Enterprise Security Weekly

What does a mature SecOps team look like? There is pressure to do more with less staff, increase efficiency and reduce costs. JP Bourget's experience has led him to believe that the answer isn't a tool upgrade, it's better planning, architecture, and process.

In this interview, we'll discuss some of the common mistakes SecOps teams make, and where to start when building the SOC of the future.

It feels like forever ago, but in the mid-2010s, we collectively realized, as an industry, that prevention was never going to be enough. Some attacks were always going to make their way through. Then ransomware got popular and really drove this point home. Detection engineering is a tough challenge, however.

Where do we start? Which attacks should we build detections for? How much of the MITRE ATT&CK matrix do we need to cover? How often do these detections need to be reviewed and updated? Wait, are any of our detections even working?

In this interview with Michael Mumcuoglu, we'll discuss where SecOps teams get it wrong. We'll discuss common pitfalls, and strategies for building more resilient and effective detections.

Again, as an industry, we need to understand why ransomware attacks keep going unnoticed, despite attackers using routine techniques and tools that we see over and over and over again.

Session Resources:

• Rethinking Threat Exposure Management: A Unified Approach to Reducing Risk

This week, JP Bourget from Blue Cycle is with us to discuss Building the SOC of the Future

Then, Michael Mumcuoglu (Moom-cuoglu) from CardinalOps joins us to talk about improving detection engineering.

In the enterprise security news,

Google bets $32B on a Wiz Kid Cybereason is down a CEO, but $120M richer EPSS version 4 is out Github supply chain attacks all over A brief history of supply chain attacks Why you might want to wait out the Agentic AI trend Zyxel wants you to throw away their (old) products HP printers are quantum resilient (and no one cares) A giant rat is my hero All that and more, on this episode of Enterprise Security Weekly.

Visit https://www.securityweekly.com/esw for all the latest episodes!

Penetration tests are probably the most common and recognized cybersecurity consulting services. Nearly every business above a certain size has had at least one pentest by an external firm.

Here's the thing, though - the average ransomware attack looks an awful lot like the bog standard pentest we've all been purchasing or delivering for years. Yet thousands of orgs every year fall victim to these attacks. What's going on here? Why are we so bad at stopping the very thing we've been training against for so long?

This Interview with Phillip Wylie will provide some insight into this! Spoiler: a lot of the issues we had 10, even 15 years ago remain today.

Segment resources:

• Phillip's talk, Optimal Offensive Security Programs from Dia de los Hackers last fall

It takes months to get approvals and remediate cloud issues. It can take months to fix even critical vulnerabilities! How could this be? I thought the cloud was the birthplace of agile/DevOps, and everything speedy and scalable in IT? How could cloud security be struggling so much?

In this interview we chat with Marina Segal, the founder and CEO of Tamnoon - a company she founded specifically to address these problems.

Segment Resources:

1. Gartner prediction: By 2025, 75% of new CSPM purchases will be part of an integrated CNAPP offering. This highlights the growing importance of CNAPP solutions. https://www.wiz.io/academy/cnapp-vs-cspm

2. Cloud security skills gap: Even well-intentioned teams may inadvertently leave their systems vulnerable due to the cybersecurity skills shortage. https://eviden.com/publications/digital-security-magazine/cybersecurity-predictions-2025/top-cloud-security-trends/

3. CNAPP market growth: The CNAPP market is expected to grow from $10.74 billion in 2025 to $59.88 billion by 2034, indicating a significant increase in demand for these solutions. https://eviden.com/publications/digital-security-magazine/cybersecurity-predictions-2025/top-cloud-security-trends/

4. Challenges in Kubernetes security: CSPMs and CNAPPs may have gaps in addressing Kubernetes-specific security issues, which could be relevant to the skills gap discussion. https://www.armosec.io/blog/kubernetes-security-gap-cspm-cnapp/

5. Addressing the skills gap: Investing in training to bridge the cybersecurity skills gap and leveraging CNAPP platforms that combine advanced tools are recommended strategies. https://www.fortinet.com/blog/business-and-technology/navigating-todays-cloud-security-challenges

6. Tamnoon's State of Remediation 2025 report

In this week's enterprise security news,

1. Knostic raises funding
2. The real barriers to AI adoption for security folks
3. What AI is really getting used for in the wild
4. Early stage startup code bases are almost entirely AI generated
5. Hacking your employer never seems to go well
6. should the CISO be the chief resiliency officer?
7. proof we still need more women in tech

All that and more, on this episode of Enterprise Security Weekly.

Visit https://www.securityweekly.com/esw for all the latest episodes!

2025 brings us close to an interesting milestone - ransomware attacks, in their current, enterprise-focused form, are almost a decade old. These attacks are so common today, it's impossible to report on all of them. There are signs of hope, however - ransomware payments are significantly down. There are also signs defenders are getting more resilient, and are recovering more quickly from these attacks.

Today, with Intel471's Mike Mitchell, we'll discuss what defenders need to know to protect against today's ransomware attacks. He'll share some stories and anecdotes from his experiences with customers. He'll also share some tips, and tricks for successful hunts, and how to catch attacks before even your tools trigger alerts.

Segment Resources:

• https://intel471.com/blog/how-ransomware-may-trend-in-2025

And now, for something completely different!

I've always urged the importance for practitioners to understand the underlying technology that they're challenged with defending. When we're yelling at the Linux admins and DevOps folks to "just patch it", what does that process entail? How do those patches get applied? When and how are they released in the first place?

This is often one of the sticking points when security folks get nervous about "going open source", as if 90% of the code in their environments doesn't already come from some open source project. It's a legitimate concern however - without a legal contract, and some comfort level that a paid support team is actually going to fix critical vulnerabilities, how do we develop trust or a relationship with an open source project?

In this interview, benny Vasquez, the Chair of the board of directors for AlmaLinux, will fill in some of the gaps for us, and help us understand how an open source project can not only be trusted, but in many cases may be more responsive to security teams' needs than a commercial vendor.

Segment Resources:

• benny's 'highly scientific' survey on cloud vs on-prem usage across AlmaLinux users

In the enterprise security news,

1. Why is a consulting firm raising a $75M Series B?
2. A TON of Cybereason drama just dropped
3. Skybox Security shuts down after 23 years
4. The chilling effect on security leaders is HERE, and what that means
5. IT interest in on-prem, does NOT mean they’re quitting the cloud
6. Updates on the crazy Bybit heist
7. the state of MacOS malware
8. Skype is shutting down
9. Mice with CRISPR’ed woolly mammoth fur is NOT the real life Jurassic Park anyone was expecting

All that and more, on this episode of Enterprise Security Weekly.

Visit https://www.securityweekly.com/esw for all the latest episodes!

In 2011, Marc Andreessen predicted that software would eat the world. Specifically, the prediction was that software companies would take over the economy and disrupt all industries. The economic prediction has mostly come true, with 9 out of 10 of the most highly valued companies being tech companies. The industry disruption didn't materialize in some cases, and outright failed in others.

Healthcare seems to be one of these 'disruption-resistant' areas. Ed joins us today to discuss why that might be, and what the paths towards securing the healthcare industry might look like.

Segment Resources: Ed's podcast, Risk Never Sleeps

We get a visit from Tanya Janca to discuss her latest book, Alice and Bob Learn Secure Coding!

Segment Resources:

• Tanya's latest book on Amazon
• Tanya's previous book, Alice and Bob Learn Application Security on Amazon
• Tanya's website, She Hacks Purple

This week, in the enterprise security news,

1. we’ve got some funding and acquisitions!
2. ransomware payments are DOWN 35%
3. infostealers on Macs are UP 101%
4. Bybit got hit by a $1.5B heist and shrugged it off
5. A SaaS report says AI is having no impact on pricing
6. Microsoft’s CEO says AI is generating no value
7. Google is dropping SMS as a second factor
8. Google creates a 4th state of matter instead of fixing Teams
9. What it’s like to be named “Null”

All that and more, on this episode of Enterprise Security Weekly.

Visit https://www.securityweekly.com/esw for all the latest episodes!

In this interview, we're excited to have Ilona Cohen to help us understand what changes this new US administration might bring, in terms of cybersecurity regulation. Ilona's insights come partially from her own experiences working from within the White House. Before she was the Chief Legal Officer of HackerOne, she was a senior lawyer to President Obama and served as General Counsel of the White House Office of Management and Budget (OMB).

In this hyper-partisan environment, it's easy to get hung up on particular events. Do many of us lack cross-administration historical perspective? Probably. Should we be outraged by the disillusion of the CSRB, or was this a fairly ordinary occurrence when a new administration comes in? These are the kinds of questions I'll be posing to Ilona in this conversation.

• How the Change Healthcare breach can prompt real cybersecurity change

'Shift Left' feels like a cliché at this point, but it's often difficult to track tech and security movements if you aren't interacting with practitioners on a regular basis. Some areas of tech have a longer tail when it comes to late adopters and laggards, and application security appears to be one of these areas. In this interview, Jenn Gile catches us up on AppSec trends.

Segment Resources:

• Microsoft Defender for Cloud Natively Integrates with Endor Labs
• 2024 Dependency Management Report
• How to pick the right SAST tool

In the enterprise security news,

1. Change Healthcare’s HIPAA fine is vanishingly small
2. How worried should we be about the threat of AI models?
3. What about the threat of DeepSeek?
4. And the threat of employees entering sensitive data into GenAI prompts?
5. The myth of trillion-dollar cybercrime losses are alive and well!
6. Kagi Privacy Pass gives you the best of both worlds: high quality web searches AND privacy/anonymity
7. Thanks to the UK for letting everyone know about end-to-end encryption for iCloud!
8. What is the most UNHINGED thing you've ever seen a security team push on employees?

All that and more, on this episode of Enterprise Security Weekly.

Visit https://www.securityweekly.com/esw for all the latest episodes!

We've got a few compelling topics to discuss within SecOps today. First, Tim insists it's possible to automate a large amount of SecOps work, without the use of generative AI. Not only that, but he intends to back it up by tracking the quality of this automated work with an ISO standard unknown to cybersecurity.

I've often found useful lessons and wisdom outside security, so I get excited when someone borrows from another, more mature industry to help solve problems in cyber. In this case, we'll be talking about Acceptable Quality Limits (AQL), an ISO standard quality assurance framework that's never been used in cyber.

Segment Resources:

• Introducing AQL for cyber.
• AQL - How we do it
• An AQL 'calculator' you can play around with

We couldn't decide what to talk to Allie about, so we're going with a bit of everything. Don't worry - it's all related and ties together nicely.

• First, we'll discuss AI and automation in the SOC - Allie is covering this trend closely, and we want to know if she's seeing any results yet here.
• Next, we'll discover SecOps data management - the blood that delivers oxygen to the SOC muscles.
• Finally, we'll discuss MITRE's recent EDR evaluations - there was some contention around some vendors claiming to ace the test and we're going to get the tea on what's really going on here!

For each of these three topics, these are the blog posts they correspond with if you want to learn more:

1. Generative AI Will Not Fulfill Your Autonomous SOC Hopes (Or Even Your Demo Dreams)
2. If You’re Not Using Data Pipeline Management For Security And IT, You Need To
3. Go Beyond The MITRE ATT&CK Evaluation To The True Cost Of Alert Volumes

In this week's enterprise security news, we've got

1. 5 acquisitions
2. Tines gets funding
3. new tools and DFIR reports to check out
4. A legal precedent that could hurt AI companies
5. AI garbage is in your code repos
6. the dark side of security leadership
7. HIPAA fines are broken
8. Salt Typhoon is having a great time
9. Don't use ChatGPT for legal advice!!!!!

All that and more, on this episode of Enterprise Security Weekly.

Visit https://www.securityweekly.com/esw for all the latest episodes!

Spoiler: it's probably in your pocket or sitting on the table in front of you, right now!

Modern smartphones are conveniently well-suited for identity verification. They have microphones, cameras, depth sensors, and fingerprint readers in some cases. With face scanning quickly becoming the de facto technology used for identity verification, it was a no-brainer for Nametag to build a solution around mobile devices to address employment scams.

Segment Resources:

• Company website
• Aaron's book, Loyal

Listeners of the show are probably aware (possibly painfully aware) that I spend a lot of time analyzing breaches to understand how failures occurred. Every breach story contains lessons organizations can learn from to avoid suffering the same fate. A few details make today's breach story particularly interesting:

• It was a Chinese APT
• Maybe the B or C team? They seemed to be having a hard time
• Their target was a blind spot for both the defender AND the attacker

Segment Resources:

• https://www.binarydefense.com/resources/blog/shining-a-light-in-the-dark-how-binary-defense-uncovered-an-apt-lurking-in-shadows-of-it/
• https://www.theregister.com/2024/09/18/chinesespiesfoundonushqfirm_network/

This week, in the enterprise security news,

1. Semgrep raises a lotta money
2. CYE acquires Solvo
3. Sophos completes the Secureworks acquisition
4. SailPoint prepares for IPO
5. Summarizing the 2024 cybersecurity market
6. Lawyers that specialize in keeping breach details secret
7. Scientists torture AI
8. Make sure to offboard your S3 buckets
9. extinguish fires with bass

All that and more, on this episode of Enterprise Security Weekly.

Visit https://www.securityweekly.com/esw for all the latest episodes!

Celebrating and Elevating Women in Cyber: Recently, International Women in Cyber Day (September 1) highlighted the ongoing challenges women face in the cybersecurity field, as well as the progress made in recent years. Women bring exceptional skills and knowledge to cybersecurity; however, it is estimated that they make up only 20% to 25% of the cybersecurity workforce—a percentage that has remained stagnant for years. Even more concerning, women often hit a glass ceiling just six to ten years into their cybersecurity careers. Lynn Dohm sheds light on these issues and emphasizes what the industry needs to focus on to continue celebrating and elevating women in cyber.

Segment Resources:

• 2023 State of Inclusion Benchmark in Cybersecurity
• 2024 Cyber Talent Study by N2K and WiCyS
• WiCyS Programs

This week, we've added an extra news segment just on AI. Not because we wanted to, but because the news cycle has bludgeoned us into it. My mom is asking about Chinese AI, my neighbor wants to know why his stocks tanked, my clients want to know how to prevent their employees from using DeepSeek, it's a mess.

First, a DeepSeek primer, so we can make sure all Enterprise Security Weekly listeners know what they need to know. Then we get into some other AI news stories.

DeepSeek Primer

I think the most interesting aspect of the DeepSeek announcements is the business/market impact, which isn't really security-related, but could have some impact on security teams. By introducing models that are cheaper to train, sell access to, and less demanding to run on systems, DeepSeek has opened up more market opportunities. That means we'll see generative AI used in markets and ways that didn't make sense before, because it was too expensive.

Another aspect that's really confusing is what DeepSeek is or does. For the most part, when someone says "DeepSeek", they could be referring to:

• the company
• the open source models released by the company
• the SaaS service (https://chat.deepseek.com)
• the mobile app (which is effectively just a front end for #3)
• the API (which is what the mobile app and SaaS service are built on top of)

From a security perspective, there's little to no operational risk around downloading and using the models, though they're likely to get banned, so companies could get in trouble for using them. As for the app, API, or SaaS service, assume everything you type into them is getting collected by China (so, significantly less safe, probably no US companies should do this).

But because these services are crazy cheap right now, I wouldn't be surprised if some suppliers and third parties will start using DeepSeek - if your third party service provider is using DeepSeek behind the scenes with your data, you still have problem #2, so best to ensure they're not doing this through updated contract language and call to confirm that they're not currently doing it (can take a while to get a new contract in place).

This week in the enterprise security weekly news, we discuss

1. funding and acquisitions
2. Understanding the Semgrep license drama
3. Ridiculous vulnerabilities everywhere:
4. vulns to take down your entire city’s cell service
5. vulns to mess with your Subarus
6. vulns in Microsoft 365 authentication
7. cybersecurity regulations are worthless
8. Facebook is banning people for mentioning Linux
9. Vigilantes on Github
10. Mastercard DNS error
11. Qubes OS
12. Turning a "No" into a conversation

All that and more, on this episode of Enterprise Security Weekly!

Visit https://www.securityweekly.com/esw for all the latest episodes!

HackerOne's co-founder, Michiel Prins walks us through the latest new offensive security service: AI red teaming.

At the same time enterprises are globally trying to figure out how to QA and red team generative AI models like LLMs, early adopters are challenged to scale these tests. Crowdsourced bug bounty platforms are a natural place to turn for assistance with scaling this work, though, as we'll discuss on this episode, it is unlike anything bug hunters have ever tackled before.

Segment Resources:

• https://www.hackerone.com/ai/snap-ai-red-teaming
• https://www.hackerone.com/thought-leadership/ai-safety-red-teaming

This interview is a bit different from our norm. We talk to the founder and CEO of OpenVPN about what it is like to operate a business based on open source, particularly through trying times like the recent pandemic. How do you compete when your competitors are free to build products using your software and IP? It seems like an oxymoron, but an open source-based business actually has some significant advantages over the closed source commercial approach.

In this week's enterprise security news,

1. the first cybersecurity IPO in 3.5 years!
2. new companies
3. new tools
4. the fate of CISA and the cyber safety review board
5. things we learned about AI in 2024
6. is the humanless SOC possible?
7. NGFWs have some surprising vulnerabilities
8. what did generative music sound like in 1996?

All that and more, on this episode of Enterprise Security Weekly.

Visit https://www.securityweekly.com/esw for all the latest episodes!

Today's data landscape is undergoing a seismic shift with increasing regulatory pressures, rapid acceleration to the cloud, and AI adoption. Join BigID's CEO and Co-Founder, Dimitri Sirota, to learn how organizations can adopt a holistic approach to their data security and compliance strategy to keep up with the revolution in data, transforming their data into a competitive advantage.

This segment is sponsored by BigID! Start protecting your sensitive data wherever your data lives at https://securityweekly.com/bigid.

I've been so excited to see the external attack surface management (EASM) market take off in the past few years. This market category focuses exclusively on security issues exposed to the public Internet - issues ANYONE can see.

All organizations have exposure management problems, but industries that are traditionally underfunded when it comes to cybersecurity and IT are particularly worse off. We see breaches in these industries every day - industries like manufacturing, healthcare, and education. Of course, exposure issues don't stop at the network boundary - all organizations have internal exposures to worry about as well.

With all the breaches we see every week, we've become somewhat desensitized to them. Is it possible to address even just the most critical exposures (a fraction of 1% of all vulnerabilities) in one of the most underfunded industries? In this episode, we dive into how a small school system in New Mexico took on this challenge.

This week in the enterprise news - Cymulate acquires CYNC Secure, Tidal Cyber acquires Zero-Shot, Amazon ransomware attack, and more!

Visit https://www.securityweekly.com/esw for all the latest episodes!