Podcasts

Adam and I have just returned from Black Hat and DEF CON in Las Vegas, so in this week’s show we’re going to have a look at the infosec news we missed over last couple of weeks. We did plan to recap Black Hat in this podcast, but we’ve wound up a bit short on space so I’m busting that out into a separate podcast that I’ll publish on Monday. So this podcast will just be a discussion around news plus a sponsor interview.

The news we’re covering:

• Australia’s new surveillance/”anti-encryption” laws
• Intel SGX vulnerability research
• Taiwan Semiconductor WannaCry woes
• Details on CYBERCOM op against ISIS
• Reddit pwnage
• Bitcoin investor sues AT&T over $23m loss
• FIN7 arrests
• CIA’s loss of scores of China assets may have been hack-related
• Massive ATM cashout and SWIFT attack hits Indian bank
• Much, much more

Bugcrowd CTO Casey Ellis joins us in this week’s sponsor interview to talk about a few things – firstly, how some research presented at Black Hat by the team at Portswigger is a sign that serious research teams are using bounties to cash in on their serious security research. Then we’ll be talking about the Bugcrowd University initiative and a reboot of the disclose.io project.

Links to everything are below, and you can follow Patrick or Adam on Twitter if that’s your thing.

On this week’s show we hear from Greg Shipley. Greg works at an initiative spun up by In-Q-Tel called Cyber Reboot. Its goal is to develop open source tools that can push things forward in security – things the private sector aren’t doing.

He’ll be telling us about some changes his colleagues have made to tcpdump, which, if they ever manage to get the changes adopted, could actually be quite useful to the security community.

This week’s show is brought to you by Duo Security! And Duo’s very own Dave Lewis will be joining us this week to talk about the roadblocks you might face if you’re trying to head down the BeyondCorp road to the deperimiterised nirvana!

Adam Boileau drops in to discuss the week’s news, including:

• COSCO shipping ransomwared into oblivion
• DHS warning on impending ERP attacks
• Charges against SIM-swap cryptocurrency thief
• Google’s “Shielded VMs”
• Google’s launch of its own hardware security tokens
• Master134 malvertising campaign
• New Kronos version
• NetSpectre attacks
• Bluetooth bugs
• Much, much more

Links to everything are below, and you can follow Patrick or Adam on Twitter if that’s your thing.

What you’re about to hear is a long form interview with Zane Lackey, a former pentester turned director of security engineering for Etsy turned co-founder and CSO of Signal Sciences.

Signal Sciences can be broadly, kinda described as “next generation WAF”. If you do have a requirement for a waffy, raspy thing, then you absolutely need to check out Signal Sciences.

They give you visibility in to attacks against your applications, and even auto-blocking a bunch of them without that turning into a cascading horror-show.

Signal Sciences’ product has a really strong emphasis on assisting organisations who are running DevOps shops. And it makes sense, Zane’s key achievement at Etsy was managing the security of that company’s Devops transition.

He’s actually just written an O’Reilly book, Building a Modern Security Program. So, he joined me to talk about his book, what’s in it, about DevSecOps more generally, and about some new stuff Signal Sciences has been working on.

We didn’t have space to run a feature in this week’s show, mostly because we had three weeks of news to catch up on because of my holiday. Adam Boileau is away on a company retreat this week, so Haroon Meer is this week’s news guest.

We talk about:

• The Russia indictment
• Chrome now marks http sites as “not secure”
• Julian Assange is close to being turfed out of his London digs
• Microsoft’s midterm meddling misfire
• Singapore loses 1.5m health records
• Some cool research from Talos and Cyberark
• Azimuth Security acquired by L3
• The npm supply-chain attack
• Chrome site isolation
• And much more!

This week’s sponsor is ICEBRG. And ICEBRG just announced today that it’s been acquired by Gigamon, which is pretty big news for them. So we’ll spend a couple of minutes talking about that with ICEBRG’s Jason Rebholz. Then we’ll be talking to Justin Warner about a pretty cool Flash 0day they found hiding in a Microsoft Office document. That was some pretty cool work, and the attackers in that case did some pretty novel things in terms of keeping their payload away from prying eyes. Obviously they didn’t do a good enough job or we wouldn’t be talking about it, but there are some new techniques there, fun stuff.

*****NOTE: At one point I get Jason Rebholz’s name wrong. I call him Justin Rebholz by accident. Apologies for the error, Jason!

There’s no weekly show this week, I’m on a beach somewhere tropical right now and I prepared this one so we’d have something to run while I’m away. The Soap Box is one of our wholly sponsored podcasts here at Risky Biz HQ – vendors pay to come on to talk about what’s on their mind.

And this week we’ve got Cylance’s very own Chris Sestito joining us. He heads threat research for Cylance, the AV company.

Cylance is a relatively new company – they’ve been around about six years now – and regular listeners would have heard me credit them for almost singlehandedly shaking up the AV industry.

They built a machine learning model for detecting malware that was effective enough to actually challenge the incumbents, who until then, had a stranglehold on the market. Cylance’s fortunes rose further when it played an instrumental part in detecting and cleaning up malware used against the US office of personnel management, or OPM.

That was a big moment, because from there it seemed like all of a sudden EVERYONE was a machine learning company. I’m sure a lot of people listening to this podcast are so sick to death of hearing pitches from vendors about machine learning.

But the thing is, Cylance was built on machine learning and they are still 100%, 24-carat true believers. Chris Sestito joined me to talk about driving machine learning model development with threat research, dodgy machine learning marketing and more.

Snake Oilers is a wholly sponsored podcast series we a few times a year here at Risky Biz HQ. The idea is we get a bunch of vendors together and they pitch their tech in a straightforward way. Less “stops advanced cyber threats” and more “here’s what our stuff does and how it works”.

You’re hearing this instead of a weekly show because I am currently on a beach somewhere tropical.

We’ve got two vendors in this edition of ‘Oilers: next-gen SIEM platform company Exabeam and email filtering giant Proofpoint.

Our sponsor guest from Proofpoint is Ryan Kalember. Ryan is the SVP of cybersecurity strategy at Proofpoint, and regular listeners would have heard him pop up here and there on other Risky Business podcasts.

Ryan knows an awful lot about email security and he’s joining us this week to talk about a few things. A big selling point he wants to hit home this week is that Proofpoint offers its clients dedicated IPs for their outbound mail servers. That means you won’t be blocked when someone else using the same IP for outbound mail starts sending spam. Believe it or not this is a thing that happens to users on other mail filtering platforms. From there Ryan spells out Proofpoint’s approach to combating credential phishing. Aaaaand we talk about other stuff too. We started off by talking about how some organisations are getting blocked because their filtering provider is sharing IPs between clients.

Exabeam also drops in to talk about what a next gen SIEM actually is. From day one Exabeam was a startup that meant business. As you’ll hear, they started off as a SIEM-helper, and they’ve gradually built out their product from there. Now they’re going after the established SIEM market – think Splunk, Arcsight, those types of products. Despite only being five years old, Exabeam has quickly established itself as a real player in the SIEM market.

And why not? They make a compelling argument that the most popular SIEM products have gone stale. Anu Yamanan is the VP of products at Exabeam and she’s here to explain the general pitch behind all next generation SIEM gear. The idea is to go beyond the event log and build a timeline of events that actually has context around it. SOC analysts, SIEM specialists and CSOs will be interested to hear what she has to say here.

On this week’s show we’re chatting with a PR pro who specialises in information security. Melanie Ensign currently works at Uber, but she also served as a security PR for Facebook and before that, AT&T. She drops in this week to talk about how you can work with the PR professionals in your organisation to help tell your security story to the wider world. She also has some great tips for infosec professionals who might be a bit nervous about dealing with journalists.

In this week’s sponsor interview we’re joined by Julian Fay, the CTO of Senetas.

Senetas has a long history of making layer 2 network encryptors, but they are branching out in all sorts of ways these days. One thing they’re doing now is working on approaches to network encryption that play nicely with software-defined WAN. The days of hauling all your network traffic back to a single choke point are numbered – Julian thinks in the near future you’ll have some sort of CPE device that actually implements different types of encryption on different types of traffic crossing your border. So, Senetas has actually built that gear and we’ll be hearing about why.

Adam Boileau joins the show to talk about the week’s security news:

• Some very cool LTE research
• Equifax manager charged with insider trading
• Ticketmaster’s bad week
• The US DoD’s very own app store
• Weird, maybe, possibly-but-probably-not OPM-related fraud
• MOAR Rowhammer stuff affecting ‘droid handsets

Links to everything are below, and you can follow Adam or Patrick on Twitter if that’s your thing.

No feature interview in this week’s show, we go long on news instead. Adam Boileau joins the podcast to talk through the week’s infosec news, including:

• Confusion reigns in David Sanger vs FireEye spat
• Reality Winner pleads guilty
• PEXA property settlement platform users fleeced
• US Supreme Court decides location info requires a warrant
• The Apple unlock bug that wasn’t

This week’s show is brought to you by Thinkst Canary. Thinkst’s very own Marco Slaviero joins us in this week’s sponsor segment to talk about how some vendors are derping out when it comes to creating needlessly complicated “deception platforms”.

Links to everything are below, and you can follow Adam or Patrick on Twitter if that’s your thing.

First up in this edition of Snake Oilers we speak with Rapid7. Listeners of the regular show would have heard me talk about their UserInsight software for years. That’s because I knew people who used it and they swore by it. UserInsight was user and entity behaviour analytics (UEBA) software that was massively ahead of its time. It was very good at spotting weird things happening on your network when it comes to dumped or compromised creds popping up in weird places.

Well, InsightIDR is basically where UserInsight wound up, and yeah, it’s morphed in to a product that’s half SIEM and half EDR.

Every Tom, Dick and Harriett seems to be offering EDR software these days, and every next-gen SIEM company is becoming more and more UEBA-centric, so what Rapid7 has created here is something in between. InsightIDR product manager Eric Sun will tell us all about it.

Next up we’ll hear the simplest pitch in this podcast, from Airlock Digital. They’re an Australian company that makes whitelisting software that’s actually useable. If your organisation has tried implementing whitelisting through Microsoft’s Applocker then you know how badly it sucks. These guys have created a simple but useable whitelisting solution.

I’ve been to the booth! I’ve seen the demo! Airlock Digital co-founder David Cottingham is our guest on their behalf. In addition to being a founder, David is also the author of the SANS course SEC480: which covers the ASD top 4 – number one on that list is whitelisting. He has experience in the federal government implementing whitelisting and after seeing just how badly other products suck, he and his mates founded Airlock Digital. So yeah, if you’re whitelist-curious or if you’re sick of dealing with Applocker, then you really, really should stick around for that one.

After that we’re checking in with Stephan Chenette of AttackIQ. They make attack simulation software, but in response to customer demand they’ve actually taken it to its logical extension - they’re now offering modules you can use to test your SOC staff, or, if you outsource, you can use these modules to test your MSSP. Throw some alerts at them and see what comes back – get scores for individual SOC operators. Hey, even if you ARE an MSSP you might want to use this software to see who to promote in your SOC. That’s interesting stuff.

On this week’s show we’re chatting with Alex Tilley. He’s with Secureworks in Australia these days, but before that he spent a big chunk of his career with the Australian Federal Police.

He did a presentation a few weeks back at the AusCERT conference all about what fraud crews are up to these days. He’ll be joining us to walk through how much damage West African crime groups are doing with compromised office 365 accounts. We also talk a bit about trends in money muling, because that game has really changed.

This week’s show is brought to you by Cylance, and in this week’s sponsor interview we’ll be chatting with Cylance’s very own Jim Walter about how ransomware hasn’t really gone anywhere, despite most of the tech press getting sick of writing about it.

Adam Boileau, as usual, joins us to talk about the week’s news, including:

• The Vault7 guy is totally screwed
• US Senate scuttles Trump’s plan to save ZTE
• Chinese pwning satellite comms, telcos
• Olympic Destroyer crew is back

Links to everything are below and you can follow Patrick and Adam on Twitter if that’s your thing.