The Cyber Ranch Podcast

Media Production

Dallas-Fort Worth, Texas 1,789 followers

One CISO explores the cyber landscape with the help of friends and experts...

About us

Ride the cyber trails with a host of practitioners who bring a human perspective to cybersecurity.

Website: https://allanalford.com/podcast
Industry: Media Production
Company size: 2-10 employees
Headquarters: Dallas-Fort Worth, Texas
Type: Self-Employed
Founded: 2021

Updates

    What the heck are ASPM (Application Security Posture Management) and CTEM (Continuous Threat & Exposure Management)? What do they promise, and what do they deliver? Both involve DevOps in the classic sense of Devs and Ops needing to come together quickly and accurately to manage security issues in a way that does not waste time for either the DevOps gang OR the security gang. By now, y'all should know that we here at the 'Ranch don't endorse the term 'DevSecOps' because, well, Sec should be integral, not a separate call-out. And most definitely do most shops need an overhaul on process, roles, gates, etc. when it comes to DevOps. But a powerful tool that can reduce the wasted time and cut back on the stupid that results from being blind and/or overloaded is a valuable, valuable thing.

    Listen to this week's episode where Allan Alford is joined by Tomer Schwartz from Dazz to tackle this topic and get into some tooling conversations as well. The two talk about:

    * Gartner alphabet soup
    * Noise to signal ratios
    * Single panes (pains?) of glass
    * Is there an actual and useful place for AI in all this?
    * UVM - How is it related? Is it dead? Was it absorbed? Is it alive and separate?

    Available here, or wherever you get your podcasts: https://lnkd.in/gAKAyzM6

    Thanks to Dazz for letting us borrow Tomer Schwartz, and for sponsoring this episode! https://dazz.io if you want to learn more about them.

    #informationsecurity #cybersecurity #infosec #ciso

    Managing Threats Throughout the SDLC with Tomer Schwartz | The Cyber Ranch Podcast

    thecyberranchpodcast.podbean.com

    21 Questions - unique questions asked of 10 guests LIVE! at RSA. The answers are VERY compelling. This week's The Cyber Ranch Podcast is a good one! It's Part 1 of 2, and features the following folks and questions:

    * Dr. Deanna Caputo: “How do you measure and articulate risk to the business?” “People, process or technology?”
    * Carlos Guerrero: “How do we foster community in cybersecurity?”
    * Elliott Franklin: “Governance, Risk Management, and Compliance – Which of the three is most important?” “What does progress look like in cybersecurity?”
    * Corey Bodzin: “With regards to AI & LLM, what is the impact to infrastructure?”
    * Evgeniy Kharam: “How integral is Identity & Access Management to the cybersecurity mission?” “How well is traditional DLP technology meeting its mission and what else can we do?”
    * Gary Hayslip: “What does RSA mean to you?”
    * Kelly Shortridge: “What does progress mean to you in cybersecurity?” “What is the end goal of cybersecurity?”
    * George Kamide & George A.: “What are you getting out of RSA?”
    * Kevin Jackson: “What are we doing wrong in cybersecurity?”

    Give it a listen here, or wherever you get your podcasts: https://lnkd.in/g4XNfiN6

    Sponsored by my dear friends at Semperis, whose AD/Entra ID security and recovery solutions should be looked at by all AD/Entra ID users... Y'all be good now!

    #informationsecurity #cybersecurity #infosec #ciso

    Our Top 5 Most Popular Episodes by Listenership:

    5 - Geopolitics, APTs and Cybersecurity with Dan Holden: https://lnkd.in/gbRvW9bt
    4 - Board Reporting Metrics Pt. 2 w/ Andy Ellis: https://lnkd.in/gWBfdUkc
    3 - Tired Topics in Cybersecurity - Part One with Rich Mason and Michael Santarcangelo: https://lnkd.in/g-c2q_4E
    2 - Can We Even Measure Risk? with Andy Ellis and Chris Roberts - EXPLICIT (Chris uses some naughty language): https://lnkd.in/g5BxpTzK
    1 - Board Reporting Metrics Pt. 1 w/ Andy Ellis: https://lnkd.in/gTUHZHrA

    #informationsecurity #cybersecurity #infosec #ciso

    Guess which is higher: the number of exploits above the OS or the number below the OS? You probably guessed wrong. We sure did! See the below graphic for an "Aha!" moment. CPUs, BIOS, Firmware, embedded old, old versions of Linux, FPGAs, UEFI, PXE...

    Allan Alford invited Yuriy Bulygin, CEO at Eclypsium, Inc., to this week's episode to talk about all the problems that lurk below the OS and what we can do about them.

    DISCLAIMER: Allan is Eclypsium's CISO. We asked Yuriy to be on the show, not the other way around. Yuriy is a subject matter expert, as you will see when you give the show a listen!

    We cover:

    - The history of CPU exploits (Fun lessons for me!)
    - Unauthorized code in chips in network gear
    - The various hacks available at this layer
    - The role of SBOM in all this
    - The open source CHIPSEC project, which is a super cool way to help defend against this stuff.

    Check it out here, or wherever you get your podcasts: https://lnkd.in/gWEHG6Hf

    #informationsecurity #cybersecurity #infosec #ciso

    What are the rules about vendors on the show?

    1. They have to add value where even practitioners might not be able to.
    2. They CANNOT sell!

    Adam Bateman over at Push Security came out this week and DELIVERED! LinkedIn, you helped fuel this show too! https://lnkd.in/gWEHG6Hf

    Adam is CEO and Co-Founder at Push Security, based in the UK. Adam started off as a red teamer himself, and then went on to build and lead the detection and response division of another firm that specialized in state-sponsored attacks! Adam came up in the world of offensive security, and it shows in his thinking. He co-founded Push to protect SaaS-native companies, whose data resides in a bazillion places, protected by a bazillion identities. Or maybe just by SSO. But probably a mix. ½ a bazillion known SaaS apps using SSO and another ½ a bazillion using who knows what identity methods?

    Questions Allan Alford asks Adam, based partly on an earlier thread here on LinkedIn:

    * In one sense, vulnerable Internet-facing credentials have ALWAYS been a problem. In other words, Identity is not the new perimeter, but is a rather old one. What are your thoughts?
    * What is happening in the wild? What do the attacks actually look like?
    * Allan Alford Consulting subscribes to over twenty SaaS applications, and Allan is literally a one-man company. How many SaaS apps are used by the average enterprise? What percentage of those are in the SSO fold? This is truly scary.
    * How do we get everything behind SSO? How do we get SSO locked down and secure?
    * What’s our best possible world? Everything behind SSO with a Yubikey? Next best is everything behind SSO with Smartphone MFA app?
    * Back to this perimeter thing: J. David Christensen, CISSP agrees with the idea that identity is not a new perimeter. He says it has always been THE perimeter! Jamir F. agreed. Robert Mitchell points out that if an identity provider can be compromised, then identity is the M&M defense after all (hard shell, soft center). Our friend Abhishek Singh says authZ and authN combine to form Zero Trust. Once you have zero trust, he says, like it or lump it, identity becomes the attack surface. What are your thoughts on that formula? We found it to be a rather tidy summation, as did our other friend Dan Holden. Thoughts?
    * Lastly, when we talk identity, we always feel the need to point out that humans are just some of the identities crawling our digital world. Are the solutions we’re crafting for humans using SaaS also good for machine accounts? Application accounts? API-to-API connections?

    Sponsored by our good friends at Push Security - check them out at: https://lnkd.in/gmTh7U4s

    #informationsecurity #cybersecurity #infosec #ciso

    What's the best part of attending Black Hat? What's the history of Black Hat? What's the next big thing in cybersecurity? What is important in cybersecurity? What are we getting wrong in cybersecurity?

    Allan Alford dons his black hat at Black Hat to ask these questions and many more of some of the finest practitioners and vendors our community has to offer. In hallways, at a party, on the floor... Allan recorded everyone everywhere, leveraging some impressive noise-cancelling recording gear if we say so ourselves.

    Check out this week's episode, available wherever you get your podcasts or at https://lnkd.in/gWEHG6Hf

    Enjoy the list of interviewees (and time stamps) below:

    1:02 - Dani Woolf (She/Her), Founder & CEO at Audience 1st
    3:06 - Daniel Blackford, Manager of Threat Research @ Proofpoint
    6:48 - Dean Sysman, CEO @ Axonius
    8:19 - Deepen Desai, Global CISO & Head of Security Research @ ZScaler
    15:39 - G Mark Hardy, host of the CISO Tradecraft Podcast
    18:42 - Glen Pendley, CTO @ Tenable
    23:54 - Kayne McGladrey, Field CISO @ Hyperproof
    24:52 - Leigh Honeywell, CEO @ Tall Poppy
    25:52 - Masha Sedova, CEO @ Elevate Security
    28:47 - Nate Warfield, Director of Research @ Eclypsium
    31:43 - Richard Berthao, Cybersecurity Leader, Planner, and Innovator
    32:41 - Rob Labbé, CEO and CISO in Residence for the Mining and Metals ISAC

    Sponsored by our good friends at Seraphic Security. Seraphic helps you defend your digital workplace with security and DLP for every browser and essential desktop apps like Microsoft Teams, Slack, Asana, and Notion. Protect against compromise and prevent data loss via the web with Seraphic. Check them out at https://lnkd.in/g78_YXx3

    #informationsecurity #cybersecurity #infosec #ciso #blackhat2023 #blackhat #blackhatusa

    What are your tips for cloud security remediation? How do you manage the task without pulling your hair out? How do you weed out duplicates? How do you smooth out the relationships of the team members when friction arises?

    Cloud security remediation can be hugely impactful to the relationships between Dev, Sec and Ops. It can also require a lot of finesse, grit, devotion, commitment, and the ability to overcome frustration. And then there are lateral issues like drift management...

    Tunde Oni-Daniel is a serious player in our industry and is also super crafty about how he goes about all this stuff. AND his passion for the subject is contagious. Check out the latest show where Allan Alford interviews Tunde about these topics and more! Also available at https://lnkd.in/gWEHG6Hf as per usual.

    Sponsored by our good friends at Dazz. Dazz takes the pain out of the cloud remediation process using automation and intelligence to discover, reduce, and fix security issues—lightning fast. Visit Dazz.io/demo and see for yourself.

    NOTE: Dazz comes up in the conversation this time, as Tunde is an enthusiastic Dazz user. It's not an ad, we promise! We just point out in a couple of places where they really are the right solution for the particular problem.

    #informationsecurity #cybersecurity #infosec #ciso
