
Jayson is a principal software architect at Dreadnode. Previously, he built and led Meta’s Purple Team and Sandia National Laboratories’ corporate Red Team. He’s spent time as a red teamer, purple teamer, pentester, tool developer, system administrator, and DevOps engineer. Jayson is passionate about empowering engineers to create and maintain secure deployments. He also has a serious automation problem that he’s working through in therapy.
Host
2. Cybersecurity best practices are the worst, AI indegestion, real time doxxing – ESW #378
This week in the enterprise security news, we've got:
- Torq, Tamnoon, and Defect Dojo raise funding
- Checkmarx acquires ZAP
- Commvault acquires Clumio
- Would you believe San Francisco is NOT the most funded metro area for cybersecurity?
- Auto-doxxing Smart glasses are now possible
- Meta gets fined $100M for storing plaintext passwords
- AI coding assistants might not be living up to expectations
- Worst Practices
- Dumpster fires and truth bombs
All that and more, on this episode of Enterprise Security Weekly!
Hosts
- 1. FUNDING: Torq’s $70M Series C, Tamnoon’s $12M Series A, and Defect Dojo’s $7M Series A
This week's security funding news:
- Torq Announces $70M Series C to Double Down on Generative AI for Security Operations Platform, Bringing Total 2024 Funding to $112M
- Tamnoon Raises $12M Series A Fueling First Hybrid Human-AI Managed Cloud Security Remediation Service
- DefectDojo secures $7M to expand security automation platform - SiliconANGLE
- 2. ACQUISITIONS: ZAP Has Joined Forces With Checkmarx
I'm behind the times - I thought ZAP was still just an OWASP project!
They grow up so fast.
- 3. ACQUISITIONS: Commvault Accelerates Cyber Resilience Capabilities for AWS with Acquisition of Clumio
I need someone to help me understand how anyone is making money off of AWS backups. Isn't that feature already built in?
- 4. FUNDING RESEARCH: Top 10 Global Metro Areas for Cyber Funding by Stage
Spoiler: San Francisco is NOT #1 in total funding or in Seed funding.
I've never seen funding by geography broken down by funding stage, so this is VERY interesting to see. Metro areas that do a lot of early stage funding, don't necessarily do late stage finding, and vice versa.
- 5. DYSTOPIA – I-XRAY Enables Real Time doxxing with Meta Smart Glasses
- Video from glasses is streamed to AI software, which detects faces in real time.
- Detected faces are searched using PimEyes, which finds the person's face on the Internet
- The internet results lead to the individual's name, phone numbers, address, and other personal information.
- The whole process can be fully automated and takes seconds.
In fact, it's fast enough, that it's possible to pretend to recognize someone you see in public, and gaslight them into believing you've met before. All possible because you know things you shouldn't know the moment you meet a stranger!
On the one hand, this could be invaluable for safety in certain scenarios. Unfortunately, it's dual use, so it's just as invaluable to a stalker.
- 6. FINES: Meta Handed $100 Million Fine in Ireland Over Password Storage
If Meta is storing tons of plaintext passwords, what's everyone else doing???
- 7. CRIMES: Crooked Cops, Stolen Laptops & the Ghost of UGNazi – Krebs on Security
Absolute bonkers story - where cybercrimes and IRL crimes meet.
- 8. CRIMES: US charges British man over ‘hack-to-trade’ scheme
Fairly low-tech, but clever method of profiting off some very basic hacking. Strategic insider trading.
- 9. ESSAYS: Before Preaching, Stop Punching Yourself
This essay/rant on security awareness month is chef's kiss
- 10. AI INDEGESTION: Devs gaining little (if anything) from AI coding assistants
Somewhat unsurprising. AI is probably great for people that don't know how to code, or are trying to learn. These amateurs probably don't use coding assistants though, they're likely leveraging ChatGPT or other consumer-focused GenAI tools.
Professional developers, on the other hand, don't need help with writing code itself, but to figure out WHAT to code and HOW. Once the design work is figured out, the coding part is fairly straightforward.
Results seem to differ quite a bit, depending on who you ask, it looks like.
- a study shows that there are perceived benefits from AI coding assistants, but no measurable benefits
- developer burnout also doesn't seem to be affected
- also, it seems other organizations have found more creative ways of using AI, like measuring code quality
- while some find it just as time consuming to review AI-generated code as it would have been to write it themselves.
- however, AI is rapidly improving, so all these results could be drastically different just a few months from now
- 11. WORST PRACTICES: NIST proposes barring some of the most nonsensical password rules
- 12. DUMPSTER FIRES: Live Stream: Integrity vs. Opportunity: Navigating Ethical Dilemmas in Business
If CISOs on the take is already a common practice, how would this harm the industry, buyers, sellers, investors, and even the average individual?
I missed this one when it first came out (thanks to Jennifer Minella for bringing this to my attention). This is a great discussion between Bryson Bort and Robert Hansen that is largely a reaction to Cyberstarts' Sunrise program and the Calcalistech article about it.
Note: the Calcalistech article is now returning a 404, but Archive.org remembers.
- 13. TRUTH BOMBS: rekdt on Twitter
"My CISO to the board: We're tracking AI powered Attacks and Quantum Computing threats
My Board: And rekdt, what is Security Architecture working on?
Me: I just notified our internal teams they haven't remediated their deployed public S3 buckets"
Emphasizing Wendy Nather's points about CISO distractions, this really is a problem. Maybe one of our biggest problems.
- 14. SQUIRREL: Montana man faces sentencing for cloning giant sheep to breed large sheep for captive trophy hunts
Cloning sheep, as you do.
- 15. SQUIRREL: Host Coffee Recommendations
NOTE: these are not affiliate links, we're not making any money off them
- Darwin and Tyler: Lavazza Super Crema Whole Bean
- Adrian: Kicking Horse Coffee, Kick Ass, Dark Roast, Whole Bean
3. Secure the Browser & Vulnerability and Exposure Management – Brian Contos, Neko Papez – ESW #378
The way we use browsers has changed, so has the way we need to secure them. Using a secure enterprise browser to execute content away from the endpoint, inside a secure cloud browser is a dramatically more effective and cost-effective approach to protect users and secure access.
This segment is sponsored by Menlo Security. Visit https://securityweekly.com/menloisw to learn more about them!
Sevco is a cloud-native vulnerability and exposure management platform built atop asset intelligence to enable rapid risk prioritization, mitigation, validation, and metrics.
Segment Resources: Customer Testimonials: https://www.sevcosecurity.com/testimonials/ Product Videos: https://www.sevcosecurity.com/sevcoshorts/
This segment is sponsored by Sevco Security. Visit https://securityweekly.com/sevcoisw to learn more about them!
Sponsored By
Guests
With two IPOs & eight acquisitions, Brian has helped build some of the most successful security companies in the world. He has over 25 years in the security industry as a security company entrepreneur, board advisor, investor, and author. After getting his start with the Defense Information Systems Agency (DISA) and later Bell Labs, Brian began the process of building security startups and taking multiple companies through successful IPOs and acquisitions, including Riptech, ArcSight, Imperva, McAfee, Solera Networks, Cylance, JASK, Verodin, and Mandiant.
Brian has worked in over 50 countries across six continents. He authored the book Enemy at the Water Cooler and co-authored Physical & Logical Security Convergence with former NSA Deputy Director William Crowell. He was featured in the cyberwar documentary 5 Eyes alongside General Michael Hayden, former NSA, and CIA Director. Brian writes for Forbes and regularly presents at conferences like Black Hat, RSA, OWASP, and BSides.
Neko Papez has a background in cybersecurity strategy, product marketing, account management, account development, and sales. With experience at leading enterprise security and big data analytics companies like Menlo Security, Proofpoint, Domo, and Online Image, Neko has a proven track record of implementing successful security strategies across multiple verticals and driving impactful thought leadership initiatives across enterprises. Neko’s maniacal focus on driving innovative change has been key in successful threat prevention strategies across enterprise security teams while ensuring seamless user experiences.
Host
