Three Buddy Problem

Founding-member of the Google security team Heather Adkins joins the conversation to stress the importance of defenders playing the "long-game," the need for meaningful culture-change among security leaders, the expansion of zero-trust beyond identities and devices, and some thoughts on the future of electronic voting. Sponsored by Eclypsium: Eclypsium ships an enterprise device platform that provides visibility and mitigation for malicious activity all the way down to the firmware and hardware level. Think of it as one platform to discover, inventory, assess risk, patch, and detect compromises and supply chain breaches across your entire fleet of devices. Request a demo at Eclypsium.com.

Facebook product security leader Collin Greene joins the show to discuss philosophies around securing code at scale, the pros and cons of relying on bug-bounty programs, the humbling lessons from being on the wrong side of a malicious hack, and why "shift-left" should be the priority for every defender.

Former head of offensive security research at NVIDIA Alex Matrosov joins the show to talk about the state of security at the firmware layer, the need for specialized reverse engineering skills, the limits of bug-bounty programs for hardware research, and the future of advanced malware analysis.

Charles Nwatu is an engineering manager in Netflix's Security, Technology Assurance & Risk organization. He joins Ryan on the show to talk about a career pivot from U.S. gov service into cybersecurity in Silicon Valley, the exciting parts of compliance and risk management, and why newcomers should consider jobs in SOCs to kickstart security careers.

Director of Internet Analyis at Kentik, Doug Madory, joins the podcast to shed light on the mysterious appearance of unused IPv4 space belonging to the US Department of Defense: the strange connection to a Florida company now managing the world's largest honeypot; the odd Inauguration Day timing of this discovery;, and why enterprise network defenders should pay very close attention.

Sponsored by Eclypsium Chris Castaldo has a fascinating career in cybersecurity. A U.S. army veteran who dabbled in tech during the early 2000s dot-com boom before settling on security, Castaldo is now CISO at Crossbeam and a decision-maker with a bird's eye view into how the should be protected. Castaldo joins Ryan on the show to talk about his new book on securing the startup, why he's the rare CISO that loves security vendor briefings and demos, and his vision of the CISO's top priorities.

Shubham Shah is a brilliant hacker who quit his pen-testing job to hack for cash in bug-bounty programs. He quickly mastered the game of automating automating pre-breach reconnaissance and zero in on common webapp programming and configuration errors. Shubs, now co-founder at Assetnote, joined Ryan on the show to talk about the stressful life of a fulltime bug-bounty hunter, advancements in web app security defense, and how automation is completely rewriting the bug-discovery business.

Newly appointed Executive Editor at VentureBeat Fahmida Rashid joins the show to talk about her introduction to computer networking in school, her winding path into cybersecurity journalism, the security stories worth telling, the venture capital ecosystem, and the surge in unicorn cybersecurity startups.

Microsoft's David Weston joins Ryan on the show to discuss a new report that shows 83% of organizations have been hit by a firmware attack in the last two years. As businesses continue to under-invest in resources to prevent firmware attacks, Weston warns about the inevitability of advanced attacks at the 'invisible' layer, the absence of skills and tools to find malicious activity in firmware, the nightmare of navigating the patching treadmill, and exciting tech innovation in the space.

At age 16, Lena Smart finished high school and went into the workforce. At the time, a university degree and advanced education were not available to her in a single-parent household in Scotland. Today, she is CISO of MongoDB, a $16 billion company with thousands of employees around the world and she is a leading voice on education and talent-identification in cybersecurity. Lena joins Ryan on the show to tell stories from her childhood, the decisions that carved a path for a successful career in security, the anguish of imposter syndrome, the joys of building a modern security program, and impressive tech innovation moving the security needle.

Patrick Howell O’Neill is the cybersecurity senior editor for MIT Technology Review. In this out-of-band episode of the show, Patrick joins Ryan to discuss his latest scoop on Google Project Zero's visibility into malware used in a Western .gov counter-terrorism operation, the tricky nature of attributing nation-state backed attacks, Apple's iOS becoming a hot target and the controversies surrounding all of these conversations. Follow Patrick on Twitter.

After a 20-year career working in the offensive security reseach trenches, security industry pioneer Nico Waisman made the transition to defense to head up privacy and security efforts at ride-sharing firm Lyft. Waisman joins Ryan Naraine on the show to talk about early hacking in Argentina, the contributions of non-Americans to the security industry, and much much more...

Ron Brash joins Ryan Naraine on the show to talk about the recent water supply hack, the state of security in ICS/SCADA installations, the checklist of affordable things for critical infrastructure defenders, and the things we should worry -- and not worry -- about. Ron is Director of Cyber Security Insights at Verve Industrial Protection, a critical infrastructure-focused organisation that sells services and products that work across IT and OT environments for effective cyber security, controls and management.

This is the republication of an interview first conducted in March 2013 with then-VUPEN chief executive Chauki Bekrar. The audio file was lost in several podcast platform transfers and I'm glad to be able to retain this interview for historical purposes. The recording was conducted in the hallways of the CanSecWest Pwn2Own hacking contest in 2013 where Bekrar's team of hackers demo'd a zero-day attack against Microsoft Internet Explorer 10 on Windows 8, an exploit that bypassed all mitigations including the browser sandbox. We chat about the controversies surrounding the sale of zero-day vulnerabilities and exploits, his company’s business dealings and the work that goes into winning the CanSecWest Pwn2Own hacker contest. (Please excuse the audio quality and background chatter, this was recorded with a small handheld device in a noisy room).

Journalist-turned-intel analyst Selena Larson joins the podcast to discuss the nuances of cybersecurity journalism, making the shift to analyzing intelligence and writing for a private audience, the ransomware epidemic, and the state of critical infrastructure security.

Gusto chief security officer Fredrick 'Flee' Lee talks about his passion for democratizing security, solving problems for small businesses, the responsibilities of being a black security leader, and the people and experiences that influenced him along the way.

TechCrunch security writer Zack Whittaker stumbled into journalism while in college and has carved a successful career covering cybersecurity the last decade. He joins the podcast to talk about landing at ZDNet out of university and some lucky breaks along the way. Zack also talks about the trials of living and working with Tourette syndrome.

Netflix security leader Jason Chan talks about the connections between ultra-marathons and running a robust security program, his view of the defender's top priorities, the talent shortage in cybersecurity, and the shifting patterns that drive secure code delivery.

After a career in government that included physical security work for the U.S. State Department, Matt Honea transitioned to Silicon Valley and turned his attention to the cyber-insurance space. He joins the podcast for a frank discussion on cyber-insurance, ransomware payments and trends, and his opinions on innovation in security.

Cybersecurity journalist and author Andy Greenberg joins the podcast to talk about his career as a journalist, the ins-and-outs of negotiating a big story with sources, the intricacies of writing a good book, and some of his biggest stories to date.

After a career in diplomacy at the U.S. State Department, Uber's Brooke Pearson headed to Silicon Valley to find a new path in cybersecurity. We chat about her early interest in Russia and international relations, a life-changing chance encounter during an airport layover, using non-traditional skills to find success in tech, and her passion for helping minorities find meaningful careers in security.

[ DISCLAIMER: These are the personal opinions of Tim MalcomVetter and do not construe an official endorsement or business relationship of his employer with any product or service. ] Walmart Red Team lead Tim MalcomVetter joins the podcast to talk about red-team/blue team dynamics, the adversarial relationship between the two sides, the mentality of a determined attacker, and why everyone in cybersecurity should give jiu-jitsu a try.

Hacker-turned-entrepreneur Matt Suiche reminisces about the hacking scene in France, his introduction to memory forensics and how his research led to presenting at Microsoft's Blue Hat, the grind of building and selling a company, and his passion for supporting young security researchers in developing countries.

AT&T Cybersecurity's Jaime Blasco talks about falling in love with security as a high-school student in Spain, finding a career path in pen-testing and offense, shifting to building defensive technologies and his current passion for exploring the value of machine learning.

Mobile security pioneer Collin Mulliner talks about the early days of hacking PalmOS devices, the current state of smartphone platforms, his work on securing self driving cars, and why he built and open-sourced a firmware analyzer tool.

Hitch Partners principal Michael Piacente dishes on the cybersecurity job market during an economic crisis, the intricacies of recruiting top-flight security talent, the high rate of turnover among CISOs, and why companies should spend more time on writing better job descriptions.

Security industry pioneer Dave Aitel dishes on entrepreneurship, fostering a "one team, one parking lot" culture, how lessons from his time at the NSA still guides his decisions, and his approach to blunt, honest marketing. We also discuss a shared passion for Brazilian Jiu-Jitsu and his work supporting Project Grapple in Miami.

Former Chief Security Scientist at Bank of America, Sounil Yu, explains why he created the Cyber Defense Matrix framework and how organizations are using it to drive visibility and security decisions in multiple places. We discuss securing "cattle vs pets," the next era of security innovation, and the increasing security poverty line that hurts small- and medium-sized businesses.

In an industry where 10-15% of staff are women, Akamai's security team is 40% women and growing. Chief security officer Andy Ellis joins the podcast to share lessons on practical things -- some subtle, some major -- that pushed real diversity on Akamai's security team.

Veteran malware hunter Costin Raiu talks about writing his own an anti-virus program as a teenager in Romania, his work tracking advanced threat actors globally, and why he assumes his computer is compromised by at least three APT groups.

Flashpoint chief executive Josh Lefkowitz talks about how his previous work as a counter-terrorism analyst underscored the value of contextual threat-intelligence, his company's approach to gathering and analyzing data, and his mission to be an extension of a client's security team.

BlackBerry security response executive Christine Gadsby joins the podcast to talk about tough decisions around shipping secure software, the challenges of securing supply chain dependencies, BlackBerry's new ransomware recovery feature, and her upcoming Black Hat 2018 presentation.

Cybersecurity industry veteran Chad Loder talks about his time as co-founder of Rapid7, the decision to acquire Metasploit, lessons learned from moving to the CISO chair and why the industry still struggles with security awareness training.

Chris Castaldo, senior director of cybersecurity at 2U, Inc., joins Ryan on the podcast to talk about building a threat model for digitizing the education sector, his top priorities as a defender, new solutions that impress him, and why it's important to get independent third-party security assessments.

Founder and CEO of Wire Security, Wim Remes, joins the podcast to discuss the intricacies of penetration testing, red-teaming, bug bounty programs, and calls for defenders to embrace continuous pen-testing.

Lacework Chief Security Architect Dan Hubbard joins the podcast to discuss his new research on container security, the challenges of securing cloud deployments, and why technological advancements have widened attack surfaces.

David Weston manages the Windows Device and Offensive Security Research teams at Microsoft. He joins the podcast to talk about how proactive red-team exercises push major mitigations to Microsoft's products and the current state of security in the Windows ecosystem.

SVP and Chief Information Security Officer (CISO) at Lending Club, Rich Seiersen, digs into the nuts and bolts of defending a financial services firm, his approach to finding quality cybersecurity talent, and the importance of confronting security with data. (Recorded during fireside chat at SecurityWeek’s CISO Forum).   https://securityconversations.com/wp-content/uploads/2018/06/rich_seierson.mp3

Founder and CEO of GreyNoise Intelligence Andrew Morris (andrew___morris) talks about his “anti threat-intelligence” company, the ways SOCs are using it to filter through scanning noise and the trials and tribulations of bootstrapping a start-up.   https://securityconversations.com/wp-content/uploads/2018/05/andrew_morris.mp3

Managing Partner at YL Ventures, Yoav Leitersdorf (ylventures), explains the surge in cybersecurity investments in Israel, the priorities for his $75 million fund and which sectors are ripe for the picking.   https://securityconversations.com/wp-content/uploads/2018/05/ep30-yoav_leitersdorf.mp3

Principal Security Researcher at Recorded Future’s Insikt Group, Juan Andrés Guerrero-Saade (juanandres_gs), explains the nuances of good threat intelligence, sheds light on nation-state hacker activity and warns that adversaries don’t have to be “sophisticated” to launch successful attacks.   https://securityconversations.com/wp-content/uploads/2018/05/juan_andres_guerrero_saade.mp3

The founder and CEO of Dragos, Inc. Robert M. Lee (RobertMLee) cuts through the hype around threats to critical infrastructure and offers a matter-of-fact take on active defense, “hacking-back,” and nation-state espionage operations.   https://securityconversations.com/wp-content/uploads/2018/05/ep28-robert-m-lee.mp3

VP of Product at RiskIQ Brandon Dixon (@9bplus) delves into nation-state cyber operations, explains why it’s dangerous to underestimate North Korea’s capabilities, and his passion for roasting the perfect coffee bean. https://securityconversations.com/wp-content/uploads/2018/05/ep27-brandon-dixon.mp3

Slack security architect Ryan Huber talks about the gargantuan task of defending an organization with 8 million daily active users, burnout, and fatigue in security teams and a range of issues around bug bounties and penetration testing.

Chief Technology Officer at Quarkslab Ivan Arce (@4dgifts) tells stories about the birth of penetration testing platforms, the concentration of hacking talent in Argentina, and his focus on security problems in the Android ecosystem. https://securityconversations.com/wp-content/uploads/2018/05/ivan_arce_01.mp3

Founder and CEO of Fyde (@FydeApp) Sinan Eren discusses the “iOS-ification” of platforms and the security ramifications, the dangers of running AV software, the iOS vs. Android security argument, and his new venture to address mobile phishing attacks. https://securityconversations.com/wp-content/uploads/2018/05/Ep-24-sinan_eren.mp3

Founder and CTO at Senrio Stephen Ridley (@s7ephen) talks about the abysmal state of IoT security, his recent exploitation of an IP camera, and router to exfiltrate corporate data and his experience as a minority in the security industry. https://securityconversations.com/wp-content/uploads/2018/04/Ep23-stephen-ridley.mp3

Founder and CEO at MKACyber Mischel Kwon joins the podcast to address the state of the SOC (Security Operations Center) and how businesses should deal with issues around excessive alerts, incident response times, and outdated metrics.

CISO and VP of Strategy at Digital Shadows Rick Holland discusses his path in the information security industry, advancements in the threat intel space, and his passion for good bar-b-que.

Latacora Security founder Thomas Ptacek joins the podcast to weigh in on the cybersecurity skills shortage, his approach to recruiting and hiring, and what needs to be done to address diversity in the industry.