The world of cloud security is evolving at breakneck speed. Are traditional tools and strategies enough to combat the sophisticated threats of tomorrow? In this episode, we're joined by Elad Koren, Vice President of Product Management from Palo Alto Networks, to explore the dynamic journey of cloud security.

Elad shares his insights on how the landscape has shifted, moving beyond the era of CSPM and CNAPP as standalone solutions. We delve into why a cloud-aware Security Operations Center (SOC) is no longer a luxury but a necessity, and what "runtime security" truly means in today's complex, multi-cloud environments.

The conversation also tackles the double-edged sword of Artificial Intelligence: how it's empowering both attackers with new capabilities and defenders with advanced tools. Elad discusses the critical considerations for organizations undergoing digital transformation, the importance of AI governance, and provides actionable advice for companies at all stages of their cloud adoption journey, from securing code from day one to building holistic visibility across their entire infrastructure.

Guest Socials - Elad's Linkedin
Podcast Twitter - @CloudSecPod
If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels:
- Cloud Security Podcast - Youtube
- Cloud Security Newsletter
- Cloud Security BootCamp
If you are interested in AI Cybersecurity, you can check out our sister podcast - AI Cybersecurity Podcast

Questions asked:
(00:00) Introduction
(01:38) How has Cloud Security Evolved?
(04:21) Why CNAPP is not enough anymore?
(07:13) What is runtime security?
(07:54) Impact of AI on Cloud Security
(11:41) What to include in your cybersecurity program in 2025?
(16:47) The Fun Section

Thank you to this episode's sponsor - PaloAlto Networks
Resources discussed during the episode:
PaloAlto Networks RSAC Announcement 1
PaloAlto Networks RSAC Announcement 2
The cloud security landscape may have just shifted — and we're here to break it down.

In this special panel episode, host Ashish Rajan is joined by an all-star group of cloud and cybersecurity experts to discuss one of the most important conversations in cloud security today: the changing nature of security architecture, SOC readiness, and how teams must evolve in a multi-cloud world.

Guests include:
- Chris Hughes – CEO at Acqui & host of Resilient Cyber
- James Berthoty – Cloud and AppSec engineer, known for sharp vendor analysis and engineering-first content, and Latio Tech
- Mike Privette – Founder of Return on Security, expert in cybersecurity economics
- Francis Odum – Founder of Software Analyst Cyber Research

We Cover:
- Why cloud security is now beyond CSPM and CNAPP
- The impact of major market moves on enterprise cloud strategy
- What vendor lock-in really means in a multi-cloud era
- How runtime and real-time security are taking center stage
- The rise of AI-SPM and AI-powered SOCs
- What CISOs and practitioners should actually be doing now

Guest Socials: David's Linkedin
Podcast Twitter - @CloudSecPod
If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels:
- Cloud Security Podcast - Youtube
- Cloud Security Newsletter
- Cloud Security BootCamp
If you are interested in AI Cybersecurity, you can check out our sister podcast - AI Cybersecurity Podcast

Questions asked:
(00:00) Introduction
(02:05) A bit about our panelists
(04:24) Current Cloud Security Landscape
(09:36) Challenges with Multi-Cloud Security
(18:06) Runtime Security for Cloud
(23:34) Can SOC deal with CNAPP Alerts
(26:23) CISO planning their cybersecurity program
(32:38) Regulatory requirements in public sector
(36:27) Success Metrics for Modern Cloud Security Program
Guest: James Campbell, CEO, Cado Security; Chris Doman, CTO, Cado Security

Topics:
- Cloud Detection and Response (CDR) vs Cloud Investigation and Response Automation (CIRA) ... what's the story here?
- There is an "R" in CDR, right? Can't my (modern) SIEM/SOAR do that? What about this becoming a part of modern SIEM/SOAR in the future?
- What gets better when you deploy a CIRA (a) and your CIRA in particular (b)?
- Ephemerality and security, what are the fun overlaps? Does "E" help "S" or hurt it?
- What about compliance? Ephemeral compliance sounds iffy…
- Cloud investigations, what is special about them?
- How does CSPM intersect with this? Is CIRA part of CNAPP?
- A secret question, need to listen for it!

Resources:
- EP157 Decoding CDR & CIRA: What Happens When SecOps Meets Cloud
- EP67 Cyber Defense Matrix and Does Cloud Security Have to DIE to Win?
- EP158 Ghostbusters for the Cloud: Who You Gonna Call for Cloud Forensics
- Cloud security incidents (Rami McCarthy)
- Cado resources
In this episode of Relating to DevSecOps, Ken Toler and Mike McCabe dive deep into Google's blockbuster acquisition of Wiz.io for a reported $32 billion. They explore the implications for cloud security, the consolidation of the DevSecOps tooling landscape, and how this move compares to Google's previous acquisitions like Mandiant and Chronicle. The duo debates the future of multi-cloud strategies, platform fatigue, and whether Wiz will remain the darling of the security community—or get lost in the labyrinth of Google Cloud products. With sharp insights and a dash of hot takes, they paint a picture of a cloud security ecosystem at a pivotal turning point.
Penetration tests are probably the most common and recognized cybersecurity consulting services. Nearly every business above a certain size has had at least one pentest by an external firm. Here's the thing, though - the average ransomware attack looks an awful lot like the bog standard pentest we've all been purchasing or delivering for years. Yet thousands of orgs every year fall victim to these attacks. What's going on here? Why are we so bad at stopping the very thing we've been training against for so long? This interview with Phillip Wylie will provide some insight into this! Spoiler: a lot of the issues we had 10, even 15 years ago remain today.

Segment resources: Phillip's talk, Optimal Offensive Security Programs, from Dia de los Hackers last fall

It takes months to get approvals and remediate cloud issues. It can take months to fix even critical vulnerabilities! How could this be? I thought the cloud was the birthplace of agile/DevOps, and everything speedy and scalable in IT? How could cloud security be struggling so much? In this interview we chat with Marina Segal, the founder and CEO of Tamnoon - a company she founded specifically to address these problems.

Segment Resources:
- Gartner prediction: By 2025, 75% of new CSPM purchases will be part of an integrated CNAPP offering. This highlights the growing importance of CNAPP solutions. https://www.wiz.io/academy/cnapp-vs-cspm
- Cloud security skills gap: Even well-intentioned teams may inadvertently leave their systems vulnerable due to the cybersecurity skills shortage. https://eviden.com/publications/digital-security-magazine/cybersecurity-predictions-2025/top-cloud-security-trends/
- CNAPP market growth: The CNAPP market is expected to grow from $10.74 billion in 2025 to $59.88 billion by 2034, indicating a significant increase in demand for these solutions. https://eviden.com/publications/digital-security-magazine/cybersecurity-predictions-2025/top-cloud-security-trends/
- Challenges in Kubernetes security: CSPMs and CNAPPs may have gaps in addressing Kubernetes-specific security issues, which could be relevant to the skills gap discussion. https://www.armosec.io/blog/kubernetes-security-gap-cspm-cnapp/
- Addressing the skills gap: Investing in training to bridge the cybersecurity skills gap and leveraging CNAPP platforms that combine advanced tools are recommended strategies. https://www.fortinet.com/blog/business-and-technology/navigating-todays-cloud-security-challenges
- Tamnoon's State of Remediation 2025 report

In this week's enterprise security news:
- Knostic raises funding
- The real barriers to AI adoption for security folks
- What AI is really getting used for in the wild
- Early stage startup code bases are almost entirely AI generated
- Hacking your employer never seems to go well
- Should the CISO be the chief resiliency officer?
- Proof we still need more women in tech
All that and more, on this episode of Enterprise Security Weekly.

Visit https://www.securityweekly.com/esw for all the latest episodes!
Show Notes: https://securityweekly.com/esw-398
It takes months to get approvals and remediate cloud issues. It can take months to fix even critical vulnerabilities! How could this be? I thought the cloud was the birthplace of agile/DevOps, and everything speedy and scalable in IT? How could cloud security be struggling so much? In this interview we chat with Marina Segal, the founder and CEO of Tamnoon - a company she founded specifically to address these problems.

Segment Resources:
- Gartner prediction: By 2025, 75% of new CSPM purchases will be part of an integrated CNAPP offering. This highlights the growing importance of CNAPP solutions. https://www.wiz.io/academy/cnapp-vs-cspm
- Cloud security skills gap: Even well-intentioned teams may inadvertently leave their systems vulnerable due to the cybersecurity skills shortage. https://eviden.com/publications/digital-security-magazine/cybersecurity-predictions-2025/top-cloud-security-trends/
- CNAPP market growth: The CNAPP market is expected to grow from $10.74 billion in 2025 to $59.88 billion by 2034, indicating a significant increase in demand for these solutions. https://eviden.com/publications/digital-security-magazine/cybersecurity-predictions-2025/top-cloud-security-trends/
- Challenges in Kubernetes security: CSPMs and CNAPPs may have gaps in addressing Kubernetes-specific security issues, which could be relevant to the skills gap discussion. https://www.armosec.io/blog/kubernetes-security-gap-cspm-cnapp/
- Addressing the skills gap: Investing in training to bridge the cybersecurity skills gap and leveraging CNAPP platforms that combine advanced tools are recommended strategies. https://www.fortinet.com/blog/business-and-technology/navigating-todays-cloud-security-challenges
- Tamnoon's State of Remediation 2025 report

Show Notes: https://securityweekly.com/esw-398
This article presents three use cases, drawn from companies that use "Cloudbase", showing for what purposes CSPM and CNAPP are actually operated in practice and what benefits their adoption has delivered.
Alan and Sam discuss why it is important to have Cloud Security Posture Management (CSPM) solutions in place. Alan goes through the general benefits of CSPM, enhancements since its release, and dives into Microsoft Defender for Cloud.

Topics that are covered are:
- What is Cloud Security Posture Management and why it is important
- What is Microsoft Defender for Cloud's approach to CSPM
- What is Microsoft Cloud Security Benchmark
- What are the pricing tiers for CSPM

What did you think of this episode? Give us some feedback via our contact form, or leave us a voice message in the bottom right corner of our site.
What if Artificial General Intelligence (AGI) could be the job creator of the century? Buckle up for a hilarious yet thought-provoking exploration of this bold idea as we dissect the potential economic impact of AGI development alongside Chris, who aspires to up his Blue Sky game inspired by his brother Tim. We dive into compelling articles like the one from CRN, spotlighting Palo Alto Networks' maneuver to streamline their product offerings into a singular platform akin to the Apple ecosystem. This opens up the age-old debate about vendor lock-in, and we can't help but chuckle at the similarities with Cisco's approach. We'll also navigate through the labyrinth of product names, specifically Palo Alto's Prisma, and the challenges of achieving true platform integration.

Cloud security is a jungle of acronyms and complexity, but fear not—we've got our machetes ready! Join us as we untangle the web of CSPM, CNAPP, CIEM, and CASB, piecing together the puzzle of multi-cloud environments highlighted by a Fortinet report. While we question some of the report's methodologies, it undeniably underscores a trend towards centralized security dashboards. With businesses of all sizes grappling with diverse cloud security challenges, we set the stage for an upcoming segment about our own company's stance in this arena. Expect a mix of skepticism, humor, and serious conversation as we navigate this intricate landscape.

Finally, we journey into the realm of AGI and job creation, challenging the narrative of inevitable AI-driven job losses. We speculate on the logistics behind such job creation, pondering the international AI race, and throwing in some humor about genetically modified apples for good measure. We wrap up with some playful banter about Tim's personal details and offer heartfelt thanks to our listeners. We hope you subscribe, follow us on social media, and visit our website for the full scoop.

Our discussion is as juicy as a genetically modified apple, and you won't want to miss a bite!

Wake up babe, a new apple just dropped: https://www.kissabel.com/
Check out the Fortnightly Cloud Networking News: https://docs.google.com/document/d/1fkBWCGwXDUX9OfZ9_MvSVup8tJJzJeqrauaE6VPT2b0/
Visit our website and subscribe: https://www.cables2clouds.com/
Follow us on Twitter: https://twitter.com/cables2clouds
Follow us on YouTube: https://www.youtube.com/@cables2clouds/
Follow us on TikTok: https://www.tiktok.com/@cables2clouds
Merch Store: https://store.cables2clouds.com/
Join the Discord Study group: https://artofneteng.com/iaatj
Episode 65 features Marina Segal, a friend, former colleague, and now co-founder and CEO of her VC-backed start-up, Tamnoon (www.tamnoon.io). I first met and worked with Marina Segal at Dome9 and, subsequently, Check Point Software. Marina is a shrewd and highly experienced executive with a strong background in Security Governance, Risk, and Compliance. In this age of AI, automation, and BOTs, she and her team have created an interesting value proposition with a human touch. I hope you enjoy the discussion.

*PLEASE NOTE* Correction: Midway through the broadcast I refer to CNAPP as a 'horizontal vertical' solution and I meant to say CSPM, not CNAPP. My bad. Thanks!
In this episode, recorded at Kubecon NA in Salt Lake City, we spoke about Kubernetes security with Shauli Rozen, co-founder and CEO of ARMO Security. From the challenges of runtime protection to the potential of CADR (Cloud Application Detection and Response), Shauli breaks down the gaps in traditional CSPM tools and how Kubernetes plays a central role in cloud security strategy. The episode gets into the "Four C's" of cloud security: Cloud, Cluster, Container, Code; why runtime data, powered by eBPF, is critical for modern security solutions; the rise of CADR; and how Kubernetes is reshaping the landscape of DevOps and security collaboration.

Guest Socials: Shauli's Linkedin
Podcast Twitter - @CloudSecPod
If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels:
- Cloud Security Podcast - Youtube
- Cloud Security Newsletter
- Cloud Security BootCamp

Questions asked:
(00:00) Introduction
(01:46) A bit about Shauli and ARMO
(02:26) Bit about open source project Kubescape
(03:59) What is Runtime Security in Kubernetes?
(06:50) CDR and Application Security
(08:57) What is ADR and CADR?
(09:55) How is CADR different to ASPM + DAST?
(12:18) Kubernetes Usage and eBPF
(15:35) Does your CSPM do coverage for Kubernetes?
(16:24) What to include in 2025 Cybersecurity Roadmap?
(19:09) Does everyone need CADR?
(21:35) Who is looking at the Kubernetes Security Logs?
(23:17) The future of Kubernetes Security
(25:26) The Fun Section
For those who manage short-term rentals, which tools and pieces of software do you use to keep things organized and running smoothly? In today's episode of the #DoorGrowShow, property management growth expert Jason Hull brings on Jacob Mueller, founder of Renjoy, to talk about using technology to help manage short-term rentals.

You'll Learn
[01:36] The creation of Renjoy
[16:55] Software and systems for STR
[25:38] Building out systems using Airtable
[34:20] Strategic planning systems

Tweetables
“One of the things that's different about short term rentals is that it's constantly changing.”
“You have to be on top of your game. You can't just do the same thing you've been doing.”
“It's kind of like you've got a Swiss Army knife or one of those multi tools, and it's not the same as having a toolbox of high quality.”
“The only thing I want to share with all the property managers out there is keep on doing the hard work.”

Resources
DoorGrow and Scale Mastermind
DoorGrow Academy
DoorGrow on YouTube
DoorGrowClub
DoorGrowLive
TalkRoute Referral Link

Transcript
[00:00:00] Jason: It's kind of like you've got a Swiss Army knife or one of those multi tools, and it's not the same as having a toolbox of high quality.
[00:00:08] Jacob: That's exactly right. To be able to have like specific specialized tools, you then have to know what you're doing to accumulate those tools and have them all talking and speaking to each other, but if you do it right, very powerful.
[00:00:21] Jason: Welcome DoorGrow Property Managers to the DoorGrow Show. If you are a property management entrepreneur that wants to add doors, make a difference, increase revenue, help others, impact lives, and you are interested in growing in business and life, and you're open to doing things a bit differently, then you are a DoorGrow property manager. DoorGrow property managers love the opportunities, daily variety, unique challenges, and freedom that property management brings.
Many in real estate think you're crazy for doing it. You think they're crazy for not, because you realize that property management is the ultimate high trust gateway to real estate deals, relationships, and residual income. At DoorGrow, we are on a mission to transform property management business owners and their businesses. We want to transform the industry, eliminate the BS, build awareness, change perception, expand the market, and help the best property management entrepreneurs win. I'm your host, property management growth expert, Jason Hull, the founder and CEO of DoorGrow.
[00:01:22] Now, let's get into the show. All right. Today's guest, I'm hanging out with Jacob Mueller from Renjoy. Jacob, welcome to the DoorGrow show.
[00:01:33] Jacob: Thanks. It's a pleasure to be here, Jason.
[00:01:36] Jason: Glad to have you. So Jacob, give us a little bit of your background in maybe entrepreneurism and how you eventually got connected maybe to rentals, property management, and then we can get into Renjoy.
[00:01:51] Jacob: Sure. Well, I won't give you the full backstory. It goes all the way back to a college class I took, but I really started getting into real estate right at the perfect time, beginning of ZIRP, zero interest rate era. And I was actually a commercial broker for a little while. I did about six months of leasing and realized I did not enjoy that.
[00:02:09] And so then I transitioned to a residential property management firm based out of Denver that focused on investors. When I joined them, Atlas Real Estate, they're in, I don't know, five or six states now. But when I joined them, they were only in Colorado. They managed maybe 2,500 doors and I was kind of their regional broker in Colorado Springs, which is where I am.
[00:02:30] And they are now, I think, north of 10,000 units under management and have grown tremendously on the management side. But I learned a ton from these folks. I learned how to flip property.
I learned to invest in real estate. I learned a lot. And so that's kind of where my real estate investing career started.
[00:02:46] That was about four or five years ago. And since then I've acquired single family homes, some small multi units. And then I've also diversified in my income streams from just long term tenants to also short term tenants. And that's kind of where the story of Renjoy begins. One of my clients I worked with, as a broker, happened to have quite a few Airbnbs, short term rentals.
[00:03:09] And he was buying properties like every six months. And I was trying to figure out how is this guy, he's my age, how's this, you know, 28 year old buying so many properties so quickly back to back? So I started learning about his process and his insights into the industry. And I thought, man, this guy's got a peg on this industry.
[00:03:25] And of course, during ZIRP, Airbnbs were easy, making money was easy, everybody was doing it. And so I saw this interesting opportunity, decided to partner with this client of mine, and another client actually. And we formed Renjoy together with our own portfolio to start.
[00:03:40] Jason: Nice. Okay. So what is Renjoy?
[00:03:45] Jacob: Yeah, so Renjoy is kind of an unintended consequence.
[00:03:48] It was not our plan. It's a short term rental property management business. But when we first started the company, it was just to manage our own portfolios. And people started asking us to manage theirs because short term rentals and long term rentals are complex and difficult and a lot of work. And so owners are constantly looking to hand over management for these things.
[00:04:09] Jason: Yeah. And that can be a challenge. You know, with those short term rentals. I mean, everything has to move quick, right? You're having to check and adjust prices every day to make sure you're getting the, you know, the best rate possible.
You need to communicate like immediately, all the time, with all the guests, and then, you know, then like you're trying to figure out how to make sure you're getting as many people through this property as possible but not getting it damaged. And then maintenance stuff has to be dealt with like super fast, or people get really frustrated and upset, and so it's a difficult game. And then, for, you know, for people managing short term rentals, it's almost like a cleaning talent acquisition business more than it is a property management business. And so, how does Renjoy help with this stuff?
[00:05:02] Jacob: Yeah. Yeah. There's so many ways we can go with this, Jason. A lot of what you were saying, you know, resonates with me. I think there's an increased complexity on the stakeholder relationships that we have as a manager. All property managers have this complexity where they have their tenant who is a stakeholder.
[00:05:18] They need a tenant to pay rent. And they also need to have properties with which to have a tenant pay rent on. And so all of the property managers have this balance they have to walk between these stakeholders. They have to serve their tenants and they have to serve their landlords, their property owners. We're the same, but one of the challenges is our tenants leave us reviews.
[00:05:38] Every single time they stay, and so there's this increased amount of, shall we say, accountability almost on how we manage our relationship with this key stakeholder, the guests that are coming to the properties, the tenants, but also the owners too. And then this all leads to the same challenges all property managers have, which is balancing meeting your tenant's requests for service, for maintenance, kind of meeting their expectations while also keeping costs as low as possible and trying to meet the owner's expectations.
And you have to constantly balance that when you're thinking about maintenance and your service level agreements and how they can get impacted by the occupant versus the owner.
[00:06:16] So that's one thing that's really complex. But there's a lot of things we can get into with short term rentals. We are a full service short term rental management company. This is another pretty big distinction between long term rental property managers and short term, is that the suite of services provided varies quite a bit from one short term rental manager to another.
[00:06:36] Not to say that long term rental managers are all the same, but generally speaking, there's a pretty similar core group of services that all long term property managers provide for their clients.
[00:06:47] Jason: Got it. So, is Renjoy a service that those that are listening that are running a property management business, are you their competitor, or is there a way that they can work with you, or how does that work?
[00:07:00] Jacob: Great question. I do not believe we're competitors. We don't do long term rental property management and we refer out for that. And so we actually kind of have a lot of good relationships with our property managers, mutual referring relationships, actually, in the markets in which we serve.
[00:07:16] Jason: So what you're saying is long term residential property managers, if they're not wanting to deal with the complexity of short term property management, is there a way they can sort of partner with you and maybe get paid?
[00:07:28] Jacob: Absolutely. Yeah. We have a referral program. And for everybody who signs a contract with us, it's a thousand bucks. Easy peasy. And if the property manager happens to also be a practicing broker, we actually do work to execute exclusive right to lists in our property management agreements, which is assignable.
[00:07:46] And so we just assign, should that client that you've referred to us choose to list their property, we can actually reassign that exclusive right to list back to you as the property manager slash broker.
[00:07:56] Jason: Got it. Okay. So that's an additional benefit. They can keep the real estate deals.
[00:08:00] Jacob: That's right.
[00:08:01] Jason: Got it.
[00:08:03] Okay. So for those that are investors listening and, you know, we have a lot of property managers and they should be investors as well if they believe in real estate investing, right. And they're servicing people doing it. So they're probably investors as well. If their primary focus is long term residential management, but they're wanting to, you know, get a couple of short term properties in their market, but they don't want to do short term management. And they're buying these properties. Why should they choose you to do it instead of having the side job, or why do investors tend to choose you instead of doing it themselves?
[00:08:38] Jacob: Yeah. That's a good question. In general, actually, Jason, what I would say is, if you are, depending on your life and what all you have going on in your life, generally speaking, I recommend folks who are buying their first Airbnb to run it themselves because there's just a lot of things you need to learn and understand.
[00:08:55] And I actually would say the same thing about long term rentals. I would say you as the homeowner or the property owner should try to manage it yourself. Because then you understand the challenges that, you know, your property manager might face and you know what to look for in a good property manager.
[00:09:09] Same thing applies for short term rental management as well. So if your listeners are looking at acquiring their first one, my recommendation is do it, first of all.
And then second of all, learn the ropes, do it yourself, understand the challenges and the complexities, and then go and shop around for a manager because it's expensive to switch.
[00:09:28] Jason: Yeah. Yeah. So my wife and I, we got a short term rental so that we can do client events at it and stuff like this. And so we'll bring clients in and we'll use that, and then in the, like, in between, we'll just, we'll use it as a short term rental and send it out for other people to use, right. And so, but even with this one property, like to make this, to manage it well, we've got a whole suite of tools in order to like make this efficient and, you know, Sarah, my wife, she runs it and she went through a whole university and a course and like all this stuff to like, learn how, learn the game and learn how to do photos different than typical real estate photos and like all this stuff.
[00:10:11] And so, you know, to figure everything out to get this working, and it's working really well, but it just seems like a lot. It seems like a lot of stuff. So what competitive advantage do you feel like Renjoy affords over people that eventually figure out how to do all this stuff? They've got all these tools, but it still takes a bunch of time and they don't want to do it.
[00:10:30] Jacob: Yeah, I know. That's right. It is actually very complex. It's also not static. One of the things that's different about short term rentals is that it's constantly changing. For acquiring the guests, meeting the demand out there, capturing the existing demand for short term lodging, you have to be on top of your game.
[00:10:47] You can't just do the same thing you've been doing. In fact, we see quite a few property owners now who are kind of getting off that ZIRP high, you know, 2020, 2021, 2022, when people were spending like crazy, and now their properties aren't cash flowing very well. They're not capturing the demand that's in their market nearly as well because the game has changed.
[00:11:04] They're saying, Hey, I'm doing everything the same I did before, but my revenue is going down. I don't understand why. [00:11:10] The reality is, you have to compete you're competing with actually folks like us who have this professionalization of the industry, which I think is going on right now in short term rentals. [00:11:20] And one of the big challenges with an individual owner operator is not only do you have to message your guests promptly, you have to make sure they check in, check out okay. You have to check for damages after the stay, you have to organize the cleaning, you have to organize the house or the maintenance, you have to do all that. [00:11:35] But on top of that, the big thing that I see people miss is that you have to be on your pricing every day. I mean, you have to not just use algorithmic based pricing with some of these tools like Price Labs or Wheelhouse or something like that. You have to be doing it every day. And when you're looking at your pricing every day, you can't just look at your property. [00:11:53] You have to compare it to all your comp sets and see, hey, who's booked on these, you know, next 10 days and at what rates and where do I sit in that comp set and what do I need to do to my prices today to capture the existing demand before somebody else in my comp set captures that, that guest or that demand. [00:12:11] And it's very hands on. And so one of the big advantages of a property manager like us is we have, you know, two people full time looking at pricing for every property. [00:12:20] Jason: So, and how many properties do you guys over right now? [00:12:24] Jacob: We manage about 165. [00:12:27] Jason: Yeah. And so with 165, you, two people are able to handle all the pricing checks and updates on a daily basis. [00:12:34] Jacob: That's right. Because not every property is unique, right? We have comp sets. 
So if you have, let's say, 15 two bedroom, one bath units that are all, let's say, basements or, you know, attached ADUs, and they're all in the same geographical area, we could do a lot of pricing at the same time for all 15 of those units because we're trying to capture that segment of the demand. [00:12:56] Jason: Got it. Got it. Okay. So, so for those that are listening, they're managing short term rentals. And maybe they're not doing that, that one missing piece very effectively. What would you recommend that they do? [00:13:11] Jacob: You have to, I mean, I think you have to do that, right? I mean, big part of the value proposition of a property manager for short term rentals. [00:13:18] This is key for all your listeners who are thinking about buying a short term rental too. Short term rental property managers are expensive. And so, you want to ensure whichever manager you choose to hire is going to exceed or excel or expand beyond what you might otherwise earn in revenue to offset that cost. [00:13:35] And so, if there's a property manager out there doing short term rentals and they don't have a sophisticated pricing strategy, I would say your value proposition is very weak because you're going to charge, you know, a large percentage of commission on what's already coming in without necessarily increasing the amount of revenue coming in to offset that cost for your property owners. [00:13:53] And I think you're going to end up in a tight spot when your owners aren't making enough money. And another manager can increase or boost their earnings. So I would say get on it. There's no reason not to. There's a lot of access to global talent who knows how to do this kind of stuff. So it's not a lack of talent or even that they're terribly expensive. [00:14:11] You can get a pretty good program implemented. Okay. [00:14:15] Jason: Well then let's allow you to poison the well a little bit against any of your competitors.
So let's talk about then what, how do you find and vet a good short term rental management company? I mean, everybody, when they hear what I do, if I'm at a cocktail party or an event or anything, I hear people all the time. [00:14:34] Oh, I had some rental properties, but man, it was a nightmare. And I got rid of them. And I'm like, maybe you should've just got a property manager, but in short term, like if they're not cash flowing, or it's not making money, or it's not working out it could sometimes be the property manager. [00:14:50] Especially based on what you're saying. So what would be the biggest initial filter? Would it be that? Would it be, Hey, how often are you checking the pricing on the property? And what's your pricing strategy? [00:14:59] Jacob: You know, it's tough because you can, you know, with anybody, they can tell you whatever they want. [00:15:03] You have to like verify. And so I would always say there are a lot of like basic ground rules, questions similar to what you're saying, Jason, where, Hey, tell me about your pricing strategy. Tell me about how you will price my property. Tell me about how you'll handle work orders when things come up. Like tell me about your communication strategy with guests. [00:15:22] Tell me about your philosophy on refunding for issues or how you handle cancellations or how do you handle damages? Like all of these like key components, you'll weed out a lot of crummy property managers that way. Actually, if you just go through, Hey, here's the 15 core things you got to do just to be a worthwhile candidate for property management for me. Here's the 15 main things, but to go beyond that's when you have to start doing things like show me your Airbnb account that has all your reviews and going through that list and pick, you know, out of the last three months, find a bunch of reviews and ask them to explain what happened on those poor reviews. [00:15:59] Hey, this guest said this thing happened. 
What all what happened on your end? And just literally do your due diligence on guest reviews to see how the guest stakeholders are impacted by this manager. And then furthermore, try to find another owner. There's kind of a reputation game here where you need to understand, Hey, has this owner been with you a long time? [00:16:19] Why are they with you? Are they happy with you? Have they considered transitioning to another manager? Kind of a lot of stuff you would expect. And it is a lot of due diligence, I will say, but I think it has a very large impact on the performance of your property. [00:16:32] Jason: Yeah, no, I think that's significant. [00:16:35] So you've kind of built a platform for your business, correct? With Renjoy. And so tell us a little bit about that. How is that unique? Maybe some others listening might get inspired if they're doing short term management, but explain how, what kind of your, maybe that's your competitive advantage. [00:16:55] Jacob: I would say it is. And this actually, I think Jason would apply for all of your audience, even long term rental property managers. One of the things that we've been thinking really carefully about with our business as we're growing is who owns our data, our property data, our guest data, our owner data, like where's that data being held. [00:17:16] And if it's being held by a third party, like our property management software provider, in our case, Guesty, in your case, you know, AppFolio or whatever, when you think carefully about where that data is going, you have to ask yourself, am I okay with this third party data provider being the one who's going to initiate, you know, improvements to how we interact with our data? [00:17:39] Am I okay with them developing all those features and all that kind of stuff? Or do I want to have control over that based off of my needs and what I see in the market? [00:17:46] Jason: Yeah.
[00:17:47] Jacob: And I'm not saying this is for everybody, but because we are more, I would say, tech focused and tech forward as a company, we've decided to keep that data in house. [00:17:56] And so, we use a third party tool called Airtable. I'm sure some of your audience members will be familiar with this tool. All right. [00:18:02] Jason: Airtable geek. [00:18:03] Jacob: Oh yeah, we love it. [00:18:04] Jason: We run our business off of it. [00:18:05] Jacob: Yeah, exactly. Yeah, exactly. We do too. And so, we use our property management software because you need it. [00:18:12] Right. We use it to handle our reservation data, all the calendars kind of, it's where we actually push all of our listings to market them to acquire the guests and all of our reservation data flows through there as well. But it all flows from our property management software tool into Airtable. And some of it flows back and forth. But what it allows us to do is we can pull in all of our work orders from another software. We can pull in all of our accounting from another software. We can pull in whatever kind of data we want into Airtable. And we can relate the data in ways that you wouldn't otherwise be able to do, if you're using a single tool. [00:18:46] For example, Guesty, our property management software, has work orders in it. It has review management in it. It has accounting in it. It has everything in it. But the problem is, if you use the full suite of services within your main software provider, your property management software provider, typically, each of those ancillary services are not best in class. [00:19:08] And so, you're constrained on what you can do with the tool that you have. And we very much want to be constrained with, you know, our own kind of creativity and our own ability to create efficiency in our business. [00:19:20] Jason: It's kind of like you've got a swiss army knife or one of those multi tools, and it's not the same as having a toolbox of high quality.
[00:19:28] Jacob: That's exactly right. Yeah, but it's complicated and it's costly. I mean, you have to be able to have like specific specialized tools. You then have to know what you're doing to accumulate those tools and have them all talking and speaking to each other, but if you do it right, very powerful. [00:19:44] Jason: Got it. Okay. So, and you're using Guesty PM software and then you've paired it up sort of with Airtable, it's feeding data into Airtable and then because you have it in Airtable, you're able to probably notice patterns more, run reports with the data. You then can create automations and things that happen from, you know, Airtable, maybe, are you using Zapier? [00:20:08] Jacob: Oh, of course. Yeah. We use Zapier and Make as well for certain things. We also do have a little bit of Python scripting, but that's, it's very powerful. [00:20:17] Jason: That's getting really nerdy. [00:20:19] Jacob: So yeah, it's not me. Let's put it that way. It's not me doing it. [00:20:23] Jason: Right. [00:20:24] Jacob: But let me give you an example, Jason, of how these things work together and are really powerful. [00:20:28] So we have a lot of our housekeepers are actually in house now. They're W-2s. They're paid hourly. One of the big challenges is you can't have a manager inspect every single turnover. I mean, we've had like 72 cleans in a single day on Labor Day weekend. So there's no way you can cost effectively have somebody inspect every single clean. [00:20:49] Like it's just not possible. [00:20:51] Jason: Right. [00:20:51] Jacob: And so how do you hold cleaners accountable? How do you actually rank them? How do you know whether they're doing a good job or not? Other than after the fact, the next guest says, "Hey, this place is terrible." [00:21:00] Jason: Right. [00:21:01] Jacob: What we actually do is we do that. When the review is generated. [00:21:05] From a guest stay.
Okay, now if that review mentions any kind of cleanliness issue or whatever, the review is an object in Airtable, then gets linked to the person, that is the cleaner, who is also in Airtable, and we can say, hey, who cleaned before this review? And we can actually tag that review and tie it to the cleaner, the person, and we can rank them. [00:21:26] And so we can say this person has an overall ranking of 4.9 out of 5 on their cleanings over the last however many cleans. We can actually go back and look at every single turnover they did and what was the guest report afterwards. And by that, we can eliminate cleaners who are not doing a good job. [00:21:43] Anybody below 4.9, you just eliminate and then you refill that pipeline. And yeah, by having that connection, it's really powerful. That accountability happens way faster. That's what you're trying to do. If you're trying to speed it up, [00:21:55] Jason: right? Because you have the data, you've got the timestamp of the review. [00:21:59] You can then check who was the cleaner before this review and, you know, and. You know, figure that out and then you can link to the cleaner and then you've got a database of all your cleaners, I'm sure, in Airtable, and all the cleaners in Airtable. You've got these cross links to all their reviews that are affiliated with them. And then you've got a rating that you can see, and so each cleaner is rated in your system, yeah. [00:22:24] Yeah, so you're connecting the reviews to the cleaners. [00:22:27] So you, with that data, you're able to make much faster decisions as to whether, and it's not just like, you know, the really noisy, greasy, squeaky wheels that you're kind of paying attention to. Wow. This cleaner is really horrible. Who did this? [00:22:42] You know, you're able to just look at it almost like a spreadsheet and see, all right, these cleaners are performing at the top. These are not so much.
We're going to send more work to these ones, maybe less to these ones, or these ones are gone. [00:22:53] Jacob: Yeah, that's right. You gamify it too. They enjoy it. I mean, it's a little bit of a friendly competition too. [00:22:58] 'Cause what we do is we display with a dashboard. Hey, who are the top 10 cleaners this month? Or like, it's actually a live dashboard. So like, Hey, who are the top 10 cleaners? You know, we have 35 or 40 cleaners. And so, you know, if you're not on the top 10, you know, you're not on the top 10, but those who are on the top 10 are constantly competing with each other to be the best. [00:23:17] And there's a lot of shuffling going on. So yeah, [00:23:20] Jason: I love that. That's great. [00:23:22] Jacob: That's just one example. There's a lot of things where if you own the data, you can connect it and gain insights in ways you would not otherwise gain from a lot of tools because the people who build the software are not managing property. [00:23:35] So, they don't know what you're trying to understand about your property. They just say, Oh, you need accounting? Here's some accounting. It's like, well, but they don't understand the complexities around trust accounting and how I'm spending money on behalf of the owner. So, they don't make it easy for me to send and receive invoices within their accounting software. [00:23:50] I have to do that outside. Then I have to reconcile it with their trust accounting module. It's like, they just don't understand what you're doing. And so, their tools are often pretty, pretty weak. [00:23:59] Jason: Okay, cool. Yeah, I love Airtable, man. We geek out on it. We use it for our client success database. We use it for our planning system. [00:24:09] We built DoorGrowOS in it. We built our applicant tracking system and hiring system in it. And built a bunch of stuff in it. So if you're a property manager and you're using Airtable, then let me know, like reach out to me.
I'd be curious to see what kind of things other property managers are doing in order to, you know, leverage Airtable. [00:24:30] And how they're using this in their business. I know there's some out there doing it. I've seen it in some of the groups and they're leveraging Airtable to keep track of things. So. All right, Airtable is really cool. Basically, for those that aren't familiar with Airtable, on the surface, it looks like a Google sheet sort of, but the difference is it's beyond just spreadsheets. It's a database software and really it's now considered no code software because to have software, you need input, you need data storage, and then you need output. And so you can build in Airtable forms or things to enter data, or you can even connect it to Zapier or other automation software or tools to feed data into it, so you have input and then you have data storage, and you can build really complicated databases of stuff where things are cross linked, and then based on that you can create dashboards or extensions or output or feed data to other systems based on that data. [00:25:32] And so, yeah, so there's some really cool stuff that you can do with Airtable. So, yeah, so give me another example of something cool that you do in Airtable that you think may be relevant to property managers. [00:25:44] Jacob: Yeah, we actually incorporated our CRM into Airtable and the main reason for that is because Oh, [00:25:52] Jason: Airtable is your CRM? [00:25:54] Yeah. [00:25:55] Okay, got it. [00:25:57] Jacob: There are some limitations with it, of course, but because we're not doing like mass, we're not doing like really mass marketing, we have really good lists. So we're not targeting like a ton of people because it's very B2B. [00:26:07] Jason: Yeah. [00:26:07] Jacob: And we don't necessarily want everybody short term rental. [00:26:09] Like we're very particular on which properties we want to manage.
So anyway, one of the benefits of it is when you're going through the sales process, right? A lot of that process is discovery of property data. Not just owner data, owner problems, whatever. It's also property data. And so, we noticed this huge inefficiency in a lot of sales processes where the salespeople learn all about the property, they get them signed, and then they hand them off and they don't communicate all of the things that they learned about the property. [00:26:38] And then you have to relearn and the owner's like, I already told you this. Like, now I have to tell you about this furnace again, and this AC unit again, and this hot water heater, and this thing about the backyard, and this thing about the sprinkler. This thing about the neighbor, this thing about the, like, there's just on and on. [00:26:49] It's a lot of work for the owner. And so what we've done is we've built that data intake, to your whole point about what software is for, that data intake that the sales person is collecting through the whole process gets built into the system. So that when that lead converts, that opportunity converts into a client. [00:27:07] All of that data goes straight into the property data, and the onboarding team just has to fill in the gaps. And so it really smooths the transition of data from sales to operations. [00:27:18] Jason: Yeah, we sync and merge our CRM, our sales CRM, which is our tool for communication and our text, email, phone, everything feeds through our CRM with our existing clients, with prospective clients, all that, but we have it sync to our client success database for our existing clients that are in our mastermind and our coaching programs. [00:27:42] And it feeds data across. So for example, we'd like to track how many doors our clients have. We have them complete a weekly check-in form in Airtable and they're providing their monthly revenue, their door counts.
We capture this data and we use this to build what we call proof bombs later that are like visual testimonials that people can absorb in seconds, which is an idea I learned from Sharran Srivatsaa, which is the CEO of Real and a brilliant guy, and he taught this to Alex Hormozi. [00:28:13] Alex Hormozi used it in his book launch. As they're showing all these people getting results. And so we have the data to prove that our clients are getting results over time and we can show the time period, so it just feels more credible. And that data syncs over to our CRM and updates their door count, updates these things. So when we're talking with them in the CRM, we can communicate with them. [00:28:36] And so we've, we're always geeking out and optimizing our system, our client success database, everything so that we can better take care of our clients. Like we have a photo of every client's face in our database. We can learn who they are and know who they are and know their names. So when they show up, recognize them. And yeah, so we stalk them a little bit to get a photo or we capture their face on one of the Zoom calls that they show up on or something, but my team are responsible to make sure every client has, we have a photo. [00:29:06] We have the name. We know their current door count. We know what they're working on and, and then yeah, we've got some other really cool things that we've done recently as well, so we're always improving this. And because our key system we run our entire business on is called DoorGrow OS. [00:29:21] It's a planning system that we've built out in Airtable. We coach clients on how to do this as well. And it really, I believe, is our greatest competitive advantage. [00:29:30] Jacob: So do you, like, white label an Airtable instance for those clients?
[00:29:33] Jason: So what we do with our clients is we have an enterprise Airtable account and then we give them, we create or duplicate some of our proprietary Airtables that we built for clients and give them access to these. [00:29:47] Jacob: I think this is brilliant. I actually think if there's any property managers out there who are thinking about this, the value that Jason's offering actually through pre building or pre packaging an Airtable setup on how your processes should flow accordingly. That's actually extremely valuable. It's fascinating that you're doing that, Jason, because we've been thinking about it ourselves for a short time. [00:30:07] Jason: So we never really built the process system, because we partner with Flussos, another company that has this brilliant flowchart process software, [00:30:16] Because I think there's three levels of process I've talked about, but the level one is process documentation, which is really shitty because people don't really read processes. [00:30:26] It's like the owner's manual in the glove box of your car, right? Then there's the next level is checklist and that's okay. We've used Process Street, stuff like that in the past. Some will use LeadSimple. Checklist has its own inherent flaws, that the more complicated the process, the more only one person understands how to change it or edit it or make it work, and then there's like the next, the third level, which is visual workflow, and this is where everybody understands it and they're clear on it. So visual workflow, what that's done is it's allowed me, the nerd, to not have to do processes anymore. My team all understand them. They can see them and they can be crazy complicated because it's like playing with flow chart, Visio. [00:31:06] And that's where the processes are built.
So that's been a game changer for us, but everything else, like our planning system, and our hiring system, this is where I think Airtable really magically shines because we can custom tailor their hiring system for particular needs. Like we have a client who's adding like 114 doors in like, like a month or two, or like he's just has this ridiculous. [00:31:30] And so his biggest constraint is hiring maintenance technicians. And he lost two, he had four. So now he's down. He was down to two. He got on a call with me and he was using our DoorGrow ATS, our applicant tracking system, and we talked with him about cloning the application form, reducing it to get more maintenance techs to flow through, reducing the difficulty and then giving them working interviews, and my coaching for him was you need to be probably hiring four techs a month and firing two or three. [00:32:01] That's right. That's exactly right. Which is very different. And so I explained to him, I was like, you are no longer a property management business because your business now, your biggest constraint, your business now is, and you need to swallow this pill, that your business now is a maintenance talent acquisition company. [00:32:19] And once he like owns that, then he'll move on to another level boss in the video game of business, you know, but that's the business he's in now. It was originally, it was like, Oh, we're in the business of trying to get clients. And then he was in the business of trying to deal with getting on clients. [00:32:34] And now it's maintenance, right, technician. And hiring and keeping that going. So just like short-term rentals is largely a game of cleaning, and hiring. Yeah. No, I mean, we have a recruiter managing cleaners. [00:32:48] Jacob: Yeah. We have a full-time recruiter. I mean, yeah, we have a constant pipeline of cleaners. Same with maintenance techs. [00:32:53] I mean, yeah, it is. It is.
And you have to be shedding them, just like you shed property owners too sometimes. [00:32:59] Jason: Yeah, we also built a rental property analysis tool that our clients use with real estate agents in Airtable. We had some programmers do some custom coding to do some of the more complex formulas that you can't do in Airtable, like amortization schedules and stuff like this. And so they're able to create these really cool one page reports for a rental property that are branded with their branding and have their pricing built into it as a property manager, that they can get the real estate agents that are working with investors, they're working on deals, or trying to attract investors, that they can then put on their rental listings to show how that property could either cash flow or in the long run would be a better investment than maybe investing in the stock market. [00:33:41] Jacob: So it's a great idea. We do something similar. Again, part of our sales process is we, when a lead converts to an opportunity, we basically have this template pro forma that gets generated from fields within Airtable, but it's a Google sheet template. So it allows us to do more, is what we want in the Google sheet, because it's not just a single page. [00:34:00] It's, you know, there's quite a few pages because short term rentals are very complex in terms of setting them up. Your setup costs, your startup costs are quite large and having a reliable, accurate number for startup costs is actually remarkably difficult. With Airbnb, so similar process, you end up with kind of the same result. [00:34:18] Here's an accurate projection. [00:34:20] Jason: Awesome. Well, cool. Well, maybe we'll have to hang out off air and geek out on some Airtable stuff. So, but yeah, this has been our competitive advantage. Largely is our planning system and cadence of annual planning, quarterly planning, monthly planning, and have a database where it's all, like, cross linked.
[00:34:37] And so we In our system team members, and clients that use this their team members show up and there's we're keeping track of all the wins. So there's this culture of winning and Nobody wants to show up getting a red no on their weekly commitments. They're getting they want to get a green Yes, and so this is outside of our daily tactical stuff, this is our strategic goals. [00:35:00] And so it gets my entire team focused on innovation on moving towards goals and outcomes moving forward instead of just their daily tactical work, which we're using DoorGrow Flow or Flussos that visual workflow tool. And so that's allowed us to I think that's our strongest competitive advantage is that [00:35:19] other businesses, usually the entrepreneur comes in, throws out a bunch of goals and ideas and it's like a pulling the pin on a grenade. If they get back from a conference to their team and their team trying to do their tactical daily work and they're like, how are we going to do all this? And there's no real plan or clarity and they rarely achieve any of their goals or outcomes that they're aiming for. [00:35:41] And we, on a weekly basis, our goal is we have sometimes four somewhere between 30 to 50 commitments between everyone on my executive team And they've committed to that week that are going towards our 30 day goals And we get at least our goal is to hit 80 percent and we do that with consistency. Now, years and 80 percent of our goals. [00:36:03] And which means our 30 day goals are largely almost always achieved. And which means our quarterly goals are almost always achieved and annually hit our goals. And so we move really fast. We get a lot of stuff done and we innovate a lot in our coaching business. And I don't think there's. And I work with some of the best coaches in the industry. [00:36:23] So we've really built something. I think that's pretty amazing. And we just, we roll out new things like every month. 
And that innovation has, that system has allowed us to innovate. And I'm, the way we've set up DoorGrow OS and Sarah runs this, my, she's our operator and my wife, she's always like, we vote on things. [00:36:43] We get feedback on things. And she's like, not you, Jason, you're last. Like I'm always last to speak. So I don't end up as the emperor with no clothes in my own business. So anyway, yeah, Airtable is pretty cool. So, yeah, that'd be interesting to see if there's some other ways in which our clients could leverage or use Airtable for keeping track of their own clients because that's not something we played around much with, but. [00:37:06] Jacob: Yeah. Yeah, absolutely. [00:37:08] Jason: Cool. Well, Jacob, for those that are interested in getting their property managed by you, what, which markets do you cover and how do they get ahold? [00:37:18] Jacob: Yeah. So we do have full service management in Colorado, kind of, Southern Colorado, so South of Denver, Colorado Springs, and then further West. [00:37:27] And we also manage in Gulf Coast, Florida between Tampa Bay and Fort Myers. So, we're in these two geographic areas for full service, but going back to the pricing thing, we've realized that there are a lot of property owners who love the hospitality side of the Airbnbs, but not the pricing side. That's not why they got into it. [00:37:46] We actually do have a pricing service. Where we market and distribute your listing on a bunch of different booking channels. So a lot of people are seeing your listing and we do the daily pricing for your property. So you don't have to do that. And then you do the cleaning, the maintenance, and the interaction with the guests. [00:38:03] You take care of the property. It's your account. They're your reviews. They're your guests. We don't interact with them. And that is global, a global service. [00:38:11] Jason: Oh, so that's a service that property managers could use, self managers could use. Yep. Okay. Yeah.
Great. In fact, [00:38:17] Jacob: we do have some small property managers using it. [00:38:19] Jason: Alright, cool. So, how does that work? [00:38:23] Jacob: Yeah, so it really depends on the client. Like with a property manager and some property managers are for their own portfolios. Some, you know, are managing for others. It really depends on the property situation and the setup that's currently in place. But the most common thing is there's an owner operator who says, Hey, I don't want to do the pricing. [00:38:40] I'm getting crushed by my competitors because I'm not doing this algorithmic based pricing and I'm not reviewing it daily. So we come in and we say, okay, great. I see you're on Airbnb or I see you're on VRBO or I see you're just on Airbnb and VRBO. What we do is we come in and we create a bunch more booking channels for you and we aggregate it into a white labeled property management software. [00:39:00] It's not Guesty actually. It's a different software tool. So the owner only has one place to go for their calendar, for their messaging. It's all in one place. They don't have to do anything. And then we create those listings and then we market them and then we continue to price them on an ongoing basis and to reset their prices [00:39:16] to compete in whichever market they're in. [00:39:18] Jason: Got it. And is this a fairly affordable service? It is. [00:39:22] Jacob: Yes, it's very low cost compared to full service short term rental management. And it also doesn't have any, like, contracts or anything. It's just day to day. [00:39:29] Jason: Okay, devil's advocate, what if, some listening might be like, well, why would I trust them to price my property when they might have properties in my market? [00:39:38] Like, if they're in a market that you're in, like Colorado, what if they're going to price theirs better or more competitively than my own. [00:39:45] Jacob: That's a great question. Yeah. No, it's a great question.
And actually it's related to kind of one of the things that we set out strategically for our market. [00:39:53] Like Colorado Springs, we manage about 120 properties in Colorado Springs out of about 3000 Airbnbs. And we kind of set our market cap at about, or sorry, as large, our market saturation at about 200 units in the Springs. So, we actually won't go above managing 200 properties in Colorado Springs for this very reason. [00:40:10] The cannibalizing of market share. Now, that gets even more detailed where it's not just properties total, but also comp sets. So, if we have more than, let's say, 10 percent of the two bedroom properties in Colorado Springs, we're going to start cannibalizing our own market. And so, we actually have limits on the sizes of properties within our specific markets. [00:40:30] So, right now we actually are pretty, we're pretty darn close to being capped out at one bedrooms and two bedrooms. So, we don't really take on those units anymore. [00:40:38] Jason: Got it. Just 10 bedrooms now. [00:40:41] Jacob: Yeah, that's right. 3, 4, 5, 6. We don't have any 10s. We have a 9, but that's the biggest. [00:40:48] Jason: Yeah. You're not in some giant family reunion markets? [00:40:52] Jacob: No, we are. We're in Two Springs. I mean, that place sleeps, I'm talking to a lady now. She's got a place that sleeps 60. So, that'll be That would be a family reunion for sure. [00:41:02] Jason: Well, cool. So that sounds like an interesting service. Maybe I'll have Sarah check it out. So, cause I know she's checking the pricing every day. [00:41:09] I think she kind of enjoys it though. [00:41:11] Jacob: Yeah, that's totally fine. Yeah. If you enjoy it, then we are not, you know, like it's for people who is like pulling teeth, right? Like I hate doing this. I don't, or I'm not like really into the whole game theory around pricing. Like that doesn't interest me. That kind of thing. [00:41:25] Jason: Yeah. 
I mean, yeah, it'd be interesting to have her do a demo with you guys and see how it compares to what she's doing and whether she would trust it or not. Yeah. That'd be interesting. I mean, she's checking [00:41:35] Jacob: it every day, Jason, she's probably doing, you know, she's already like 85 percent of the way there. [00:41:40] Yeah. [00:41:41] Jason: Yeah. I don't know, but I think it's interesting. There's you know, there's a lot of property managers that do short term rentals that they're not doing anything like this. And they just not, and they basically set it sort of at a rate that's similar and maybe occasionally they'll adjust it, but they're trying to just let it happen and yeah. [00:42:02] And then the owners get frustrated because they're like, why isn't this renting out as often? Or, you know, it's renting out a lot, but why am I not getting paid very much? You know? [00:42:11] Jacob: Yeah. It's this passive versus active approach, right? I always tell owners like, Hey, there's two kinds of demands. There's existing demand for short term lodging. [00:42:20] These are people who are coming to your market no matter what. They're already coming, now they're looking for lodging. But there's a second kind of demand that's really important, which is the generated demand. These are people who aren't coming to your market and wouldn't otherwise come to your market if you hadn't reached out to them first. [00:42:34] So you're generating demand by marketing, essentially. And so we have a pretty sophisticated system for marketing to very specific or very likely customers to then book and come and stay because of your property that they wouldn't otherwise have come. And so that's a really big distinction with a lot of property managers. [00:42:52] They just look at existing demand and try to capture their share of existing demand versus generating net new demand. So as an example of how we do this. 
We require our owners to have our tech package in their property. And part of what is included in that tech package is a commercial wifi router system. [00:43:10] So every guest, not just the one who books the property, but every guest who comes to the property and wants to access the internet has to give us their phone and email. And so we build a massive database for marketing towards for guests, direct guest marketing. [00:43:23] Jason: Wow. Okay. [00:43:24] Jacob: A lot of managers don't do that. [00:43:26] Jason: So, the managers out there that would, these pieces, they don't even enjoy doing it. Like the advanced pricing service. And maybe there's some other little things you can help them with as well. They can reach out to you and get this and you said you mentioned white label does that mean they're able to still maintain their brand and people aren't in your business name. [00:43:46] And yeah. [00:43:46] Jacob: Yeah, absolutely [00:43:48] Jason: Okay, very cool. Yeah, cool. Anything else you'd like to share before we wrap up? [00:43:54] Jacob: The only thing I want to share with all the property managers out there is keep on doing the hard work. For those who are outside the industry, they don't understand the challenge of the beat down that can be property management. So just keep it up and do the good work that it is. [00:44:07] Jason: Yeah, it can be challenging. Well, All right. Thanks for Somebody jump on I don't know who that was All right. Thanks for hanging out with us until next time everybody to you know until next time to our mutual growth if you're interested in getting connected with Jacob. How do they reach you? [00:44:24] Jacob: Just go to www.renjoy.com and just fill out a form and you'll get ahold of me. [00:44:30] Jason: Okay. Awesome. 
Well then, if reach out to them and then if you are interested in growing your property management business and scaling it and getting some support in how to reach out and attract more owners to do third party management, check doorgrow.com [00:44:46] and make sure to join our free Facebook group at doorgrowclub.com. All right. Thanks, Jacob. And bye everyone. Thanks, Jason. Bye [00:44:53] Jacob: everyone. Bye. [00:44:54] Jason: You just listened to the #DoorGrowShow. We are building a community of the savviest property management entrepreneurs on the planet in the DoorGrowClub. Join your fellow DoorGrow Hackers at doorgrowclub.com. Listen, everyone is doing the same stuff. SEO, PPC, pay-per-lead content, social direct mail, and they still struggle to grow! [00:45:21] At DoorGrow, we solve your biggest challenge: getting deals and growing your business. Find out more at doorgrow.com. Find any show notes or links from today's episode on our blog doorgrow.com, and to get notified of future events and news subscribe to our newsletter at doorgrow.com/subscribe. Until next time, take what you learn and start DoorGrow Hacking your business and your life.
In this episode of CISO Tradecraft, hosted by G Mark Hardy, you'll learn about four crucial tools in cloud security: CNAPP, CASB, CSPM, and CWPP. These tools serve various functions like protecting cloud-native applications, managing access security, maintaining cloud posture, and securing cloud workloads. The discussion covers their roles, benefits, key success metrics, and best practices for CISOs. As the cloud security landscape evolves, understanding and integrating these tools is vital for keeping your organization safe against cyber threats. Transcripts: https://docs.google.com/document/d/1Mx9qr30RuWrDUw1TLNkUDQ8xo4xvQdP_ Chapters 00:00 Introduction to Cloud Security Tools 02:24 Understanding CNAPP: The Comprehensive Cyber Defense 08:13 Exploring CASB: The Cloud Access Gatekeeper 11:12 Diving into CSPM: Ensuring Cloud Compliance 13:40 CWPP: Protecting Cloud Workloads 15:08 Best Practices for Cloud Security 15:54 Conclusion and Final Thoughts
Have you ever wondered what it takes to transform cloud security? In this episode of Tech Talks Daily, we explore the intricacies of cloud security with Snir Ben Shimol, the CEO and co-founder of Zest Security. Snir's journey is nothing short of extraordinary—an Israeli intelligence alumnus with over 15 years of experience in security research and product management, he's deeply familiar with the challenges of cybersecurity. Having already built a successful company that was acquired by Palo Alto Networks, Snir couldn't stay away from the field for long. His latest venture, Zest Security, is designed to address the most pressing cloud security challenges businesses face today. Zest Security was born out of Snir's and his co-founder Uri Aronovici's firsthand frustrations with cloud risk remediation processes. Both ex-Israeli Intelligence officers, Snir and Uri have a combined experience of over 25 years in cloud, product, and application security. Their deep understanding of security issues has fueled their mission to drastically reduce the time it takes to remediate cloud security vulnerabilities—from weeks to mere hours. What sets Zest apart is its seamless integration with existing tools and DevOps workflows, automating and simplifying the remediation process. During our conversation, Snir shares how Zest Security's platform is redefining how organizations tackle cloud security vulnerabilities. We explore how their solution connects with cloud environments and security products to offer both immediate mitigation and long-term remediation. We also discuss the current challenges in cloud security, including the startling statistic that only about 50% of identified security issues get fixed due to various constraints. Snir's vision is to make resolution platforms a standard component of cloud security, sitting alongside tools like CSPM and EDR. 
This episode is packed with insights into the future of cloud security, the role of AI and automation in vulnerability management, and how customer feedback is shaping the evolution of Zest Security's platform. As businesses increasingly rely on cloud services, Snir's expertise offers a valuable perspective on how to stay ahead of the ever-evolving threats in cybersecurity. How can organizations better protect themselves in this digital age, and what role will platforms like Zest play in this journey? Tune in to find out, and don't forget to share your thoughts on this transformative approach to cloud security.
Think of CSPM as your personal security inspector for the cloud. It's a suite of tools and processes designed to continuously monitor and identify security weaknesses in your cloud environment. CSPM acts as your vigilant guardian, proactively searching for misconfigurations, unauthorized access attempts, and potential vulnerabilities within your cloud infrastructure.
Summary
In this episode of the Blue Security Podcast, Andy and Adam discuss Defender CSPM (Cloud Security Posture Management). They explain that CSPM is the process of monitoring cloud-based systems and infrastructure for risks and misconfigurations. They highlight the key capabilities of CSPM, including automation, monitoring and managing IaaS, SaaS, and PaaS platforms, and ensuring regulatory compliance. They also introduce Defender CSPM, a paid subscription service that offers additional features such as agentless scanning, container vulnerability assessments, and DevOps security. They mention the inclusion of Entra Permissions Management and external attack surface management in Defender CSPM. They emphasize the value of Defender CSPM for regulatory compliance and the ease of reporting on security posture against specific standards.
Takeaways
- CSPM is the process of monitoring cloud-based systems and infrastructure for risks and misconfigurations.
- Defender CSPM is a paid subscription service that offers additional features such as agentless scanning, container vulnerability assessments, and DevOps security.
- Defender CSPM includes Entra Permissions Management and external attack surface management.
- Defender CSPM is valuable for regulatory compliance and provides ease of reporting on security posture against specific standards.
YouTube Video Link: https://youtu.be/lqvWnxyQqVs
Documentation:
https://learn.microsoft.com/en-us/azure/defender-for-cloud/concept-cloud-security-posture-management
https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-devops-introduction
https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-cloud-introduction#protect-cloud-workloads
https://learn.microsoft.com/en-us/azure/defender-for-cloud/concept-devops-environment-posture-management-overview
Contact Us: Website: https://bluesecuritypod.com Twitter: https://twitter.com/bluesecuritypod Linkedin: https://www.linkedin.com/company/bluesecpod Youtube: https://www.youtube.com/c/BlueSecurityPodcast
Andy Jaw: Twitter: https://twitter.com/ajawzero LinkedIn: https://www.linkedin.com/in/andyjaw/ Email: andy@bluesecuritypod.com
Adam Brewer: Twitter: https://twitter.com/ajbrewer LinkedIn: https://www.linkedin.com/in/adamjbrewer/ Email: adam@bluesecuritypod.com
How do you secure the AWS cloud using AWS Lambda? We spoke to Lily Chau from Roku at BSidesSF about her experience and innovative approach to tackling security issues in AWS environments. From deploying IAM roles to creating impactful playbooks with AWS Lambda, Lily shared her take on automating remediation processes. We spoke about the challenges of managing cloud security with tools like CSPM and CNAPP, and how Lily and her team took a different approach that goes beyond traditional methods to achieve real-time remediation. Guest Socials: Lily Twitter Podcast Twitter - @CloudSecPod If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - Cloud Security Podcast- Youtube - Cloud Security Newsletter - Cloud Security BootCamp Questions asked: (00:00) Introduction (01:56) A bit about Lily (02:27) What is Auto Remediation? (03:56) Example of Auto Remediation (05:19) CSPMs and Auto Remediation (06:58) Make Auto Remediation in Cloud work for you (09:49) Where to get started with Auto Remediation? (11:52) What defines a High Impact Playbook? (12:58) Auto Remediation for Lateral Movement (14:35) What is running in the background? (16:41) What skillset is required? (19:08) The Fun Section Resources for the episode: Lily's talk at BSidesSF
On this week's show Patrick Gray and Mark Piper discuss the week's security news, including:
- What on earth happened at Snowflake?
- A look at Operation Endgame
- Check Point's hilarious adventures with dot dot slash
- Report says the FTC is looking at Microsoft's security product bundling
- More ransomware hits Russia
- Much, much more
404 Media co-founder Joseph Cox is this week's feature guest. He joins us to talk about his new book, Dark Wire, which is all about the FBI's Anom sting. This week's show is brought to you by Resourcely. If your Terraform is a mess or your CSPM dashboards are lighting up with insane and stupid things, you should check out Resourcely. Its founder and CEO Travis McPeak will be along in this week's sponsor interview to talk about all things Terraform.
Show notes
- The Snowflake breach and the need for mandatory MFA
- Snowflake at centre of world's largest data breach | by Kevin Beaumont | Jun, 2024 | DoublePulsar
- Cloud company Snowflake denies that reported breach originated with its products
- 'Operation Endgame' Hits Malware Delivery Platforms – Krebs on Security
- Treasury Sanctions Creators of 911 S5 Proxy Botnet – Krebs on Security
- TikTok warns of exploit aimed at 'high-profile accounts'
- SEC clarifies intent of cybersecurity breach disclosure rules after initial filings | Cybersecurity Dive
- SEC.gov | Disclosure of Cybersecurity Incidents Determined To Be Material and Other Cybersecurity Incidents[*]
- Nurses at Ascension hospital in Michigan raise alarms about safety following ransomware attack
- London hospitals declare emergency following ransomware attack | Ars Technica
- North Korea's 'Moonstone Sleet' using fake tank game, custom ransomware in attacks
- OpenAI models used in nation-state influence campaigns, company says
- National Vulnerability Database | NIST
- More than 600,000 routers knocked out in October by Chalubo malware
- Hackers steal $305M from DMM Bitcoin crypto exchange | TechCrunch
- Germany's main opposition party hit by 'serious' cyberattack
- Cyberattack disrupts operations of supermarkets across Russia
- Rare earths miner targeted in cyber attack prior to removal of Chinese investors - ABC News
- Check Point - Wrong Check Point (CVE-2024-24919)
- Kevin Beaumont: "The latest Risky Business epis…" - Infosec Exchange
- This Hacker Tool Extracts All the Data Collected by Windows' New Recall AI | WIRED
- FTC-industry talks over possible Microsoft probe raised recent hacking incidents - Nextgov/FCW
- Tim Schofield
Is having a CSPM enough for Cloud Security? At RSA Conference 2024, Ashish sat down with returning guest Jimmy Mesta, Co-Founder and CTO of RAD Security, to talk about the complexities of Kubernetes security and why traditional Cloud Security Posture Management (CSPM) sometimes falls short in a Kubernetes-centric world. We speak about the significance of behavioural baselining, the limitations of signature-based detection, the role of tools like eBPF in enhancing real-time security measures, and the importance of proactive security and of a paradigm shift from reactive alert-based systems to a more silent and efficient operational model. Guest Socials: Jimmy's Linkedin Podcast Twitter - @CloudSecPod If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - Cloud Security Podcast- Youtube - Cloud Security Newsletter - Cloud Security BootCamp Questions asked: (00:00) Introduction (03:12) A bit about Jimmy Mesta (03:48) What is Cloud Native Security? (05:15) How is Cloud Native different to traditional approach? (07:37) What is eBPF? (09:12) Why should we care about eBPF? (11:51) Separating the signal from the noise (13:48) Challenges on moving to Cloud Native (15:58) Proactive Security in 2024 (17:02) Who's monitoring Cloud Native alerts? (23:10) Getting visibility into the complexities of Kubernetes (24:24) Skillsets and Resources for Kubernetes Security (27:54) The Fun Section Resources spoken about during the interview: OWASP Kubernetes Top Ten
Christian Koberg Pineda, Principal Security DevOps Engineer, joins Erica Toelle and guest host Bojan Magusic, on this week's episode of Uncovering Hidden Risks. In today's episode Erica, Christian and Bojan explore the complexities of managing security across multiple cloud platforms, highlighting the importance of standardization and centralized management. They also cover some of the challenges in identity management, securing cloud-native applications, and the evolving role of AI in both enhancing and threatening cloud security. Christian and Bojan share with Erica the need for innovative, adaptable approaches to stay ahead in the rapidly changing cloud security landscape. In This Episode You Will Learn: Importance of standardization and centralization for security solutions Centralizing identity management to handle multiple identity providers Implementing security checks in development pipelines to detect vulnerabilities Some Questions We Ask: What should organizations consider when standardizing CSPM across multiple clouds? How can organizations defend against next-gen AI attacks on cloud infrastructure? What future factors will impact securing multi-cloud environments? Resources: Download the “2024 State of Multicloud Security Report" today to identify your greatest risks and learn actionable strategies for strengthening multicloud security. View Christian Koberg Pineda on LinkedIn View Bojan Magusic on LinkedIn View Erica Toelle on LinkedIn Related Microsoft Podcasts: Afternoon Cyber Tea with Ann Johnson The BlueHat Podcast Microsoft Threat Intelligence Podcast Discover and follow other Microsoft podcasts at microsoft.com/podcasts Uncovering Hidden Risks is produced by Microsoft and distributed as part of N2K media network.
What are the practical steps for orienting yourself in a new cloud environment? Ashish sat down with Rich Mogull and Chris Farris to explore the intricacies of effective cloud security strategies. Drawing on their extensive experience, Rich and Chris speak about the critical importance of moving beyond just addressing vulnerabilities and embracing a more comprehensive approach to cloud security. Rich and Chris share their professional experiences and practical advice for anyone who finds themselves "airdropped" into an organization's cloud environment. They also discuss the development of the Universal Threat Actor Model and how it can help prioritize security efforts in a chaotic landscape of constant alerts and threats. Guest Socials: Rich's Linkedin + Chris's Linkedin Podcast Twitter - @CloudSecPod If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - Cloud Security Podcast- Youtube - Cloud Security Newsletter - Cloud Security BootCamp Questions asked: (00:00) Introduction (02:26) A bit about Chris Farris (03:10) A bit about Rich Mogull (03:45) First Cloud Service they worked on! (06:27) Where to start in an AWS environment? (10:50) Cloud Security Threat Landscape (15:25) Navigating through the CSPM findings (18:14) Using the Universal Cloud Threat Model (23:16) How is Cloud Ransomware different? (25:44) Surprising attacks or compromises in Cloud (29:43) Where are the CSPM Alerts going? (36:30) Cloud Security Landscape in 2024 (45:37) The need for Cloud Security training in 2024 (46:58) Good starting point to learn Cloud Security (52:13) The Fun Section Resources spoken about during the episode: The Universal Cloud Threat Model AWS Customer Security Incidents by Rami McCarthy Breaches.cloud CloudSLAW
Gil is co-founder and CEO of Orca Security, one of the leading cloud security platforms on the market today. The company was last valued at 1.8 billion dollars in late 2021. Orca has 8 co-founders, and Gil started as Chief Product Officer before taking the CEO reins last year. We talk more about this dynamic in the episode. Before Orca, Gil worked at Check Point for a decade where he gained experience across a variety of different cutting-edge domains including mobile security, advanced threat protection, and cloud gateway. In the episode, we discuss the commoditization of the CSPM space, the relevance of AI in cloud security remediation, and the strategy for Orca moving forward including regional expansion. Orca Website: orca.security Sponsor: vulncheck.com
Guests: None Topics: What have we seen at RSA 2024? Which buzzwords are rising (AI! AI! AI!) and which ones are falling (hi XDR)? Is this really all about AI? Is this all marketing? Security platforms or focused tools, who is winning at RSA? Anything fun going on with SecOps? Is cloud security still largely about CSPM? Any interesting presentations spotted? Resources: EP171 GenAI in the Wrong Hands: Unmasking the Threat of Malicious AI and Defending Against the Dark Side (RSA 2024 episode 1 of 2) “From Assistant to Analyst: The Power of Gemini 1.5 Pro for Malware Analysis” blog “Decoupled SIEM: Brilliant or Stupid?” blog “Introducing Google Security Operations: Intel-driven, AI-powered SecOps” blog “Advancing the art of AI-driven security with Google Cloud” blog
How is your Cloud Incident Preparedness? Is your CSPM enough? Ashish spoke to Ariel Parnes, Co-Founder and COO at Mitiga, about the concept of "Assume Breach" and its importance in developing a proactive cloud security framework. If you are looking to understand the nuances of cloud incident response and being prepared for incidents, the effectiveness of current tools, and the future of cloud security operations strategy, then this episode is for you. Guest Socials: Ariel Parnes Podcast Twitter - @CloudSecPod If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - Cloud Security Podcast- Youtube - Cloud Security Newsletter - Cloud Security BootCamp Questions asked: (00:00) Introduction (02:46) A bit about Ariel Parnes (04:02) Cybersecurity in the world of Cloud (06:07) What is Cloud Incident Preparedness? (08:40) Reality of Cloud Incident Preparedness (11:16) Does a CSPM help with Incident Preparedness? (13:54) Should logs be sent to SIEM? (15:59) What's a good starting point for Incident Preparedness? (18:31) Gaining deep visibility in your cloud environment (19:50) Do you need a Security Data Lake? (25:56) Demonstrating ROI for Security Operations (28:28) Importance of Human Factor in Security Operations (30:51) Low-hanging fruit to strengthen cloud operations (32:31) The Fun Questions
- First off, tell us a bit about yourself, what you're up to and how you have gotten where you are career wise
- What are some of the key differences with cloud-native security?
- There's a lot of acronyms in the cloud-sec space, such as CWPP, CSPM, KSPM and so on. Can you unpack a few of these for the audience and what they mean?
- This also infers there's a lot of different tools and capabilities to manage. Why do you think it is important to have a comprehensive platform to bring it together, to avoid tool sprawl and cognitive and alert fatigue?
- There's a lot of focus of course on shifting security left, and CI/CD pipelines and so on, but I know you also focus on runtime security. What makes runtime security so crucial in the cloud context?
- Can you tell us a bit about Aqua Security, what you all do and what makes you unique from some of the other platform providers and security companies out there?
- What does the term "cyber resilience" mean to you?
Kubernetes security cannot be about Kubernetes alone; it is more like securing a datacenter within another datacenter. In this episode with Tim Miller we spoke about CNAPP and how to approach Kubernetes security. Thank you to our episode sponsor Outshift by Cisco Guest Socials: Tim's Linkedin (@timothyemiller) Podcast Twitter - @CloudSecPod If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - Cloud Security Newsletter - Cloud Security BootCamp Questions asked: (00:00) Introduction (02:42) A bit about Tim Miller (03:35) What is CNAPP? (04:30) Traditional Kubernetes Security (05:18) Where to put a CNAPP? (06:20) CSPM vs CNAPP (09:00) Attack Path Analysis (11:05) Kubernetes Attack Path (12:43) The team you need (14:06) Resources to learn more (16:24) Fun Question
Mike Melo, CISO and head of technology at LifeLabs, talks about his approach to innovation and insights on leading cloud security tools. About Mike Melo: "Heavily focused on people and integrity-led progression, Mike Melo is a Senior IT Executive and Chief Information Security Officer (CISO) with over 15+ years of experience advancing operational efficiencies, cyber indomitability, and overall organizational success. Currently serving as the CISO & VP IT Shared Services for LifeLabs in Canada, Mike holds an extensive background involving agile risk mitigation, post-breach transformation, security architecture, cross-functional technical leadership, regulatory compliance, and the art of developing high-performing team environments that are as positive as they are productive. In addition, he is passionate about not only helping industry leaders rectify security weaknesses while attaining sustainable protection, but doing so in such a way that ultimately propels their competitive capacities and growth initiatives forward. Prior to his most recent role overseeing multi-million cybersecurity programs and their implementation across organizational systems, Mike initially worked as an International Information Security Officer, quickly scaling to hold several C-level roles under LifeLabs. Notably, this includes being an IT Security Lead, where Mike had the opportunity to support the tech team in rendering new security program development and overseeing the inception of the Incident Response program. More formerly, Mike became a CISO in December of 2019. That said, Mike's ambitions for security excellence were also done in conjunction with ongoing side affiliations supporting various professional engagements, keynote presentations/talking panels, and public contributions. 
Namely, this involves being a Board Member and Co-Chair of the Operations Committee for the Canadian Cyber Threat Exchange, a CISO Co-Chair for Evanta, and an active Board Member of HUMINT Cybersecurity Recruitment. Furthermore, Mike's devotion to bridging security gaps and innate avocation for making cybersecurity knowledge accessible has not gone unnoticed. Mike currently resides in Calgary with his wife and two children who inspire him to always become better than the day before, and enjoys spending his free time playing guitar - including attending Berklee College of Music in the evenings for guitar performance." SPONSOR NOTE: Support for Cloud Ace podcast comes from SANS Institute. If you like the topics covered in this podcast and would like to learn more about cloud security, SANS Cloud Security curriculum is here to support your journey into building, deploying, and managing secure cloud infrastructure, platforms, and applications. Whether you are on a technical flight plan, or a leadership one, SANS Cloud Security curriculum has resources, training, and certifications to fit your needs. Focus on where the cloud is going, not where it is today. Your organization is going to need someone with hands-on technical experience and cloud security-specific knowledge. You will be prepared not only for your current role, but also for a cutting-edge future in cloud security. Review and Download Cloud Security Resources: sans.org/cloud-security/ Join our growing and diverse community of cloud security professionals on your platform of choice: Discord | Twitter | LinkedIn | YouTube
Tim Miller (@broadcaststorm, Technical Marketing Engineer, Outshift by @Cisco) talks about new ways to approach the overwhelming security challenges created by cloud-native apps and multi-cloud.
SHOW: 767
CLOUD NEWS OF THE WEEK - http://bit.ly/cloudcast-cnotw
NEW TO CLOUD? CHECK OUT - "CLOUDCAST BASICS"
SHOW SPONSORS:
Datadog Security Solution: Modern Monitoring and Security. Start investigating security threats before they affect your customers with a free 14 day Datadog trial. Listeners of The Cloudcast will also receive a free Datadog T-shirt.
CloudZero – Cloud Cost Visibility and Savings. CloudZero provides immediate and ongoing savings with 100% visibility into your total cloud spend.
SHOW NOTES:
Panoptica (homepage)
Outshift by Cisco (Emerging Technologies)
Panoptica - Open Clarity (open source projects)
Topic 1 - Welcome to the show. Tell us a bit about your background and what you focus on these days at Outshift by Cisco.
Topic 2 - Let's begin by talking about the security challenges that come with modern applications and cloud environments.
Topic 3 - The classic challenges of security have always been too many tools, not enough people, lots of misconfigurations, tons of red on the dashboard. Are there new approaches that are trying to address these challenges?
Topic 4 - Talk to us about this concept of "Attack Path Analysis". What is it? What is it trying to accomplish that we didn't/couldn't do before?
Topic 5 - How does Panoptica address many of these challenges? How does it integrate with the many areas of the entire picture, from IaC to CI/CD to Observability?
Topic 6 - What are some differences that DevOps teams might experience by using Attack Path Analysis?
FEEDBACK?
Email: show at the cloudcast dot net
Twitter: @thecloudcastnet
Guests: Tomer Schwartz, Dazz CTO
Topics: It seems that in many cases the challenge with cloud configuration weaknesses is not their detection, but remediation, is that true? As far as remediation scope, do we need to cover traditional vulnerabilities (in stock and custom code), configuration weaknesses and other issues too? One of us used to cover vulnerability management at Gartner, and in many cases the remediation failures [on premise] were due to process, not technology, breakdowns. Is this the same in the cloud? If still true, how can any vendor technology help resolve it? Why is cloud security remediation such a headache for so many organizations? Is the friction real between security and engineering teams? Do they have any hope of ever becoming BFFs? Doesn't every CSPM (and now ASPM too?) vendor say they do automated remediation today? How should security pros evaluate solutions for prioritizing, triaging, and fixing issues?
Resources:
Video (YouTube, LinkedIn)
Cloud Security Remediation for Dummies
EP3 Automate and/or Die?
EP67 Cyber Defense Matrix and Does Cloud Security Have to DIE to Win?
EP54 Container Security: The Past or The Future?
EP138 Terraform for Security Teams: How to Use IaC to Secure the Cloud
EP117 Can a Small Team Adopt an Engineering-Centric Approach to Cybersecurity?
A Guide to Building a Secure SDLC
8 Megatrends drive cloud adoption—and improve security for all
Uncover the mysteries of IT, Scale, and Designing for Success with our special guest, Ganesh, a seasoned engineer, technologist, and entrepreneur. We take a deep dive into his venture into cybersecurity and his revelation of the potential harm that could be inflicted by those with similar knowledge. Together, we traverse the terrain of designing for scale, while sharing lessons learned along the way. Venture with us as we discuss the hurdles faced by startups in their quest for the elusive product-market fit. With Ganesh's insights, we illuminate the journey, highlighting the importance of finding the right customer partner and the necessity for resilience in the face of adversity. We also delve into the concept of overnight success, providing a fresh perspective on the importance of persistence, even when the road gets tough. As the episode evolves, we shift our focus to the challenges and perks of cloud-based applications. We share our insights on the distinct approach required for security in modern cloud-native applications, considering the scale, diversity, and rate of change organizations must handle in addressing these security issues. Ganesh further enriches the conversation by sharing the evolution of his cloud security product and its significant improvements in usability and value in just 18 months. Join us for this enlightening conversation, as we wrap up discussing the rapidly changing nature of cloud solutions and how companies can stay updated.
LinkedIn: https://www.linkedin.com/in/ganesh-pai/
Website: https://www.uptycs.com/
Support the show
Affiliate Links:
NordVPN: https://go.nordvpn.net/aff_c?offer_id=15&aff_id=87753&url_id=902
Follow the Podcast on Social Media!
Instagram: https://www.instagram.com/secunfpodcast/
Twitter: https://twitter.com/SecUnfPodcast
Patreon: https://www.patreon.com/SecurityUnfilteredPodcast
YouTube: https://www.youtube.com/@securityunfilteredpodcast
TikTok: Not today China! Not today
Listen in as Charlie Webb, CPPL, speaks with Malinda Elammari, Clinical Education Specialist at Healthmark Industries. Today's discussion covers the different packaging workflows of medical device manufacturers versus hospitals and clinics. During this discussion, Charlie and Malinda cover the critical importance of preventative and predictive maintenance.
Guest Description:
Malinda Elammari, CST, CSPM, CSPDT, CFER, CSIS, CRCST, CIS, CHL, CER, CLSSGB
Malinda Elammari is a Clinical Education Specialist for Healthmark Industries. She began her career in the medical field as a Certified Surgical Technologist specializing in Open-Heart surgery. Throughout her career, Malinda has served in a variety of positions within SPD, such as Interim Director of Education and Quality, Sterile Processing Educator and Quality Control Manager, Clinical Operations Manager, OR Liaison, and an Endoscopic Service Rep. In addition, Malinda was the lead instructor for the Central Sterile program at Durham Technical Community College. She holds several certifications in sterile processing through CBSPD and HSPA. Malinda is a TeamSTEPPS Master trainer and is certified as a Lean Six Sigma Green Belt. She is an active member of AAMI and sits on multiple national standard writing committees. Malinda sits on the Editorial Board for AAMI Publications and is a project manager for KiiP's Aseptic Presentation subgroup. She is a graduate of Duke's Innovation & Entrepreneurship program and Duke's Technical Excellence Program. She currently serves as president for the North Carolina HSPA chapter.
Contact: melammari@hmark.com
Tools that automate the identification and remediation of cloud misconfigurations. CyberWire Glossary link: https://thecyberwire.com/glossary/cloud-security-posture-management Audio reference link: Josh Whedon. 2005. Serenity [Movie]. IMDb. URL https://www.imdb.com/title/tt0379786/
In today's episode, we untangle the web of alphabet-soup technologies: CSPM, VM, SIEM, and Log Aggregators. We go beyond the buzzwords to give you a no-nonsense look at how these tools fit together, complement each other, or might even replace one another in specific use-cases. Selecting the right tool can be overwhelming, and we're here to guide you through the when, where, and how of leveraging these technologies effectively. Whether you're encountering overlapping features or unique challenges, we'll help you make a savvy, informed choice for your workloads. Tune in for a practical guide to navigating the complex landscape of cybersecurity tools.
What do you do when your daily log entries increase by a factor of fifty? Shane Barney of USCIS describes that prior to the cloud he had about 200GB of log data a day; after the move to the cloud, this was multiplied by 50, and they are now at 10TB a day. Obviously, it is not possible to use old tools for a workload this large. Everyone reading this knows that when the federal government made the move to the hybrid cloud, they became deluged with data. The solution discussed today is something called Cloud Security Posture Management. This is an approach that automates identification and remediation of risks across cloud infrastructures. During the interview, the federal leaders gave examples of how they had gone through a digital transition and assumed everything was configured properly. After the transition, the error became obvious. One takeaway is that pilots have checklists, and systems administrators need an automated checklist to look for compliance issues and misconfigurations. Jeffrey Lush, U.S. Air Force, summarizes the need clearly: there is a gap between what you know and what you don't know. Each expert observed that managing a cloud network gives better visibility, for instance, being alerted when there are open ports that are potentially exposed to the Internet. Further, an approach that includes CSPM can give administrators monitoring, validation, and compliance specifically tied to many areas of Zero Trust. The net result is early threat detection. In a rare instance of validation of a digital transformation, Shane Barney estimates that his agency saved $25 million by deploying a Cloud Security Posture Management system.
Twitter: @FedInsider
LinkedIn: https://www.linkedin.com/company/fedinsider/
Facebook: https://www.facebook.com/FedInsiderNews
Are you using Microsoft Sentinel? Richard talks to Cloud Security Advocate Sarah Young about Sentinel, Microsoft's Security Information and Event Management (SIEM) solution. Sarah talks about the role of the SIEM in creating a common place for all security-related data to arrive. She mentions some of the many tools in the Microsoft suite to feed into Sentinel - Defender for Endpoints, Identity, and Cloud as examples. Specialized analysis tools send summaries to Sentinel, but Sentinel can also process raw logs; make sure you need the data, because billing for Sentinel is connected to the number of ingress sources. There's a lot to learn, but also a lot of great documentation and information to work from. Check the show notes for links!
Links:
Microsoft Sentinel
ArcSight
Defender Security Alerts
Defender for Endpoint
Defender for Identity
Microsoft Digital Defense Report 2022
Defender for Cloud
What is CSPM?
Security Baselines Blog
Microsoft Security Copilot
Recorded April 6, 2023
Rich Mogull, SVP of Cloud Security at FireMon, joins Corey on Screaming in the Cloud to discuss his career in cybersecurity going back to the early days of cloud. Rich describes how he identified that cloud security would become a huge opportunity in the early days of cloud, as well as how cybersecurity parallels his other jobs in aviation and emergency medicine. Rich and Corey also delve into the history of Rich's involvement in the TidBITS newsletter, and Rich unveils some of his insights into the world of cloud security as a Gartner analyst.
About Rich
Rich is the SVP of Cloud Security at FireMon where he focuses on leading-edge cloud security research and implementation. Rich joined FireMon through the acquisition of DisruptOps, a cloud security automation platform based on his research while CEO of Securosis. He has over 25 years of security experience and currently specializes in cloud security and DevSecOps, having started working hands-on in cloud over 12 years ago. He is also the principal course designer of the Cloud Security Alliance training class, primary author of the latest version of the CSA Security Guidance, and actively works on developing hands-on cloud security techniques. Prior to founding Securosis and DisruptOps, Rich was a Research Vice President at Gartner on the security team. Prior to his seven years at Gartner, Rich worked as an independent consultant, web application developer, software development manager at the University of Colorado, and systems and network administrator.
Rich is the Security Editor of TidBITS and a frequent contributor to industry publications. He is a frequent industry speaker at events including the RSA Security Conference, Black Hat, and DefCon, and has spoken on every continent except Antarctica (where he's happy to speak for free -- assuming travel is covered).
Links Referenced:
FireMon: https://www.firemon.com/
Twitter: https://twitter.com/rmogull Mastodon: [https://defcon.social/@rmogull](https://defcon.social/@rmogull) FireMon Blogs: https://www.firemon.com/blogs/ Securosis Blogs: https://securosis.com/blog TranscriptAnnouncer: Hello, and welcome to Screaming in the Cloud with your host, Chief Cloud Economist at The Duckbill Group, Corey Quinn. This weekly show features conversations with people doing interesting work in the world of cloud, thoughtful commentary on the state of the technical world, and ridiculous titles for which Corey refuses to apologize. This is Screaming in the Cloud.Corey: Welcome to Screaming in the Cloud. I'm Corey Quinn. My guest today is Rich Mogull, SVP of Cloud Security over at FireMon now that I'm a bit too old to be super into Pokémon, so I forget which one that is. Rich, thanks for joining me. I appreciate it.Rich: Thank you. Although I think we need to be talking more Digimon than Pokémon. Not that I want to start a flame war on the internet in the first two minutes of the conversation.Corey: I don't even have the level of insight into that. But I will say one of the first areas where you came to my notice, which I'm sure you'll blame yourself for later, is that you are the security editor behind TidBITS, which is, more or less, an ongoing newsletter longer than I've been in the space, to my understanding. What is that, exactly?Rich: So, TidBITS is possibly the longest-running—one of the longest-running newsletters on the internet these days and it's focused on all things Apple. So, TidBITS started back in the very early days as kind of more of an email, I think like, 30 years ago or something close to that. 
And we just write a lot about Apple and I've been reading about Apple security there.Corey: That's got to be a bit of an interesting experience compared to my writing about AWS because people have opinions about AWS, particularly, you know, folks who work there, but let's be clear, there is nothing approaching the zealotry, I think I want to call it, of certain elements of the Apple ecosystem whenever there is the perception of criticism about the company that they favor. And I want to be clear here to make sure I don't get letters myself for saying this: if there's an Apple logo on a product, I will probably buy it. I have more or less surrounded myself with these things throughout the course of the last ten years. So, I say this from a place of love, but I also don't wind up with people threatening me whenever I say unkind things about AWS unless they're on the executive team.Rich: So, it's been a fascinating experience. So, I would say that I'm on the tail end of being involved with kind of the Mac journalist community. But I've been doing this for over 15 years is kind of what I first started to get involved over there. And for a time, I wrote most of the security articles for Macworld, or a big chunk of those, I obviously was writing over a TidBITS. I've been very lucky that I've never been on the end of the death threats and the vitriol in my coverage, even though it was balanced, but I've also had to work a lot—or have a lot of conversations with Apple over the years.And what will fascinate you is at what point in time, there were two companies in the world where I had an assigned handler on the PR team, and one was Apple and then the other was AWS. I will say Apple is much better at PR than [laugh] AWS, especially their keynotes, but we can talk about re:Invent later.Corey: Absolutely. I have similar handlers at a number of companies, myself, including of course, AWS. Someone has an impossible job over there. But it's been a fun and exciting world. 
You're dealing with the security side of things a lot more than I am, so there's that additional sensitivity that's tied to it.And I want to deviate for a second here, just because I'm curious to get your take on this given that you are not directly representing one of the companies that I tend to, more or less, spend my time needling. It seems like there's a lot of expectation on companies when people report security issues to them, that you're somehow going to dance to their tune and play their games the entire time. It's like, for a company that doesn't even have a public bug bounties process, that feels like it's a fairly impressively high bar. On some level, I could just report this via Twitter, so what's going on over there? That feels like it's very much an enterprise world expectation that probably means I'm out of step with it. But I'm curious to get your take.Rich: Out of step with which part of it? Having the bug bounty programs or the nature of—Corey: Oh, no. That's beside the point. But having to deal with the idea of oh, an independent security researcher shows up. Well, now they have to follow our policies and procedures. It's in my world if you want me to follow your policies and procedures, we need a contract in place or I need to work for you.Rich: Yeah, there is a long history about this and it is so far beyond what we likely have time to get into that goes into my history before I even got involved with dealing with any of the cloud pieces of it. But a lot about responsible disclosure, coordinated disclosure, no more free bugs, there's, like, this huge history around, kind of, how to handle these pieces. I would say that the core of it comes from, particularly in some of the earlier days, there were researchers who wanted to make their products better, often as you criticize various things, to speak on behalf of the customer. And with security, that is going to trigger emotional responses, even among vendors who are a little bit more mature. 
Give you an example, let's talk about Apple.When I first started covering them, they were horrific. I actually, some of the first writing I did that was public about Apple was all around security and their failures on security disclosures and their inability to work with security researchers. And they may struggle still, but they've improved dramatically with researcher programs, and—but it was iterative; it really did take a cultural change. But if you really want to know the bad stories, we have to go back to when I was writing about Oracle when I was a Gartner analyst.Corey: Oh, dear. I can only imagine how that played out. They have been very aggressive when it comes to smacking down what they perceive to be negative coverage of anything that they decide they like.Rich: Yeah, you know, if I would look at how culturally some of these companies deal with these things when I was first writing about some of the Oracle stuff—and remember, I was a Gartner analyst, not a vulnerability researcher—but I'm a hacker; I go to Blackhat and DEF CON. I'm friends with the people who are smarter than me at that or have become friends with them over the years. And I wrote a Gartner research note saying, “You probably shouldn't buy any more Oracle until they fix their vulnerability management process.” That got published under the Gartner name, which that may have gotten some attention and created some headaches and borderline legal threats and shade and all those kinds of things. That's an organization that looks at security as a PR problem. Even though they say they're more secure, they look at security as a PR problem. There are people in there who are good at security, but that's different. Apple used to be like that but has switched. And then Amazon is… learning.Corey: There is a lot of challenge around basically every aspect of communication because again, to me, a big company is one that has 200 people. 
I think that as soon as you wind up getting into the trillion-dollar company scale, everything you say gets you in trouble with someone, somehow, somewhere, so the easiest thing to do is to say nothing. The counterpoint is that on some point of scale, you hit a level where you need a fair bit of scrutiny; it's deserved at this point because you are systemically important, and them's the breaks.Rich: Yeah, and they have improved. A lot of the some of the larger companies have definitely improved. Microsoft learned a bunch of those lessons early on. [unintelligible 00:07:33] the product in Azure, maybe we'll get there at some point. But you have to—I look at it both sides a little bit.On the vendor side, there are researchers who are unreasonable because now that I'm on the vendor side for the first time in my career, if something gets reported, like, it can really screw up plans and timing and you got to move developer resources. So, you have outside influences controlling you, so I get that piece of it. But the reality is if some researcher discovered it, some China, Russia, random criminals are going to discover it. So, you need to deal with those issues. So, it's a bit of control. You lose control of your messaging and everything; if marketing gets their hands in this, then it becomes ugly.On the other hand, you have to, as a vendor, always realize that these are people frequently trying to make your products better. Some may be out just to extort you a little bit, whatever. That's life. Get used to it. And in the end, it's about putting the customers first, not necessarily putting your ego first and your marketing first.Corey: Changing gears slightly because believe it or not, neither you nor I have our primary day jobs focused on, you know, journalism or analyst work or anything like that these days, we focus on these—basically cloud, for lack of a better term—through slightly different lenses. 
I look at it through cost—which is of course architecture—and you look at it through the lens of security. And I will point out that only one of us gets called at three in the morning when things get horrible because of the bill is a strictly business-hours problem. Don't think that's an accident as far as what I decided to focus on. What do you do these days?Rich: You mean, what do I do in my day-to-day job?Corey: Well, it feels like a fair question to ask. Like, what do you do as far as day job, personal life et cetera. Who is Rich Mogull? You've been a name on the internet for a long time; I figured we'd add some color and context to it.Rich: Well, let's see. I just got back from a flying lesson. I'm honing in on my getting ready for my first solo. My side gig is as a disaster response paramedic. I dressed up as a stormtrooper for the 501st Legion. I've got a few kids and then I have a job. I technically have two jobs. So—Corey: I'm envious of some of those things. I was looking into getting into flying but that path's not open to me, given that I have ADHD. And there are ways around it in different ways. It's like no, no, you don't understand. With my given expression of it, I am exactly the kind of person that should not be flying a plane, let's be very clear here. This is not a regulatory thing so much as it is a, “I'm choosing life.”Rich: Yeah. It's a really fascinating thing because it's this combination of a physical and a mental challenge. And I'm still very early in the process. But you know, I cracked 50, it had always been a life goal to do this, and I said, “You know what? I'm going to go do it.”So, first thing, I get my medical to make sure I can actually pass that because I'm over 50, and then from there, I can kind of jump into lessons. 
Protip though: don't start taking lessons right as summer is kicking in in Phoenix, Arizona, with winds and heat that messes up your density altitude, and all sorts of fun things like that because it's making it a little more challenging. But I'm glad I'm doing it.Corey: I have to imagine. That's got to be an interesting skill set that probably doesn't have a huge amount of overlap with the ins and outs of the cloud business. But maybe I'm wrong.Rich: Oh God, Corey. The correlations between information security—my specialty, and cloud security as a subset of that—aviation, and emergency medicine are incredible. These are three areas with very similar skill sets required in terms of thought processes. And in the case of both the paramedic and aviation, there's physical skills and mental skills at the same time. But how you look at incidents, how you process things algorithmically, how you—your response times, checklists, the correlations.And I've been talking about two of those three things for years. I did a talk a couple years ago, during Covid, my Blackhat talk on the “Paramedics Guide to Surviving Cybersecurity,” where I talked a lot about these kinds of pieces. And now aviation is becoming another part of that. Amazing parallels between all three. Very similar mindsets are required.Corey: When you take a look at the overall sweep of the industry, you've been involved in cloud for a fairly long time. I have, too, but I start off as a cynic. I started originally when I got into the space, 2006, 2007, thinking virtualization was a flash in the pan because of the security potential impact of this. Then cloud was really starting to be a thing and pfff, that's not likely to take off. I mean, who's going to trust someone else to run all of their computing stuff?And at this point, I've learned to stop trying to predict the future because I generally get it 180 degrees wrong, which you know, I can own that. 
But I'm curious what you saw back when you got into this that made you decide, yeah, cloud has legs. What was that?Rich: I was giving a presentation with this guy, Chris Hoff, a good friend of mine. And Chris and I joined together are individual kind of research threads and were talking about, kind of, “Disruptive Innovation and the Future of Security.” I think that was the title. And we get that at RSA, we gave that at SOURCE Boston, start kind of doing a few sessions on this, and we talked about grid computing.And we were looking at, kind of, the economics of where things were going. And very early, we also realized that on the SaaS side, everybody was already using cloud; they just didn't necessarily know it and they called them Application Service Providers. And then the concepts of cloud in the very early days were becoming compelling. It really hit me the first time I used it.And to give you perspective, I'd spent years, you know, seven years as a Gartner analyst getting hammered with vendors all the time. You can't really test those technologies out because you can never test them in a way that an enterprise would use them. Even if I had a lab, the lab would be garbage; and we know this. I don't trust things coming out of labs because that does not reflect operational realities at enterprise scale. Coming out of Gartner, they train me to be an enterprise guy. You talk about a large company being 200? Large companies start at 3000 to 5000 employees.Corey: Does that map to cloud services the way that AWS expresses? Because EKS, you're going to manage that differently in an enterprise environment—or any other random AWS service; I'm just picking EKS as an example on this. But I can spin up a cluster and see what it's like in 15 minutes, you know, assuming the cluster gets with the program. 
And it's the same type of thing I would use in an enterprise, but I'm also not experiencing it in the enterprise-like way with the processes and the gating and the large team et cetera, et cetera, et cetera. Do you think it's still a fair comparison at that point?Rich: Yeah, I think it absolutely is. And this is what really blew my mind. 11 or 12 years ago, when I got my first cloud account setup. I realized, oh, my God. And that was, there was no VPC, there was no IAM. It was ephemeral—and—no, we just had EBS was relatively new, and IAM was API only, it wasn't in the console yet.Corey: And the network latency was, we'll charitably call it non-deterministic.Rich: That was the advantage of not running anything at scale, wasn't an issue at the time. But getting the hands-on and being able to build what I could build so quickly and easily and with so little friction, that was mind-blowing. And then for me, the first time I've used security groups I'm like, “Oh, my God, I have the granularity of a host firewall with the manageability of a network firewall?” And then years later, getting much deeper into how AWS networking and all the other pieces were—Corey: And doesn't let it hit the host, which I always thought a firewall that lets—Rich: Yes.Corey: —traffic touch the host is like a seatbelt that lets your face touch the dashboard.Rich: Yeah. The first thing they do, they go in, they're going to change the rules. But you can't do that. It's those layers of defense. And then I'm finding companies in the early days who wanted to put virtual appliances in front of everything. And still do. I had calls last week about that.But those are the things that really changed my mind because all of a sudden, this was what the key was, that I didn't fully realize—and it's kind of something that's evolved into something I call the ‘Grand Unified Theory of Cloud Governance,' these days—but what I realized was those barriers are gone. 
And there is no way to stop this as people want to build and test and deploy applications because the benefits are going to be too strong. So, grab onto the reins, hold on to the back of the horse, you're going to get dragged away, and it's your choice if your arm gets ripped off in the process or if you're going to be able to ride that thing and at least steer it in the general direction that you need it to go in.Corey: One of the things that really struck me when I started playing around with cloud for more than ten minutes was everything you say is true, but I can also get started today to test out an idea. And most of them don't work, but if something hits, suddenly I don't have the data center constraints, whereas today, I guess you'd call it, I built my experiment MVP on top of a Raspberry Pi and now I have to wait six weeks for Dell to send me something that isn't a piece of crap that I can actually take production traffic on. There's no okay, and I'll throw out the junky hardware and get the good stuff in once you start hitting a point of scale because you're already building on that stuff without the corresponding massive investment of capital to get there.Rich: Yeah well, I mean, look, I lived this, I did a startup that was based on demos at a Blackhat—sorry, at a Blackhat. Blackhat. Did some demos on stage, people were like, “We want your code.” It was about cloud security automation. That led to doing your startup, the thing called DisruptOps, which got acquired, and that's how I ended up at FireMon. So, that's the day job route where I ended up.And what was amazing for that is, to add on to what you said, first of all, the friction was low; once we get the architecture right, scalability is not something we are hugely concerned with, especially because we're CI/CD. Oh, no, we hit limits. Boom, let's just stand up a new version and redirect people over there. Problem solved. 
And then the ability to, say, run multiple versions of our platform simultaneously? We're doing that right now. We just had to release an entirely free version of it.To do that. It required back-end architectural changes for cost, not for scalability so much, but for a lot around cost and scheduling because our thing was event-driven, we're able to run that and run our other platform fully in parallel, all shared data structures, shared messaging structures. I can't even imagine how hard that would have not been to do in a traditional data center. So, we have a lot of freedom, still have those cost constraints because that's [laugh] your thing, but the experimentation, the ability to integrate things, it's just oh, my God, it's just exciting.Corey: And let's be clear, I, having spent a lot of time as a rat myself in these data centers, I don't regret handing a lot of that responsibility off, just because, let's not kid ourselves, they are better at replacing failed or failing hardware than I will ever be. That's part of the benefit you get from the law of large numbers.Rich: Yeah. I don't want to do all of that stuff, but we're hovering around something that is kind of—all right, so former Gartner analyst means I have a massive ego, and because of that, I like to come up with my own terms for things, so roll with me here. And it's something I'm calling the ‘Grand Unified Theory of Cloud Governance' because you cannot possibly get more egotistical than referring to something as your solution to the biggest problem in all of physics. The idea is, is that cloud, as we have just been discussing, it drops friction and it decentralizes because you don't have to go ask somebody for the network, you don't have to ask somebody for the server. So, all of a sudden, you can build a full application stack without having to call somebody for help. 
We've just never had that in IT before.And all of our governance structures—and this includes your own costs, as well as security—are built around scarcity. Scarcity of resources, natural choke points that evolved from the data center. Not because it was bad. It wasn't bad. We built these things because that's what we needed for that environment at the data center.Now, we've got cloud and it's this whole new alien technology and it decentralizes. That said, particularly for us on security, you can build your whole application stack, of course, we have completely unified the management interfaces in one place and then we stuck them on the internet, protected with nothing more than a username and password. And if you can put those three things together in your head, you can realize why these are such dramatic changes and so challenging for enterprises, why my kids get to go to Disney a fair bit because we're in demand as security professionals.Corey: What does FireMon do exactly? That's something that I'm not entirely up to speed on, just because please don't take this the wrong way, but I was at RSA this year, and it feels like all the companies sort of blend together as you walk between the different booths. Like, “This is what you should be terrified of today.” And it always turns into a weird sales pitch. Not that that's what you do, but it at some point just blinds me and overloads me as far as dealing with any of the cloud security space.Rich: Oh, I've been going to RSA for 20 years. One of our SEs, I was briefly at our booth—I'm usually in outside meetings—and he goes, “Do you see any fun and interesting?” I go—I just looked at him like I was depressed and I'm like, “I've been to RSA for 20 years. I will never see anything interesting here again. Those days are over.” There's just too much noise and cacophony on that show floor.What do we do? So—Corey: It makes re:Invent's Expo Hall look small.Rich: Yeah. I mean, it's, it's the show over at RSA. 
And it wasn't always. I mean, it was—it's always been big as long as I've been there, but yeah, it's huge, everyone is there, and they're all saying exactly the same thing. This year, I think the only reason it wasn't all about AI is because they couldn't get the printers to reprint the banners fast enough. Not that anybody has any products that would do anything there. So—you look like you want to say something there.
Corey: No, no. I like the approach quite a bit. It's the, everything was about AI this year. It was a hard pivot from trying to sell me a firewall, which it seems like everyone was doing in the previous year. It's kind of wild. I keep saying that there's about a dozen companies that exhibit at RSA. A guess, there are hundreds and hundreds of booths, but it all distills down to the same 12 things. They have different logos and different marketing stories, but it does seem like a lot of stuff is very much just like the booth next to it on both sides.
Rich: Yeah. I mean, that's—it's just the nature. And part of—there's a lot of reasons for this. We used to, when I was—so prior to doing the startup thing and then ending up at FireMon, I did Securosis, which was an analyst firm, and we used to do the Securosis guide to RSA every year where we would try and pick the big themes. And the reality is, there's a reason for that. I wrote something once: the vendors lied to you because you want them to. It's the most dysfunctional relationship because as customers, you're always asking, “Well, what are you doing for [unintelligible 00:22:16]? What are you doing for zero trust? What are you doing for AI?” When those same customers are still just working on fundamental patch management and firewall management.
But it doesn't stop them from asking the questions and the vendors have to have answers because that's just the nature of that part of the world.
Corey: I will ask you, over the past 12 years—I have my own thoughts on this, but I want to hear your take on it—what's changed in the world of cloud security?
Rich: Everything. I mean, I was one of the first to be doing this.
Corey: Oh, is that all?
Rich: Yeah. So, there's more people. When I first started, very few people doing it, nobody knew much about it outside AWS, we all knew each other. Now, we've got a community that's developed and there's people that know what they're doing. There's still a shortage of skills, absolutely still a shortage of skills, but we're getting a handle on that, you know? We're getting a bit of a pipeline. And I'd say that's still probably the biggest challenge faced. But what's improved? Well, it's a give-and-take. On one hand, we now have strategies, we have tools that are more helpful, unfortunately—I'll tell you the biggest mistake I made and it ties to the FireMon stuff in my career, in a minute; relates directly to this question, but we're kind of getting there on some of the tool pieces. On the other hand, that complexity is increasing faster. And that's what's made it hard. So, as much as we're getting more skilled people, better at tooling, for example, we kind of know—and we didn't have CloudTrail when I started. We didn't have the fundamental things you need to actually implement security at the start of cloud. Most of those are there; they may not be working the way we wish they always worked, but we've got the pieces to assemble it, depending on which platform you're on. That's probably the biggest change.
Now, we need to get into the maturity phase of cloud, and that's going to be much more difficult and time-consuming to kind of get over that hump.
Corey: It's easy to wind up saying, “Oh, I saw the future so clearly back then,” but I have to ask, going back 12 years, the path the world would take was far from certain. Did you have doubts?
Rich: Like, I had presented with Chris Hoff. We—we're still friends—presented stuff together, and he got a job that was kind of cloud-ancillary. And I remember calling him up once and going, “Chris, I don't know what to do.” I was running my little analyst firm—little. We were doing very, very well—I could not get paid to do any work around cloud. People wanted me to write shitty papers on DLP and take customer inquiries on DLP because I had covered that at the Gartner days, and data encryption and those pieces. That was hard. And fortunately, a few things started trickling in. And then it was a flood. It completely changed our business and led to me, you know, eventually going down into the vendor path. But that was a tough day when I hit that point. So, absolutely I knew it was the future. I didn't know if I was going to be able to make a living at it.
Corey: It would seem that you did.
Rich: Yeah. Worked out pretty well [laugh].
Corey: You seem sprightly to me. Good work. You're not on death's door.
Rich: No. You know, in fact, the analyst side of it exploded over the years because it turns out, there weren't people who had this experience. So, I could write code to the APIs, but they'll still talk with CEOs and boards of directors around these cloud security issues and frame them in ways that made sense to them. So, that was wonderful. We partnered up with the Cloud Security Alliance, I actually built a bunch of the CSA training, I wrote the current version of the CSA guidance, we're writing the next version of that, did a lot of research with them. They've been a wonderful partner. So, all that went well.
Then I got diverted down onto the vendor path. I had this research idea and then it came out, we ended up founding that as a startup and then it got, as I mentioned, acquired by FireMon, which is interesting because FireMon, you asked what we did, it's firewall policy management is the core of the company. Yet the investors realize the company was not going in the right direction necessarily, to deal with the future of cloud. They went to their former CEO and said, “Hey, can you come back”—the founder of the company—“And take this over and start moving us in the right direction?” Well, he happened to be my co-founder at the startup. And so, we kind of came in and took over there. And so, now it's a very interesting position because we have this one cloud-native thing we built for all these years. We made one mistake with that, which I'll talk about which ties back to your predicting the future piece if you want to go into it, but then we have the network firewall piece now extending into hybrid, and we have an asset management moving into the attack surface management space as well. And both of those products have been around for, like, 15-plus years.
Corey: No, I'm curious to your thoughts on it because it's been one of those weird areas where there's been so much change and so much evolution, but you also look at today's “OWASP Top 10” list of vulnerabilities, and yeah, they updated a year or so ago, but it still looks basically like things that—from 2008—would have made sense to me when I'm looking at this. Well, insomuch as they do now. I didn't know then, nor do I now what a cross-site scripting attack might be, but other than that, I find that there's, “Oh, you misconfigured something and it winds up causing a problem.” Well, no kidding. Imagine that.
Rich: Yeah. Look, the fundamentals don't change, but it's still really easy to screw up.
Corey: Oh, having done so a lot, I believe you.
Rich: There's a couple of principles, and I'll break it into two sides.
One is, a lot of security sounds simple. There's nothing simple at scale. Nothing simple scales. The moment you get up to even 200 employees, everything just becomes ridiculously harder. That's the nature of reality. Simplicity doesn't scale. The other part is even though it's always the same, it's still easy to think you're going to be different this time and you're not going to screw it up, and then you do. For example, so cloud, we were talking about the maturity. I assumed CSPM just wasn't going to be a thing. For real. The Cloud Security Posture Management. Because why would the cloud providers not just make that problem go away and then all the vulnerability assessment vendors and everybody else? It seemed like it was an uninteresting problem. And yet, we were building a cloud security automation thing and we missed the boat because we had everything we needed to be one of the very first CSPM vendors on the market and we're like, “No, no. That problem is going to go away. We'll go there.” And it ties back to what you said, which is it's the same stuff and we just outsmarted ourselves. We thought that people would go further faster. And they don't and they aren't. And that's kind of where we are today. We are dramatically maturing. At the same time, the complexity is increasing dramatically. It's just a huge challenge for skills and staffing to adjust governance programs. Like I think we've got another 10 to 20 years to go on this cloud security thing before we even get close. And then maybe we'll get down to the being bored by the problems. But probably not because AI will ruin us.
Corey: I'd like to imagine, on some level, that AI could be that good. I mean, don't get me wrong. It has value and it is transformative for a bunch of things, but I also think a lot of the fear-mongering is more than a little overblown.
Rich: No, I agree with you.
I'm trying to keep a very close eye on it because—I can't remember if you and I talked about this when we met face-to-face, or… it was somebody at that event—AI is just not just AI. There's different. There's the LLMs, there's the different kinds of technologies that are involved. I mean, we use AI all over the place already. I mean my phone's got it built in to take better pictures. It's a matter of figuring out what the use cases and the, honestly, some of the regulatory structure around it in terms of copyright and everything else. I'm not worried about Clippy turning into Skynet, even though I might make jokes about that on Mastodon, maybe someday there will be some challenges, but no, it's just going to be another tech that we're going to figure out over time. It is disruptive, so we can't ignore that part of it.
Corey: I really want to thank you for taking the time to speak with me. If people want to learn more, where's the best place to find you that isn't one of the Disney parks?
Rich: That really is kind of the best place to find—no. So, these days, I do technically still have a Twitter presence at @rmogull. I'm not on there much, but I will get DMs if people send those over. I'm more on Mastodon. It's @rmogull@defcon.social. I write over at FireMon these days, as well as occasionally still over Securosis, on those blogs. And I'm in the [Cloud Security Slack community 00:30:49] that is now under the banner for CloudSec. That's probably the best place if you want to hit me up and get quick answers on anything.
Corey: And I will, of course, include links to all of that in the show notes. Thank you so much for taking the time to speak with me today. I really appreciate it.
Rich: Thanks, Corey. I was so happy to be here.
Corey: Rich Mogull, SVP of Cloud Security at FireMon. I'm Cloud Economist Corey Quinn and this is Screaming in the Cloud.
If you've enjoyed this podcast, please leave a five-star review on your podcast platform of choice, whereas if you've hated this podcast, please leave a five-star review on your podcast platform of choice, along with an angry comment talking about how at Dell these days, it does not take six weeks to ship a server. And then I will get back to you in six to eight weeks.
Corey: If your AWS bill keeps rising and your blood pressure is doing the same, then you need The Duckbill Group. We help companies fix their AWS bill by making it smaller and less horrifying. The Duckbill Group works for you, not AWS. We tailor recommendations to your business and we get to the point. Visit duckbillgroup.com to get started.
Ganesh: CEO and founder at Anzenna, providing contextual learning opportunities to improve employees' cybersecurity training. Previously founded Avid Secure, one of the original CSPM companies, which he sold to Sophos in 2019. Joined Sophos as a VP of engineering and worked there for the last three years prior to launching Anzenna.
Check out the episode for our discussion on the sale of Avid Secure at the very beginning of the CSPM boom, what contextual learning entails in the workforce development space, and how the Anzenna team is going about this challenge.
https://www.anzenna.ai/
Michael Isbitski, Director of Cybersecurity Strategy at Sysdig, joins Corey on Screaming in the Cloud to discuss the nuances of an effective cybersecurity strategy. Michael explains that many companies are caught between creating a strategy that's truly secure and one that's merely compliant and within the bounds of cost-effectiveness, and what can be done to help balance the two aims more effectively. Corey and Michael also explore what it means to hire for transferable skills in the realm of cybersecurity and tech, and Michael reveals that while there's no such thing as a silver-bullet solution for cybersecurity, Sysdig can help bridge many gaps in a company's strategy.
About Michael
Mike has researched and advised on cybersecurity for over 5 years. He's versed in cloud security, container security, Kubernetes security, API security, security testing, mobile security, application protection, and secure continuous delivery. He's guided countless organizations globally in their security initiatives and supporting their business. Prior to his research and advisory experience, Mike learned many hard lessons on the front lines of IT with over twenty years of practitioner and leadership experience focused on application security, vulnerability management, enterprise architecture, and systems engineering.
Links Referenced:
Sysdig: https://sysdig.com/
LinkedIn: https://www.linkedin.com/in/michael-isbitski/
Transcript
Announcer: Hello, and welcome to Screaming in the Cloud with your host, Chief Cloud Economist at The Duckbill Group, Corey Quinn. This weekly show features conversations with people doing interesting work in the world of cloud, thoughtful commentary on the state of the technical world, and ridiculous titles for which Corey refuses to apologize. This is Screaming in the Cloud.
Corey: Tailscale SSH is a new, and arguably better way to SSH. Once you've enabled Tailscale SSH on your server and user devices, Tailscale takes care of the rest.
So you don't need to manage, rotate, or distribute new SSH keys every time someone on your team leaves. Pretty cool, right? Tailscale gives each device in your network a node key to connect to your VPN, and uses that same key for SSH authorization and encryption. So basically you're SSHing the same way that you're already managing your network. So what's the benefit? Well, built-in key rotation, the ability to manage permissions as code, connectivity between any two devices, and reduced latency. You can even ask users to re-authenticate SSH connections for that extra bit of security to keep the compliance folks happy. Try Tailscale now - it's free forever for personal use.
Corey: Do you wish your developers had less permanent access to AWS? Has the complexity of Amazon's reference architecture for temporary elevated access caused you to sob uncontrollably? With Sym, you can protect your cloud infrastructure with customizable, just-in-time access workflows that can be set up in minutes. By automating the access request lifecycle, Sym helps you reduce the scope of default access while keeping your developers moving quickly. Say goodbye to your cloud access woes with Sym. Go to symops.com/corey to learn more. That's S-Y-M-O-P-S.com/corey
Corey: Welcome to Screaming in the Cloud, I'm Corey Quinn. I periodically find myself in something of a weird spot when it comes to talking about security. I spent a lot of my time in previous lives having to care about it, but the word security was never in my job title. That's who my weekly podcast on the AWS Morning Brief and the accompanying newsletter goes out to: it's people who have to care about security but don't have it as part of their job title. They just want to know what's going on without all of the buzzwords. This promoted guest episode is brought to us by our friends at Sysdig and my guest is Mike Isbitski, Director of Cybersecurity Strategy at Sysdig. Mike, thanks for joining me.
Michael: Thanks, Corey.
Yeah, it's great to be here.
Corey: So, you've been at Sysdig for a little bit, but your history is fascinating to me. You were at Gartner, which on the one hand would lead someone to think, “Oh okay, you talk about this stuff a lot, but might not have been particularly hands-on,” but that's not true, either. You have a strong background as a practitioner, but not directly security-focused. Is that right?
Michael: Yeah. Yeah, that is correct. I can certainly give the short version of the history lesson [laugh]. It is true, yes. As a Gartner analyst, you don't always get as hands-on, certainly talking to practitioners and leaders from all walks of life, different industries, different company sizes, and organization sizes. But yeah, as a Gartner analyst, I was in a different division that was much more technical. So, for me personally, I did actually try to tinker a lot: set up Docker, deploy Kubernetes clusters, all that fun stuff. But yeah, prior to my life, as an analyst, I was a practitioner, a security leader for close to 20 years at Verizon so, saw quite a bit. And actually started as enterprise architect building, kind of, systems and infrastructure to support all of those business needs, then I kind of transitioned over to application security towards the tail end of that career at Verizon.
Corey: And one of the things that I find that I enjoy doing is talking with folks in positions like yours, the folks who did not come to the cybersecurity side of the world from a pure strategy advisory sense, but have been hands-on with these things at varying points in our careers, just because otherwise I feel like I'm sort of coming at this from a very different world.
When I walk around the RSA show floor, I am consistently confronted by people trying to sell me the same dozen products over and over again with different words and different branding, but it seems like it's all buzzwords aimed from security people who are deep in the weeds to other security people who are deep in the weeds and it's just presumed that everyone knows what they're talking about already. And obviously worse. I'm not here to tell them that they're going about their business wrong, but for smaller companies, SMBs, folks who have to care about security but don't know the vernacular in the same way and don't have sophisticated security apparatus at their companies, it feels like a dense thicket of impenetrable buzzwords.
Michael: Yes. Very, very fair assessment, [laugh] I would say. So, I'd say my life as an analyst was a lot of lengthy conversations. I guess a little bit of the secret behind analyst inquiry, I mean, a lot of times, they are hour-long conversations, sometimes multiple sets of them. But yeah, it's very true, right? There's a lot of nuance to how you work with technology and how you build things, but then also how you secure it, it's very hard to, kind of, condense that, you know, hours of conversation and many pages of documentation down into some bite-size nuggets that marketers might run with. So, I try to kind of live in that in-between world where I can kind of explain deep technology problems and business realities, and kind of explain that in more common language to people. Sometimes it's easier said than done when you're speaking it as opposed to writing it. But yeah, that's kind of where I tried to bring my skills and experience.
Corey: It's a little counterintuitive to folks coming out from the other side, I suspect. For me, at least the hardest part of getting into the business of cloud cost optimization the way that I do with the Duckbill Group was learning to talk.
Where I come from a background of heavy on the engineering and operations side, but being able to talk to business stakeholders who do not particularly care what a Kubernetes might be, is critical. You have to effectively be able to speak to different constituencies, sometimes in the same conversation, without alienating the rest of them. That was the hard part for me.
Michael: Yeah, that's absolutely true and I certainly ran into that quite a bit as an enterprise architect at Verizon. There's kind of really need to work to identify, like, what is the business need. And typically, that is talking to the stakeholders, you know, what are they trying to achieve? They might not even know that, right, [laugh] because not everybody is very structured in how they think about the problem you're trying to solve. And then what is their daily workflow? And then you kind of arrive at the technology. I'd say, a common pitfall for anybody, right, whether you're an engineer or a security practitioner is to kind of start with the technology or the solution and then try to force that on people, right? “Here's your solution to the problem that maybe you didn't know you had.” [laugh]. It kind of should work in reverse, right? What's the actual business need? What's your workflow? And what's the appropriate technology for that, right? Whether it's right-sizing the infrastructure or a particular type of functionality or protection, all those things, right? So, very similar kind of way of approaching the problem. It's just what you're trying to solve but [laugh] I've definitely seen that, kind of, Kubernetes is all the rage, right, or service mesh. Like, everybody needs to start deploying Istio, and you really should be asking the question—
Corey: Oh, it's all resume-driven development.
Michael: Yep, exactly. Yeah. It's kind of the new kid on the block, right? Let's push out this cool new technology and then problems be damned, right?
Corey: I'm only half-kidding on that.
I've talked to folks who are not running those types of things and they said that it is a bit of a drag on their being able to attract talent.
Michael: Yeah, it's—you know, I mean, it's newer technologies, right, so it can be hard to find them, right, kind of unicorn status. I used to talk quite a bit in advisory calls to find DevOps practitioners that were kind of full-stack. That's tricky.
Corey: I always wonder if it's possible to find them, on some level.
Michael: Yeah. And it's like, well, can you find them and then when you do find them, can you afford them?
Corey: Oh, yeah. What I'm seeing in the other direction, though, is people who are making, you know, sensible technology choices where you actually understand what lives where without turning it into a murder mystery where you need to hire a private investigator to track it down. Those are the companies that are having trouble hiring because it seems that an awful lot of the talent, or at least a significant subset of it, want to have the latest and greatest technologies on their resume on their next stop. Which, I'm not saying they're wrong for doing that, but it is a strange outcome that I wasn't quite predicting.
Michael: Yeah. No, it is very true, I definitely see that quite a bit in the tech sector. I've run into it myself, even with the amount of experience I have and skills. Yeah, companies sometimes get in a mode where they're looking for very specific skills, potentially even products or technologies, right? And that's not always the best way to go about it. If you understand concepts, right, with technology and systems engineering, that should translate, right?
So, it's kind of learning the new syntax, or semantics, working with a framework or a platform or a piece of technology.
Corey: One of the reasons that I started the security side of what I do on the newsletter piece, and it caught some people by surprise, but the reason I did it was because I have always found that, more or less, security and cost are closely aligned spiritually, if nothing else. They're reactive problems and they don't, in the general sense, get companies one iota closer to the business outcome they're chasing, but it's something you have to do, like buying fire insurance for the building. You can spend infinite money on those things, but it doesn't advance. It's all on the defensive, reactive side. And you tend to care about these things a lot right after you failed to care about them sufficiently. Does that track at all from your experience?
Michael: Yeah. Yeah, absolutely. I'm just kind of flashing back to some war stories at Verizon, right? It was… I'd say very common that, once you've kind of addressed, well, these are the business problems we want to solve for and we're off to the races, right, we're going to build this cool thing. And then you deploy it, right [laugh], and then you forgot to account for backup, right? What's your disaster recovery plan? Do you have logging in place? Are you monitoring the thing effectively? Are your access controls accounted for? All those, kind of, tangential processes, but super-critical, right, when you think about, kind of, production systems, like, they have to be in place. So, it's absolutely true, right, and it's kind of definitely for just general availability, you need to be thinking about these things. And yeah, they almost always translate to that security piece of it as well, right, particularly with all the regulations that organizations are impacted with today.
You really need to be thinking about, kind of, all these pieces of the puzzle, not just hey, let's build this thing and get it on running infrastructure and we're done with our work.
Corey: A question that I've got for you—because I'm seeing a very definite pattern emerging tied to the overall macro environment, now, where after a ten-year bull run, suddenly a bunch of companies are discovering, holy crap, money means something again, where instead of being able to go out and get infinite money, more or less, to throw at an AWS bill, suddenly, oh, that's a big number, and we have no idea what's in it. We should care about that. So, almost overnight, we've seen people suddenly caring about their bill. How are you seeing security over the past year or so? Has there been a similar awareness around that or has that not really been tied to the overall macro-cycle?
Michael: Very good question, yeah. So unfortunately, security's often an afterthought, right, just like, kind of those things that support availability—probably going to get a little bit better ranking because it's going to support your customers and employees, so you're going to get budget and headcount to support that. Security, usually in the pecking order, is below that, right, which is unfortunate because [laugh] there can be severe repercussions with that, such as privacy impacts, or data breach, right, lost revenue, all kinds of things. But yeah, typically, security has been undercut, right? You're always seeking headcount, you need more budget. So, security teams tend to look to delegate security process out, right? So, you kind of see a lot of DevOps programs, like, can we empower engineers to run some of these processes and tooling, and then security, kind of, becomes the overseer. So, we see a lot of that where can we kind of have people satisfy some of these pieces.
But then with respect to, like, security budgets, it is often security tools consolidation because a lot of organizations tend to have a lot of things, right? So, security leaders are looking to scale that back, right, so they can work more effectively, but then also cut costs, which is definitely true these days in the current macroeconomic environment.
Corey: I'm curious as well, to see what your take is on the interplay between cost and security. And what I mean by that is, I did the numbers once, and if you were to go into an AWS native environment, ignore third-party vendors for a second, just configure all of the AWS security services in your account, so the way that best practices dictate that you should, you're pretty quickly going to end up in a scenario where the cost of that outweighs that of the data breach that you're ostensibly trying to prevent. So—
Michael: Yes.
Corey: It's an infinite money pit that you can just throw everything into. So, people care about security, but they also care about cost. Plus, let's be very direct here, you can spend all the money on security and still lose. How do companies think about that now?
Michael: A lot of leaders will struggle with, are we trying to be compliant or are we trying to be secure? Because those can be very different conversations and solutions to the problem. I mean, ideally, everybody would pursue that perfect model of security, right, enable all the things, but that's not necessarily cost-effective to do that. And so, most organizations and most security teams are going to prioritize their risks, right?
So, they'll start to carve out, maybe these are all our internet-facing applications, these are the business-critical ones, so we're going to allocate more security focus to them and security spend, so [maybe we will be turn up 00:13:20] more security services to protect those things and monitor them. Then [laugh], unfortunately, you can end up with a glut of maybe internal applications or non-critical things that just don't get that TLC from security, unfortunately, for security teams, but fortunate for attackers, those things become attack targets, right? So, they don't necessarily care how you've prioritized your controls or your risk. They're going to go for the low-hanging fruit. So, security teams have always struggled with that, but it's very true. Like, in a cloud environment like AWS, yeah, if you start turning everything up, be prepared for a very, very costly cloud expense bill.
Corey: Yeah, in my spare time, I'm working on a project that I was originally going to open-source, but I realized if I did it, it would cause nothing but pain and drama for everyone, of enabling a whole bunch of AWS misconfiguration options, given a set of arbitrary credentials, that just effectively try to get the high score on the bill. And it turned out that my early tests were way more successful than anticipated, and instead, I'm just basically treating it as a security vulnerability reporting exercise, just because people don't think about this in quite the same way. And again, it's not that these tools are necessarily overpriced; it's not that they aren't delivering value. It's that in many cases, it is unexpectedly expensive when they bill across dimensions that people are not aware of. And it's one of those everyone's aware of that trap the second time type of situations. It's a hard problem. And I don't know that there's a great way to answer it.
I don't think that AWS is doing anything untoward here; I don't think that they're being intentionally malicious around these things, but it's very vast, very complex, and nobody sees all of it.
Michael: Very good point, yes. Kind of, cloud complexity and ephemeral nature of cloud resources, but also the cost, right? Like, AWS isn't in the business of providing free service, right? Really, no cloud provider is. They are a business, right, so they want to make money on Cloud consumption. And it's interesting, I remember, like, the first time I started exploring Kubernetes, I did deploy clusters in cloud providers, so you can kind of tinker and see how these things work, right, and they give you some free credits, [a month of credit 00:15:30], to kind of work with this stuff. And, you know, if you spin up a [laugh] Kubernetes cluster with very bare bones, you're going to chew through that probably within a day, right? There's a lot of services in it. And that's even with defaults, which includes things like minimal, if anything, with respect to logging. Which is a problem, right, because then you're going to miss general troubleshooting events, but also actual security events. So, it's not necessarily something that AWS could solve for by turning everything up, right, because they are going to start giving away services. Although I'm starting to see some tide shifts with respect to cybersecurity. The Biden administration just released their cybersecurity strategy that talks about some of this, right? Like, should cloud providers start assuming more of the responsibility and accountability, potentially just turning up logging services? Like, why should those be additional cost to customers, right, because that's really critical to even support basic monitoring and security monitoring so you can report incidents and breaches.
Corey: When you look across what customers are doing, you have a different problem than I do.
I go in and I say, “Oh, I fixed the horrifying AWS bill.” And then I stop talking and I wait. Because if people [unintelligible 00:16:44] to that, “Ooh, that's a problem for us,” great. We're having a conversation.

If they don't, then there's no opportunity for my consulting over in that part of the world. I don't have to sit down and explain to people why their bill is too high or why they wouldn't want it to be; they intrinsically know and understand it, or they're honestly not fit to be in business if they can't make a strategic evaluation of whether or not their bill is too high for what they're doing. Security is very different, especially given how vast it is and how unbounded the problem space is, relatively speaking. You have to first educate customers in some ways before attempting to sell them something. How do you do that without, I guess, drifting into the world of FUD where, “Here are all the terrible things that could happen. The solution is to pay me.” Which in many cases is honest, but people have an aversion to it.

Michael: Yeah. So, that's how I feel [laugh] a lot of my days here at Sysdig. So, I do try to explain, kind of, these problems in general terms as opposed to just how Sysdig can help you solve for it. But you know, in reality, it is larger strategic challenges, right, there's not necessarily going to be one tool that's going to solve all your problems, the silver bullet, right, it's always true.
Yes, Sysdig has a platform that can address a lot of cloud security-type issues, like over-permissioning or telling you what are the actual exploitable workloads in your environment, but that's not necessarily going to help you with, you know, if you have a regulator breathing down your neck and wants to know about an incident, how do you actually relay that information to them, right?

It's really just going to help surface event data, stitch things together, that now you have to carry that over to that person or figure out within your organization who's handling that. So, there is kind of this larger piece of, you know, governance, risk and compliance, and security tooling helps inform a lot of that, but yeah, every organization, kind of, has to answer to [laugh] those authorities, often within their own organization, but it could also be government authorities.

Corey: Part of the challenge as well is that there's—part of it is tooling, absolutely, but an awful lot of it is a people problem where you have these companies in the security space talking about a variety of advanced threats, of deeply sophisticated attackers that are doing incredibly arcane stuff, and then you have the CEO yelling about what they're doing on a phone call in the airport lounge and their password—which is ‘kitty' by the way—is on a Post-It note on their laptop for everyone to see. It feels like it's one of those, get the basic stuff taken care of first, before going down the path to increasingly arcane attacks. There's an awful lot of vectors to wind up attacking an infrastructure, but so much of what we see from data breaches is simply people not securing S3 buckets, as a common example. It's one of those crawl, walk, run types of stories.
For what you do, is there a certain level of sophistication that companies need to get to before what you offer starts to bear fruit?

Michael: Very good question, right, and I'd start with… right, there's certainly an element of truth that we're lagging behind on some of the security basics, right, or good security hygiene. But it's not as simple as, like, well, you picked a bad password or you left the port exposed, you know? I think certainly security practitioners know this, I'd even put forth that a lot of engineers know it, particularly if they've been trained more recently. There's been a lot of work to promote security awareness, so we know that we should provide IDs and passwords of sufficient strength, don't expose things you shouldn't be doing. But what tends to happen is, like, as you build monitoring systems, they're just extremely complex and distributed.

Not to go down the weeds with app designs, with microservices architecture patterns, and containerized architectures, but that is what happens, right, because the days of building some heavyweight system in the confines of a data center in your organization, those things still do happen, but that's not typically how new systems are being architected. So, a lot of the old problems still linger, there's just many more instances of it and it's highly distributed. So it, kind of, the—the problem becomes very amplified very quickly.

Corey: That's, I think, on some level, part of the challenge. It's worse in some ways than even the monitoring and observability space where, “All right, we have 15 tools that we're using right now. Why should we talk to yours?” And the answer is often, “Because we want to be number 16.” It's one of those stories where it winds up just adding incremental cost. And by cost, I don't just mean money; I mean complexity on top of these things. So, you folks are, of course, sponsoring this episode, so the least I can do is ask you, where do you folks start and stop?
Sysdig: you do a lot of stuff. What's the sweet spot?

Michael: Yeah, I mean, there's a few, right, because it is a larger platform. So, I often talk in terms of full lifecycle security, right? And a lot of organizations will split their approaches. We'll talk about shift left, which is really, let's focus very heavily on secure design, let's test all the code and all the artifacts prior to delivering that thing, try to knock out all quality issues, right, for kind of that general IT, but also security problems, which really should be tracked as quality issues, but including those things like vulnerabilities and misconfigs. So, Sysdig absolutely provides that capability to satisfy that shift left approach.

And Sysdig also focuses very heavily on runtime security or the shield right side of the equation. And that's, you know, give me those capabilities that allow me to monitor all types of workloads, whether they're virtual machines, or containers, serverless abstractions like Fargate because I need to know what's going on everywhere. In the event that there is a potential security incident or breach, I need all that information so I can actually know what happened or report that to a regulatory authority.

And that's easier said than done, right? Because when you think about containerized environments, they are very ephemeral. A container might spin up and tear down within minutes, right, and if you're not thinking about your forensics and incident response processes, that data is going to be lost [unintelligible 00:23:10] [laugh]. You're kind of shooting yourself in the foot that way. So yeah, Sysdig kind of provides that platform to give you that full range of capabilities throughout the lifecycle.

Corey: I think that that is something that is not fully understood in a lot of cases.
I remember a very early Sysdig, I don't know if it was a demo or what exactly it was, I remember it was at the old Heavybit space in San Francisco, where they came out, it was, I believe, based on an open-source project and it was still taking the perspective, isn't this neat? It gives you really in-depth insight into almost a system-call level of what it is the system is doing. “Cool. So, what's the value proposition for this?”

It's like, “Well, step one, be an incredibly gifted engineer when it comes to systems internals.” It's like, “Okay, I'll be back in five years. What's step two?” It's like, “We'll figure it out then.” Now, the story has gone up the stack. It originally felt a little bit like it was a solution in search of a problem. Now, I think you have found that problem, you have clearly hit product-market fit. I see you folks in the wild in many of my customer engagements. You are doing something very right. But it was neat watching, like, it's almost for me, I turned around, took my eye off the ball for a few seconds and it went from, “We have no idea of what we're doing” to, “We know exactly what we're doing.” Nice work.

Michael: Yeah. Yeah. Thanks, Corey. Yeah, and there's quite a history with Sysdig in the open-source community. So, one of our co-founders, Loris Degioanni, was one of the creators of Wireshark, which some of your listeners may be familiar with.

So, Wireshark was a great network traffic inspection and observability tool. It certainly could be used by, you know, just engineers, but also security practitioners. So, I actually used it quite a bit in my days when I would do pen tests. So, a lot of that design philosophy carried over to the Sysdig open source. So, you're absolutely correct.

Sysdig open source is all about gathering that sys-call data on what is happening at that low level. But it's just one piece of the puzzle, exactly as you described.
The other big piece of open-source that Sysdig does provide is Falco, which is kind of a threat detection and response engine that can act on all of those signals to tell you, well, what is actually happening, is this potentially a malicious event? Is somebody trying to compromise the container runtime? Are they trying to launch a suspicious process? So that those pieces are there under the hood, right, and then Sysdig Secure is, kind of, the larger platform of capabilities that provide a lot of the workflow, nice visualizations, all those things you kind of need to operate at scale when you're supporting your systems and security.

Corey: One thing that I do find somewhat interesting is there's always an evolution as companies wind up stumbling through the product lifecycle, where originally it starts off as we have an idea around one specific thing. And that's great. And for you folks, it feels like it was security. Then it started changing a little bit, where okay, now we're going to start doing different things. And I am very happy with the fact right now that when I look at your site, you have two offerings and not two dozen, like a number of other companies tend to. You do Sysdig Secure, which is around the security side of the world, and Sysdig Monitor, which is around the observability side of the world. How did that come to be?

Michael: Yeah, it's a really good point, right, and it's kind of in the vendor space [laugh], there's also, like, chasing the acronyms. And [audio break 00:26:41] full disclosure, we are guilty of that at times, right, because sometimes practitioners and buyers seek those things. So, you have to kind of say, yeah, we checked that box for CSPM or CWPP. But yeah, it's kind of talking more generally to organizations and how they operate their businesses, like, that's more well-known constructs, right? I need to monitor this thing or I need to get some security.
So, lumping into those buckets helps that way, right, and then you turn on those capabilities you need to support your environment, right?

Because you might not be going full-bore into a containerized environment, and maybe you're focusing specifically on the runtime pieces and you're going to, kind of, circle back on security testing in your build pipeline. So, you're only going to use some of those features at the moment. So, it is kind of that platform approach to addressing that problem.

Corey: Oh, I would agree. I think that one of the challenges I still have around the observability space—which let's remind people, is hipster monitoring; I don't care what other people say. That's what it is—is that it is depressingly tied to a bunch of other things. To this day, the only place to get a holistic view of everything in your AWS account in every region is the bill. That somehow has become an observability tool. And that's ridiculous.

On the other side of it, I have had several engagements that inadvertently went from, “We're going to help optimize your cost,” to, “Yay. We found security incidents.” I don't love a lot of these crossover episodes we wind up seeing, but it is the nature of reality where security, observability, and yes, costs all seem to tie together to some sort of unholy triumvirate. So, I guess the big question is when does Sysdig launch a cost product?

Michael: Well, we do have one [laugh], specifically for—

Corey: [laugh]. Oh, events once again outpace me.

Michael: [laugh]. But yeah, I mean, you touched on this a few times in our discussion today, right? There's heavy intersections, right, and the telemetry you need to gather, right, or the log data you need to gather to inform monitoring use cases or security use cases, a lot of the times that telemetry is the same set of data, it's just you're using it for different purposes.
So, we actually see this quite commonly where Sysdig customers might pursue Monitor or Secure, and then they actually find that there's a lot of value-add to look at the other pieces.

And it goes both ways, right? They might start with the security use cases and then they find, well, we've over-allocated on our container environments and we're over-provisioning in Kubernetes resources, so all right, that's cool. We can actually reduce costs that could help create more funding to secure more hosts or more workloads in an environment, right? So it's, kind of, show me the things I'm doing wrong on this side of the equation, whether that's general IT security problems and then benefit the other. And yeah, typically we find that because things are so complex, yeah, you're over-permissioning, you're over-allocating, it's just very common, right? Kubernetes, as amazing as it can be or is, it's really difficult to operate that in practice, right? Things can go off the rails very, very quickly.

Corey: I really want to thank you for taking time to speak about how you see the industry and the world. If people want to learn more, where's the best place for them to find you?

Michael: Yes, thanks, Corey. It's really been great to be here and talk with you about these topics. So, for me personally, you know, I try to visit LinkedIn pretty regularly. Probably not daily but, you know, at least once a week, so please, by all means, if you ever have questions, do contact me. I love talking about this stuff.

But then also on Sysdig, sysdig.com, I do author content on there. I speak regularly in all types of event formats. So yeah, you'll find me out there. I have a pretty unique last name. And yeah, that's kind of it. That's the, I'd say the main sources for me at the moment. Don't fall for the other Isbitski; that's actually my brother, who does work for AWS.

Corey: [laugh]. That's okay. There's no accounting for family, sometimes.

Michael: [laugh].

Corey: I kid, I kid.
Okay, great company. Great work. Thank you so much for your time. I appreciate it.

Michael: Thank you, Corey.

Corey: Mike Isbitski, Director of Cybersecurity Strategy at Sysdig. I'm Cloud Economist Corey Quinn and this has been a promoted guest episode brought to us by our friends at Sysdig. If you've enjoyed this podcast, please leave a five-star review on your podcast platform of choice, whereas if you've hated this podcast, please leave a five-star review on your podcast platform of choice along with an angry, insulting comment from your place, which is no doubt expensive, opaque, and insecure, hitting all three points of that triumvirate.

Corey: If your AWS bill keeps rising and your blood pressure is doing the same, then you need The Duckbill Group. We help companies fix their AWS bill by making it smaller and less horrifying. The Duckbill Group works for you, not AWS. We tailor recommendations to your business and we get to the point. Visit duckbillgroup.com to get started.
Dean's Chat host, Dr. Jeffrey Jensen, is joined by Dr. Eric Stamps, the Dean at the California School of Podiatric Medicine (CSPM) at Samuel Merritt University in Oakland, California. Dr. Stamps highlights his role as Dean at CSPM and his role (advancing the profession) serving in multiple capacities including Chair, American Association of Colleges of Podiatric Medicine (AACPM) and Chair, Accreditation Committee of the Council on Podiatric Medical Education (CPME). He also discusses his history as a technical writer prior to entering podiatric medicine. They discuss Dr. Stamps' journey in the field of podiatry, starting from his education at the California College of Podiatric Medicine in 1993 to becoming the Dean at the California School of Podiatric Medicine (CSPM) at Samuel Merritt University in Oakland, California. Dr. Stamps shares his professional interests in musculoskeletal imaging and diabetic foot problem prevention. Tune in to learn more about Dr. Stamps' impressive career in podiatric medicine. Dr. Stamps reveals a hidden desire to be a stand-up comedian, which he never pursued as a career. However, he found a way to incorporate humor into his lectures as a lecturer, making difficult subjects more entertaining for his students. While he acknowledges that his attempts at humor didn't always succeed, he made a consistent effort to create an engaging learning environment and pursue his commitment to making education enjoyable and accessible to his students. Dr. Jensen and Dr. Stamps talk about how Dr. Stamps' leadership style revolves around prioritizing students. He believes in making challenging subjects more entertaining and fosters a student-first environment by involving his leadership team. Collaboration is highly valued, and the opinions and input of colleagues are sought after. He actively encourages diverse perspectives and welcomes criticism, avoiding a team of "yes" people. 
His leadership style is not dictatorial, and he strives to make decisions based on the input he receives. Overall, the dean's collaborative leadership style focuses on creating a student-first climate by involving his team and valuing their opinions. Dr. Stamps credits his mentors for playing a significant role in his transition from being an associate dean to becoming the dean. One of his mentors, Dr. John Benson, who served as the dean from 2008 to 2017, had a profound impact on his career. When Dr. Benson retired, the guest speaker was asked to be the interim dean in 2017, and although he initially hesitated, he eventually accepted the position. With the guidance and mentorship of Dr. Benson, he was able to grow and develop the necessary skills to take on the role of dean. Dr. Stamps highlights how mentors played a crucial role in his professional development, helping him navigate the transition from being an associate dean to becoming the dean. Their guidance and support enabled him to acquire the necessary skills and confidence to assume a leadership role. https://www.samuelmerritt.edu/doctor-podiatric-medicine https://aacpm.org/ Dean's Chat Website Dean's Chat Episodes Dean's Chat Blog Why Podiatric Medicine? Become a Podiatric Physician
Andrew Krug from Datadog

In this episode, Andrew Krug talks about Datadog as a security observability tool, shedding light on some of its applications as well as its benefits to engineers. Andrew is the lead in Datadog Security Advocacy and Datadog Security Labs. Also a Cloud Security consultant, he started the Threat Response Project, a toolkit for Amazon Web Services first responders. Andrew has also spoken at Black Hat USA, DEFCON, re:Invent, and other platforms.

Datadog Product Overview

Datadog is focused on bringing security to engineering teams, not just security people. One of the biggest advantages of Datadog or other vendors is how they ingest and normalize various log sources. It can be very challenging to maintain a reasonable data structure for logs ingested from cloud providers. Vendors try to provide customers with enough signals that they feel they are getting value while trying not to flood them with unactionable alerts. Also, the cloud friendliness of the stack is crucial for clients evaluating a new product. Datadog is active in the open-source community and gives back to groups like the Cloud Native Computing Foundation. One of its popular open-source security tools is Stratus Red Team, which simulates attacker techniques in a clean-room environment. The criticality of findings is becoming a major topic. When evaluating findings, criticality needs to be based on how much risk applies to the business and what can be done about it. One thing high-maturity DevOps teams struggle with is trying to automate incident handling or response to critical alerts, as this can cause configuration drift, which is why there is a lot of hesitation to fully automate things. Having someone to make hard choices is at the heart of incident handling processes. Datadog Cloud SIEM was created to help customers who were already sending their logs to Datadog.

Datadog Cloud SIEM is also designed so that the UI is simple enough to use without being a security expert. It is quite difficult to deploy a SIEM on completely unstructured logs, hence being able to extract and normalize data to a set of security attributes is highly beneficial. Interestingly, the typical boring hygiene issues that are easy to detect still cause major problems for very large companies. This is where posture management comes in, to address issues in time and prevent large breaches. Generally, Datadog is inclined towards moving these detections closer to the data they are securing, and examining the application runtime in real time to verify that there are no issues. Datadog's CSPM, which evaluates IAM policies, helps with IAM challenges. For engineering teams, the benefit is seen in how information surfaces in areas where they normally look, especially with Datadog Security products where issues are sorted in order of importance. Security Observability Day is coming up on the 18th of April, when Datadog products will be highlighted; the link to sign up is available on the Datadog Twitter page and Datadog community Slack. To find out more, reach out to Andrew on Twitter @andrewkrug and on the Datadog Security Labs website.
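The two points above, normalizing different log sources onto one set of security attributes, and then catching the "boring" hygiene problems on top of that normalized data, can be shown end to end in a few dozen lines. The block below is an added example written for this page; it is not Datadog's pipeline, SIEM or CSPM code. The attribute names (`actor`, `actor_type`, `action`, `source_ip`, `mfa_used`) are an assumed schema, the two sample log sources (a CloudTrail-style JSON record and an `sshd` syslog line) are constructed, and the three detection rules are illustrative, not any vendor's rule set.

```python
"""Added example (not Datadog code): map two log shapes onto one attribute
schema, then run simple hygiene detections over the normalized events."""
import json
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class SecurityEvent:
    """Assumed common schema every source is normalized onto."""
    source: str               # which log source, e.g. "cloudtrail" or "sshd"
    actor: str                # principal that acted
    actor_type: str           # "root", "iam_user", "os_user", ...
    action: str               # normalized event name / verb
    source_ip: str
    mfa_used: Optional[bool]  # None when the source carries no MFA signal


def normalize_cloudtrail(line: str) -> SecurityEvent:
    """CloudTrail records carry identity type and, for logins, an MFAUsed flag."""
    rec = json.loads(line)
    ident = rec.get("userIdentity", {})
    ident_type = ident.get("type", "unknown")
    mfa_raw = rec.get("additionalEventData", {}).get("MFAUsed")
    return SecurityEvent(
        source="cloudtrail",
        actor=ident.get("arn") or ident.get("userName") or "unknown",
        actor_type={"Root": "root", "IAMUser": "iam_user"}.get(ident_type, ident_type.lower()),
        action=rec.get("eventName", "unknown"),
        source_ip=rec.get("sourceIPAddress", ""),
        mfa_used=None if mfa_raw is None else mfa_raw == "Yes",
    )


# Matches OpenSSH auth-result lines: "Accepted publickey for deploy from 198.51.100.9 ..."
_SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)


def normalize_sshd(line: str) -> Optional[SecurityEvent]:
    """Unstructured syslog: extract only what we can; skip lines we cannot parse."""
    m = _SSHD_RE.search(line)
    if not m:
        return None
    return SecurityEvent(
        source="sshd",
        actor=m["user"],
        actor_type="os_user",
        action=f"ssh_login_{m['result'].lower()}_{m['method']}",
        source_ip=m["ip"],
        mfa_used=None,  # sshd does not tell us; leave unknown rather than guess False
    )


def normalize(lines: Iterable[Tuple[str, str]]) -> List[SecurityEvent]:
    """Each input is (source_name, raw_line); unparseable lines are dropped."""
    out: List[SecurityEvent] = []
    for source, line in lines:
        ev = normalize_cloudtrail(line) if source == "cloudtrail" else normalize_sshd(line)
        if ev is not None:
            out.append(ev)
    return out


Finding = Tuple[str, str, str]  # (rule name, severity, actor)


def detect(events: Iterable[SecurityEvent]) -> List[Finding]:
    """Hygiene rules that only work because every source shares one schema."""
    findings: List[Finding] = []
    for ev in events:
        if ev.actor_type == "root":
            findings.append(("root_account_used", "critical", ev.actor))
        if ev.action == "ConsoleLogin" and ev.mfa_used is False:
            findings.append(("console_login_without_mfa", "high", ev.actor))
        if ev.action == "ssh_login_accepted_password":
            findings.append(("ssh_password_auth_accepted", "medium", ev.actor))
    return findings


# Constructed sample input (abbreviated, not real captures).
SAMPLE_LINES = [
    ("cloudtrail", json.dumps({
        "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.7",
        "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
        "additionalEventData": {"MFAUsed": "No"},
    })),
    ("cloudtrail", json.dumps({
        "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.8",
        "userIdentity": {"type": "IAMUser", "userName": "ci-reader"},
    })),
    ("sshd", "Mar 10 10:15:02 bastion sshd[1234]: Accepted publickey for deploy from 198.51.100.9 port 50022 ssh2"),
    ("sshd", "Mar 10 10:16:40 bastion sshd[1301]: Accepted password for ops from 198.51.100.23 port 50101 ssh2"),
    ("sshd", "Mar 10 10:16:41 bastion sshd[1301]: Connection closed by 198.51.100.23 port 50101"),
]

if __name__ == "__main__":
    for finding in detect(normalize(SAMPLE_LINES)):
        print(finding)
```

The point of keeping `mfa_used` as a three-valued field is the edge case the summary hints at: a source that says nothing about MFA must not be treated as "MFA was not used", or the rule fires on every non-login event. Running the block on the constructed input yields three findings: root usage and a console login without MFA from the same record, and one password-based SSH login.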
In this episode, host Raghu Nandakumara sits down with Stephen Coraggio and Greg Tkaczyk, Managing Partner and Executive Consultant at IBM Security, to discuss the business value of cybersecurity, defining your crown jewels, and overcoming “analysis paralysis” and other Zero Trust challenges.

--------

“Back in the day it was around protecting everything, encrypting everything, and really making sure that we scan everything in an environment. Now when we talk to clients, it's around how do we make sure that we are truly looking after the most important things in our environment, making sure that those are properly protected, [and] controlled.” - Stephen Coraggio

“You don't want to spend four months deciding what top five policies you want to enforce in a CSPM solution—Make those decisions quickly and reduce risk.” - Greg Tkaczyk

--------

Time Stamps
* 10:17 – Defining your “crown jewels”
* 13:09 – Overcoming “analysis paralysis”
* 22:35 – ZT as a framework: “It's a set of guiding principles”
* 30:30 – What comes next in cyber (a case for AI/automation)
* 34:10 – Using data to demonstrate ROI

--------

Sponsor
Assume breach, minimize impact, increase resilience ROI, and save millions in downtime costs — with Illumio, the Zero Trust Segmentation company. Learn more at illumio.com/

--------

Links
Connect with Stephen on LinkedIn
Connect with Greg on LinkedIn
Episode Summary

Chris Farris, Cloud Security Nerd at Turbot, joins Corey on Screaming in the Cloud to discuss the latest events in cloud security, which leads to an interesting analysis from Chris on how legal departments obscure valuable information that could lead to fewer security failures in the name of protecting company liability, and what the future of accountability for security failures looks like. Chris and Corey also discuss the newest dangers in cloud security and billing practices, and Chris describes his upcoming cloud security conference, fwd:cloudsec.

About Chris

Chris Farris has been in the IT field since 1994 primarily focused on Linux, networking, and security. For the last 8 years, he has focused on public-cloud and public-cloud security. He has built and evolved multiple cloud security programs for major media companies, focusing on enabling the broader security team's objectives of secure design, incident response and vulnerability management. He has developed cloud security standards and baselines to provide risk-based guidance to development and operations teams. As a practitioner, he's architected and implemented multiple serverless and traditional cloud applications focused on deployment, security, operations, and financial modeling.

Chris now does cloud security research for Turbot and evangelizes for the open source tool Steampipe. He is one of the organizers of the fwd:cloudsec conference (https://fwdcloudsec.org) and has given multiple presentations at AWS conferences and BSides events.

When not building things with AWS's building blocks, he enjoys building Legos with his kid and figuring out what interesting part of the globe to travel to next.
He opines on security and technology on Mastodon, Twitter and his website https://www.chrisfarris.com

Links Referenced:
Turbot: https://turbot.com/
fwd:cloudsec: https://fwdcloudsec.org/
Mastodon: https://infosec.exchange/@jcfarris
Personal website: https://chrisfarris.com

Transcript

Announcer: Hello, and welcome to Screaming in the Cloud with your host, Chief Cloud Economist at The Duckbill Group, Corey Quinn. This weekly show features conversations with people doing interesting work in the world of cloud, thoughtful commentary on the state of the technical world, and ridiculous titles for which Corey refuses to apologize. This is Screaming in the Cloud.

Corey: Welcome to Screaming in the Cloud. I'm Corey Quinn and we are here today to learn exciting things, steal exciting secrets, and make big trouble for Moose and Squirrel. Maybe that's the podcast; maybe that's the KGB, we're not entirely sure. But I am joined once again by Chris Farris, cloud security nerd at Turbot, which I will insist on pronouncing as ‘Turbo.' Chris, thanks for coming back.

Chris: Thanks for having me.

Corey: So, it's been a little while and it's been an uneventful time in cloud security with nothing particularly noteworthy happening, not a whole lot of things to point out, and honestly, we're just sort of scraping the bottom of the barrel for news… is what I wish I could say, but it isn't true. Instead, it's, “Oh, let's see what disastrous tire fire we have encountered this week.” What's top of mind for you as we record this?

Chris: I think the most interesting one I thought was, you know, going back and seeing the guilty plea from Nickolas Sharp, who formerly was an employee at Ubiquiti and apparently had, like, complete access to everything there and then ran amok with it.

Corey: Mm-hm.

Chris: The details that were buried at the time in the indictment, but came out in the press releases were he was leveraging root keys, he was leveraging lifecycle policies to suppress the CloudTrail logs.
And then of course, you know, just doing dumb things like exfiltrating all of this data from his home IP address, or exfiltrating it from his home through a VPN, which had accidentally dropped and then exposed his home IP address. Oops.

Corey: There's so much to dive into there because I am not in any way shape or form, saying that what he did was good, or I endorse any of those things. And yeah, I think he belongs in prison for what he did; let's be very clear on this. But I personally did not have a business relationship with him. I am, however, Ubiquiti's customer. And after—whether it was an insider threat or whether it was someone external breaching them, Krebs On Security wound up doing a whole write-up on this and was single-sourcing some stuff from the person who it turned out, did this.

And they made a lot of hay about this. They sued him at one point via some terrible law firm that's entire brand is suing media companies. And yeah, just wonderful, wonderful optics there and brilliant plan. But I don't care about the sourcing. I don't care about the exact accuracy of the reporting because what I'm seeing here is that what is not disputed is this person, who whether they were an employee or not was beside the point, deleted all of the audit logs and then as a customer of Ubiquiti, I received an email saying, “We have no indication or evidence that any customer data was misappropriated.” Yeah, you just turn off your logs and yeah, you could say that always and forever and save money on logging costs. [unintelligible 00:03:28] best practice just dropped, I guess. Clowns.

Chris: So, yeah. And there's definitely, like, compliance and standards and everything else that say you turn on your logs and you protect your logs, and service control policies should have been able to detect that. If they had a security operations center, you know, the fact that somebody was using root keys should have been setting off red flags and causing escalations to occur.
And that wasn't happening.

Corey: My business partner and I have access to our AWS org, and when I was setting this stuff up for what we do here, at a very small company, neither of us can log in with root credentials without alarms going off that alert the other. Not that I don't trust the man; let's be very clear here. We both own the company.

Chris: In business together. Yes.

Corey: Ri—exactly. It is, in many ways, like a marriage in that one of us can absolutely ruin the other without a whole lot of effort. But there's still the idea of separation of duties, visibility into what's going on, and we don't use root API keys. Let me further point out that we are not pushing anything that requires you to send data to us. We're not providing a service that is software powered to people, much less one that is built around security. So, how is it that I have a better security posture than Ubiquiti?

Chris: You understand AWS and in-depth cloud better. You know, it really comes down to how do you, as an AWS customer, understand all of the moving parts, all of the security tooling, all of the different ways that something can happen. And Amazon will say, “Well, it's in the documentation,” but you know, they have, what, 357 services? Are you reading the security pages of all of those? So, user education, I agree, you should have, and I have on all of my accounts, if anything pops up, if any IAM change happens, I'm getting text messages. Which is great if my account got compromised, but is really annoying when I'm actually making a change and my phone is blowing up.

Corey: Yeah. It's worth pointing out as well that yes, Ubiquiti is publicly traded—that is understood and accepted—however, 93% of it is owned by their CEO-founder god-king. So, it is effectively one person's personal fiefdom. And I tend to take a very dim view as a direct result. When you're in cloud and you have suffered a breach, you have severely screwed something up somewhere.
These breaches are never, “Someone stole a whole bunch of drives out of an AWS data center.” You have misconfigured something somewhere. And lashing out at people who reported on it is just a bad look.

Chris: Definitely. Only error—now, of course, part of the problem here is that our legal system encourages people to not come forward and say, “I screwed up. Here's how I screwed up. Everybody come learn from my mistakes.” The legal professions are also there to manage risk for the company and they're like, “Don't say anything. Don't say anything. Don't even tell the government. Don't say anything.”

Whereas we all need to learn from these errors. Which is why I think every time I do see a breach or I do see an indictment, I start diving into it to learn more. I did a blog post on some of the things that happened with Drizly and GitHub, and you know, I think the most interesting thing that came out of Drizly case was the ex-CEO of Drizly, who was CEO at the time of the breach, now has following him, for the rest of his life, an FTC order that says he must implement a security program wherever he goes and works. You know, I don't know what happens when he becomes a Starbucks barista or whatever, but that is on him. That is not on the company; that is on him.

And I do think that, you know, we will start seeing more and more chief executive officers, chief security or information security officers becoming accountable to—or for the breaches and being personally accountable or professionally accountable for it. I think we kind of need it, even though, you know, there's only so much a CISO can do.

Corey: One of the things that I did when I started consulting independently on AWS bills back in 2016 was, while I was looking at customer environments, I also would do a quick check for a few security baseline things. And I stopped doing it because I kept encountering a bunch of things that needed attention and it completely derailed the entire stated purpose of the engagement.
And, frankly, I don't want to be running a security consultancy. There's a reason I focus on AWS bills. And people think I'm kidding, but I swear to you I'm not, when I say that the reason is in part because no one has a middle-of-the-night billing emergency. It is strictly a business-hours problem. Whereas with security, wake up. In fact, the one time I have been woken up in the middle of the night by a customer phone call, they were freaking out because it was a security incident and their bill had just pegged through the stratosphere. It's, “Cool. Fix the security problem first, then we'll worry about the bill during business hours. Bye.” And then I stopped leaving my phone off of Do Not Disturb at night.
Chris: Your AWS bill is one of your indicators of compromise. Keep an eye on it.
Corey: Oh, absolutely. We've had multiple engagements discover security issues on that. “So, what are these instances in Australia doing?” “We don't have anything there.” “I believe you're being sincere when you say this.”
Chris: Yes.
Corey: However.
Chris: “Last month, you're at $1,000 and this month, you're at $50,000. And oh, by the way, it's the ninth, so you might want to go look at that.”
Corey: Here's the problem that you start seeing in large-scale companies though. You or I wind up posting our IAM credentials on GitHub somewhere in public—and I do this from time to time, intentionally with absolutely no permissions attached to a thing—and I start looking at the timeline of, “Okay 3, 2, 1, go,” with the push and now I start counting. What happens? At what time does the quarantine policy apply? When do I get an email alert? When do people start trying to exploit it? From where are they trying to exploit it? It's a really interesting thing to look into, just from the position of how this stuff all fits together and works.
And that's great, but there's a whole ‘nother piece to it where if you or I were to do such a thing and actually give it admin credentials, okay, my, I don't know, what, $50, $100 a month account that I use for a lot of my test stuff now starts getting charged enormous piles of money that winds up looking like a mortgage in San Francisco, I'm going to notice that. But if you have a company that is spending, I don't know, between ten and $20 million a month, do you have any idea how much Bitcoin you've got to be mining in that account to even make a slight dent in the overall trajectory of those accounts?
Chris: In the overall bill, a lot. And in a particularly mismanaged account, my experience is you will notice it if you're monitoring billing anomalies on a per-account basis. I think it's important to note, you talked about that quarantine policy. If you look at what actually Amazon drops a deny on, it's effectively start EC2 instances and change IAM policies. It doesn't prevent anybody from listing all your buckets and exfiltrating all your data. It doesn't prevent anybody from firing up Lambdas and other less commonly used resources. Don't assume oh, Amazon dropped the quarantine policy. I'm safe.
Corey: I was talking to somebody who spends $4 a month on S3 and they wound up suddenly getting $60 grand a day in Lambda charges, because max out the Lambda concurrency in every region and set it to mine crypto for 15 minutes apiece, yeah, you'll spend $60,000 a day to get, what, $500 in crypto. But it's super economical as long as it's in someone else's account. And then Amazon hits them with a straight face on these things, where, “Please pay the bill.” Which is horrifying when there's several orders of magnitude difference between your normal bill and what happens post-breach.
But when I did my whole post on “17 Ways to Run Containers on AWS,” followed by “17 More Ways to Run Containers on AWS,” and [unintelligible 00:12:00] about three services away from having a third one ready to go on that, the point is not, “Too many ways to run containers,” because yes, that is true and it's also amusing to me—less so to the containers team at AWS which does not have a sense of humor or sense of self-awareness of which they have been alerted—and fine, but every time you're running a container, it is a way to turn it into a crypto mining operation, in some way shape or form, which means there are almost 40-some-odd services now that can reasonably be used to spin up cryptocurrency mining. And that is the best-case breach scenario in a bunch of ways. It costs a bunch of money and things to clean up, but ‘we lost customer data.' That can destroy companies.
Chris: Here's the worst part. Crypto mining is no longer profitable even when I've got stolen API keys because bitcoin's in the toilet. So, now they are going after different things. Actually, the most recent one is they look to see if your account is out of the SES sandbox and if so, they go back to the tried-and-true way of doing internet scams, which is email spam.
Corey: For me, having worked in operations for a very long time, I've been in situations where I worked at Expensify and had access to customer data there. I have worked in other finance companies—I worked at Blackrock. Where I work now, I have access to customer billing data. And let me be serious here for a second, I take all of these things seriously, but I also in all of those roles slept pretty well at night. The one that kept me up was a brief stint I did as the Director of Tech Ops at Grindr over ten years ago because unlike the stuff where I'm spending the rest of my career and my time now, it's not just money anymore. Whereas today, if I get popped, someone can get access to what a bunch of companies are paying AWS.
It's scandalous, and I will be sued into oblivion and my company will not exist anymore and I will have a cloud hanging over my head forever. So, I have to be serious about it—
Chris: But nobody will die.
Corey: Nobody dies. Whereas, “Oh, this person is on Grindr and they're not out publicly,” or they live in a jurisdiction where that is punishable by imprisonment or death, you have blood on your hands, on some level, and I have never wanted that kind of responsibility.
Chris: Yeah. It's reasonably scary. I've always been happy to say that, you know, the worst thing that I had to do was keep the Russians off CNN and my friends from downloading Rick and Morty.
Corey: Exactly. It's, “Oh, heavens, you're winding up costing some giant conglomerate somewhere theoretical money on streaming subscriptions.” It's not material to the state of the world. And part of it, too, is—what's always informed my approach to things is, I'm not a data hoarder in the way that it seems our entire industry is. For the Last Week in AWS newsletter, the data that I collect and track is pretty freaking small. It's, “You want to sign up for the lastweekinaws.com newsletter. Great, I need your email address.” I don't need your name, I don't need the company you work at. You want to give me a tagged email address? Fine. You want to give me some special address that goes through some anonymizing thing? Terrific. I need to know where I'm sending the newsletter. And then I run a query on that for metrics sometimes, which is this really sophisticated database query called a count. How many subscribers do I have at any given point because that matters to our sponsors. But can we get—you give us any demographic? No, I cannot. I can't. I have people who [unintelligible 00:15:43] follow up surveys sometimes and that's it.
Chris: And you're able to make money doing that.
You don't have to collect, okay, you know, Chris's zip code is this and Bob's zip code is that and Frank's zip code is the other thing.
Corey: Exactly.
Chris: Or job titles, or you know, our mother's maiden name or anything else like that.
Corey: I talk about what's going on in the world of AWS, so it sort of seems to me that if you're reading this stuff every week, either because of the humor or in spite of the humor, you probably are in a position where services and goods tied to that ecosystem would be well-received by you or one of the other 32,000 people who happen to be reading the newsletter or listening to the podcast or et cetera, et cetera, et cetera. It's an old-timey business model. It's okay, I want to wind up selling, I don't know, expensive wristwatches. Well, maybe I'll advertise in a magazine that caters to people who have an interest in wristwatches, or caters to a demographic that traditionally buys those wristwatches. And okay, we'll run an ad campaign and see if it works.
Chris: It's been traditional advertising, not the micro-targeting stuff. And you know, television was the same way back in the broadcast era, you know? You watched a particular show, people of that demographic who watched that particular show had certain advertisers they wanted.
Corey: That part of the challenge I've seen too, from sponsors of this show, for example, is they know it works, but they're trying to figure out how to do any form of attribution on this. And my answer—which sounds self-serving, but it's true—is, there's no effective way to do it because every time you try, like, “Enter this coupon code,” yeah, I assure you, some of these things wind up costing millions of dollars to deploy at large companies at scale and they provide value for doing it. No one's going to punch in a coupon code to get 10% off or something like that. Procurement is going to negotiate custom contracts and it's going to be brought up maybe by someone who heard the podcast ad.
Maybe it just sits in the back of their mind until they hear something and it just winds up contributing to a growing awareness of these things. You're never going to do attribution that works on things like that. People try sometimes to, “Oh, you'll get $25 in credit,” or, “We'll give you a free t-shirt if you fill out the form.” Yeah, but now you're biasing for people who find that a material motivator. When I'm debating what security suite I'm going to roll out at my enterprise I don't want a free t-shirt for that. In fact, if I get a free t-shirt and I wear that shirt from the vendor around the office while I'm trying to champion bringing that thing in, I look a little compromised.
Chris: Yeah. Yeah, I am—[laugh] I got no response to that [laugh].
Corey: No, no. I hear you. One thing I do want to talk about is the last time we spoke, you mentioned you were involved in getting fwd:cloudsec—a conference—off the ground. Like all good cloud security conferences, it's named after an email subject line. It is co-located with re:Inforce this year in Anaheim, California. Somewhat ominously enough, I used to live a block-and-a-half away from the venue. But I don't anymore and in fact, because nobody checks the global event list when they schedule these things, I will be on the other side of the world officiating a wedding the same day. So, yet again, I will not be at re:Inforce.
Chris: That is a shame because I think you would have made an excellent person to contribute to our call for papers and attend. So yes, fwd:cloudsec is deliberately actually named after a subject line because all of the other Amazon conferences seem to be that way. And we didn't want to be going backwards and thinking, you know, past tense. We were looking forward to our conference. Yeah, so we're effectively a vendor-neutral cloud security conference.
We liked the idea of being able to take the talks that Amazon PR would never allow on stage at re:Inforce and run with it.
Corey: I would question that. I do want to call that out because I gave a talk at re:Invent one year about a vulnerability I found and reported, with the help of two other people, Scott Piper and Brandon Sherman, to the AWS security team. And we were able to talk about that on stage with Zack Glick, who at the time, was one of basically God's own prototypes, working over in the AWS environment next to Dan [Erson 00:19:56]. Now, Dan remains the salt of the earth, and if he ever leaves basically just short the entire US economy. It's easier. He is amazing. I digress. The point being is that they were very open about talking about an awful lot of stuff that I would never have expected that they would be okay with.
Chris: And last year at re:Inforce, they had an excellent, excellent chalk talk—but it was a chalk talk, not recorded—on how ransomware attacks operate. And they actually, like, revealed some internal, very anonymized patterns of how attacks are working. So, they're starting to realize what we've been saying in the cloud security community for a while, which is, we need more legitimate threat intelligence. On the other hand, they don't want to call it threat intelligence because the word threat is threatening, and therefore, you know, we're going to just call it, you know, patterns or whatever. And our conference is, again, also multi-cloud, a concept that until recently, AWS, you know, didn't really want to acknowledge that there were other clouds and that people would use both of them [crosstalk 00:21:01]—
Corey: Multi-cloud security is a nightmare. It's just awful.
Chris: Yeah, I don't like multi-cloud, but I've come to realize that it is a thing.
That you will either start at a company that says, “We're AWS and we're uni-cloud,” and then next thing, you know, either some rogue developer out there has gone and spun up an Azure subscription or you acquire somebody who's in GCP, or heaven forbid, you have to go into some, you know, tinhorn dictator's jurisdiction and they require you to be on-prem or leverage Oracle Cloud or something. And suddenly, congratulations, you're now multi-cloud. So yes, our goal is really to be the things that aren't necessarily onstage or aren't all just, “It's great.” Even your talk was how great the incident response and vulnerability remediation process was.
Corey: How great my experience with it was at the time, to be clear. Because I also have gotten to a point where I am very aware that, in many cases when dealing with AWS, my reputation precedes me. So, when I wind up tweeting about a problem or opening a support case, I do not accept as a given that my experience is what everyone is going to experience. But a lot of the things they did made a lot of sense and I was frankly, impressed that they were willing to just talk about anything that they did internally. Because previously that had not been a thing that they did in open forums like that.
Chris: But you go back to the Glue incident where somebody found a bug and they literally went and went to every single CloudTrail event going back to the dawn of the service to validate that, okay, the only two times we ever saw this happen were between the two researchers' accounts who disclosed it. And so, kudos to them for that level of forward communication to their customers because yeah, I think we still haven't heard anything out of Azure for last year's—or a year-and-a-half ago's Wiz findings.
Corey: Well, they did do a broad blog post about this that they put out, which I thought, “Okay, that was great.
More of this please.” Because until they start talking about security issues and culture and the remediation thereof, I don't give a shit what they have to say about almost anything else because it all comes back to security. The only things I use Azure for, which admittedly has some great stuff; their computer vision API? Brilliant—but the things I use them for are things that I start from a premise of security is not important to that service. The thing I use it for on the soon-to-be-pivoted to Mastodon Twitter thread client that I built, it writes alt-text for images that are about to be put out publicly. Yeah, there's no security issue from that perspective. I am very hard-pressed to imagine a scenario in which that were not true.
Chris: I can come up with a couple, but you know—
Corey: It feels really contrived. And honestly, that's the thing that concerns me, too: the fact that I finally read, somewhat recently, an AWS white paper talking about—was it a white paper or was it blog post? I forget the exact media that it took. But it was about how they are seeing ransomware attacks on S3, which was huge because before that, I assumed it was something that was being made up by vendors to sell me something.
Chris: So, that was the chalk talk.
Corey: Yes.
Chris: They finally got the chalk talk from re:Inforce, they gave it again at re:Invent because it was so well received and now they have it as a blog post out there, so that, you know, it's not just for people who show up in the room, they can hear it; it's actually now documented out there. And so, kudos to the Amazon security team for really getting that sort of threat intelligence out there to the community.
Corey: Now, it's in writing, and that's something that I can cite as opposed to, “Well, I was at re:Invent and I heard—” Yeah, we saw the drink tab. We know what you might have thought you heard or saw at re:Invent.
Give us something we can take to the board.
Chris: There were a lot of us on that bar tab, so it's not all you.
Corey: Exactly. And it was my pleasure to do it, to be clear. But getting back to fwd:cloudsec, I'm going to do you a favor. Whether it's an actual favor or the word favor belongs in quotes, the way that I submit CFPs, or conference talks, is optimized because I don't want to build a talk that is never going to get picked up. Why bother to go through all the work until I have to give it somewhere? So, I start with a catchy title and then three to five sentences. And if people accept it, great, then I get to build the talk. This is a forcing function in some ways because if you get a little delayed, they will not move the conference for you. I've checked. But the title of a talk that I think someone should submit for fwd:cloudsec is, “I Am Smarter Than You, so Cloud Security is Easy.” And the format and the conceit of the talk is present it with sort of a stand-it-up-to-take-it-down level of approach where you are over-confident in the fact that you are smarter than everyone else and best practices don't apply to you and so much of this stuff is just security theater designed as a revenue extraction mechanism as opposed to something you should actually be doing. And talk about why none of these things matter because you use good security and you know, it's good because you came up with it and there's no way that you could come up with something that you couldn't break because you're smart. It says so right in the title and you're on stage and you have a microphone. They don't. Turn that into something. I feel like there's a great way to turn that in a bunch of different directions. I'd love to see someone give that talk.
Chris: I think Nickolas Sharp thought that too.
Corey: [laugh]. Exactly. In fact, that will be a great way to bring it back around at the end. And it's like, “And that's why I'm better at security than you are.
If you have any questions beyond this, you can reach me at whatever correctional institute I go in on Thursday.” Exactly. There's ways to make it fun and engaging. Because from my perspective, talks have to be entertaining or people don't pay attention.
Chris: They're either entertaining, or they're so new and advanced. We're definitely an advanced cloud security practice thing. They were 500 levels. Not to brag or anything, but you know, you want the two to 300-level stuff, you can go CCJ up the street. We're hitting and going above and beyond what a lot of the [unintelligible 00:27:18]—
Corey: I am not as advanced on that path as you are; I want to be very clear on this. You speak, I listen. You're one of those people when it comes to security. Because again, no one's life is hanging in the balance with respect to what I do. I am confident in our security posture here, but nothing's perfect. Everything is exploitable, on some level. It's also not my core area of focus. It is yours. And if you are not better than I am at this, then I have done something sort of strange, or so of you, in the same way that it is a near certainty—but not absolute—that I am better at optimizing AWS bills than you are. Specialists exist for a reason and to discount that expertise is the peak of hubris. Put that in your talk.
Chris: Yeah. So, one talk I really want to see, and I've been threatening to give it for a while, is okay, if there's seventeen ways—or sorry, seventeen times two, soon to be seventeen times three ways to run containers in AWS, there's that many ways to exfiltrate credentials from those containers. What are all of those things? Do we have a holistic way of understanding, this is how credentials can be exfiltrated so that we then as defenders can go figure out, okay, how do we build detections and mitigations for this?
Corey: Yeah. I'm a huge fan of Canarytokens myself, for that exact purpose.
There are many devices I have where the only credentials in plain text on disk are things that as soon as they get used, I wind up with a bunch of things screaming at me that there's been a problem and telling me where it is. I'm not saying that my posture is impenetrable. Far from it. But you're going to have to work for it a little bit harder than running some random off-the-shelf security scanner against my AWS account and finding, oops, I forgot to turn on a bucket protection.
Chris: And the other area that I think is getting really interesting is, all of the things that have credentials into your Cloud account, whether it's something like CircleCI or GitHub. I was having a conversation with somebody just this morning and we were talking about Roles Anywhere, and I was like, “Roles Anywhere is great if you've got a good strong PKI solution and can keep that private certificate or that certificate you need safe.” If you just put it on a disk, like, you would have put your AKIA and secret on a desk, congratulations, you haven't really improved security. You've just gotten rid of the IAM users that are being flagged in your CSPM tool, and congratulations, you have, in fact, achieved security theater.
Corey: It's obnoxious, on some level. And part of the problem is cost and security are aligned and that people care about them right after they really should have cared about them. The difference is you can beg, cry, whine, et cetera to AWS for concessions, you can raise another round of funding; there are solutions with money. But security? That ship has already sailed.
Chris: Yeah. Once the data is out, the data is out. Now, I will say on the bill, you get reminded of it every month, about three or four days after. It's like, “Oh. Crap, yeah, I should have turned off that EC2 instance. I just burned $100.” Or, “Oh hey, we didn't turn off that application. I just burned $100,000.” That doesn't happen on security.
Security events tend to be few and far between; they're just much bigger when they happen.
Corey: I really want to thank you for taking the time to chat with me. I'm sure I'll have you back on between now and re:Inforce slash fwd:cloudsec or anything else we come up with that resembles an email subject line. If people want to learn more and follow along with your adventures—as they should—where's the best place for them to find you these days?
Chris: So, I am now pretty much living on Mastodon on the InfoSec Exchange. And my website, chrisfarris.com is where you can find the link to that because it's not just at, you know, whatever. You have to give the whole big long URL in Mastodon. It's no longer—
Corey: Yeah. It's like a full-on email address with weird domains.
Chris: Exactly, yeah. So, find me at http colon slash slash infosec dot exchange slash at jcfarris. Or just hit Chris Farris and follow the links. For fwd:cloudsec, we are conveniently located at fwdcloudsec.org, which is F-W-D cloud sec dot org. No colons because I don't think those are valid in whois.
Corey: Excellent choice. And of course, links to that go in the [show notes 00:31:32], so click the button. It's easier. Thanks again for your time. I really appreciate it.
Chris: Thank you.
Corey: Chris Farris, Cloud Security Nerd at Turbot slash Turbo. I'm Cloud Economist Corey Quinn and this is Screaming in the Cloud. If you've enjoyed this podcast, please leave a five-star review on your podcast platform of choice, whereas if you've hated this podcast, please leave a five-star review on your podcast platform of choice, along with an angry comment that resembles a lawsuit being filed, and then have it process-served to me because presumably, you work at Ubiquiti.
Corey: If your AWS bill keeps rising and your blood pressure is doing the same, then you need The Duckbill Group. We help companies fix their AWS bill by making it smaller and less horrifying. The Duckbill Group works for you, not AWS.
We tailor recommendations to your business and we get to the point. Visit duckbillgroup.com to get started.
In this episode, we talk about application security with guest Tanya Janca. Hear our discussion on the tension between authentication and authorization, the prevalence of API security flaws, the upcoming open comment period for the new version of the OWASP Top Ten, and the inadequacy of API security measures. We also discussed the importance of designing an effective security program for different industry companies, the differences between CSPM and CASB, the use of tools, and the importance of keeping up with updates. Read the associated short blog on Application Security: https://www.horangi.com/blog/exploring-the-challenges-of-application-security - About Horangi Cybersecurity -- More information about the Ask A CISO podcast: https://www.horangi.com/resources/ask-a-ciso-podcast About Horangi Cyber Security: https://www.horangi.com - About the Guest -- Tanya's LinkedIn: https://www.linkedin.com/in/tanya-janca/ SheHacksPurple: https://shehackspurple.ca/ - Get Tanya's book here -- https://a.co/d/cY33RL0
Ever watched TV and seen an expert witness? Me too. This is one reason I am so excited about Dr. Kimberly Davis. She frequently serves as an expert witness and as a medical consultant. Dr. Davis earned her medical degree from the USC-Keck School of Medicine and completed her internship in Internal Medicine in Baltimore. She completed her residency in Physical Medicine & Rehabilitation at UTSW-Dallas. Dr. Davis served as the Palomar Hospital Acute Rehabilitation Unit's Medical Director and the Associate Medical Director for Encompass Rehabilitation Hospital. She is also the President-elect for CSPM&R, a professional organization dedicated to advancing physical medicine and rehabilitation. Dr. Davis founded the Dancing Doctoras, an organization that promotes wellness through dance and movement. --- Send in a voice message: https://anchor.fm/urcaringdocs/message
On this episode, we had the opportunity to speak to Tyler Young, the CISO at BigID, a leading modern data security vendor that helps organizations with their data security, privacy, compliance, and governance. Find out what key lessons Tyler learned as a newly-appointed CISO, how you can protect your data, and what he, as a CISO, thinks is the best way to implement and communicate security needs to various departments and people in an organization. You'll also learn more about Data Security Posture Management or DSPM and how and why Identity Management is closely tied to Data Security. Read the associated blog: Understanding DSPM & CSPM for Optimal Data Security here: https://www.horangi.com/blog/understanding-dspm--cspm-for-optimal-data-security - About Horangi Cybersecurity -- More information about the Ask A CISO podcast: https://www.horangi.com/resources/ask-a-ciso-podcast About Horangi Cyber Security: https://www.horangi.com - About the Guest -- Tyler's LinkedIn: https://www.linkedin.com/in/tyler-young-07841085/
About Chris
Chris Farris has been in the IT field since 1994 primarily focused on Linux, networking, and security. For the last 8 years, he has focused on public-cloud and public-cloud security. He has built and evolved multiple cloud security programs for major media companies, focusing on enabling the broader security team's objectives of secure design, incident response and vulnerability management. He has developed cloud security standards and baselines to provide risk-based guidance to development and operations teams. As a practitioner, he's architected and implemented multiple serverless and traditional cloud applications focused on deployment, security, operations, and financial modeling. Chris now does cloud security research for Turbot and evangelizes for the open source tool Steampipe. He is one of the organizers of the fwd:cloudsec conference (https://fwdcloudsec.org) and has given multiple presentations at AWS conferences and BSides events. When not building things with AWS's building blocks, he enjoys building Legos with his kid and figuring out what interesting part of the globe to travel to next. He opines on security and technology on Twitter and his website https://www.chrisfarris.com
Links Referenced:
Turbot: https://turbot.com/
fwd:cloudsec: https://fwdcloudsec.org/
Steampipe: https://steampipe.io/
Steampipe blog: https://steampipe.io/blog
Transcript
Announcer: Hello, and welcome to Screaming in the Cloud with your host, Chief Cloud Economist at The Duckbill Group, Corey Quinn. This weekly show features conversations with people doing interesting work in the world of cloud, thoughtful commentary on the state of the technical world, and ridiculous titles for which Corey refuses to apologize. This is Screaming in the Cloud.
Corey: Tailscale SSH is a new, and arguably better way to SSH. Once you've enabled Tailscale SSH on your server and user devices, Tailscale takes care of the rest.
So you don't need to manage, rotate, or distribute new SSH keys every time someone on your team leaves. Pretty cool, right? Tailscale gives each device in your network a node key to connect to your VPN, and uses that same key for SSH authorization and encryption. So basically you're SSHing the same way that you're already managing your network. So what's the benefit? Well, built-in key rotation, the ability to manage permissions as code, connectivity between any two devices, and reduced latency. You can even ask users to re-authenticate SSH connections for that extra bit of security to keep the compliance folks happy. Try Tailscale now - it's free forever for personal use.
Corey: This episode is sponsored by our friends at Logicworks. Getting to the cloud is challenging enough for many places, especially maintaining security, resiliency, cost control, agility, etc, etc, etc. Things break, configurations drift, technology advances, and organizations, frankly, need to evolve. How can you get to the cloud faster and ensure you have the right team in place to maintain success over time? Day 2 matters. Work with a partner who gets it - Logicworks combines the cloud expertise and platform automation to customize solutions to meet your unique requirements. Get started by chatting with a cloud specialist today at snark.cloud/logicworks. That's snark.cloud/logicworks
Corey: Welcome to Screaming in the Cloud. I'm Corey Quinn. My guest today is someone that I have been meaning to invite slash drag onto this show for a number of years. We first met at re:Inforce the first year that they had such a thing, Amazon's security conference for cloud, as is Amazon's tradition, named after an email subject line. Chris Farris is a cloud security nerd at Turbot. He's also one of the organizers for fwd:cloudsec, another security conference named after an email subject line with a lot more self-awareness than any of Amazon's stuff.
Chris, thank you for joining me.
Chris: Oh, thank you for dragging me on. You can let go of my hair now.
Corey: Wonderful, wonderful. That's why we're all having the thinning hair going on. People just use it to drag us to and fro, it seems. So, you've been doing something that I'm only going to describe as weird lately because your background—not that dissimilar from mine—is as a practitioner. You've been heavily involved in the security space for a while and lately, I keep seeing an awful lot of things with your name on them getting sucked up by the giant app surveillance apparatus deployed to the internet, looking for basically any mention of AWS that I wind up using to write my newsletter and feed the content grist mill every year. What are you doing and how'd you get there?
Chris: So, what am I doing right now is, I'm in marketing. It's kind of a, you know, “Oops, I'm sorry I did that.”
Corey: Oh, the running gag is, you work in DevRel; that means, “Oh, you're in marketing, but they're scared to tell you that.” You're self-aware.
Chris: Yeah.
Corey: Good for you.
Chris: I'm willing to address that I'm in marketing now. And I've been a cloud practitioner since probably 2014, cloud security since about 2017. And then just decided, the problem that we have in the cloud security community is a lot of us are just kind of sitting in a corner in our companies and solving problems for our companies, but we're not solving the problems at scale. So, I wanted a job that would allow me to reach a broader audience and help a broader audience. Where I see cloud security having—you know, or cloud in general falling down is Amazon makes it really hard for you to do your side of shared responsibility, and so we need to be out there helping customers understand what they need to be doing.
So, I am now at a company called Turbot and we're really trying to promote cloud security.Corey: One of the first promoted guest episodes of this show was David Boeke, your CTO, and one of the things that I regret is that I've sort of lost track of Turbot over the past few years because, yeah, one or two things might have been going on during that timeline as I look back at having kids in the middle of a pandemic and the deadly plague o'er land. And suddenly, every conversation takes place over Zoom, which is like, “Oh, good, it's like a happy hour only instead, now it's just like a conference call for work.” It's like, ‘Conference Calls: The Drinking Game' is never the great direction to go in. But it seems the world is recovering. We're going to be able to spend some time together at re:Invent by all accounts that I'm actively looking forward to.As of this recording, you're relatively new to Turbot, and I figured out that you were going there because, once again, content hits my filters. You wrote a fascinating blog post that hits on an interest of mine that I don't usually talk about much because it's off-putting to some folk, and these days, I don't want to get yelled at and more than I have to about the experience of traveling, I believe it was to an all-hands on the other side of the world.Chris: Yep. So, my first day on the job at Turbot, I was landing in Kuala Lumpur, Malaysia, having left the United States 24 hours—or was it 48? It's hard to tell when you go to the other side of the planet and the time zones have also shifted—and then having left my prior company day before that. But yeah, so Turbot about traditionally has an annual event where we all get together in person. We're a completely remote company, but once a year, we all get together in person in our integrate event.And so, that was my first day on the job. 
And then you know, it was basically two weeks of reasonably intense hackathons, building out a lot of stuff that hopefully will show up open-source shortly. And then yeah, meeting all of my coworkers. And that was nice.

Corey: You've always had a focus through all the time that I've known you and all the public content that you've put out there that has come across my desk that seems to center around security. It's sort of an area that I give a nod to more often than I would like, on some level, but that tends to be your bread and butter. Your focus seems to be almost overwhelmingly on I would call it AWS security. Is that fair to say or is that a mischaracterization of how you view it slash what you actually do? Because, again, we have these parasocial relationships with voices on the internet. And it's like, “Oh, yeah, I know all about that person.” Yeah, you've met them once and all you know other than that is what they put on Twitter.

Chris: You follow me on Twitter. Yeah, I would argue that yes, a lot of what I do is AWS-related security because in the past, a lot of what I've been responsible for is cloud security in AWS. But I've always worked for companies that were multi-cloud; it's just that 90% of everything was Amazon and so therefore 90% of my time, 90% of my problems, 90% of my risk was all in AWS. I've been trying to break out of that. I've been trying to understand the other clouds.

One of the nice aspects of this role and working on Steampipe is I am now experimenting with other clouds. The whole goal here is to be able to scale our ability as an industry and as security practitioners to support multiple clouds. Because whether we want to or not, we've got it. And so, even though 90% of my spend, 90% of my resources, 90% of my applications may be in AWS, that 10% that I'm ignoring is probably more than 10% of my risk, and we really do need to understand and support major clouds equally.

Corey: One post you had recently that I find myself in wholehearted agreement with is on the adoption of Tailscale in the enterprise. I use it for all of my personal nonsense and it is transformative. I like the idea of what that portends for a multi-cloud, or poly-cloud, or whatever the hell we're calling it this week, sort of architectures, where historically one of the biggest problems in getting two clouds to speak to one another and manage them in an intelligent way is the security models are different, the user identity stuff is different as well, and the network stuff has always been nightmarish. Well, with Tailscale, you don't have to worry about that in the same way at all. You can, more or less, ignore it, turn on host-based firewalls for everything and just allow Tailscale. And suddenly, okay, I don't really have to think about this in the same way.

Chris: Yeah. And you get the micro-segmentation out of it, too, which is really nice. I will agree that I had not looked at Tailscale until I was asked to look at Tailscale, and then it was just like, “Oh, I am completely redoing my home network on that.” But looking at it, it's going to scare some old-school network engineers, it's going to impact their livelihoods and that is going to make them very defensive. And so, what I wanted to do in that post was kind of address, as a practitioner, if I was looking at this with an enterprise lens, what are the concerns you would have on deploying Tailscale in your environment?

A lot of those were, you know, around user management. I think the big one that is—it's a new thing in enterprise security, but kind of this host profiling, which is hey, before I let your laptop on the network, I'm going to go make sure that you have antivirus and some kind of EDR, XDR, blah-DR agents so that you know we have a reasonable thing that you're not going to just go and drop [unintelligible 00:09:01] on the network and next thing you know, we're Maersk. Tailscale, that's going to be their biggest thing that they are going to have to figure out is how do they work with some of these enterprise concerns and things along those lines. But I think it's an excellent technology, it was super easy to set up. And the ability to fine-tune and microsegment is great.

Corey: Wildly so. They occasionally sponsor my nonsense. I have no earthly idea whether this episode is one of them because we have an editorial firewall—they're not paying me to set any of this stuff, like, “And this is brought to you by whatever.” Yeah, that's the sponsored ad part. This is just, I'm in love with the product.

One of the most annoying things about it to me is that I haven't found a reason to give them money yet because the free tier for my personal stuff is very comfortably sized and I don't have a traditional enterprise network or anything like that people would benefit from over here. For one area in cloud security that I think I have potentially been misunderstood around, so I want to take at least this opportunity to clear the air on it a little bit has been that, by all accounts, I've spent the last, mmm, few months or so just absolutely beating the crap out of Azure. Before I wind up adding a little nuance and context to that, I'd love to get your take on what, by all accounts, has been a pretty disastrous year-and-a-half for Azure security.

Chris: I think it's been a disastrous year-and-a-half for Azure security. Um—[laugh].

Corey: [laugh]. That was something of a leading question, wasn't it?

Chris: Yeah, no, I mean, it is.
And if you think, though, back, Microsoft's repeatedly had this ebb and flow of security disasters. You know, Code Red back in whatever the 2000s, NT 4.0 patching back in the '90s. So, I think we're just hitting one of those peaks again, or hopefully, we're hitting the peak and not [laugh] just starting the uptick. A lot of what Azure has built is stuff that they already had, commercial off-the-shelf software, they wrapped multi-tenancy around it, gave it a new SKU under the Azure name, and called it cloud. So, am I super-surprised that somebody figured out how to leverage a Jupyter notebook to find the back-end credentials to drop the firewall tables to go find the next guy over's Cosmos DB? No, I'm not.

Corey: I find their failures to be less egregious on a technical basis because let's face it, let's be very clear here, this stuff is hard. I am not pretending for even a slight second that I'm a better security engineer than the very capable, very competent people who work there. This stuff is incredibly hard. And I'm not—

Chris: And very well-funded people.

Corey: Oh, absolutely, yeah. They make more than I do, presumably. But it's one of those areas where I'm not sitting here trying to dunk on them, their work, their efforts, et cetera, and I don't do a good enough job of clarifying that. My problem is the complete radio silence coming out of Microsoft on this. If AWS had a series of issues like this, I'm hard-pressed to imagine a scenario where they would not have much more transparent communications, they might very well trot out a number of their execs to go on a tour to wind up talking about these things and what they're doing systemically to change it.

Because six of these in, it's like, okay, this is now a cultural problem. It's not one rando engineer wandering around the company screwing things up on a rotational basis. It's, what are you going to do? It's unlikely that firing Steven is going to be your fix for these things. So, that is part of it.

And then most recently, they wound up having a blog post on the MSRC, the Microsoft Security Resource Center is I believe that acronym? The [mrsth], whatever; and it sounds like a virus you pick up in a hospital—but the problem that I have with it is that they spent most of that being overly defensive and dunking on SOCRadar, the vulnerability researcher who found this and reported it to them. And they had all kinds of quibbles with how it was done, what they did with it, et cetera, et cetera. It's, “Excuse me, you're the ones that left customer data sitting out there in the Azure equivalent of an S3 bucket and you're calling other people out for basically doing your job for you? Excuse me?”

Chris: But it wasn't sensitive customer data. It was only the contract information, so therefore it was okay.

Corey: Yeah, if I put my contract information out there and try and claim it's not sensitive information, my clients will laugh and laugh as they sue me into the Stone Age.

Chris: Yeah well, clearly, you don't have the same level of clickthrough terms that Microsoft is able to negotiate because, you know, [laugh].

Corey: It's awful as well, it doesn't even work because, “Oh, it's okay, I lost some of your data, but that's okay because it wasn't particularly sensitive.” Isn't that kind of up to you?

Chris: Yes. And if A, I'm actually, you know, a big AWS shop and then I'm looking at Azure and I've got my negotiations in there and Amazon gets wind that I'm negotiating with Azure, that's not going to do well for me and my business. So no, this kind of material is incredibly sensitive. And that was an incredibly tone-deaf response on their part. But you know, to some extent, it was more of a response than we've seen from some of the other Azure multi-tenancy breakdowns.

Corey: Yeah, at least they actually said something. I mean, there is that. It's just—it's wild to me. And again, I say this as an Azure customer myself. Their computer vision API is basically just this side of magic, as best I can tell, and none of the other providers have anything like it.

That's what I want. But, you know, it almost feels like that service is under NDA because no one talks about it when they're using this service. I did a whole blog post singing its praises and no one from that team reached out to me to say, “Hey, glad you liked it.” Not that they owe me anything, but at the same time it's incredible. Why am I getting shut out? It's like, does this company just have an entire policy of not saying anything ever to anyone at any time? It seems it.

Chris: So, a long time ago, I came to this realization that even if you just look at the terminology of the three providers, Amazon has accounts. Why does Amazon have Amazon—or AWS accounts? Because they're a retail company and that's what you signed up with to buy your underwear. Google has projects because they were, I guess, a developer-first thing and that was how they thought about it is, “Oh, you're going to go build something. Here's your project.”

What does Microsoft have? Microsoft Azure Subscriptions. Because they are still about the corporate enterprise IT model of it's really about how much we're charging you, not really about what you're getting. So, given that you're not a big enterprise IT customer, you don't—I presume—do lots and lots of golfing at expensive golf resorts, you're probably not fitting their demographic.

Corey: You're absolutely not. And that's wild to me. And yet, here we are.

Chris: Now, what's scary is they are doing so many interesting things with artificial intelligence… that if… their multi-tenancy boundaries are as bad as we're starting to see, then what else is out there? And more and more, we as carbon-based life forms are relying on Microsoft and other cloud providers to build AI, that's kind of a scary thing.
Go watch Satya's keynote at Microsoft Ignite and he's showing you all sorts of ways that AI is going to start replacing the gig economy. You know, it's not just Tesla and self-driving cars at this point. DALL-E is going to replace the independent graphics designer.

They've got things coming out in their office suite that are going to replace the mom-and-pop marketing shops that are generating menus and doing marketing plans for your local restaurants or whatever. There's a whole slew of things where they're really trying to replace people.

Corey: That is a wild thing to me. And part of the problem I have in covering AWS is that I have to differentiate in a bunch of different ways between AWS and its Amazon corporate parent. And they have that problem, too, internally. Part of the challenge they have, in many cases, is that perks you give to employees have to scale to one-and-a-half million people, many of them in fulfillment center warehouse things. And that is a different type of problem than a company, like for example, Google, where most of their employees tend to be in office job-style environments.

That's a weird thing and I don't know how to even start conceptualizing things operating at that scale. Everything that they do is definitionally a very hard problem when you have to make it scale to that point. What all of the hyperscale cloud providers do is, from where I sit, complete freaking magic. The fact that it works as well as it does is nothing short of a modern-day miracle.

Chris: Yeah, and it is more than just throwing hardware at the problem, which was my on-prem solution to most of the things. “Oh, hey. We need higher availability? Okay, we're going to buy two of everything.” We called it the Noah's Ark model, and we have an A side and a B side.

And, “Oh, you know what? Just in case we're going to buy some extra capacity and put it in a different city so that, you know, we can just fail from our primary city to our secondary city.” That doesn't work at the cloud provider scale. And really, we haven't seen a major cloud outage—I mean, like, a bad one—in quite a while.

Corey: This episode is sponsored in part by Honeycomb. When production is running slow, it's hard to know where problems originate. Is it your application code, users, or the underlying systems? I've got five bucks on DNS, personally. Why scroll through endless dashboards while dealing with alert floods, going from tool to tool to tool that you employ, guessing at which puzzle pieces matter? Context switching and tool sprawl are slowly killing both your team and your business. You should care more about one of those than the other; which one is up to you. Drop the separate pillars and enter a world of getting one unified understanding of the one thing driving your business: production. With Honeycomb, you guess less and know more. Try it for free at honeycomb.io/screaminginthecloud. Observability: it's more than just hipster monitoring.

Corey: The outages are always fascinating, just from the way that they are reported in the mainstream media. And again, this is hard, I get it. I am not here to crap on journalists. They, for some ungodly, unknowable reason, have decided not to spend their entire career focusing on the nuances of one very specific, very deep industry. I don't know why.

But as [laugh] a result, they wind up getting a lot of their baseline facts wrong about these things. And that's fair. I'm not here to necessarily act as an Amazon spokesperson when these things happen. They have an awful lot of very well-paid people who can do that. But it is interesting just watching the blowback and the reaction of whenever there's an outage, the conversation is never “Does Amazon or Azure or Google suck?” It's, “Does cloud suck as a whole?”

That's part of the reason I care so much about Azure getting their act together. If it were just torpedoing Microsoft's reputation, then well, that's sad, but okay. But it extends far beyond that to a point where it's almost where the enterprise groundhog sees the shadow of a data breach and then we get six more years of data center build-outs instead of moving things to a cloud. I spent too many years working in data centers and I have the scars from the cage nuts and crimping patch cables frantically in the middle of the night to prove it. I am thrilled at the fact that I don't believe I will ever again have to frantically drive across town in the middle of the night to replace a hard drive before the rest of the array degrades. Cloud has solved those problems beautifully. I don't want to go back to the Dark Ages.

Chris: Yeah, and I think that there's a general potential that we could start seeing this big push towards going back on-prem for effectively sovereign data reasons, whether it's this country has said, “You cannot store your data about our citizens outside of our borders,” and either they're doing that because they do not trust the US Silicon Valley privacy or whatever, or because if it's outside of our borders, then our secret police agents can come knocking on the door at two in the morning to go find out what some dissidents' viewing habits might have been, I see sovereign cloud as this thing that may be a back step from this ubiquitous thing that we have right now in Amazon, Azure, and Google. And so, as we start getting to the point in the history books where we start seeing maps with lots of flags, I think we're going to start seeing a bifurcation of cloud as just a whole thing. We see it already right now.
The AWS China partition is not owned by Amazon, it is not run by Amazon, it is not controlled by Amazon. It is controlled by the communist government of China. And nobody is doing business in Russia right now, but if they had not done what they had done earlier this year, we might very well see somebody spinning up a cloud provider that is completely controlled by and in the Russian government.

Corey: Well, yes or no, but I want to challenge that assessment for a second because I've had conversations with a number of folks about this where people say, “Okay, great. Like, is the alt-right, for example, going to have better options now that there might be a cloud provider spinning up there?” Or, “Well, okay, what about a new cloud provider to challenge the dominance of the big three?” And there are all these edge cases, either geopolitically or politically based upo—or folks wanting to wind up approaching it from a particular angle, but if we were hired to build out an MVP of a hyperscale cloud provider, like, the budget for that MVP would look like one hundred billion at this point to get started and just get up to a point of critical mass before you could actually see if this thing has legs. And we'd probably burn through almost all of that before doing a single dime in revenue.

Chris: Right. And then you're doing that in small markets. Outside of the China partition, these are not massively large markets. I think Oracle is going down an interesting path with its idea of Dedicated Cloud and Oracle Alloy [unintelligible 00:22:52].

Corey: I like a lot of what Oracle's doing, and if younger me heard me say that, I don't know how hard I'd hit myself, but here we are. Their free tier for Oracle Cloud is amazing, their data transfer prices are great, and their entire approach of, “We'll build an entire feature complete region in your facility and charge you what, from what I can tell, is a very reasonable amount of money,” works. And it is feature complete, not, “Well, here are the three services that we're going to put in here and everything else is well… it's just sort of a toehold there so you can start migrating it into our big cloud.” No. They're doing it right from that perspective.

The biggest problem they've got is the word Oracle at the front end and their, I would say borderline addiction to big-E enterprise markets. I think the future of cloud looks a lot more like cloud-native companies being founded because those big enterprises are starting to describe themselves in similar terminology. And as we've seen in the developer ecosystem, as go startups, so do big companies a few years later. Walk around any big company that's undergoing a digital transformation, you'll see a lot more Macs on desktops, for example. You'll see CI/CD processes in place as opposed to, “Well, oh, you want something new, it's going to be eight weeks to get a server rack downstairs and accounting is going to have 18 pages of forms for you to fill out.” No, it's “click the button,” or—

Chris: Don't forget the six months of just getting the financial CapEx approvals.

Corey: Exactly.

Chris: You have to go through the finance thing before you even get to start talking to techies about when you get your server. I think Oracle is in an interesting place though because it is embracing the fact that it is number four, and so therefore, it's like we are going to work with AWS, we are going to work with Azure, our database can run in AWS or it can run in our cloud, we can interconnect directly, natively, seamlessly with Azure. If I were building a consumer-based thing and I was moving into one of these markets where one of these governments was demanding something like a sovereign cloud, Oracle is a great place to go and throw—okay, all of our front-end consumer whatever is all going to sit in AWS because that's what we do for all other countries. For this one country, we're just going to go and build this thing in Oracle and we're going to leverage Oracle Alloy or whatever, and now suddenly, okay, their data is in their country and it's subject to their laws but I don't have to re-architect to go into one of these, you know, little countries with tin horn dictators.

Corey: It's the way to do multi-cloud right, from my perspective. I'll use a component service in a different cloud, I'm under no illusions, though, in doing that I'm increasing my resiliency. I'm not removing single points of failure; I'm adding them. And I make that trade-off on a case-by-case basis, knowingly. But there is a case for some workloads—probably not yours if you're listening to this; assume not, but when you have more context, maybe so—where, okay, we need to be across multiple providers for a variety of strategic or contextual reasons for this workload.

That does not mean everything you build needs to be able to do that. It means you're going to make trade-offs for that workload, and understanding the boundaries of where that starts and where that stops is going to be important. That is not the worst idea in the world for a given appropriate workload, that you can optimize stuff into a container and then can run, more or less, anywhere that can take a container. But that is also not the majority of most people's workloads.

Chris: Yeah. And I think what that comes back to from the security practitioner standpoint is you have to support not just your primary cloud, your favorite cloud, the one you know, you have to support any cloud. And whether that's, you know, hey, congratulations.
Your developers want to use Tailscale because it bypasses a ton of complexity in getting these remote island VPCs from this recent acquisition integrated into your network or because you're going into a new market and you have to support Oracle Cloud in Saudi Arabia, then you as a practitioner have to kind of support any cloud.

And so, one of the reasons that I've joined and I'm working on, and so excited about Steampipe is it kind of does give you that. It is a uniform interface to not just AWS, Azure, and Google, but all sorts of clouds, whether it's GitHub or Oracle, or Tailscale. So, that's kind of the message I have for security practitioners at this point is, I tried, I fought, I screamed and yelled and ranted on Twitter, against, you know, doing multi-cloud, but at the end of the day, we were still multi-cloud.

Corey: When I see these things evolving, is that, yeah, as a practitioner, we're increasingly having to work across multiple providers, but not to a stupendous depth that's the intimidating thing that scares the hell out of people. I still remember my first time with the AWS console, being so overwhelmed with a number of services, and there were 12. Now, there are hundreds, and I still feel that same sense of being overwhelmed, but I also have the context now to realize that over half of all customer spend globally is on EC2. That's one service. Yes, you need, like, five more to get it to work, but okay.

And once you go through learning that to get started, and there's a lot of moving parts around it, like, “Oh, God, I have to do this for every service?” No, take Route 53—my favorite database, but most people use it as a DNS service—you can go start to finish on basically everything that service does that a human being is going to use in less than four hours, and then you're more or less ready to go. Everything is not the hairy beast that is EC2. And most of those services are not for you, whoever you are, whatever you do, most AWS services are not for you. Full stop.

Chris: Yes and no. I mean, as a security practitioner, you need to know what your developers are doing, and I've worked in large organizations with lots of things and I would joke that, oh, yeah, I'm sure we're using every service but the IoT, and then I go and I look at our bill, and I was like, “Oh, why are we dropping that much on IoT?” Oh, because they wanted to use the Managed MQTT service.

Corey: Ah, I start with the bill because the bill is the source of truth.

Chris: Yes, they wanted to use the Managed MQTT service. Okay, great. So, we're now in IoT. But how many of those things have resource policies, how many of those things can be made public, and how many of those things are your CSPM actually checking for and telling you that, hey, a developer has gone out somewhere and made this SageMaker notebook public, or this MQTT topic public. And so, that's where you know, you need to have that level of depth and then you've got to have that level of depth in each cloud. To some extent, if the cloud is just the core basic VMs, object storage, maybe some networking, and a managed relational database, super simple to understand what all you need to do to build a baseline to secure that. As soon as you start adding in on all of the fancy services that AWS has. I re—

Corey: Yeah, migrating your Step Functions workflow to other cloud is going to be a living goddamn nightmare. Migrating something that you stuffed into a container and run on EC2 or Fargate is probably going to be a lot simpler. But there are always nuances.

Chris: Yep. But the security profile of a Step Function is significantly different. So, you know, there's not much you can do there wrong, yet.

Corey: You say that now, but wait for their next security breach, and then we start calling them Stumble Functions instead.

Chris: Yeah. I say that. And the next thing, you know, we're going to have something like Lambda [unintelligible 00:30:31] show up and I'm just going to be able to put my Step Function on the internet unauthenticated. Because, you know, that's what Amazon does: they innovate, but they don't necessarily warn security practitioners ahead of their innovation that, hey, we're about to release this thing. You might want to prepare for it and adjust your baselines, or talk to your developers, or here's a service control policy that you can drop in place to, you know, like, suppress it for a little bit. No, it's like, “Hey, these things are there,” and by the time you see the tweets or read the documentation, you've got some developer who's put it in production somewhere. And then it becomes a lot more difficult for you as a security practitioner to put the brakes on it.

Corey: I really want to thank you for spending so much time talking to me. If people want to learn more and follow your exploits—as they should—where can they find you?

Chris: They can find me at steampipe.io/blog. That is where all of my latest rants, raves, research, and how-tos show up.

Corey: And we will, of course, put a link to that in the [show notes 00:31:37]. Thank you so much for being so generous with your time. I appreciate it.

Chris: Perfect, thank you. You have a good one.

Corey: Chris Farris, cloud security nerd at Turbot. I'm Cloud Economist Corey Quinn and this is Screaming in the Cloud. If you've enjoyed this podcast, please leave a five-star review on your podcast platform of choice, whereas if you've hated this podcast, please leave a five-star review on your podcast platform of choice along with an angry insulting comment, and be sure to mention exactly which Azure communications team you work on.

Corey: If your AWS bill keeps rising and your blood pressure is doing the same, then you need The Duckbill Group. We help companies fix their AWS bill by making it smaller and less horrifying. The Duckbill Group works for you, not AWS. We tailor recommendations to your business and we get to the point. Visit duckbillgroup.com to get started.

Announcer: This has been a HumblePod production. Stay humble.
Brandon Evans and fellow cloud security podcaster Ashish Rajan, host of the Cloud Security Podcast and Principal Cloud Security Advocate for Snyk, chat about developer-first security, multicloud abstraction layers, cybersecurity conferences, and the 5 Cs of cloud security products (CASB, CIEM, CNAPP, CSPM, and CWPP).

Our Guest - Ashish Rajan

Ashish Rajan is the host of the wildly popular Cloud Security Podcast, a CISO, CyberSecurity Influencer, a SANS Trainer for Cloud Security and an outspoken opinion leader on all things Cloud Security & DevSecOps. He is a frequent contributor on topics related to public cloud transformation, DevSecOps, Future Tech and the associated security challenges for practitioners and CISOs.

Follow Ashish: Twitter | LinkedIn | Web

Sponsor's Note: Support for Cloud Ace podcast comes from SANS Institute. If you like the topics covered in this podcast and would like to learn more about cloud security, SANS Cloud Security curriculum is here to support your journey into building, deploying, and managing secure cloud infrastructure, platforms, and applications. Whether you are on a technical flight plan, or a leadership one, SANS Cloud Security curriculum has resources, training, and certifications to fit your needs.

Focus on where the cloud is going, not where it is today. Your organization is going to need someone with hands-on technical experience and cloud security-specific knowledge. You will be prepared not only for your current role, but also for a cutting-edge future in cloud security.

Review and Download Cloud Security Resources: sans.org/cloud-security/

Join our growing and diverse community of cloud security professionals on your platform of choice: Discord | Twitter | LinkedIn | YouTube