POPULARITY
8 episodes with kelly shortridge
9 episodes with kelly shortridge
6 episodes with kelly shortridge
7 episodes with kelly shortridge
3 episodes with kelly shortridge
2 episodes with kelly shortridge
2 episodes with kelly shortridge
2 episodes with kelly shortridge
2 episodes with kelly shortridge
Users, threat actors, and the system design all influence—and are influenced by—one another. To design safer systems, we first need to understand the players who operate within those systems. Kelly Shortridge and Josiah Dykstra exemplify this human-centered approach in their work. In this episode we talk about:The vital role of human factors in cyber-resilience—how Josiah and Kelly apply a behavioral-economics mindset every day to design safer, more adaptable systems.Key cognitive biases that undermine incident response (like action bias and opportunity costs) and simple heuristics to counter them.The “sludge” strategy: deliberately introducing friction to attacker workflows to increase time, effort, and financial costs—as Kelly says, “disrupt their economics.”Why moving from a security culture of shame and blame to one of open learning and continuous improvement is essential for true cybersecurity resilience.Kelly Shortridge is VP, Security Products at Fastly, formerly VP of Product Management and Product Strategy at Capsule8. She is the author of Security Chaos Engineering: Sustaining Resilience in Software and Systems.Josiah Dykstra is the owner of Designer Security, human-centered security advocate, cybersecurity researcher, and former Director of Strategic Initiatives at Trail of Bits. He also worked at the NSA as Technical Director, Critical Networks and Systems. Josiah is the author of Cybersecurity Myths and Misconceptions: Avoiding the Hazards and Pitfalls that Derail Us.During this episode, we reference:Josiah Dykstra, Kelly Shortridge, Jamie Met, Douglas Hough, “Sludge for Good: Slowing and Imposing Costs on Cyber Attackers,” arXiv preprint arXiv:2211.16626 (2022).Josiah Dykstra, Kelly Shortridge, Jamie Met, Douglas Hough, “Opportunity Cost of Action Bias in Cybersecurity Incident Response,” Proceedings of the Human Factors and Ergonomics Society Annual Meeting, 66, Issue 1 (2022): 1116-1120.
Check out this interview from the ASW Vault, hand picked by main host Mike Shema! This segment was originally published on May 9, 2023. What does software resilience mean? Why is status quo application security unfit for the modern era of software? How can we move from security theater to security chaos engineering? This segment answers these questions and more. Segment Resources: Book -- https://securitychaoseng.com Blog -- https://kellyshortridge.com/blog/posts/ Show Notes: https://securityweekly.com/vault-asw-13
Check out this interview from the ASW Vault, hand picked by main host Mike Shema! This segment was originally published on May 9, 2023. What does software resilience mean? Why is status quo application security unfit for the modern era of software? How can we move from security theater to security chaos engineering? This segment answers these questions and more. Segment Resources: Book -- https://securitychaoseng.com Blog -- https://kellyshortridge.com/blog/posts/ Show Notes: https://securityweekly.com/vault-asw-13
Check out this interview from the ASW Vault, hand picked by main host Mike Shema! This segment was originally published on May 9, 2023. What does software resilience mean? Why is status quo application security unfit for the modern era of software? How can we move from security theater to security chaos engineering? This segment answers these questions and more. Segment Resources: Book -- https://securitychaoseng.com Blog -- https://kellyshortridge.com/blog/posts/ Show Notes: https://securityweekly.com/vault-asw-13
Check out this interview from the ASW Vault, hand picked by main host Mike Shema! This segment was originally published on May 9, 2023. What does software resilience mean? Why is status quo application security unfit for the modern era of software? How can we move from security theater to security chaos engineering? This segment answers these questions and more. Segment Resources: Book -- https://securitychaoseng.com Blog -- https://kellyshortridge.com/blog/posts/ Show Notes: https://securityweekly.com/vault-asw-13
At RSA Conference 2024, Kelly Shortridge, senior director of portfolio product management at Fastly, talks about the first steps organizations can take toward adopting a Secure by Design mindset and how businesses can approach the challenge of sustaining resilience in complex systems.
It's the most boring part of incident response. Skip it at your peril, however. In this interview, we'll talk to Joe Gross about why preparing for incident response is so important. There's SO MUCH to do, we'll spend some time breaking down the different tasks you need to complete long before an incident occurs. Resources 5 Best Practices for Building a Cyber Incident Response Plan This segment is sponsored by Graylog. Visit https://securityweekly.com/graylog to learn more about them! It's the week before RSA and the news is PACKED. Everyone is trying to get their RSA announcements out all at once. We've got announcements about funding, acquisitions, partnerships, new companies, new products, new features... To make things MORE challenging, everyone is also putting out their big annual reports, like Verizon's DBIR and Mandiant's M-Trends! Finally, we've got some great essays that are worth putting on your reading list, including a particularly fun take on the Verizon DBIR by Kelly Shortridge. Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw-360
It's the week before RSA and the news is PACKED. Everyone is trying to get their RSA announcements out all at once. We've got announcements about funding, acquisitions, partnerships, new companies, new products, new features... To make things MORE challenging, everyone is also putting out their big annual reports, like Verizon's DBIR and Mandiant's M-Trends! Finally, we've got some great essays that are worth putting on your reading list, including a particularly fun take on the Verizon DBIR by Kelly Shortridge. Show Notes: https://securityweekly.com/esw-360
It's the week before RSA and the news is PACKED. Everyone is trying to get their RSA announcements out all at once. We've got announcements about funding, acquisitions, partnerships, new companies, new products, new features... To make things MORE challenging, everyone is also putting out their big annual reports, like Verizon's DBIR and Mandiant's M-Trends! Finally, we've got some great essays that are worth putting on your reading list, including a particularly fun take on the Verizon DBIR by Kelly Shortridge. Show Notes: https://securityweekly.com/esw-360
It's the most boring part of incident response. Skip it at your peril, however. In this interview, we'll talk to Joe Gross about why preparing for incident response is so important. There's SO MUCH to do, we'll spend some time breaking down the different tasks you need to complete long before an incident occurs. Resources 5 Best Practices for Building a Cyber Incident Response Plan This segment is sponsored by Graylog. Visit https://securityweekly.com/graylog to learn more about them! It's the week before RSA and the news is PACKED. Everyone is trying to get their RSA announcements out all at once. We've got announcements about funding, acquisitions, partnerships, new companies, new products, new features... To make things MORE challenging, everyone is also putting out their big annual reports, like Verizon's DBIR and Mandiant's M-Trends! Finally, we've got some great essays that are worth putting on your reading list, including a particularly fun take on the Verizon DBIR by Kelly Shortridge. Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw-360
Pascal Geenens from Radware joins us to discuss the latest research findings relating to hacktivists an other actors using volumetric and other network-based attacks. We'll discuss everything from the current state of DDoS attacks to use in the military and even the impact of cyberattacks on popular culture! You can find the report Pascal mentions here, on Radware's website: https://www.radware.com/threat-analysis-report/ In this week's news segment, we discuss the lack of funding announcements, and the potential effect RSA could have on the timing of all sorts of press releases. We also discuss 1Password's potential future with its sizable customer base and the $620M it raised a few years back. Some other topics we discuss: NIST CSF 2.0 insider threats Ivanti Pulse Secure's appliance software found to be running positively ancient software (11 year old Linux distro, 5-20+ year old libraries & components) Nevada AG trying to get messaging decrypted for children, to "protect them" Kelly Shortridge's response to CISA's secure development RFI OpenAI's new GenAI video product, Sora and the potential impact it could have on cybersecurity Instacart spews out crappy AI recipes and photos Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw-351
Pascal Geenens from Radware joins us to discuss the latest research findings relating to hacktivists an other actors using volumetric and other network-based attacks. We'll discuss everything from the current state of DDoS attacks to use in the military and even the impact of cyberattacks on popular culture! You can find the report Pascal mentions here, on Radware's website: https://www.radware.com/threat-analysis-report/ In this week's news segment, we discuss the lack of funding announcements, and the potential effect RSA could have on the timing of all sorts of press releases. We also discuss 1Password's potential future with its sizable customer base and the $620M it raised a few years back. Some other topics we discuss: NIST CSF 2.0 insider threats Ivanti Pulse Secure's appliance software found to be running positively ancient software (11 year old Linux distro, 5-20+ year old libraries & components) Nevada AG trying to get messaging decrypted for children, to "protect them" Kelly Shortridge's response to CISA's secure development RFI OpenAI's new GenAI video product, Sora and the potential impact it could have on cybersecurity Instacart spews out crappy AI recipes and photos Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw-351
In this week's news segment, we discuss the lack of funding announcements, and the potential effect RSA could have on the timing of all sorts of press releases. We also discuss 1Password's potential future with its sizable customer base and the $620M it raised a few years back. Some other topics we discuss: NIST CSF 2.0 insider threats Ivanti Pulse Secure's appliance software found to be running positively ancient software (11 year old Linux distro, 5-20+ year old libraries & components) Nevada AG trying to get messaging decrypted for children, to "protect them" Kelly Shortridge's response to CISA's secure development RFI OpenAI's new GenAI video product, Sora and the potential impact it could have on cybersecurity Instacart spews out crappy AI recipes and photos Show Notes: https://securityweekly.com/esw-351
In this week's news segment, we discuss the lack of funding announcements, and the potential effect RSA could have on the timing of all sorts of press releases. We also discuss 1Password's potential future with its sizable customer base and the $620M it raised a few years back. Some other topics we discuss: NIST CSF 2.0 insider threats Ivanti Pulse Secure's appliance software found to be running positively ancient software (11 year old Linux distro, 5-20+ year old libraries & components) Nevada AG trying to get messaging decrypted for children, to "protect them" Kelly Shortridge's response to CISA's secure development RFI OpenAI's new GenAI video product, Sora and the potential impact it could have on cybersecurity Instacart spews out crappy AI recipes and photos Show Notes: https://securityweekly.com/esw-351
Jelle Niemantsverdriet joins us in this episode to discuss how the mindset around security is evolving, both from organisations and from professionals. My favourite takeaway is that security is on the same path as testing and becoming part of quality in software development. Connect with Jelle Niemantsverdriet: https://www.linkedin.com/in/jelleniemantsverdriet https://twitter.com/jelle_n References: Digital Defense Report - https://www.microsoft.com/nl-nl/security/security-insider/microsoft-digital-defense-report-2023 Data Breach Investigations Report (DBIR) - https://www.verizon.com/business/resources/reports/dbir/?CMP=OOH_SMB_OTH_22222_MC_20200501_NA_NM20200079_00001 Sidney Dekker - https://sidneydekker.com Kelly Shortridge - https://kellyshortridge.com/blog/ Chaos Engineering - https://www.securitychaoseng.com OUTLINE 00:00:00 - Intro 00:00:25 - Security is a matter of software quality 00:02:19 - Security way of working 00:04:37 - Professional pride 00:06:53 - Layers of defense, or excuse? 00:09:05 - The industrial revolution in IT 00:10:48 - Security as speciality 00:13:18 - Collaborating with the security department 00:14:29 - Building bridges 00:16:22 - Willingness to listen 00:19:29 - Scenario analysis workshops 00:21:01 - Unpredictable human behaviour 00:23:21 - Seemless and friction in security solutions 00:25:28 - Instant cake 00:26:38 - Red, blue and purple teaming 00:28:34 - Exploring the boundaries in AI 00:31:38 - Gamified security 00:32:46 - With risk comes reward 00:36:17 - Security costs vs. benefit 00:38:49 - Frequent password changes 00:41:20 - Verizon Data Breach Investigations Report 00:43:55 - Sidney Dekker - Human error doesn't exist 00:46:23 - Kelly Shortridge - Sensemaking 00:47:14 - Sharing knowledge around security
Today, we discuss the state of attack surface across the Internet. We've known for decades now that putting an insecure service on the public Internet is a recipe for disaster, often within minutes. How has this knowledge changed the publicly accessible Internet? We find out when we talk to Censys's Aidan Holland today. We've reached an inflection point in security. There are a handful of organizations regularly and successfully stopping cyber attacks. Most companies haven't gotten there, however. What separates these two groups? Why does it seem like we're still failing as an industry, despite seeming to collectively have all the tools, intel, and budget we've asked for? Kelly Shortridge has studied this problem in depth. She has created tools (https://www.deciduous.app/), and written books (https://www.securitychaoseng.com/) to help the community approach security challenges in a more logical and structured way. We'll discuss what hasn't worked for infosec in the past, and what Kelly thinks might work as we go into the future. During the news today, we went deep down the rabbithole of discussing security product efficacy. Adrian still doesn't believe in enterprise browsers beyond Google Chrome, but can't deny that Talon got a pretty favorable exit considering the state of the market. We see the first major exit for cybersecurity insuretechs, and discuss a few notable funding rounds. We discuss Kelly Shortridge's essay on the origins and nature of the term "security" and what it means. Stephen Schmidt suggests 6 questions every board should ask their CISO, we explore Cyentia Labs' meta analysis of MITRE ATT&CK techniques, and Phil Venables shares some hilarious takes on infosec stereotypes. Visit https://www.securityweekly.com/esw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/esw-339
Today, we discuss the state of attack surface across the Internet. We've known for decades now that putting an insecure service on the public Internet is a recipe for disaster, often within minutes. How has this knowledge changed the publicly accessible Internet? We find out when we talk to Censys's Aidan Holland today. We've reached an inflection point in security. There are a handful of organizations regularly and successfully stopping cyber attacks. Most companies haven't gotten there, however. What separates these two groups? Why does it seem like we're still failing as an industry, despite seeming to collectively have all the tools, intel, and budget we've asked for? Kelly Shortridge has studied this problem in depth. She has created tools (https://www.deciduous.app/), and written books (https://www.securitychaoseng.com/) to help the community approach security challenges in a more logical and structured way. We'll discuss what hasn't worked for infosec in the past, and what Kelly thinks might work as we go into the future. During the news today, we went deep down the rabbithole of discussing security product efficacy. Adrian still doesn't believe in enterprise browsers beyond Google Chrome, but can't deny that Talon got a pretty favorable exit considering the state of the market. We see the first major exit for cybersecurity insuretechs, and discuss a few notable funding rounds. We discuss Kelly Shortridge's essay on the origins and nature of the term "security" and what it means. Stephen Schmidt suggests 6 questions every board should ask their CISO, we explore Cyentia Labs' meta analysis of MITRE ATT&CK techniques, and Phil Venables shares some hilarious takes on infosec stereotypes. Visit https://www.securityweekly.com/esw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/esw-339
During the news today, we went deep down the rabbithole of discussing security product efficacy. Adrian still doesn't believe in enterprise browsers beyond Google Chrome, but can't deny that Talon got a pretty favorable exit considering the state of the market. We see the first major exit for cybersecurity insuretechs, and discuss a few notable funding rounds. We discuss Kelly Shortridge's essay on the origins and nature of the term "security" and what it means. Stephen Schmidt suggests 6 questions every board should ask their CISO, we explore Cyentia Labs' meta analysis of MITRE ATT&CK techniques, and Phil Venables shares some hilarious takes on infosec stereotypes. Show Notes: https://securityweekly.com/esw-339
We've reached an inflection point in security. There are a handful of organizations regularly and successfully stopping cyber attacks. Most companies haven't gotten there, however. What separates these two groups? Why does it seem like we're still failing as an industry, despite seeming to collectively have all the tools, intel, and budget we've asked for? Kelly Shortridge has studied this problem in depth. She has created tools (https://www.deciduous.app/), and written books (https://www.securitychaoseng.com/) to help the community approach security challenges in a more logical and structured way. We'll discuss what hasn't worked for infosec in the past, and what Kelly thinks might work as we go into the future. Show Notes: https://securityweekly.com/esw-339
We've reached an inflection point in security. There are a handful of organizations regularly and successfully stopping cyber attacks. Most companies haven't gotten there, however. What separates these two groups? Why does it seem like we're still failing as an industry, despite seeming to collectively have all the tools, intel, and budget we've asked for? Kelly Shortridge has studied this problem in depth. She has created tools (https://www.deciduous.app/), and written books (https://www.securitychaoseng.com/) to help the community approach security challenges in a more logical and structured way. We'll discuss what hasn't worked for infosec in the past, and what Kelly thinks might work as we go into the future. Show Notes: https://securityweekly.com/esw-339
During the news today, we went deep down the rabbithole of discussing security product efficacy. Adrian still doesn't believe in enterprise browsers beyond Google Chrome, but can't deny that Talon got a pretty favorable exit considering the state of the market. We see the first major exit for cybersecurity insuretechs, and discuss a few notable funding rounds. We discuss Kelly Shortridge's essay on the origins and nature of the term "security" and what it means. Stephen Schmidt suggests 6 questions every board should ask their CISO, we explore Cyentia Labs' meta analysis of MITRE ATT&CK techniques, and Phil Venables shares some hilarious takes on infosec stereotypes. Show Notes: https://securityweekly.com/esw-339
Podcast: Unsolicited Response (LS 34 · TOP 5% what is this?)Episode: Kelly Shortridge - Security Chaos Engineering in ICSPub date: 2023-11-01Kelly joins Dale to discuss her new book Security Chaos Engineering: Sustaining Resilience in Software and Systems. Kelly points out the second part of the title is the most descriptive, and she is not a big fan of the Chaos term that has taken hold. They discuss: A quick description of Security Chaos Engineering Is there similarity or overlap with the CCE or CIE approach? The value of decision trees Her view of checklists of security controls like CISA's CPG Lesson 1 - "Start in Nonproduction environments" The experiment / scientific method approach and how it can start small The Danger Zone: tight coupling and complex interactions How should ICS use Chaos Engineering The podcast and artwork embedded on this page are from Dale Peterson: ICS Security Catalyst and S4 Conference Chair, which is the property of its owner and not affiliated with or endorsed by Listen Notes, Inc.
Podcast: Unsolicited Response (LS 33 · TOP 5% what is this?)Episode: Kelly Shortridge - Security Chaos Engineering in ICSPub date: 2023-11-01Kelly joins Dale to discuss her new book Security Chaos Engineering: Sustaining Resilience in Software and Systems. Kelly points out the second part of the title is the most descriptive, and she is not a big fan of the Chaos term that has taken hold. They discuss: A quick description of Security Chaos Engineering Is there similarity or overlap with the CCE or CIE approach? The value of decision trees Her view of checklists of security controls like CISA's CPG Lesson 1 - "Start in Nonproduction environments" The experiment / scientific method approach and how it can start small The Danger Zone: tight coupling and complex interactions How should ICS use Chaos Engineering The podcast and artwork embedded on this page are from Dale Peterson: ICS Security Catalyst and S4 Conference Chair, which is the property of its owner and not affiliated with or endorsed by Listen Notes, Inc.
Kelly joins Dale to discuss her new book Security Chaos Engineering: Sustaining Resilience in Software and Systems. Kelly points out the second part of the title is the most descriptive, and she is not a big fan of the Chaos term that has taken hold. They discuss: A quick description of Security Chaos Engineering Is there similarity or overlap with the CCE or CIE approach? The value of decision trees Her view of checklists of security controls like CISA's CPG Lesson 1 - "Start in Nonproduction environments" The experiment / scientific method approach and how it can start small The Danger Zone: tight coupling and complex interactions How should ICS use Chaos Engineering
Ready to inject a little chaos into your systems? Richard talks to Kelly Shortridge about her book Security Chaos Engineering. Kelly discusses the challenges of modern cybersecurity - how do you find weaknesses in your infrastructure and security systems? This leads to a discussion about challenging assumptions by exploring the workflows that exist in your infrastructure today. Exploring the workflows shows where assumptions exist, and that opens the door to testing them. There's sure to be some low-hanging fruit you can deal with, but eventually, you're left with tests that have to be set loose on your system - and you'll find out how resilient you really are!Links:FastlySecurity Chaos EngineeringDeciduousRecorded August 22, 2023
The classic mindset of cyber security unmistakably originates from its early leaders: financial services, the defense industrial complex, and big companies that had too much to lose from ignoring what was called at the time “information security risk”. They tried to calculate largely unknowable risks to explain digital concepts to analog executives. They leaned on medieval metaphors such as castles and moats to make formerly arcane technology like firewalls understandable to people who just got their first AOL email address. And Sun Tzu quotes were used to make it absolutely clear that we were in a war against a shadowy, determined enemy that demanded our attention (and a generously sized budget).The cybersecurity landscape now bears little resemblance today to those early days, but far too much of how we reason about our industry is still clearly traceable back to those early days. Kelly Shortridge's Security Chaos Engineering is a sneakily titled book that has less to do with testing technical boundaries and much more to do with modernizing our headspace to accommodate the new, incredibly complex environment we find ourselves in today. Sun Tzu quotes are replaced by Ursula K. Le Guin and Buckminster Fuller. Jurassic park analogies take center stage. Ice cream metaphors and decision trees supported by open source projects make the formerly esoteric approachable. Practical even.Our 1 hour conversation with Kelly covers many of the core ideas in the book she recently published along with Aaron Rhinehart, centering on adopting a mindset of evaluation and experimentation. A common thread running through the dialogue is that of empowerment: we live in a privileged time where much of what we do now can be stress tested to build resiliency. And that this is a far more sane approach given modern complexity than attempting to comprehensively model risk and prevent attacks. Cat and mouse? No, we and our adversaries are peers on equal footing who are capable of both offense and defense. The future, and the present for those who lean into it, is much more Spy vs. Spy than Tom and Jerry. We hope this dialogue takes you at least one step closer to it.
Discussing ways to ensure client success with MDR and discuss the ways organizations hurt MDR efficacy with overly broad global exclusions, poor deployment practices, and poor policy hygiene. This segment is sponsored by Sophos. Visit https://securityweekly.com/sophos to learn more about them! We talk to Chris Sanders today, who has been steeped in the world of SecOps and detection/response for many years. After many years of writing books and training folks in the cybersecurity industry, he started delving into cognitive psychology and educational effectiveness. He leverages this knowledge in the training classes he builds and delivers. Today we'll discuss why it seems like defenders are still failing, despite the security industry largely (and arguably) receiving the resources it has been requesting. In this news segment, we start off by discussing funding, acquisitions, and Ironnet's unfortunate demise. We discuss Gmail's new, extra verifications for sensitive actions and Lockheed Martin's Hoppr SBOM and software supply-chain utility kit. We get into CISA's roadmap to help secure open source software, and their offer to run free vulnerability scans for the United States' 150,000+ water utilities. Then, discussion turns back to some more negative items with Brazil's self-inflicted $11 billion dollar data leak, and the MGM/Caesar's ransomware attacks, which seem like they could have a common attacker and initial attack vector (a shared IT support company, perhaps). We also discuss Microsoft's post mortem on the Storm-0558 attack. Kelly Shortridge wants to know, "why are you logging into production hosts", someone is submitting garbage CVEs, and Mozilla finds that privacy policies from auto manufacturers are a privacy TRAIN WRECK. Finally, we wrap up discussing tools that can detect deepfake audio, as well as the likelihood that this will be the start of a game of leapfrog, as deepfakes get increasingly better over time. And we discuss Delphi's offer to create a 'digital clone' of you that could live on forever, haunting your descendants. Visit https://www.securityweekly.com/esw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/esw-331
Discussing ways to ensure client success with MDR and discuss the ways organizations hurt MDR efficacy with overly broad global exclusions, poor deployment practices, and poor policy hygiene. This segment is sponsored by Sophos. Visit https://securityweekly.com/sophos to learn more about them! We talk to Chris Sanders today, who has been steeped in the world of SecOps and detection/response for many years. After many years of writing books and training folks in the cybersecurity industry, he started delving into cognitive psychology and educational effectiveness. He leverages this knowledge in the training classes he builds and delivers. Today we'll discuss why it seems like defenders are still failing, despite the security industry largely (and arguably) receiving the resources it has been requesting. In this news segment, we start off by discussing funding, acquisitions, and Ironnet's unfortunate demise. We discuss Gmail's new, extra verifications for sensitive actions and Lockheed Martin's Hoppr SBOM and software supply-chain utility kit. We get into CISA's roadmap to help secure open source software, and their offer to run free vulnerability scans for the United States' 150,000+ water utilities. Then, discussion turns back to some more negative items with Brazil's self-inflicted $11 billion dollar data leak, and the MGM/Caesar's ransomware attacks, which seem like they could have a common attacker and initial attack vector (a shared IT support company, perhaps). We also discuss Microsoft's post mortem on the Storm-0558 attack. Kelly Shortridge wants to know, "why are you logging into production hosts", someone is submitting garbage CVEs, and Mozilla finds that privacy policies from auto manufacturers are a privacy TRAIN WRECK. Finally, we wrap up discussing tools that can detect deepfake audio, as well as the likelihood that this will be the start of a game of leapfrog, as deepfakes get increasingly better over time. And we discuss Delphi's offer to create a 'digital clone' of you that could live on forever, haunting your descendants. Visit https://www.securityweekly.com/esw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/esw-331
In this news segment, we start off by discussing funding, acquisitions, and Ironnet's unfortunate demise. We discuss Gmail's new, extra verifications for sensitive actions and Lockheed Martin's Hoppr SBOM and software supply-chain utility kit. We get into CISA's roadmap to help secure open source software, and their offer to run free vulnerability scans for the United States' 150,000+ water utilities. Then, discussion turns back to some more negative items with Brazil's self-inflicted $11 billion dollar data leak, and the MGM/Caesar's ransomware attacks, which seem like they could have a common attacker and initial attack vector (a shared IT support company, perhaps). We also discuss Microsoft's post mortem on the Storm-0558 attack. Kelly Shortridge wants to know, "why are you logging into production hosts", someone is submitting garbage CVEs, and Mozilla finds that privacy policies from auto manufacturers are a privacy TRAIN WRECK. Finally, we wrap up discussing tools that can detect deepfake audio, as well as the likelihood that this will be the start of a game of leapfrog, as deepfakes get increasingly better over time. And we discuss Delphi's offer to create a 'digital clone' of you that could live on forever, haunting your descendants. Show Notes: https://securityweekly.com/esw-331
In this news segment, we start off by discussing funding, acquisitions, and Ironnet's unfortunate demise. We discuss Gmail's new, extra verifications for sensitive actions and Lockheed Martin's Hoppr SBOM and software supply-chain utility kit. We get into CISA's roadmap to help secure open source software, and their offer to run free vulnerability scans for the United States' 150,000+ water utilities. Then, discussion turns back to some more negative items with Brazil's self-inflicted $11 billion dollar data leak, and the MGM/Caesar's ransomware attacks, which seem like they could have a common attacker and initial attack vector (a shared IT support company, perhaps). We also discuss Microsoft's post mortem on the Storm-0558 attack. Kelly Shortridge wants to know, "why are you logging into production hosts", someone is submitting garbage CVEs, and Mozilla finds that privacy policies from auto manufacturers are a privacy TRAIN WRECK. Finally, we wrap up discussing tools that can detect deepfake audio, as well as the likelihood that this will be the start of a game of leapfrog, as deepfakes get increasingly better over time. And we discuss Delphi's offer to create a 'digital clone' of you that could live on forever, haunting your descendants. Show Notes: https://securityweekly.com/esw-331
Speaking at Black Hat 2023, Kelly Shortridge is bringing cybersecurity out of the dark ages by infusing security by design to create secure patterns and practices. It's a subject of her new book on Security Chaos Computing, and it's a topic that's long overdue to be discussed in the field.
Guest: Kelly Shortridge, Senior Principal Engineer in the Office of the CTO at Fastly Topics: So what is Security Chaos Engineering? “Chapter 5. Operating and Observing” is Anton's favorite. One thing that mystifies me, however, is that you outline how to fail with alerts (send too many), but it is not entirely clear how to practically succeed with them? How does chaos engineering help security alerting / detection? How chaos engineering (or is it really about software resilience?) intersects with Cloud security - is this peanut butter and chocolate or more like peanut butter and pickles? How can organizations get started with chaos engineering for software resilience and security? What is your favorite chaos engineering experiment that you have ever done? We often talk about using the SRE lessons for security, and yet many organizations do security the 1990s way. Are there ways to use chaos engineering as a forcing function to break people out of their 1990s thinking and time warp them to 2023? Resources: Video (LinkedIn, YouTube) “Security Chaos Engineering: Sustaining Resilience in Software and Systems” by Kelly Shortridge, Aaron Rinehart “Cybersecurity Myths and Misconceptions” book “Designing Data-Intensive Applications: The Big Ideas Behind Reliable, Scalable, and Maintainable Systems“ book “Normal Accidents: Living with High-Risk Technologies” book “Deploy Security Capabilities at Scale: SRE Explains How” (ep85) “The Good, the Bad, and the Epic of Threat Detection at Scale with Panther” (ep123) “Can a Small Team Adopt an Engineering-Centric Approach to Cybersecurity?” (ep117) IKEA Effect “Modernizing SOC ... Introducing Autonomic Security Operations” blog
Chris - For those not familiar with Security Chaos Engineering, how would you summarize it, and what made you decide to author the new book on it?Nikki - In one of your sections of Security Chaos Engineering, you talk about what a modern security program looks like. Can you talk about what this means compared to security programs maybe 5 to 10 years ago? Chris - When approaching leadership, it can be tough to sell the concept of being disruptive, what advice do you have for security professionals looking to get buy-in from their leadership to introduce security chaos engineering?Nikki - One of the hallmarks of chaos engineering is actually building resilience into development and application environments, but people here 'chaos engineering' and don't quite know what to make of it. Can you talk about how security chaos engineering can build resiliency into infrastructure?Chris - I've cited several of your articles, such as Markets DGAF Security and others. You often take a counter-culture perspective to some of the groupthink in our industry. Why do you think we tend to rally around concepts even when the data doesn't prove them out and have your views been met with defensiveness among some who hold those views? Nikki - One of my favorite parts of chaos engineering is the hyptohesis-based approach and framework for building a security chaos engineering program. It may seem counter-intuitive to the 'chaos' in 'chaos engineering'. What do you think about the scientific method approach? Chris - Another topic I've been seeing you write and talk about is increasing the burden/cost on malicious actors to drive down their ROI. Can you touch on this topic with us?
Kelly Shortridge, Senior Principal Engineer at Fastly, joins Corey on Screaming in the Cloud to discuss their recently released book, Security Chaos Engineering: Sustaining Resilience in Software and Systems. Kelly explains why a resilient strategy is far preferable to a bubble-wrapped approach to cybersecurity, and how developer teams can use evidence to mitigate security threats. Corey and Kelly discuss how the risks of working with complex systems is perfectly illustrated by Jurassic Park, and Kelly also highlights why it's critical to address both system vulnerabilities and human vulnerabilities in your development environment rather than pointing fingers when something goes wrong.About KellyKelly Shortridge is a senior principal engineer at Fastly in the office of the CTO and lead author of "Security Chaos Engineering: Sustaining Resilience in Software and Systems" (O'Reilly Media). Shortridge is best known for their work on resilience in complex software systems, the application of behavioral economics to cybersecurity, and bringing security out of the dark ages. Shortridge has been a successful enterprise product leader as well as a startup founder (with an exit to CrowdStrike) and investment banker. Shortridge frequently advises Fortune 500s, investors, startups, and federal agencies and has spoken at major technology conferences internationally, including Black Hat USA, O'Reilly Velocity Conference, and SREcon. Shortridge's research has been featured in ACM, IEEE, and USENIX, spanning behavioral science in cybersecurity, deception strategies, and the ROI of software resilience. They also serve on the editorial board of ACM Queue.Links Referenced: Fastly: https://www.fastly.com/ Personal website: https://kellyshortridge.com Book website: https://securitychaoseng.com LinkedIn: https://www.linkedin.com/in/kellyshortridge/ Twitter: https://twitter.com/swagitda_ Bluesky: https://shortridge.bsky.social TranscriptAnnouncer: Hello, and welcome to Screaming in the Cloud with your host, Chief Cloud Economist at The Duckbill Group, Corey Quinn. This weekly show features conversations with people doing interesting work in the world of cloud, thoughtful commentary on the state of the technical world, and ridiculous titles for which Corey refuses to apologize. This is Screaming in the Cloud.Corey: Have you listened to the new season of Traceroute yet? Traceroute is a tech podcast that peels back the layers of the stack to tell the real, human stories about how the inner workings of our digital world affect our lives in ways you may have never thought of before. Listen and follow Traceroute on your favorite platform, or learn more about Traceroute at origins.dev. My thanks to them for sponsoring this ridiculous podcast. Corey: Welcome to Screaming in the Cloud, I'm Corey Quinn. My guest today is Kelly Shortridge, who is a Senior Principal Engineer over at Fastly, as well as the lead author of the recently released Security Chaos Engineering: Sustaining Resilience in Software and Systems. Kelly, welcome to the show.Kelly: Thank you so much for having me.Corey: So, I want to start with the honest truth that in that title, I think I know what some of the words mean, but when you put them together in that particular order, I want to make sure we're talking about the same thing. Can you explain that like I'm five, as far as what your book is about?Kelly: Yes. I'll actually start with an analogy I make in the book, which is, imagine you were trying to rollerblade to some destination. Now, one thing you could do is wrap yourself in a bunch of bubble wrap and become the bubble person, and you can waddle down the street trying to make it to your destination on the rollerblades, but if there's a gust of wind or a dog barks or something, you're going to flop over, you're not going to recover. However, if you instead do what everybody does, which is you know, kneepads and other things that keep you flexible and nimble, the gust you know, there's a gust of wind, you can kind of be agile, navigate around it; if a dog barks, you just roller-skate around it; you can reach your destination. The former, the bubble person, that's a lot of our cybersecurity today. It's just keeping us very rigid, right? And then the alternative is resilience, which is the ability to recover from failure and adapt to evolving conditions.Corey: I feel like I am about to torture your analogy to death because back when I was in school in 2000, there was an annual tradition at the school I was attending before failing out, where a bunch of us would paint ourselves green every year and then bike around the campus naked. It was the green bike ride. So, one year I did this on rollerblades. So, if you wind up looking—there's the bubble wrap, there's the safety gear, and then there's wearing absolutely nothing, which feels—Kelly: [laugh]. Yes.Corey: —kind of like the startup approach to InfoSec. It's like, “It'll be fine. What's the worst that happens?” And you're super nimble, super flexible, until suddenly, oops, now I really wish I'd done things differently.Kelly: Well, there's a reason why I don't say rollerblade naked, which other than it being rather visceral, what you described is what I've called YOLOSec before, which is not what you want to do. Because the problem when you think about it from a resilience perspective, again, is you want to be able to recover from failure and adapt. Sure, you can oftentimes move quickly, but you're probably going to erode software quality over time, so to a certain point, there's going to be some big incident, and suddenly, you aren't fast anymore, you're actually pretty slow. So, there's this, kind of, happy medium where you have enough, I would like security by design—we can talk about that a bit if you want—where you have enough of the security by design baked in and you can think of it as guardrails that you're able to withstand and recover from any failure. But yeah, going naked, that's a recipe for not being able to rollerblade, like, ever again, potentially [laugh].Corey: I think, on some level, that the correct dialing in of security posture is going to come down to context, in almost every case. I'm building something in my spare time in the off hours does not need the same security posture—mostly—as we are a bank. It feels like there's a very wide gulf between those two extremes. Unfortunately, I find that there's a certain tone-deafness coming from a lot of the security industry around oh, everyone must have security as their number one thing, ever. I mean, with my clients who I fixed their AWS bills, I have to care about security contractually, but the secrets that I hold are boring: how much money certain companies pay another very large company.Yes, I'll get sued into oblivion if that leaks, but nobody dies. Nobody is having their money stolen as a result. It's slightly embarrassing in the tech press for a cycle and then it's over and done with. That's not the same thing as a brief stint I did running tech ops at Grindr ten years ago where, leak that database and people will die. There's a strong difference between those threat models, and on some level, being able to act accordingly has been one of the more eye-opening approaches to increasing velocity in my experience. Does that align with the thesis of your book, since my copy has not yet arrived for this recording?Kelly: Yes. The book, I am not afraid to say it depends on the book, and you're right, it depends on context. I actually talk about this resilience potion recipe that you can check out if you want, these ingredients so we can sustain resilience. A key one is defining your critical functions, just what is your system's reason for existence, and that is what you want to make sure it can recover and still operate under adverse conditions, like you said.Another example I give all the time is most SaaS apps have some sort of reporting functionality. Guess what? That's not mission-critical. You don't need the utmost security on that, for the most part. But if it's processing transactions, yeah, probably you want to invest more security there. So yes, I couldn't agree more that it's context-dependent and oh, my God, does the security industry ignore that so much of the time, and it's been my gripe for, I feel like as long as I've been in the industry.Corey: I mean, there was a great talk that Netflix gave years ago where they mentioned in passing, that all developers have root in production. And that's awesome and the person next to him was super excited and I looked at their badge, and holy hell, they worked at an actual bank. That seems like a bad plan. But talking to the Netflix speaker after the fact, Dave Hahn, something that I found that was extraordinarily insightful, was that, yeah, well we just isolate off the PCI environment so the rest and sensitive data lives in its own compartmentalized area. So, at that point, yeah, you're not going to be able to break much in that scenario.It's like, that would have been helpful context to put in talk. Which I'm sure he did, but my attention span had tripped out and I missed that. But that's, on some level, constraining blast radius and not having compliance and regulatory issues extending to every corner of your environment really frees you up to do things appropriately. But there are some things where you do need to care about this stuff, regardless of how small the surface area is.Kelly: Agreed. And I introduced the concept of the effort investment portfolio in the book, which is basically, that is where does it matter to invest effort and where can you kind of like, maybe save some resources up. I think one thing you touched on, though, is, we're really talking about isolation and I actually think people don't think about isolation in as detailed or maybe as expansively as they could. Because we want both temporal and logical and spatial isolation. What you talked about is, yeah, there are some cases where you want to isolate data, you want to isolate certain subsystems, and that could be containers, it could also be AWS security groups.It could take a bunch of different forms, it could be something like RLBox in WebAssembly land. But I think that's something that I really try to highlight in the book is, there's actually a huge opportunity for security engineers starting from the design of a system to really think about how can we infuse different forms of isolation to sustain resilience.Corey: It's interesting that you use the word investment. When fixing AWS bills for a living, I've learned over the last almost seven years now of doing this that cost and architecture and cloud are fundamentally the same thing. And resilience is something that comes with a very real cost, particularly when you start looking at what the architectural choices are. And one of the big reasons that I only ever work on a fixed-fee basis is because if I'm charging for a percentage of savings or something, it inspires me to say really uncomfortable things like, “Backups are for cowards.” And, “When was the last time you saw an entire AWS availability zone go down for so long that it mattered? You don't need to worry about that.” And it does cut off an awful lot of cost issues, at the price of making the environment more fragile.That's where one of the context thing starts to come in. I mean, in many cases, if AWS is having a bad day in a given region, well does your business need that workload to be functional? For my newsletter, I have a publication system that's single-homed out of the Oregon region. If that whole thing goes down for multiple days, I'm writing that week's issue by hand because I'm going to have something different to talk about anyway. For me, there is no value in making that investment. But for companies, there absolutely is, but there's also seems to be a lack of awareness around, how much is a reasonable investment in that area when do you start making that investment? And most critically, when do you stop?Kelly: I think that's a good point, and luckily, what's on my side is the fact that there's a lot of just profligate spending in cybersecurity and [laugh] that's really what I'm focused on is, how can we spend those investments better? And I actually think there's an opportunity in many cases to ditch a ton of cybersecurity tools and focus more on some of the stuff he talked about. I agree, by the way that I've seen some threat models where it's like, well, AWS, all regions go down. I'm like, at that point, we have, like, a severe, bigger-than-whatever-you're-thinking-about problem, right?Corey: Right. So, does your business continuity plan account for every one of your staff suddenly quitting on the spot because there's a whole bunch of companies with very expensive consulting, like, problems that I'm going to go work for a week and then buy a house in cash. It's one of those areas where, yeah, people are not going to care about your environment more than they are about their families and other things that are going on. Plan accordingly. People tend to get so carried away with these things with tabletop planning exercises. And then of course, they forget little things like I overwrote the database by dropping the wrong thing. Turns out that was production. [laugh]. Remembering for [a me 00:10:00] there.Kelly: Precisely. And a lot of the chaos experiments that I talk about in the book are a lot of those, like, let's validate some of those basics, right? That's actually some of the best investments you can make. Like, if you do have backups, I can totally see your argument about backups are for cowards, but if you do have them, like, maybe you conduct experiments to make sure that they're available when you need them, and the same thing, even on the [unintelligible 00:10:21] side—Corey: No one cares about backups, but everyone really cares about restores, suddenly, right after—Kelly: Yeah.Corey: —they really should have cared about backups.Kelly: Exactly. So, I think it's looking at those experiments where it's like, okay, you have these basic assumptions in place that you assume to be invariance or assume that they're going to bail you out if something goes wrong. Let's just verify. That's a great place to start because I can tell you—I know you've been to the RSA hall floor—how many cybersecurity teams are actually assessing the efficacy and actually experimenting to see if those tools really help them during incidents. It's pretty few.Corey: Oh, vendors do not want to do those analyses. They don't want you to do those analyses, either, and if you do, for God's sakes, shut up about it. They're trying to sell things here, mostly firewalls.Kelly: Yeah, cybersecurity vendors aren't necessarily happy about my book and what I talk about because I have almost this ruthless focus on evidence and [unintelligible 00:11:08] cybersecurity vendors kind of thrive on a lack of evidence. So.Corey: There's so much fear, uncertainty, and doubt in that space and I do feel for them. It's a hard market to sell in without having to talk about here's the thing that you're defending against. In my case, it's easy to sell the AWS bill is high because if I don't have to explain why more or less setting money on fire as a bad thing, I don't really know what to tell you. I'm going to go look for a slightly different customer profile. That's not really how it works in security, I'm sure there are better go-to-market approaches, but they're hard to find, at least, ones that work holistically.Kelly: There are. And one of my priorities with the book was to really enumerate how many opportunities there are to take software engineering practices that people already know, let's say something like type systems even, and how those can actually help sustain resilience. Even things like integration testing or infrastructure as code, there are a lot of opportunities just to extend what we already do for systems reliability to sustain resilience against things that aren't attacks and just make sure that, you know, we cover a few of those cases as well. A lot of it should be really natural to software engineering teams. Again, security vendors don't like that because it turns out software engineering teams don't particularly like security vendors.Corey: I hadn't noticed that. I do wonder, though, for those who are unaware, chaos engineering started off as breaking things on purpose, which I feel like one person had a really good story and thought about it super quickly when they were about to get fired. Like, “No, no, it's called Chaos Engineering.” Good for them. It's now a well-regarded discipline. But I've always heard of it in the context of reliability of, “Oh, you think your site is going to work if the database falls over? Let's push it over and see what happens.” How does that manifest in a security context?Kelly: So, I will clarify, I think that's a slight misconception. It's really about fixing things in production, and that's the end goal. I think we should not break things just to break them, right? But I'll give a simple example, which I know it's based on what Aaron Rinehart conducted at UnitedHealth Group, which is, okay, let's inject a misconfigured port as an experiment and see what happens, end-to-end. In their case, the firewall only detected the misconfigured port 60% of the time, so 60% of the time, it works every time.But it was actually the cloud, the very common, like, Cloud configuration management tool that caught the change and alerted responders. So, it's that kind of thing where we're still trying to verify those assumptions that we have about our systems and how they behave, again, end-to-end. In a lot of cases, again, with security tools, they are not behaving as we expect. But I still argue security is just a subset of software quality, so if we're experimenting to verify, again, our assumptions and observe system behavior, we're benefiting software quality, and security is just a subset of that. Think about C code, right? It's not like there's, like, a healthy memory corruption, so it's bad for both the quality and security reason.Corey: One problem that I've had in the security space for a while is—let's [unintelligible 00:14:05] on this to AWS for a second because that is the area in which I spend the most of my time, which probably explains a lot about my personality challenges. But the problem that I keep smacking into is if I go ahead and configure everything the way that I should according to best practices and the rest, I wind up with a firehose torrent of information in terms of CloudTrail logs, et cetera. And it's expensive in its own right. But then to sort through it or to do a lot of things in security, there are basically two options. I can either buy a vendor's product, which generally tends to start around $12,000 a year and goes up rapidly from there on my current $6,000 a year bill, so okay, twice as much as the infrastructure for security monitoring. Okay.Or alternately, find a bunch of different random scripts and tools on GitHub of wildly diverging quality and sort of hope for the best on that. It feels like there's nothing in between. And the reason I care about this is not because I'm cheap but because when you have an individual learner who is either a student or a career switcher or someone just trying to experiment with this, you want them to begin as you want them to go on, and things that are no money for an enterprise are all the money to them. They're going to learn to work with the tools that they can afford. That feels like it's a big security swing and a miss. Do you agree or disagree? What's the nuance I'm missing here?Kelly: No, I don't think there's nuance you're missing. I think security observability, for one, isn't a buzzword that particularly exists. I've been trying to make it a thing, but I'm solely one individual screaming into the void. But observability just hasn't been a thing. We haven't really focused on, okay, so what, like, we get data and what do we do with it?And I think, again, from a software engineering perspective, I think there's a lot we can do. One, we can just avoid duplicating efforts. We can treat observability, again, of any sort of issue as similar, whether that's an attack or a performance issue. I think this is another place where security, or any sort of chaos experiment, shines though because if you have an idea of here's an adverse scenario we care about, you can actually see how does it manifest in the logs and you can start to figure out, like, what signals do we actually need to be looking for, what signals mattered to be able to narrow it down. Which again, it involves time and effort, but also, I can attest when you're buying the security vendor tool and, in theory, absolving some of that time and effort, it's maybe, maybe not, because it can be hard to understand what the outcomes are or what the outputs are from the tool and it can also be very difficult to tune it and to be able to explain some of the outputs. It's kind of like trading upfront effort versus long-term overall overhead if that makes sense.Corey: It does. On that note, the title of your book includes the magic key phrase ‘sustaining resilience.' I have found that security effort and investment tends to resemble a fire drill in—Kelly: [laugh].Corey: —an awful lot of places, where, “We care very much about security,” says the company, right after they very clearly failed to care about security, and I know this because I'm reading getting an email about a breach that they've just sent me. And then there's a whole bunch of running around and hair-on-fire moments. But then there's a new shiny that always comes up, a new strategic priority, and it falls to the wayside again. What do you see the drives that sustained effort and focus on resilience in a security context?Kelly: I think it's really making sure you have a learning culture, which sounds very [unintelligible 00:17:30], but things again, like, experiments can help just because when you do simulate those adverse scenarios and you see how your system behaves, it's almost like running an incident and you can use that as very fresh, kind of, like collective memory. And I even strongly recommend starting off with prior incidents in simulating those, just to see like, hey, did the improvements we make actually help? If they didn't, that can be kind of another fire under the butt, so to speak, to continue investing. So, definitely in practice—and there's some case studies in the book—it can be really helpful just to kind of like sustain that memory and sustain that learning and keep things feeling a bit fresh. It's almost like prodding the nervous system a little, just so it doesn't go back to that complacent and convenient feeling.Corey: It's one of the hard problems because—I'm sure I'm going to get castigated for this by some of the listeners—but computers are easy, particularly compared to the people. There are deterministic ways to solve almost any computer problem, but people are always going to be a little bit different, and getting them to perform the same way today that they did yesterday is an exercise in frustration. Changing the culture, changing the approach and the attitude that people take toward a lot of these things feels, from my perspective, like, something of an impossible job. Cultural transformations are things that everyone talks about, but it's rare to see them succeed.Kelly: Yes, and that's actually something that I very strongly weaved throughout the book is that if your security solutions rely on human behavior, they're going to fail. We want to either reduce hazards or eliminate hazards by design as much as possible. So, my view is very much again, like, can you make processes more repeatable? That's going to help security. I definitely do not think that if anyone takes away from my book that they need to have, like, a thousand hours of training to change hearts and minds, then they have completely misunderstood most of the book.The idea is very much like, what are practices that we want for other outcomes anyway—again, reliability or faster time to market—and how can we harness those to also be improving resilience or security at the same time? It's very much trying to think about those opportunities rather than, you know, trying to drill into people's heads, like, “Thou shalt not,” or, “Thou shall.”Corey: Way back in 2018, you gave a keynote at some conference or another and you built the entire thing on the story of Jurassic Park, specifically Ian Malcolm as one of your favorite fictional heroes, and you tied it into security in a bunch of different ways. You hadn't written this book then unless the authorship process is way longer than I think it is. So, I'm curious to get your take on what Jurassic Park can teach us about software security.Kelly: Yes, so I talk about Jurassic Park as a reference throughout the book, frequently. I've loved that book since I was a very young child. Jurassic Park is a great example of a complex system gone wrong because you can't point to any one thing. Like there's Dennis Nedry, you know, messing up the power system, but then there's also the software was looking for a very specific count of dinosaurs and they didn't anticipate there could be more in the count. Like, there are so many different factors that influenced it, you can't actually blame just, like, human error or point fingers at one thing.That's a beautiful example of how things go wrong in our software systems because like you said, there's this human element and then there's also how the humans interact and how the software components interact. But with Jurassic Park, too, I think the great thing is dinosaurs are going to do dinosaur things like eating people, and there are also equivalents in software, like C code. C code is going to do C code things, right? It's not a memory safe language, so we shouldn't be surprised when something goes wrong. We need to prepare accordingly.Corey: “How could this happen? Again?” Yeah.Kelly: Right. At a certain point, it's like, there's probably no way to sufficiently introduce isolation for dinosaurs unless you put them in a bunker where no one can see them, and it's the same thing sometimes with things like C code. There's just no amount of effort you can invest, and you're just kind of investing for a really unclear and generally not fortuitous outcome. So, I like it as kind of this analogy to think about, okay, where do our effort investments make sense and where is it sometimes like, we really just do need to refactor because we're dealing with dinosaurs here.Corey: When I was a kid, that was one of my favorite books, too. The problem is, I didn't realize I was getting a glimpse of my future at a number of crappy startups that I worked at. Because you have John Hammond, who was the owner of the park talking constantly about how, “We spared no expense,” but then you look at what actually happened and he spared every frickin expense. You have one IT person who is so criminally underpaid that smuggling dinosaur embryos off the island becomes a viable strategy for this. He wound up, “Oh, we couldn't find the right DNA, so we're just going to, like, splice some other random stuff in there. It'll be fine.”Then you have the massive overconfidence because it sounds very much like he had this almost Muskian desire to fire anyone who disagreed with him, and yeah, there was a certain lack of investment that could have been made, despite loud protestations to the contrary. I'd say that he is the root cause, he is the proximate reason for the entire failure of the park. But I'm willing to entertain disagreement on that point.Kelly: I think there are other individuals, like Dr. Wu, if you recall, like, deciding to do the frog DNA and not thinking that maybe something could go wrong. I think there was a lot of overconfidence, which you're right, we do see a lot in software. So, I think that's actually another very important lesson is that incentives matter and incentives are very hard to change, kind of like what you talked about earlier. It doesn't mean that we shouldn't include incentives in our threat model.So like, in the book I talked about, our threat models should include things like maybe yeah, people are underpaid or there is a ton of pressure to deliver things quickly or, you know, do things as cheaply as possible. That should be just as much of our threat models as all of the technical stuff too.Corey: I think that there's a lot that was in that movie that was flat-out wrong. For example, one of the kids—I forget her name; it's been a long time—was logging in and said, “Oh, this is Unix. I know Unix.” And having learned Unix as my first basically professional operating system, “No, you don't. No one knows Unix. They get very confused at some point, the question is, just how far down what rabbit hole it is.”I feel so sorry for that kid. I hope she wound up seeking therapy when she was older to realize that, no, you don't actually know Unix. It's not that you're bad at computers, it's that Unix is user-hostile, actively so. Like, the raptors, like, that's the better metaphor when everything winds up shaking out.Kelly: Yeah. I don't disagree with that. The movie definitely takes many liberties. I think what's interesting, though, is that Michael Creighton, specifically, when he talks about writing the book—I don't know how many people know this—dinosaurs were just a mechanism. He knew people would want to read it in airport.What he cared about was communicating really the danger of complex systems and how if you don't respect them and respect that interactivity and that it can baffle and surprise us, like, things will go wrong. So, I actually find it kind of beautiful in a way that the dinosaurs were almost like an afterthought. What he really cared about was exactly what we deal with all the time in software, is when things go wrong with complexity.Corey: Like one of his other books, Airframe, talked about an air disaster. There's a bunch of contributing factors in the rest, and for some reason, that did not receive the wild acclaim that Jurassic Park did to become a cultural phenomenon that we're still talking about, what, 30 years later.Kelly: Right. Dinosaurs are very compelling.Corey: They really are. I have to ask though—this is the joy of having a kid who is almost six—what is your favorite dinosaur? Not a question most people get asked very often, but I am going to trot that one out.Kelly: No. Oh, that is such a good question. Maybe a Deinonychus.Corey: Oh, because they get so angry they spit and kill people? That's amazing.Kelly: Yeah. And I like that, kind of like, nimble, smarter one, and also the fact that most of the smaller ones allegedly had feathers, which I just love this idea of, like, feather-ful murder machines. I have the classic, like, nerd kid syndrome, though, where I read all these dinosaur names as a kid and I've never pronounced them out loud. So, I'm sure there are others—Corey: Yep.Kelly: —that I would just word salad. But honestly, it's hard to go wrong with choosing a favorite dinosaur.Corey: Oh, yeah. I'm sure some paleontologist is sitting out there in the field on the dig somewhere listening to this podcast, just getting very angry at our pronunciation and things. But for God's sake, I call the database Postgres-squeal. Get in line. There's a lot of that out there where looking at a complex system failures and different contributing factors and the rest makes stuff—that's what makes things interesting.I think that there's this the idea of a root cause is almost always incorrect. It's not, “Okay, who tripped over the buried landmine,” is not the interesting question. It's, “Who buried the thing?” What were all the things that wound up contributing to this? And you can't even frame it that way in the blaming context, just because you start doing that and people clam up, and good luck figuring out what really happened.Kelly: Exactly. That's so much of what the cybersecurity industry is focused on is how do we assign blame? And it's, you know, the marketing person clicked on a link. And it's like, they do that thousands of times, like a month, and the one time, suddenly, they were stupid for doing it? That doesn't sound right.So, I'm a big fan of, yes, vanquishing root cause, thinking about contributing factors, and in particular, in any sort of incident review, you have to think about, was there a designer process problem? You can't just think about the human behavior; you have to think about where are the opportunities for us to design things better, to make this secure way more of the default way.Corey: When you talk about resilience and reliability and big, notable outages, most forward-thinking companies are going to go and do a variety of incident reviews and disclosures around everything that happened to it, depending upon levels of trust and whether your NDA'ed or not, and how much gets public is going to vary from place to place. But from a security perspective, that feels like the sort of thing that companies will clam up about and never say a word.Kelly: Yes.Corey: Because I can wind up pouring a couple of drinks into people and get the real story of outages, or the AWS bill, but security stuff, they start to wonder if I'm a state actor, on some level. When you were building all of this, how did you wind up getting people to talk candidly and forthrightly about issues that if it became tied to them that they were talking to this in public would almost certainly have negative career impact for them?Kelly: Yes, so that's almost like a trade secret, I feel like. A lot of it is yes, over the years talking with people over, generally at a conference where you know, things are tipsy. I never want to betray confidentiality, to be clear, but certainly pattern-matching across people's stories.Corey: Yeah, we're both in positions where if even the hint of they can't be trusted enters the ecosystem, I think both of our careers explode and never recover. Like it's—Kelly: Exactly.Corey: —yeah. Oh, yeah. They play fast and loose with secrets is never the reputation you want as a professional.Kelly: No. No, definitely not. So, it's much more pattern matching and trying to generalize. But again, a lot of what can go wrong is not that different when you think about a developer being really tired and making a bunch of mistakes versus an attacker. A lot of times they're very much the same, so luckily there's commonality there.I do wish the security industry was more forthright and less clandestine because frankly, all of the public postmortems that are out there about performance issues are just such, such a boon for everyone else to improve what they're doing. So, that's a change I wish would happen.Corey: So, I have to ask, given that you talk about security, chaos engineering, and resilience-and of course, software and systems—all in the title of the O'Reilly book, who is the target audience for this? Is it folks who have the word security featured three times in their job title? Is it folks who are new to the space? What is your target audience start and stop?Kelly: Yes, so I have kept it pretty broad and it's anyone who works with software, but I'll talk about the software engineering audience because that is, honestly, probably out of anyone who I would love to read the book the most because I firmly believe that there's so much that software engineering teams can do to sustain resilience and security and they don't have to be security experts. So, I've tried to demystify security, make it much less arcane, even down to, like, how attackers, you know, they have their own development lifecycle. I try to demystify that, too. So, it's very much for any team, especially, like, platform engineering teams, SREs, to think about, hey, what are some of the things maybe I'm already doing that I can extend to cover, you know, the security cases as well? So, I would love for every software engineer to check it out to see, like, hey, what are the opportunities for me to just do things slightly differently and have these great security outcomes?Corey: I really want to thank you for taking the time to talk with me about how you view these things. If people want to learn more, where's the best place for them to find you?Kelly: Yes, I have all of the social media which is increasingly fragmented, [laugh] I feel like, but I also have my personal site, kellyshortridge.com. The official book site is securitychaoseng.com as well. But otherwise, find me on LinkedIn, Twitter, [Mastodon 00:30:22], Bluesky. I'm probably blanking on the others. There's probably already a new one while we've spoken.Corey: Blue-ski is how I insist on pronouncing it as well, while we're talking about—Kelly: Blue-ski?Corey: Funhouse pronunciation on things.Kelly: I like it.Corey: Excellent. And we will, of course, put links to all of those things in the [show notes 00:30:37]. Thank you so much for being so generous with your time. I really appreciate it.Kelly: Thank you for having me and being a fellow dinosaur nerd.Corey: [laugh]. Kelly Shortridge, Senior Principal Engineer at Fastly. I'm Cloud Economist Corey Quinn, and this is Screaming in the Cloud. If you've enjoyed this podcast, please leave a five-star review on your podcast platform of choice, whereas if you've hated this podcast, please leave a five-star review on your podcast platform of choice, along with an insulting comment about how our choice of dinosaurs is incorrect, then put the computer away and struggle to figure out how to open a door.Corey: If your AWS bill keeps rising and your blood pressure is doing the same, then you need The Duckbill Group. We help companies fix their AWS bill by making it smaller and less horrifying. The Duckbill Group works for you, not AWS. We tailor recommendations to your business and we get to the point. Visit duckbillgroup.com to get started.
What is security chaos engineering? You may remember Kelly Shortridge, our very first guest, who came on the show to talk about behavioral economics and cybersecurity. Well Kelly is back to talk about her new book, "Security Chaos Engineering: Sustaining Resilience in Software and Systems". Security chaos engineering is derived from chaos engineering, a relatively new discipline in software development that seeks to test distributed computing systems to ensure that they withstand unexpected disruptions. It's all about resilience, in other words. Security chaos engineering seeks to do the same for the security of such software systems. Kelly breaks down her book during a lively conversation featuring an opinion or two her cat, Link (yes, a Zelda reference!): Who should read this book? Resilience in software and systems Systems-oriented security Architecting and designing Building and delivering Operating and observing (Allan's favorite chapter as it intersects with one of his Zero Trust tenets) Responding and recovering Platform resilience engineering Security chaos experiments (a very fun chapter!) Case studies Note that the book is peppered with references and quotes from other disciplines. We would expect no less from Kelly. Sponsored by our good friends at Dazz: Dazz takes the pain out of the cloud remediation process using automation and intelligence to discover, reduce, and fix security issues—lightning fast. Visit Dazz.io/demo and see for yourself.
What does software resilience mean? Why is status quo application security unfit for the modern era of software? How can we move from security theater to security chaos engineering? This segment answers these questions and more. Segment Resources: Book -- https://securitychaoseng.com Blog -- https://kellyshortridge.com/blog/posts/ In the ever-evolving world of cybersecurity, attackers are constantly finding new ways to infiltrate your software supply chains. But with GitGuardian's Honeytoken, you can stay ahead of the game. Deploy honeytokens at scale, monitor for unauthorized use, and detect intrusions before they can wreak havoc on your system. With Honeytoken, you'll have the insight you need to protect your confidential data and know where, who, and how attackers are trying to access it. This segment is sponsored by GitGuardian. Visit https://securityweekly.com/gitguardianrsac to learn more about them! In light of the constant change in the threat landscape, how does an organization keep up with the attackers who're always innovating? New specialized security solutions are regularly being introduced to address new threats, increasing complexities and the non-functional requirement(NFRs) associated with integration of these systems to already complicated enterprise web applications. How does an organization implement holistic defense without increasing cost, complexity and impacting user experience? Edgio will address how an edge-enabled holistic security platform can effectively reduce the attack surface, improve the effectiveness of the defense while reducing the latency of critical web applications via it's multi-layered defense approach. It also offers the ability to integrate with an enterprises' DevSecOps workflow to achieve better security practices. Edio will discuss how its security platform “shrinks the haystacks” so that organizations can better focus on delivering key business outcomes. This segment is sponsored by Edgio. Visit https://securityweekly.com/edgiorsac to learn more about them! Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/asw240
What does software resilience mean? Why is status quo application security unfit for the modern era of software? How can we move from security theater to security chaos engineering? This segment answers these questions and more. Segment Resources: Book -- https://securitychaoseng.com Blog -- https://kellyshortridge.com/blog/posts/ Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw240
What does software resilience mean? Why is status quo application security unfit for the modern era of software? How can we move from security theater to security chaos engineering? This segment answers these questions and more. Segment Resources: Book -- https://securitychaoseng.com Blog -- https://kellyshortridge.com/blog/posts/ Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw240
"Read the Manual" and the ransomware-as-a-service market. Bitter APT may be targeting Asia-Pacific energy companies. A Cozy Bear sighting. Hacktivist auxiliaries hit Canadian targets. Deepen Desai of Zscaler describes job scams following tech layoffs. Our guest is Kelly Shortridge from Fastly with insights on the risks from bots. And there's been an arrest in the Discord Papers case. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/72 Selected reading. Read The Manual Locker: A Private RaaS Provider (Trellix) Phishing Campaign Targets Chinese Nuclear Energy Industry (Intezer) Espionage campaign linked to Russian intelligence services (Baza wiedzy) Russian cyberspies hit NATO and EU organizations with new malware toolset (CSO Online) Pro-Russia hackers say they were behind Hydro-Quebec cyberattack (Montreal CTV News - 04-13-2023) Cyberattack knocks out website and mobile app for Quebec's hydro utility (Toronto Star) F.B.I. Arrests National Guardsman in Leak of Classified Document (New York Times) DOD Calls Document Leak 'a Criminal Act' (U.S. Department of Defense)
Kellermann will discuss the recently published report “Cyber Bank Heist” that exposes the cybersecurity threats facing the financial sector. Security must be a top-of-mind issue amid rising geopolitical tensions, increased destructive attacks utilizing wipers and a record-breaking year of zero-day exploits. Podcast listeners will learn what financial sector security leaders from around the world revealed in a series of interviews about specific trends when it comes to notable cyberattacks, e-fraud and cyber defense. Segment Resources: - https://www.contrastsecurity.com/cyber-bank-heists-report - https://www.contrastsecurity.com/security-influencers/cyber-bank-heists-report-code-patrol-podcast-contrast-security Overall increase in government regulations. EU as well. Shift in liability from consumers to organizations.How to take advantage of safe harbor protections and reduce organizational risk and liability. NIST SSD Framework - how do you understand the security practices of the open source packages you use in your applications and ensure they are following the NIST practices (so you can take full advantage of safe harbor protections and reduce potential liability). Creating a network of open source maintainers, documenting and attesting to their security practices, is a solution. Work with the maintainers to be able to provide documentation. How to get more involved with development in open source security. What is the mechanism? Segment Resources: https://tidelift.com/government-open-source-cybersecurity-resources https://blog.tidelift.com/webinar-how-the-nist-secure-software-development-framework-impacts-open-source-software https://blog.tidelift.com/webinar-recap-what-the-new-u.s.-national-cybersecurity-strategy-means-for-open-source-software https://blog.tidelift.com/tidelift-advisory-impact-of-new-u.s.-national-cybersecurity-strategy-on-organizations-building-apps-with-open-source-software In this week's enterprise security news, we talk about new companies and funding, trends in the deception and SaaS Security/SSPM space. We discuss Andy Ellis's "10 plagues of cloud security" and Kelly Shortridge's 69 ways to F*&$ up your deploy. We discuss rolling out Yubikeys and the pros/cons of using biometrics instead of security keys. There have been some bad takes in the media on how OpenAI uses your ChatGPT prompts, so we set the record straight there. Cybersecurity is a new requirement for K-12 students in North Dakota, and you've got to see this week's security story - a rogue tire sends a Kia Soul FLYING.* * - but no one was hurt! Visit https://www.securityweekly.com/esw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/esw312
Kellermann will discuss the recently published report “Cyber Bank Heist” that exposes the cybersecurity threats facing the financial sector. Security must be a top-of-mind issue amid rising geopolitical tensions, increased destructive attacks utilizing wipers and a record-breaking year of zero-day exploits. Podcast listeners will learn what financial sector security leaders from around the world revealed in a series of interviews about specific trends when it comes to notable cyberattacks, e-fraud and cyber defense. Segment Resources: - https://www.contrastsecurity.com/cyber-bank-heists-report - https://www.contrastsecurity.com/security-influencers/cyber-bank-heists-report-code-patrol-podcast-contrast-security Overall increase in government regulations. EU as well. Shift in liability from consumers to organizations.How to take advantage of safe harbor protections and reduce organizational risk and liability. NIST SSD Framework - how do you understand the security practices of the open source packages you use in your applications and ensure they are following the NIST practices (so you can take full advantage of safe harbor protections and reduce potential liability). Creating a network of open source maintainers, documenting and attesting to their security practices, is a solution. Work with the maintainers to be able to provide documentation. How to get more involved with development in open source security. What is the mechanism? Segment Resources: https://tidelift.com/government-open-source-cybersecurity-resources https://blog.tidelift.com/webinar-how-the-nist-secure-software-development-framework-impacts-open-source-software https://blog.tidelift.com/webinar-recap-what-the-new-u.s.-national-cybersecurity-strategy-means-for-open-source-software https://blog.tidelift.com/tidelift-advisory-impact-of-new-u.s.-national-cybersecurity-strategy-on-organizations-building-apps-with-open-source-software In this week's enterprise security news, we talk about new companies and funding, trends in the deception and SaaS Security/SSPM space. We discuss Andy Ellis's "10 plagues of cloud security" and Kelly Shortridge's 69 ways to F*&$ up your deploy. We discuss rolling out Yubikeys and the pros/cons of using biometrics instead of security keys. There have been some bad takes in the media on how OpenAI uses your ChatGPT prompts, so we set the record straight there. Cybersecurity is a new requirement for K-12 students in North Dakota, and you've got to see this week's security story - a rogue tire sends a Kia Soul FLYING.* * - but no one was hurt! Visit https://www.securityweekly.com/esw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/esw312
In this week's enterprise security news, we talk about new companies and funding, trends in the deception and SaaS Security/SSPM space. We discuss Andy Ellis's "10 plagues of cloud security" and Kelly Shortridge's 69 ways to F*&$ up your deploy. We discuss rolling out Yubikeys and the pros/cons of using biometrics instead of security keys. There have been some bad takes in the media on how OpenAI uses your ChatGPT prompts, so we set the record straight there. Cybersecurity is a new requirement for K-12 students in North Dakota, and you've got to see this week's security story - a rogue tire sends a Kia Soul FLYING.* * - but no one was hurt! Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw312
In this week's enterprise security news, we talk about new companies and funding, trends in the deception and SaaS Security/SSPM space. We discuss Andy Ellis's "10 plagues of cloud security" and Kelly Shortridge's 69 ways to F*&$ up your deploy. We discuss rolling out Yubikeys and the pros/cons of using biometrics instead of security keys. There have been some bad takes in the media on how OpenAI uses your ChatGPT prompts, so we set the record straight there. Cybersecurity is a new requirement for K-12 students in North Dakota, and you've got to see this week's security story - a rogue tire sends a Kia Soul FLYING.* * - but no one was hurt! Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw312
This interview was recorded for the GOTO Book Club.gotopia.tech/bookclubRead the full transcription of the interview hereKelly Shortridge - Co- Author of Security Chaos Engineering and Senior Principal, Product Technology at FastlyAaron Rinehart - Co- Author of Security Chaos Engineering and Co-Founder & CTO at VericaMark Miller - Co-Author of Epic Failures in DevSecOps and Vice President, Community Engagement and Outreach at The Linux FoundationDESCRIPTIONWhat's the state of the art in modern security practices?The authors of the book Security Chaos Engineering, Aaron Rinehart and Kelly Shortridge talk to Mark Miller about the shift in the mental model that one has to undertake to reap its benefits. Their approach paves a new way that allows security engineers to uncover bugs in complex systems by chaos experiments before an actual attack.The interview is based on Kelly's and Aaron's book "Security Chaos Engineering":www.verica.io/sce-bookRECOMMENDED BOOKSKelly Shortridge & Aaron Rinehart • Security Chaos EngineeringNora Jones & Casey Rosenthal • Chaos EngineeringNora Jones & Casey Rosenthal • Chaos EngineeringMikolaj Pawlikowski • Chaos EngineeringRuss Miles • Learning Chaos EngineeringMurphy, Beyer, Jones & Petoff • Site Reliability EngineeringTwitterLinkedInFacebookLooking for a unique learning experience?Attend the next GOTO conference near you! Get your ticket at gotopia.techSUBSCRIBE TO OUR YOUTUBE CHANNEL - new videos posted almost daily.Discovery MattersA collection of stories and insights on matters of discovery that advance life...Listen on: Apple Podcasts Spotify Health, Wellness & Performance Catalyst w/ Dr. Brad CooperLooking for a catalyst to optimize your health, wellness & performance? You've found it!!Listen on: Apple Podcasts Spotify The New Arab VoiceA podcast from The New Arab, a leading English-language website based in London...Listen on: Apple Podcasts Spotify
Kelly Shortridge, a Senior Principal from Fastly, joins Dave to discuss her talk at RSAC on why behavioral science and behavioral economics matters for InfoSec. Joe's story shares an old scam with a new twist, it's about packages being delivered to you that you never ordered. Dave's story is on how a large scale phishing campaign compromised one million Facebook credentials. Our catch of the day comes from listener Will who was reached out to by someone claiming to be the "Head IMF/EUROPEAN UNION coordinator," who claimed to want to give Will one million dollars in compensation. Links to stories: Package scam delivers unordered items, victims billed hundreds of dollars One Million Facebook Credentials Compromised in Four Months by Ongoing Phishing Campaign Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter
Interpol coordinates international enforcement action against scammers. A new version of IceXLoader is observed. Exploiting versioning limits to render files inaccessible. Reflections on the first large-scale hybrid war. Kelly Shortridge from Fastly on why behavioral science and economics matters for InfoSec. Patrick Orzechowski from DeepWatch on Russian IoCs and critical infrastructure. And the possibility of cyber escalation in Russia's hybrid war against Ukraine. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/116 Selected reading. Hundreds arrested and millions seized in global INTERPOL operation against social engineering scams (Interpol) New IceXLoader 3.0 – Developers Warm Up to Nim (Fortinet Blog) Proofpoint Discovers Potentially Dangerous Microsoft Office 365 Functionality that can Ransom Files Stored on SharePoint and OneDrive (Proofpoint) Russia's cyber fog in the Ukraine war (GIS Reports) Russia Might Try Reckless Cyber Attacks as Ukraine War Drags On, US Warns (Defense One) Cyber Attacks in Times of Conflict (CyberPeace Institute) Vladimir Putin's Ukraine invasion is the world's first full-scale cyberwar (Atlantic Council) Why Russia has refrained from a major cyber-attack against the West (Cyber Security Hub) In modern war, we have as much to fear from cyber weapons as kinetics (Computing)
On this week's show Patrick Gray and Adam Boileau discuss the week's security news, including: Germany issues stark warning to Kaspersky users Ukraine SATCOM hack keeps getting more interesting Russia to spin up its own CA, but it's not what it seems Why the ransomware threat could get worse, then better Much, much more This week's show is brought to you by Fastly. Kelly Shortridge, Fastly's Senior Principal Product Technologist, joins the show this week to tell us what modern security actually looks like. Kelly is always fascinating so we were thrilled she was in the sponsor chair this week. Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that's your thing. Show notes German government issues warning about Kaspersky products - CyberScoop Exclusive: U.S. spy agency probes sabotage of satellite internet during Russian invasion, sources say | Reuters SATELLITE SYSTEMS, SATCOM AND SPACE SYSTEMS UPDATE Russia to create its own security certificate authority, alarming experts Political fallout in cybercrime circles upping the threat to Western targets (2) Oleg Shakirov on Twitter: "Russia's deputy foreign minister says he hopes the Russian-U.S. dialogue on cyber security will be resumed in response to a question whether it has been frozen He adds that it can bring tangible results like the disruption of REvil https://t.co/m817WD80vr" / Twitter FinCEN warns ransomware proceeds could be part of Russia sanctions evasion Biden takes big step toward government-backed digital currency Ukrainian hackers say HackerOne is blocking their bug bounty payouts | TechCrunch (2) Techmeme on Twitter: "Sources: Apple and Google removed Kremlin critic Navalny's app in September after FSB agents came to homes of top execs and threatened to take them to prison (Washington Post) https://t.co/nqvtHmG1Ft https://t.co/gQCcnFhnyo" / Twitter Government agencies in Ukraine targeted in cyber-attacks deploying MicroBackdoor malware | The Daily Swig (2) ESET research on Twitter: "#BREAKING #ESETresearch warns about the discovery of a 3rd destructive wiper deployed in Ukraine
This week, first up, we welcome Kelly Shortridge, Senior Principal Product Technologist at Fastly, to talk about “Deciduous”, Decision Trees, and Security Chaos Engineering! Then, Deb Radcliff, Strategic Analyst and Author from CyberRisk Alliance Joins to discuss “Penning a Cyber Thriller”! Finally, In the Enterprise News Guardicore Centra lets teams stop ransomware and lateral movement, Netskope streamlines procedures with improved attribution models and collaboration, Cloudflare claims they blocked the ‘greatest DDoS attack in history', SecurityScorecard partners up with Tenable to improve Risk Management, Sumo Logic delivers on SOAR promise by acquiring DFLabs, SCAR invests in cyber startup Hook Security, Hunters raises $30 Million in Series B, and more! Show Notes: https://securityweekly.com/esw240 Segment Resources: - https://www.deciduous.app/ - https://swagitda.com/blog/posts/rick-morty-thanksploitation-decision-tree/ - https://swagitda.com/blog/posts/deciduous-attack-tree-app/ - https://learning.oreilly.com/library/view/security-chaos-engineering/9781492080350/ - The book is available at https://www.amazon.com/Breaking-Backbones-Information-Hacker-Trilogy/dp/1665701080/ ; and her articles, speaking engagements and more information is available at www.debradcliff.com Visit https://www.securityweekly.com/esw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly
This week, first up, we welcome Kelly Shortridge, Senior Principal Product Technologist at Fastly, to talk about “Deciduous”, Decision Trees, and Security Chaos Engineering! Then, Deb Radcliff, Strategic Analyst and Author from CyberRisk Alliance Joins to discuss “Penning a Cyber Thriller”! Finally, In the Enterprise News Guardicore Centra lets teams stop ransomware and lateral movement, Netskope streamlines procedures with improved attribution models and collaboration, Cloudflare claims they blocked the ‘greatest DDoS attack in history', SecurityScorecard partners up with Tenable to improve Risk Management, Sumo Logic delivers on SOAR promise by acquiring DFLabs, SCAR invests in cyber startup Hook Security, Hunters raises $30 Million in Series B, and more! Show Notes: https://securityweekly.com/esw240 Segment Resources: - https://www.deciduous.app/ - https://swagitda.com/blog/posts/rick-morty-thanksploitation-decision-tree/ - https://swagitda.com/blog/posts/deciduous-attack-tree-app/ - https://learning.oreilly.com/library/view/security-chaos-engineering/9781492080350/ - The book is available at https://www.amazon.com/Breaking-Backbones-Information-Hacker-Trilogy/dp/1665701080/ ; and her articles, speaking engagements and more information is available at www.debradcliff.com Visit https://www.securityweekly.com/esw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly
Deciduous is an app Kelly built with Ryan Petrich that simplifies the process of creating security decision trees. Security decision trees are valuable aids in threat modeling and prioritizing mitigations, harnessing the power of belief prompting from the realm of behavioral game theory. Segment Resources: - https://www.deciduous.app/ - https://swagitda.com/blog/posts/rick-morty-thanksploitation-decision-tree/ - https://swagitda.com/blog/posts/deciduous-attack-tree-app/ - https://learning.oreilly.com/library/view/security-chaos-engineering/9781492080350/ Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw240
Deciduous is an app Kelly built with Ryan Petrich that simplifies the process of creating security decision trees. Security decision trees are valuable aids in threat modeling and prioritizing mitigations, harnessing the power of belief prompting from the realm of behavioral game theory. Segment Resources: - https://www.deciduous.app/ - https://swagitda.com/blog/posts/rick-morty-thanksploitation-decision-tree/ - https://swagitda.com/blog/posts/deciduous-attack-tree-app/ - https://learning.oreilly.com/library/view/security-chaos-engineering/9781492080350/ Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw240
Links: How to Bridge On-Premises and Cloud Identity: https://www.darkreading.com/vulnerabilities—threats/how-to-bridge-on-premises-and-cloud-identity-/a/d-id/1341512 How AWS is helping EU customers navigate the new normal for data protection: https://aws.amazon.com/blogs/security/how-aws-is-helping-eu-customers-navigate-the-new-normal-for-data-protection/ Cloud security should never be a developer issue: https://www.securitymagazine.com/articles/95641-cloud-security-should-never-be-a-developer-issue Tool Sprawl & False Positives Hold Security Teams Back: https://www.darkreading.com/application-security/tool-sprawl-and-false-positives-hold-security-teams-back/d/d-id/1341517 The what and Why of Cloud-Native Security: https://containerjournal.com/editorial-calendar/cloud-native-security/the-what-and-why-of-cloud-native-security/ OSPAR 2021 report now available with 127 services in scope: https://aws.amazon.com/blogs/security/ospar-2021-report-now-available-with-127-services-in-scope/ Researchers Create New Approach to Detect Brand Impersonation: https://www.darkreading.com/endpoint/researchers-create-new-approach-to-detect-brand-impersonation/d/d-id/1341549 Privacy Law Update: Colorado Privacy Bill Becomes Law: How does it Stack Up Against California and Virginia?: https://www.adlawaccess.com/2021/07/articles/privacy-law-update-colorado-privacy-bill-becomes-law-how-does-it-stack-up-against-california-and-virginia/ CISA Launches New Website to Aid Ransomware Defenders: https://www.darkreading.com/threat-intelligence/cisa-launches-new-website-to-aid-ransomware-defenders/d/d-id/1341539 stopransomware.gov: https://stopransomware.gov TranscriptJesse: Welcome to Meanwhile in Security where I, your host Jesse Trucks, guides you to better security in the cloud.Announcer: If your mean time to WTF for a security alert is more than a minute, it's time to look at Lacework. Lacework will help you get your security act together for everything from compliance service configurations to container app relationships, all without the need for PhDs in AWS to write the rules. If you're building a secure business on AWS with compliance requirements, you don't really have time to choose between antivirus or firewall companies to help you secure your stack. That's why Lacework is built from the ground up for the cloud: low effort, high visibility, and detection. To learn more, visit lacework.com. That's lacework.com.Jesse: There are several larger topics within the realm of cybersecurity that come up constantly. Subscribers of MiS are likely seeing these emerge from topics I cover. Some of the most common themes lately are compliance, privacy, ransomware, and DevSecOps. So, we are all working from common definitions, let's elaborate a bit on each.Compliance is the process of meeting some list or lists of requirements, usually have an outside agency of some sort. Most people think about this in terms of laws like GDPR, SOC, HIPAA, FERPA, and others. These are great examples, but compliance includes meeting certification requirements like SOC 2, various ISO certifications, or PCI.Privacy gets broad in terms of implementation, but at its core, it means the protection of information related to a person or organization. Basically, don't collect or disclose things you don't absolutely need to, and always ensure you have permission before any collection or disclosure of information.Ransomware is the software that will destroy or disclose—or both—your data if you don't pay someone. DevSecOps is the methodology of writing software with secure practices and systems in mind from the start. It's that whole shift-left thing.Meanwhile in the news. How to Bridge On-Premises and Cloud Identity. Identity and access management, or IAM, is difficult without introducing wholly different environments. We have to pick an IAM solution, so we choose what works across all our environments and services. Of course, ultimately, this means implementing Single Sign-On, SSO, of some sort as well.Sophisticated Malware is Being Used to Spy on Journalists, Politicians and Human Rights Activists. Not all horrible software sneaking into our devices and systems are from hidden criminal or enterprises or nation-state sponsored groups. Some of it sadly comes from for-profit companies. Just like a hammer can be used for horrible things, so can some security software.A Complex Kind of Spiderweb: New Research Group Focuses on Overlooked API Security. APIs run our whole cloudy world. They're the glue and crossovers communication mechanisms rolled into one conceptual framework. However, while we may introduce security flaws in our use of the billion APIs we have to use, the APIs themselves might have security vulnerabilities as well. I'm interested in the output from this practical research group to see if this bolsters API use and implementation in general.How AWS is helping EU customers navigate the new normal for data protection. Managing regulatory compliance is a circus act on a good day. On a bad day, it's a complex web of sometimes conflicting and sometimes complementary solutions. Many organizations worldwide need to meet EU regulations, so be sure to know if you must as well.Cloud security should never be a developer issue. I first thought this was the counterargument to the shift-left and DevSecOp movements, but this piece supports those movements. I like the view of supporting and protecting the developers to do better security. You don't need to hire a bunch of security experts and teach them to code; that wouldn't work so well. You can hire coders and teach them to code securely.Announcer: If you have several PostgreSQL databases running behind NAT, check out Teleport, an open-source identity-aware access proxy. Teleport provides secure access to anything running behind NAT, such as SSH servers or Kubernetes clusters and—new in this release—PostgreSQL instances, including AWS RDS. Teleport gives users superpowers like authenticating via SSO with multi-factor, listing and seeing all database instances, getting instant access to them using popular CLI tools or web UIs. Teleport ensures best security practices like role-based access, preventing data exfiltration, providing visibility, and ensuring compliance. Download Teleport at goteleport.com. That's goteleport.com.Jesse: Tool Sprawl & False Positives Hold Security Teams Back. Tool confusion and poorly tuned alerting systems plagues IT and security alike. Think about how you can streamline this by consolidating both IT and security management monitoring and alerting tools into a set of tools spanning use cases. Also, you need to read this because a source of the article is one of the most forward-thinkers in security today: Kelly Shortridge.The What and Why of Cloud-Native Security. Sometimes we humans struggle with the transition to a new paradigm. Well, most of the time. Despite rapid and drastic shifts in technology constantly since computers were a thing, we still struggle as professionals. Many of us had just gotten cybersecurity figured out when this cloud thing started raining on us. Let's get us all sorted out before we miss the rainy weather.OSPAR 2021 report now available with 127 services in scope. If you think your compliance issues are complex, have you considered what a global cloud provider has to support? I've worked with compliance for over two decades and I still struggle to keep up with the pace of change. Thankfully, AWS breaks it down for you with the Outsource Service Provider Audit Report, or OSPAR.Researchers Create New Approach to Detect Brand Impersonation. Brand impersonation is where someone puts up a site that looks just like yours, but it's a ruse to collect passwords and other information. Having a better way to find these and alert us is amazing. It used to be, this type of thing wasn't common because of the effort involved to do it. Now, it's far easier, even though the technology underpinning things have gotten much more complex.Privacy Law Update: Colorado Privacy Bill Becomes Law: How does it Stack Up Against California and Virginia? If you aren't sure what privacy laws apply to your operations, you should consult legal advice and get on top of this quickly. There are laws being passed in many jurisdictions around the world tightening the requirements for storing, using, and reporting on people's information and activities in your environments.CISA Launches New Website to Aid Ransomware Defenders. Many of us don't need to know the details about security things as long as they're monitored and managed by people who do know cybersecurity. However, we all need to better understand ransomware because it's a difficult-to-impossible problem to tackle without a concerted effort between multiple groups in our organizations. Check out the stopransomware.gov site for some help.And now for the tip of the week. Compliance is often a messy thing. It shouldn't be the burden it ends up being for most of us. Use the AWS Artifact service to understand AWS compliance. This service saves you hours of trying to figure out what reports to give your auditors for security compliance. Get in there and look around; it's peace of mind, just one URL away. You can manage various compliance-related agreements in there as well, so it's a fantastic resource. And that's it for the week. Securely yours Jesse Trucks.Jesse: Thanks for listening. Please subscribe and rate us on Apple and Google Podcast, Spotify, or wherever you listen to podcasts.Announcer: This has been a HumblePod production. Stay humble.
Jesse Trucks is the Minister of Magic at Splunk, where he consults on security and compliance program designs and develops Splunk architectures for security use cases, among other things. He brings more than 20 years of experience in tech to this role, having previously worked as director of security and compliance at Peak Hosting, a staff member at freenode, a cybersecurity engineer at Oak Ridge National Laboratory, and a systems engineer at D.E. Shaw Research, among several other positions. Of course, Jesse is also the host of Meanwhile in Security, the podcast about better cloud security you're about to listen to.Links: Blog entry: https://swagitda.com/blog/posts/on-yolosec-and-fomosec/ Why the Worst Cloud Security Predictions Might not Come True: https://securityintelligence.com/articles/worst-cloud-security-predictions-not-true/ First Known Malware Surfaces Targeting Windows Containers: https://www.darkreading.com/vulnerabilities—threats/first-known-malware-surfaces-targeting-windows-containers/d/d-id/1341230 Justice Dept. Claws Back $2.3M Paid by Colonial Pipeline to Ransomware Gang: https://krebsonsecurity.com/2021/06/justice-dept-claws-back-2-3m-paid-by-colonial-pipeline-to-ransomware-gang/ TeamTNT attacks IAM credentials of AWS and Google Cloud: https://www.scmagazine.com/home/security-news/cloud-security/teamtnt-attacks-iam-credentials-of-aws-and-google-cloud/ School Cybersecurity: How Awareness Training Removes Attackers' Options: https://securityintelligence.com/articles/how-awareness-training-improves-school-cybersecurity/ Only 17% of organizations encrypt at least half of their sensitive cloud data: https://www.scmagazine.com/home/security-news/only-17-of-organizations-encrypt-at-least-half-of-their-sensitive-cloud-data/ Return to Basics: Email Security in the Post-COVID Workplace: https://beta.darkreading.com/vulnerabilities-threats/return-to-basics-email-security-in-the-post-covid-workplace Zero Trust or Bust: What it is and Why it Matters to Data Security: https://securityintelligence.com/posts/zero-trust-why-it-matters-data-security/ What the FedEx Logo Taught Me About Cybersecurity: https://www.darkreading.com/vulnerabilities—threats/what-the-fedex-logo-taught-me-about-cybersecurity/a/d-id/1341118 How the Rise of the Remote SOC Changed the Industry: https://securityintelligence.com/articles/work-from-home-remote-soc/ Organizations Shift Further Left in App Development: https://www.darkreading.com/application-security/organizations-shift-further-left-in-app-development/d/d-id/1341219 Kate Turchin Wang YouTube: https://www.youtube.com/c/KeynoteSinger The Misaligned Incentives for Cloud Security: https://securityboulevard.com/2021/05/the-misaligned-incentives-for-cloud-security/ Kelly Shortridge Twitter: https://twitter.com/swagitda_ TranscriptJesse: Welcome to Meanwhile in Security where I, your host Jesse Trucks, guides you to better security in the cloud.Announcer: If your mean time to WTF for a security alert is more than a minute, it's time to look at Lacework. Lacework will help you get your security act together for everything from compliance service configurations to container app relationships, all without the need for PhDs in AWS to write the rules. If you're building a secure business on AWS with compliance requirements, you don't really have time to choose between antivirus or firewall companies to help you secure your stack. That's why Lacework is built from the ground up for the cloud: low effort, high visibility, and detection. To learn more, visit lacework.com. That's lacework.com.Jesse: Every week, I read dozens of articles, hundreds of social media posts on several platforms, and thousands of private messages about cybersecurity. There is one single most pervasive theme from all of them: security messaging is binary; there are generally only two mindsets about security. Both of these are wrong.First, there's the sensationalists who dream of being Case, the antihero in Gibson's novel, Neuromancer, which is, by the way, the greatest dystopian cyberpunk novel ever written. I will fight you on that. These jokers want the world to think they are the first and final defense against the alien invasion of sophisticated and powerful hackers. Really, most of these folks are trying to chase a non-existent adrenaline rush doing defensive security. Don't get me wrong, I love being a defender. It's just not strapping a saddle onto a missile and riding into the sunset.Second, there's the cyber-doomers who spread fear, uncertainty, and doubt—we call it FUD—about how cyberspace has already collapsed and we're all on life support while the hackers outside [unintelligible 00:02:06] run amok in pure cyber-anarchy. These purveyors of apocalyptic doomscapes assure us all that culture of no is the only answer to keeping sanity and safety within our control. They live on and trade in fear, but all this does is cost more money and hinder the mission in business. Kelly Shortridge calls this YOLOsec and FOMOsec and does a much better job at this than I can. Go read her blog entry.Meanwhile, in the news. Why the Worst Cloud Security Predictions Might not Come True. We security people are usually gloom and doomers. It's our stock and trade.However, the migration to cloud is moving the exposed attack surfaces. This may not mean an increase in risk for many organizations. This could simply be a shift in risk categories.First Known Malware Surfaces Targeting Windows Containers. If you run Windows systems in Kubernetes clusters, you may get popped by this one. Once again, following the basic best practices of running everything—yes, I do mean everything—using the minimal amount of permissions possible in your environment, managing your cloud resources is likely your protection. This is called the principle of least privilege.Justice Dept. Claws Back $2.3M Paid by Colonial Pipeline to Ransomware Gang. This one just feels good. Recovering a few million dollars from ransomware groups is barely a rounding error, but it's like getting your five pennies back from that bully who stole $25 in lunch money from you and your friends.Announcer: This episode is sponsored by ExtraHop. ExtraHop provides threat detection and response for the Enterprise (not the starship). On-prem security doesn't translate well to cloud or multi-cloud environments, and that's not even counting IoT. ExtraHop automatically discovers everything inside the perimeter, including your cloud workloads and IoT devices, detects these threats up to 35 percent faster, and helps you act immediately. Ask for a free trial of detection and response for AWS today at extrahop.com/trial. That's extrahop.com/trial.Jesse: TeamTNT attacks IAM credentials of AWS and Google Cloud haven't I been on message about securing your credentials? I don't ever believe someone deserves to be attacked and breached, but if you don't secure your accounts and use the principle of least privilege, you're likely to get owned sooner rather than later. Stopping the low-hanging fruit.School Cybersecurity: How Awareness Training Removes Attackers' Options. The only path to long-term change for things like getting people to stop using links in phishing emails is to teach children not to do these stupid things when they are young. More people won't do stupid security things as adults if they spend their childhood learning how to be smarter about their computer use.Only 17% of organizations encrypt at least half of their sensitive cloud data. Really people? This is a combination of laziness and not shifting left with security in your development and deployment processes. If your data is encrypted and the inevitable—or pervasive, depending on how bad your security practices are—access misconfiguration exposing your data won't be catastrophic.Return to Basics: Email Security in the Post-COVID Workplace. One thing almost every security person agrees on—and data supports—is that there are a handful of basic best practices that mitigate almost all risks. Email is the scourge of modern life—God I hate it—and is full of nasty phishing junk. Get your people to not be stupid about email.Zero Trust or Bust: What it is and Why it Matters to Data Security. You know I can't pass up an opportunity to hammer on zero trust. As a co-panelist with me at a conference said to me yesterday, zero trust is a horrible name for the concept of dynamic contextual authorization, but it's the name that stuck. Whether you've heard my soapbox rants on zero trust or not, your homework is to read another pushy article about implementing zero trust.What the FedEx Logo Taught Me About Cybersecurity. Do you see the arrow? I've done some detours through design and logo development, and I've seen the FedEx arrow forever now. Go look at the logo they have. Whitespace in visual design being overlooked by most people is a great analogy to explain newer algorithmic security analyses.How the Rise of the Remote SOC Changed the Industry. This is a cool peek behind the curtain of cybersecurity profession and the dangers. This article brings up ethics, which is something most articles ignore, but most of us in security think about the ethical ramifications of our work every single day.Organizations Shift Further Left in App Development. This is another topic I like beating on. It's like I'm building a one-person band of security methodologies. Actually, I'm quite musically inept, so if you really want to have [laugh] some musical fun in cloud security, go listen to Kate Turchin Wang, the cloud security singer on YouTube. She's awesome.The Misaligned Incentives for Cloud Security. I often say economics drives behavior. There's a whole field of study on this called behavioral economics. This article is dry and dense, but it lays out how cloud providers aren't given reasons to work that hard on security. If you want to follow the rabbit down the hole about behavioral economics and cybersecurity, follow Kelly Shortridge on Twitter, she's @swagita_. She is both amazing and entertaining.And now for the tip of the week. This one is easy. Well, maybe not for some of us. Work with me here. Put down your tools. Set aside your technical mission for the moment. Go ask your organizational leaders what they care about in your business or mission. Really talk to them. Send them an email. Be curious and be genuine. You will learn vast amounts more about what your security focus should be and should not be by learning the business.That's it for the week, folks, securely yours Jesse Trucks.Jesse: Thanks for listening. Please subscribe and rate us on Apple and Google Podcast, Spotify, or wherever you listen to podcasts.Announcer: This has been a HumblePod production. Stay humble.
Behavioral Economics has altered our perceptions of what actually motivates human beings. How do these theories about our more primitive behaviors as well as our intellectual biases apply to information security? Allan Alford & Kelly Shortridge discuss in the context of infosec programs and events in a whirlwind of conversation. Sponsored by our friends at AttackIQ Podcast: The Cyber Ranch Podcast Episode 2: Behavioral Economics and InfoSec with Kelly Shortridge On this episode of The Cyber Ranch Podcast, host Allan Alford is joined by Kelly Shortridge, VP of Product Management at Capsule8. Their conversation begins with Kelly introducing herself and her work. She works in products for a security vendor, and she's done research into applying behavioral economics to security. Kelly says she grew up with a love of computers, but was mostly about building gaming rigs side of things. Her career in information security began in the investment banking industry, which led her to fall in love with security. Next, Allan asks Kelly about her work in behavioral economics. Economics is the study of choice, behavioral economics looks at the way humans actually behave by conducting experiments and observing natural occurrences. Humans don't always behave in the rational, textbook way, but Kelly explains that often their choices are rational when you factor in competing priorities. In information security, this shows up when folks find themselves reacting to threats that have the most attention, rather than those that are proven to be the most pressing. Information security is also affected by hindsight and outcome biases. Kelly explains how our brains try to trick us into blaming a single factor in a crisis, but that is not how the real world or cyber attacks work. Now that behavioral economics has clued us in to the biases formed by what Kelly affectionately refers to as our “lizard brains,” Allan wonders if we should be optimistic about how we may think and prevent attacks in the future. Kelly isn't so sure. She explains that changing some systems to be more compatible with our lizard brain has been effective, however knowing how we think doesn't help people think differently. In InfoSec, there are opportunities to continue making the secure way the easiest way, and circumvent the lizard brain. Other industries have been designing systems and workloads based on the way people behave; Kelly says InfoSec is just behind the curve. As the episode ends, Allan asks Kelly what keeps her still in InfoSec. Kelly says it is spite. There are still inefficiencies and an industry that pats itself on the back for doing little, that makes her spiteful she says. She wants to be an industry member that adds value to organizations and highlights the user. Follow Kelly on Twitter as @swagitda_ or on LinkedIn at Kelly Shortridge Learn more about Allan and the Cyber Ranch Podcast at Hacker Valley Studio Sponsored by our good friends at AttackIQ
All links and images for this episode can be found on CISO Series (https://cisoseries.com/when-should-you-stop-trusting-your-ciso/) How technically capable does my CISO need to be? If they lose their technical chops, should we stop trusting them? Should they even be a CISO if they had no technical chops to begin with? This episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest this week is James Dolph, CISO for Guidewire Software. Thanks to our sponsor, Dtex. Traditional Employee Monitoring solutions are creepy. Capturing screenshots, recording keystrokes, monitoring web browsing and following social media activities is unnecessary and damages culture. DTEX InTERCEPT is the first and only solution that delivers the real-time workforce monitoring capabilities today’s organizations need and employees will embrace. Learn more at dtexsystems.com. On this week’s episode We mentioned past guest, Kelly Shortridge's new book with Aaron Rinehart, "Security Chaos Engineering". First 90 days of a CISO It's time for a CISO do-over. One of the great things about being a CISO is you get a chance to actually apply everything you learned from past jobs. Our guest, James, worked in product security with Salesforce before becoming a CISO. When we recorded the episode, James wasn't yet a full 90 days into his job. And Mike also came from Salesforce as well (they worked together) and working at Lyft was his first CISO job directly from Salesforce as well. Did they both have the same viewpoints of applying product security principles to the CISO role? How do you go about discovering new security solutions What criteria do you use to evaluate phishing solutions? GigaOM Research released a report earlier this year of the key criteria for evaluating phishing platforms. Some of the criteria they mentioned were phishing solutions that do and do not impede workflows, a security edge solution that's in-band vs. out-of-band, and do you need detonation chambers for potentially malicious emails. What criteria do Mike and James use to evaluate, and have they seen those criteria change from company to company? What criteria are not as important? What's Worse?! Failing as a professional or being a mediocre professional? What’s a CISO to do On Defense in Depth, my co-host Allan Alford said, "I think the lack of technical skills in a CISO is expected to a certain degree. You have to have the foundation, but I don't expect my CISOs to be rolling up their sleeves and doing a lot of the hands on work." I turned that quote into a meme image and it caused a flurry of response from the community. How much of applying of security controls that your staff currently does, could a CISO do themselves today? Let’s dig a little deeper What are our passion projects that are tangentially related to cybersecurity? Are we adopting any and how is it helping us stay mentally healthy during COVID? Tony Jarvis of Check Point brought this up. He suggested that we should be sharing our passion projects. What have been our passion projects? How have they helped our mood and our work? And have we been able to keep up with them?
Cyber Security Matters, hosted by Dominic Vogel and Christian Redshaw
In this episode of Cyber Security Matters, Dominic and Christian talk with Kelly Shortridge. Kelly's career began in Information Security and Data Analytics in Investment Banking. Along with this, she was also interested in the Infotech space, in which she saw lapses and holes in the industry that she passionately wanted to fix. Soon after, she created a startup which was eventually acquired by a large cybersecurity company. From there, Kelly realized that she loved solving real cybersecurity problems that customers have. Kelly researches applications of behavioral economics to information security and uses this knowledge in her current role as the VP of Product Management & Strategy in Capsule8. She discusses the different problems and issues happening in the Cyber Security industry and how we can improve the quality of the security services we provide to our clients. --- Cyber Security Matters is a partnered program of Conversations That Matter. This show is produced by Oh Boy Productions, video production, podcast and vidcast specialists located in Vancouver. To find out more, go to http://www.ohboy.ca #cybersecurity #computers #cybersec
In part one of my three part series on Cybermarketing in Covid time, I chat with Ryan Bunker, Business Development executive at pre-revenue start up Byos.io In parts two and three we will chat with Dean Nicolls of growth company Jumio and Atri Chatterjee of late stage company ForgeRock. Leaving RSA Byos.io was on a roll. Pre-revenue with a unique hardware solution to remote Wifi security, interest was high. Learn how Ryan Bunker has had to embrace the change brought by Covid and navigate changing user behavior, ITSec priorities, ZeroTrust clutter and more. Ryan discusses some of the unique challenges of having a hardware solution with no physical meetings to have! Ryan recommends you follow Kelly Shortridge , Paul Salamanca and the ever present Wendy Nather. You can follow Ryan at all the usual places, Linked In, Twitter and learn more about Byos.io’s unique solution here. Learn more about your ad choices. Visit megaphone.fm/adchoices
On today's episode, Guy Podjarny talks to Kelly Shortridge about security, microservices, and chaos engineering. Kelly is currently VP of product strategy at Capsule8, following product roles at SecurityScorecard, BAE Systems Applied Intelligence, as well as co-founding IperLane, a security startup which was acquired. Kelly is also known for presenting at international technology conferences, on topics ranging from behavioral economics at Infosec to chaos security engineering. In this episode, Kelly explains exactly what product strategy and management means, and goes into the relationships and tensions between dev, ops, and security and how that has changed. We also discuss container security and how it is different from any other end point security systems, as well as the difference between container security and microservices. Kelly believes that we are overlooking a lot of the benefits of microservices, as well as the applications for chaos engineering in security. Tune in to find out what changes Kelly sees happening in the industry, and see what advice she has for teams looking to level up their security!
In this episode of the Hacker Valley Studio podcast, we have the brilliant Kelly Shortridge sharing her thoughts on behavioral economics and cybersecurity. She also has a lesson or two for vendors in the cybersecurity space.Kelly's Websites: https://kellyshortridge.com/ and https://swagitda.com/
Sarah Bowen and Merle van den Akker interview Kelly Shortridge on how behavioural science is applied to information security.Kelly Shortridge is VP of Product Strategy at Capsule8. Before that, Kelly was the Product Manager for cross-platform detection capabilities at BAE Systems Applied Intelligence as well as co-founder and COO of IperLane. In her spare time, she researches applications of behavioural economics to information security, on which she’s spoken at conferences internationally. Finding Kelly Shortridge: Business: https://www.linkedin.com/in/kellyshortridge/ Personal: https://swagitda.com/ Capsule8: https://capsule8.com/ Secret link: https://www.techradar.com/uk/best/password-manager Research mentioned: Verizon data breach investigations report: https://enterprise.verizon.com/resources/executivebriefs/2019-dbir-executive-brief.pdf Questioning Behaviour Socials: Facebook: @QBpodcast (https://www.facebook.com/QBPodcast) Insta: @questioningbehaviour (https://www.instagram.com/questioningbehaviour/) Twitter: @QB_podcast (https://twitter.com/QB_Podcast) LinkedIn: @Questioning Behaviour (https://www.linkedin.com/groups/8928118/) Music: Derek Clegg “You’re the Dummy” https://derekclegg.bandcamp.com/
In today's episode, we will be talking with our good friend, Masha Sedova. Masha Sedova is an industry-recognized people-security expert, speaker and trainer focused on engaging people to be key elements of secure organizations. She is the Co-Founder of Elevate Security, delivering the first people-centric security platform that leverages behavioral-science to transform employees into security super-humans. Before Elevate Security, Sedova was a Security Executive at Salesforce where she built and led the security engagement team focused on improving the security mindset of employees, partners and customers. In addition, Sedova has been a member of the board of directors for the National Cyber Security Alliance and a regular presenter at conferences such as Black Hat, RSA, ISSA, Enigma and SANS. Listen in and get a deep understanding of the way social proof and behavioral science influence security awareness training. Masha suggested the following people to be aware of: Regina Spekter (http://www.reginaspektor.com/) and Kelly Shortridge (https://twitter.com/swagitda_?s=20). You can connect with Masha in the following ways: LinkedIn: https://www.linkedin.com/in/msedova/ and Twitter: https://twitter.com/ModMasha. At Tech & Main, we want to be YOUR technology partner. Let our 20+ years of expertise help you achieve the outcomes that are best for your business: cloud, SD-WAN, data center, security or anything else. We have engineers and project managers available to assist you. Call our office at 678-575-8515, email us at info@techandmain.com or visit us at www.techandmain.com. Thanks for listening! --- Send in a voice message: https://anchor.fm/techandmain/message
Ransomware has become an ugly fact of life for enterprises, and incorporating it into threat models and disaster recovery plans is a must. Kelly Shortridge of Capsule8 joins Dennis Fisher to discuss her untested hypothesis that achieving an economic equilibrium with professional ransomware attackers could be beneficial for both sides. Read Kelly's piece on this hypothesis here.
Kelly Shortridge, VP of Product Strategy at Capsule8, and Cyber Work podcast host Chris Sienko discuss how for introduce security teams early into the product development process, as well as cognitive biases in security decision-making at all levels of employment from analysts to CISOs. View the transcript, additional episodes and promotional offers: https://www.infosecinstitute.com/podcast. Join us in the fight against cybercrime: https://www.infosecinstitute.com.
All images and links for this episode can be found on CISO Series (https://cisoseries.com/open-this-email-for-an-exclusive-look-at-our-clickable-web-links/) You'll be dazzled by the clickability of our web links on this week's episode of CISO/Security Vendor Relationship Podcast. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week Aanchal Gupta (@nchlgpt), head of security for Calibra, Facebook. Aanchal Gupta, Head of Security for Calibra, Facebook, Mike Johnson, Co-Host, CISO/Security Vendor Relationship Podcast, David Spark, Producer, CISO Series Thanks to this week's podcast sponsor Expel. Expel is flipping today’s managed security model on its head (Ouch!) for on-prem and cloud, taking a technology-driven approach that lets analysts focus on what humans do best: exercise judgment and manage relationships. The company offers 24x7 monitoring through its security operations center-as-a-service, using the security tools customers already have. On this week's episode Hey, You're a CISO, what's your take on this? Last month, Brian Krebs reported a breach from the 6th-largest cloud solutions provider PCM Inc. which let intruders rifle through Office365 email/documents for a number of customers. In response, listener Alexander Rabke, Unbound Tech, asked, "Would CISOs continue to do business with ‘security’ companies that are breached?" What's your recommendation for sales people who are at such an organization? How should they manage news like this? Ask a CISO We know there are plenty of pros and cons of telecommuting. I'm eager to hear from both of you how security leaders value telecommuting. What are the challenges to a CISO of managing a virtual staff? What's Worse?! We've got two extreme scenarios you'd never see in the real world. Why is everybody talking about this now? Mike, on LinkedIn you ranted about the term DevSecOps that it was a distraction and that "It's really no different (at a high level) than building security into an Agile development process, or a Waterfall process." I agree but I would argue that when DevOps was introduced it was about getting two groups working in tandem. At the time it was a mistake to omit security. Last year at Black Hat I produced a video where I asked attendees, "Should security and DevOps be in couples counseling together?" Everyone universally said, "Yes", but I was taken aback that many of the security people responded, "that they should just listen to me." Which, if you've ever been in couples counseling knows that the technique doesn't work. I argue that the term DevSecOps was brought about to say, "Hey everybody, you have to include us as well." Mike recommends Kelly Shortridge and Nicole Forsgren presentation at Black Hat 2019, "The Inevitable Marriage of DevOps and Security". Companies continue to take advantage of the economies of scale offered by multi-tenant cloud services, but complacency is dangerous. Multi-tenant cloud is often described as being like a big apartment building, but the big difference is that the walls that separate tenants from each other are not solid, but software. Software is built by humans which closes the circle: unpredictable humans in an unpredictable world. I’m not just talking about hacking here. What about compliance? GDPR’s austere and perhaps old-world view that data on a German citizen must stay in Germany, is nonetheless the law, and carries substantial fines for transgression. This requires data centers to be run from multiple countries, but so long as they’re connected by a cable no data is ever truly isolated. Future regulations affecting health records or patents or blockchain transactions might find themselves in limbo when it comes to coming to rest in a certain section of a certain cloud. For the moment, companies are focusing mostly on the cost-efficiencies of shacking up with other tenants in the same building, but very soon, this too might not be enough. Check out lots more cloud security tips sponsored by OpenVPN, provider of next-gen secure and scalable communication software. OpenVPN Access Server keeps your company’s data safe with end-to-end encryption, secure remote access, and extension for your centralized UTM. The great CISO challenge Lauren Zink of Amtrust posted an article from Infosec Institute asking, "What are you to do with repeat offenders in social engineering exercises?" The article offers some helpful suggestions. In the discussion, there was some pointing fingers at security training designed to purposefully trick employees. Have either of you had to deal with repeat offenders? What did you do? What's your advice for other security leaders... and HR?
My guest this week is Kelly Shortridge, VP of Product Strategy at Capsule8, and we’re talking about infosec. We get into some interesting discussion: threat modeling, foundational security defense, why you’re totally screwed if a nation-state is after you (tip: they’re probably not), and why chaos engineering and ephemeral infrastructure is actually great for security. Also, we totally crap on security vendor FUD for a bit and how to choose security tools that actually work.
Kelly Shortridge (@swagitda_) is the Vice President of Product Strategy at Capsule 8, a security platform that detects and defends your entire Linux production environment. Her background is in economics and behavioral economics, a perspective that has helped her call out the cognitive biases behind security decision making. On this episode, we talk about how to think clearly about security, how to be a therapist for Chief Information Security officers, and how the dragons from Game of Thrones relate to this industry. --- Send in a voice message: https://anchor.fm/sandbox/message
Last year, investors poured $5 billion in cybersecurity startups. The whole industry will be worth $170 billion in three years, according to a recent estimate. There’s so many infosec companies it's hard to keep track of them. And yet, are we all really secure? Is the infosec industry really keeping us safe? Is it even focusing on the right problems?Next week, tens of thousands of people will meet in San Francisco for the year’s biggest information security gathering focused on business: the RSA Conference.Kelly Shortridge is the vice president of product strategy at Capsule8, a New York City-based security startup. Kelly has a background in economics, investment banking, and has studied the infosec market. She’s here today to help us understand why the infosec industry is so big, and what’s wrong with it. See acast.com/privacy for privacy and opt-out information.
Last year, investors poured $5 billion in cybersecurity startups. The whole industry will be worth $170 billion in three years, according to a recent estimate. There's so many infosec companies it's hard to keep track of them. And yet, are we all really secure? Is the infosec industry really keeping us safe? Is it even focusing on the right problems?Next week, tens of thousands of people will meet in San Francisco for the year's biggest information security gathering focused on business: the RSA Conference.Kelly Shortridge is the vice president of product strategy at Capsule8, a New York City-based security startup. Kelly has a background in economics, investment banking, and has studied the infosec market. She's here today to help us understand why the infosec industry is so big, and what's wrong with it. See acast.com/privacy for privacy and opt-out information.
CISO/Security Vendor Relationship Podcast and Series has moved to CISOSeries.com. We're no longer buying their albums because we've had enough of the "can do no wrong" toxic culture of cybersecurity rock stars. On this episode of the CISO/Security Vendor Relationship Podcast we are elevating the little known indie InfoSec professionals. This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson, CISO of Lyft. Our guest this week is independent analyst, Kelly Shortridge (@swagitda_). Follow her musings at Swagitda. This episode is sponsored by Vulcan Cyber, your automated vulnerability remediation solution. Put an end to manual-only patch management and reduce vulnerability risk with a cloud-based solution that bridges the vulnerability remediation gap. Automate and orchestrate the vulnerability remediation process with Vulcan Cyber. On this episode: Why is everybody talking about this now? We do a health check on where we are in terms of security enabling the business. What have been the greatest strides and where are we falling behind? We reference a post by CISO of Mitel, Allan Alford. Please, Enough. No, More. We discuss the phenomenon of cybersecurity rock stars and why their “they can do no wrong” pass is toxic to the industry. What’s Worse?! Tip of the hat to Kip Boyle, CEO of Cyber Risk Opportunities for this week’s question. Ask a CISO The phenomenon of security buzzwords. When is it actually used to describe a product and when is it used to fill up space in a marketing campaign? What’s a CISO to do? We talk about people being the problem in security, but it’s not in the way you think it is.
Kelly Shortridge (@swagitda_) spoke with us about the intersection of security and behavioral economics. Kelly’s writing and talks are linked from her personal site swagitda.com. Kelly is currently a Product Manager at SecurityScorecard. Thinking Fast and Slow by Daniel Kahneman What Works by Iris Bohnet Risky Business, a podcast about security Teen Vogue’s How to Keep Your Internet Browser History Private Surveillance Self-Defense from EFF, including security for journalists as mentioned in the show Bloomberg’s Matt Levine Twitter suggestion @SwiftOnSecurity, @thegrugq, and @sawgitda_.
The O’Reilly Security Podcast: How adversarial posture affects decision-making, how decision trees can build more dynamic defenses, and the imperative role of UX in security.In this episode, I talk with Kelly Shortridge, detection product manager at BAE Systems Applied Intelligence. We talk about how common cognitive biases apply to security roles, how decision trees can help security practitioners overcome assumptions and build more dynamic defenses, and how combining security and UX could lead to a more secure future.Here are some highlights: How the win-or-lose mindset affects defenders’ decision-making Prospect theory asserts that how we make decisions depends on whether we’re in the domain of gains mindset or the domain of losses mindset. An appropriate analogy is to compare how gamblers make decisions. When gamblers are in the hole, they're a lot more likely to make risky decisions. They're trying to recoup their losses and reason they can do that by making a big leap, even if it's unlikely to succeed. In reality, it would be better if they either cut their losses or made smaller, safer bets. But gamblers often don’t see things that way because they’re operating in a domain of losses mindset, which is also true of many security defenders. Defenders, for the most part, manifest biases that make them willing to make riskier decisions. They're more willing to implement solutions against a 1% likelihood of attack rather than implementing the basics—like two factor authentication, good server hygiene, and network segmentation. We see a lot more defenders buying those really niche tools because, in my view, they're trying to get back to the status quo. They’re willing to spend millions on incident response, particularly if they've just experienced an acute loss, like a data breach. If they had spent those millions on basic controls, they likely wouldn't have had that breach in the first place. Planning dynamic defenses and overcoming assumptions with decision trees Defenders frequently have static strategies. They aren't necessarily thinking next steps in how attackers will respond if they implement two factor authentication, antivirus software, or whitelisting. Decision trees codify your thinking and encourage you to figure out how an attacker might respond to or try to work around your initial defenses, not just your first step. Different branches show how you think an attacker could move throughout your network to get to their end goal. By including your defensive strategies and the probability of success for each, you're essentially documenting your assumptions about how likely your defensive tools are to work, and how likely attackers are to use certain moves. That means if you have a breach or incident, or if you get new data on attacker groups, you can start to refine your model. You can identify where your assumptions might have fallen through. It keeps you honest with tangible metrics, which is important in addressing cognitive biases. Knowing where you failed improves your defenses. It shows how your assumptions need to be tweaked. Why security needs UX—and vice versa We've done a terrible job as an industry of incorporating UX into security design. People lament all the time, regardless of product, that security warnings aren't worded correctly. Either they scare users or people blindly click through them. No one seems focused on how to effectively incorporate security into product design itself. Designers or developers often view security as a complete nuisance—necessary but, in many ways, a hindrance. Security professionals often view UX as a waste of time, and blame insecurity on users who click on things they shouldn’t. Security and UX need to meet in the middle. This is an area that is ripe for opportunity and needs to be explored because it could make a meaningful change in the industry. Using UX to encourage users to make better or more secure decisions as they conduct their various IT activities would have a huge impact on security.
The O’Reilly Security Podcast: How adversarial posture affects decision-making, how decision trees can build more dynamic defenses, and the imperative role of UX in security.In this episode, I talk with Kelly Shortridge, detection product manager at BAE Systems Applied Intelligence. We talk about how common cognitive biases apply to security roles, how decision trees can help security practitioners overcome assumptions and build more dynamic defenses, and how combining security and UX could lead to a more secure future.Here are some highlights: How the win-or-lose mindset affects defenders’ decision-making Prospect theory asserts that how we make decisions depends on whether we’re in the domain of gains mindset or the domain of losses mindset. An appropriate analogy is to compare how gamblers make decisions. When gamblers are in the hole, they're a lot more likely to make risky decisions. They're trying to recoup their losses and reason they can do that by making a big leap, even if it's unlikely to succeed. In reality, it would be better if they either cut their losses or made smaller, safer bets. But gamblers often don’t see things that way because they’re operating in a domain of losses mindset, which is also true of many security defenders. Defenders, for the most part, manifest biases that make them willing to make riskier decisions. They're more willing to implement solutions against a 1% likelihood of attack rather than implementing the basics—like two factor authentication, good server hygiene, and network segmentation. We see a lot more defenders buying those really niche tools because, in my view, they're trying to get back to the status quo. They’re willing to spend millions on incident response, particularly if they've just experienced an acute loss, like a data breach. If they had spent those millions on basic controls, they likely wouldn't have had that breach in the first place. Planning dynamic defenses and overcoming assumptions with decision trees Defenders frequently have static strategies. They aren't necessarily thinking next steps in how attackers will respond if they implement two factor authentication, antivirus software, or whitelisting. Decision trees codify your thinking and encourage you to figure out how an attacker might respond to or try to work around your initial defenses, not just your first step. Different branches show how you think an attacker could move throughout your network to get to their end goal. By including your defensive strategies and the probability of success for each, you're essentially documenting your assumptions about how likely your defensive tools are to work, and how likely attackers are to use certain moves. That means if you have a breach or incident, or if you get new data on attacker groups, you can start to refine your model. You can identify where your assumptions might have fallen through. It keeps you honest with tangible metrics, which is important in addressing cognitive biases. Knowing where you failed improves your defenses. It shows how your assumptions need to be tweaked. Why security needs UX—and vice versa We've done a terrible job as an industry of incorporating UX into security design. People lament all the time, regardless of product, that security warnings aren't worded correctly. Either they scare users or people blindly click through them. No one seems focused on how to effectively incorporate security into product design itself. Designers or developers often view security as a complete nuisance—necessary but, in many ways, a hindrance. Security professionals often view UX as a waste of time, and blame insecurity on users who click on things they shouldn’t. Security and UX need to meet in the middle. This is an area that is ripe for opportunity and needs to be explored because it could make a meaningful change in the industry. Using UX to encourage users to make better or more secure decisions as they conduct their various IT activities would have a huge impact on security.
© 2020-2025 Ivy Podcast Discovery LLC
