Cybersecurity Career Paths: from touring musician to purple teaming at Meta – Neko Papez, Brian Contos, Jayson Grace – ESW #378
1. Cybersecurity Career Paths: from touring musician to purple teaming at Meta – Jayson Grace – ESW #378
Our latest in a series of interviews discussing cybersecurity career paths: today we talk to Jayson Grace about his path into cybersecurity and his experience building red teams at national labs and purple teams at Meta. We also talk about his community impact, giving talks and building open source tools. Jayson just left Meta for an AI safety startup named Dreadnode, which we'll discuss as well.
Segment Resources:
- CyberSecEval 3: Advancing the Evaluation of Cybersecurity Risks and Capabilities in Large Language Models
- [TTPForge](https://github.com/facebookincubator/TTPForge) is a cybersecurity framework for developing, automating, and executing attacker Tactics, Techniques, and Procedures (TTPs).
- ForgeArmory provides TTPs that can be used with the TTPForge
- Wired, by Lily Hay Newman: Facebook's ‘Red Team X’ Hunts Bugs Beyond the Social Network's Walls
- MOSE (Master Of SErvers) is a post exploitation tool for configuration management servers.
- BSides SF 2024 - Beyond Quick Cash: Rethinking Bug Bounties for Greater Impact
- BSides LV 2023 - [Enemy Within: Leveraging Purple Teams for Advanced Threat Detection & Prevention](https://www.youtube.com/watch?v=-MT0tNi2vvc)
Guest
Jayson is a principal software architect at Dreadnode. Previously, he built and led Meta’s Purple Team and Sandia National Laboratories’ corporate Red Team. He’s spent time as a red teamer, purple teamer, pentester, tool developer, system administrator, and DevOps engineer. Jayson is passionate about empowering engineers to create and maintain secure deployments. He also has a serious automation problem that he’s working through in therapy.
2. Cybersecurity best practices are the worst, AI indigestion, real time doxxing – ESW #378
This week in the enterprise security news, we've got:
- Torq, Tamnoon, and Defect Dojo raise funding
- Checkmarx acquires ZAP
- Commvault acquires Clumio
- Would you believe San Francisco is NOT the most funded metro area for cybersecurity?
- Auto-doxxing Smart glasses are now possible
- Meta gets fined $100M for storing plaintext passwords
- AI coding assistants might not be living up to expectations
- Worst Practices
- Dumpster fires and truth bombs
All that and more, on this episode of Enterprise Security Weekly!
- 1. FUNDING: Torq’s $70M Series C, Tamnoon’s $12M Series A, and Defect Dojo’s $7M Series A
This week's security funding news:
- Torq Announces $70M Series C to Double Down on Generative AI for Security Operations Platform, Bringing Total 2024 Funding to $112M
- Tamnoon Raises $12M Series A Fueling First Hybrid Human-AI Managed Cloud Security Remediation Service
- DefectDojo secures $7M to expand security automation platform - SiliconANGLE
- 2. ACQUISITIONS: ZAP Has Joined Forces With Checkmarx
I'm behind the times - I thought ZAP was still just an OWASP project!
They grow up so fast.
- 3. ACQUISITIONS: Commvault Accelerates Cyber Resilience Capabilities for AWS with Acquisition of Clumio
I need someone to help me understand how anyone is making money off of AWS backups. Isn't that feature already built in?
- 4. FUNDING RESEARCH: Top 10 Global Metro Areas for Cyber Funding by Stage
Spoiler: San Francisco is NOT #1 in total funding or in Seed funding.
I've never seen funding by geography broken down by funding stage, so this is VERY interesting to see. Metro areas that do a lot of early stage funding don't necessarily do late stage funding, and vice versa.
- 5. DYSTOPIA – I-XRAY Enables Real Time doxxing with Meta Smart Glasses
- Video from glasses is streamed to AI software, which detects faces in real time.
- Detected faces are searched using PimEyes, which finds the person's face on the Internet
- The internet results lead to the individual's name, phone numbers, address, and other personal information.
- The whole process can be fully automated and takes seconds.
In fact, it's fast enough that it's possible to pretend to recognize someone you see in public and gaslight them into believing you've met before. All possible because you know things you shouldn't know the moment you meet a stranger!
On the one hand, this could be invaluable for safety in certain scenarios. Unfortunately, it's dual use, so it's just as invaluable to a stalker.
- 6. FINES: Meta Handed $100 Million Fine in Ireland Over Password Storage
If Meta is storing tons of plaintext passwords, what's everyone else doing???
- 7. CRIMES: Crooked Cops, Stolen Laptops & the Ghost of UGNazi – Krebs on Security
Absolute bonkers story - where cybercrimes and IRL crimes meet.
- 8. CRIMES: US charges British man over ‘hack-to-trade’ scheme
Fairly low-tech, but clever method of profiting off some very basic hacking. Strategic insider trading.
- 9. ESSAYS: Before Preaching, Stop Punching Yourself
This essay/rant on security awareness month is chef's kiss
- 10. AI INDIGESTION: Devs gaining little (if anything) from AI coding assistants
Somewhat unsurprising. AI is probably great for people who don't know how to code, or are trying to learn. These amateurs probably don't use coding assistants, though; they're likely leveraging ChatGPT or other consumer-focused GenAI tools.
Professional developers, on the other hand, don't need help with writing code itself, but to figure out WHAT to code and HOW. Once the design work is figured out, the coding part is fairly straightforward.
Results seem to differ quite a bit depending on who you ask:
- a study shows that there are perceived benefits from AI coding assistants, but no measurable benefits
- developer burnout also doesn't seem to be affected
- also, it seems other organizations have found more creative ways of using AI, like measuring code quality
- while some find it just as time consuming to review AI-generated code as it would have been to write it themselves.
- however, AI is rapidly improving, so all these results could be drastically different just a few months from now
- 11. WORST PRACTICES: NIST proposes barring some of the most nonsensical password rules
- 12. DUMPSTER FIRES: Live Stream: Integrity vs. Opportunity: Navigating Ethical Dilemmas in Business
If CISOs on the take is already a common practice, how would this harm the industry, buyers, sellers, investors, and even the average individual?
I missed this one when it first came out (thanks to Jennifer Minella for bringing this to my attention). This is a great discussion between Bryson Bort and Robert Hansen that is largely a reaction to Cyberstarts' Sunrise program and the Calcalistech article about it.
Note: the Calcalistech article is now returning a 404, but Archive.org remembers.
- 13. TRUTH BOMBS: rekdt on Twitter
"My CISO to the board: We're tracking AI powered Attacks and Quantum Computing threats
My Board: And rekdt, what is Security Architecture working on?
Me: I just notified our internal teams they haven't remediated their deployed public S3 buckets"
Emphasizing Wendy Nather's points about CISO distractions, this really is a problem. Maybe one of our biggest problems.
- 14. SQUIRREL: Montana man faces sentencing for cloning giant sheep to breed large sheep for captive trophy hunts
Cloning sheep, as you do.
- 15. SQUIRREL: Host Coffee Recommendations
NOTE: these are not affiliate links; we're not making any money off them.
- Darwin and Tyler: Lavazza Super Crema Whole Bean
- Adrian: Kicking Horse Coffee, Kick Ass, Dark Roast, Whole Bean
3. Secure the Browser & Vulnerability and Exposure Management – Brian Contos, Neko Papez – ESW #378
The way we use browsers has changed, and so has the way we need to secure them. Using a secure enterprise browser to execute content away from the endpoint, inside a secure cloud browser, is a dramatically more effective and cost-effective approach to protecting users and securing access.
This segment is sponsored by Menlo Security. Visit https://securityweekly.com/menloisw to learn more about them!
Sevco is a cloud-native vulnerability and exposure management platform built atop asset intelligence to enable rapid risk prioritization, mitigation, validation, and metrics.
Segment Resources:
- Customer Testimonials: https://www.sevcosecurity.com/testimonials/
- Product Videos: https://www.sevcosecurity.com/sevcoshorts/
This segment is sponsored by Sevco Security. Visit https://securityweekly.com/sevcoisw to learn more about them!
Guests
With two IPOs & eight acquisitions, Brian has helped build some of the most successful security companies in the world. He has over 25 years in the security industry as a security company entrepreneur, board advisor, investor, and author. After getting his start with the Defense Information Systems Agency (DISA) and later Bell Labs, Brian began the process of building security startups and taking multiple companies through successful IPOs and acquisitions, including Riptech, ArcSight, Imperva, McAfee, Solera Networks, Cylance, JASK, Verodin, and Mandiant.
Brian has worked in over 50 countries across six continents. He authored the book Enemy at the Water Cooler and co-authored Physical & Logical Security Convergence with former NSA Deputy Director William Crowell. He was featured in the cyberwar documentary 5 Eyes alongside General Michael Hayden, former NSA and CIA Director. Brian writes for Forbes and regularly presents at conferences like Black Hat, RSA, OWASP, and BSides.
Neko Papez has a background in cybersecurity strategy, product marketing, account management, account development, and sales. With experience at leading enterprise security and big data analytics companies like Menlo Security, Proofpoint, Domo, and Online Image, Neko has a proven track record of implementing successful security strategies across multiple verticals and driving impactful thought leadership initiatives across enterprises. Neko’s maniacal focus on driving innovative change has been key in successful threat prevention strategies across enterprise security teams while ensuring seamless user experiences.