Resilient Cyber

Latest episodes

Aug 19, 2024 • 21min

Resilient Cyber w/ Chloe Messdaghi - AI Security & the Threat Landscape

In this episode we sit down with Chloe Messdaghi, Head of Threat Intelligence at HiddenLayer, an AI Security startup focused on securing the quickly evolving AI security landscape. HiddenLayer was the 2023 RSAC Innovation Sandbox Winner and offers a robust platform including AI Security, Detection & Response and Model Scanning.

- For folks not familiar with you or the HiddenLayer team, can you tell us a bit about your background, as well as that of HiddenLayer?
- When you look at the AI landscape, and discussions around securing AI, what is the current state of things as it stands now? I would recommend checking out the "AI Threat Landscape Report" you all recently published.
- Many organizations of course are in their infancy in terms of AI adoption and security. I know the HiddenLayer team has really been advocating concepts such as AI Governance. Can you talk about how organizations can get started on this foundational activity?
- HiddenLayer published a great two part series on an "AI Step-by-Step Guide for CISO's", can you talk about some of those recommendations a bit?
- You all also have been evangelizing practices such as Red Teaming for AI and AI Models. What exactly is AI Red Teaming and why is it so critical to do?
- Another interesting topic is how we're beginning to look to Govern AI, both here in the U.S. with things such as the AI EO, and in the EU with the EU AI Act. What are some key takeaways from those, and what do you think about the differences in approaches we're seeing so far?
Jul 25, 2024 • 18min

Resilient Cyber w/ Travis McPeak - Securing Cloud-native Infrastructure

- For folks not familiar with you and your background, can you tell us a bit about that?
- How about Resourcely, how did it come about and what problem did you set out to tackle?
- Why do you think Cloud Misconfigurations are still so pervasive, despite being fairly well into the Cloud adoption lifecycle?
- How have organizations traditionally tried to handle secure configurations, in terms of establishing them, maintaining them, monitoring for drift and so on?
- Where do you think we're headed, I know you all recently had your capability go GA and you discuss concepts such as blueprints, frameworks, paved paths etc.
- You've been talking a lot about the Death of DevSecOps. Let's chat about that, what case are you making with regard to DevSecOps and where the industry is headed?
Jul 19, 2024 • 48min

Resilient Cyber w/ Stuart Mitchell Cyber Talent, Recruiting & the Workforce

- First off, for folks not familiar with your background, can you tell us a bit about yourself?
- You made the leap from working for a firm to founding your own talent and recruiting company. Can you tell us about that decision and experience?
- Before we dive into specific topics, what are some of the biggest workforce trends you are seeing in cyber currently? I have seen you talk about the pendulum shift from workers to employers on aspects like remote roles, and so on. What is the current dynamic across the cyber landscape broadly at the moment?
- The cyber workforce is often discussed painfully, with talks of struggles to attract and retain technical talent, but I feel like it isn't just a headcount problem. We also often see absolutely awful PD's and processes that impact organizations' hiring abilities. What are your thoughts here?
- You're often seeking out some of the best talent for leading organizations. What sort of experiences, qualities and characteristics do you find yourself looking for in candidates that make them stand out from the broader workforce?
- Conversely, what are some things you see organizations doing the best that really set them apart from others when it comes to building amazing security teams?
- What can folks be doing to try and best position themselves for their dream role? What are key things to keep in mind and emphasize from an expertise, personal branding, resume and other factors perspectives?
Jul 7, 2024 • 24min

S6E22: Daniel Shechter - Application Detect & Response (ADR)

Daniel Shechter, co-founder of Miggo, shares his journey from the Israeli Defense Forces to pioneering Application Detection and Response (ADR) in cybersecurity. He explains the increasing complexity of application security in modern tech environments, including Cloud and microservices. Shechter addresses the struggle organizations face with vulnerability overload and offers insights on balancing proactive security with operational realities. He also highlights the critical role of AI in enhancing cyber resiliency against evolving threats.
Jun 13, 2024 • 46min

S6E21: Christoph Kern - Dissecting Secure-by-Design

- First off, for those that don't know you or your work, would you mind telling us a bit about your background?
- You recently published a paper titled "Secure-by-Design at Google" which got a lot of attention. Can you tell us about the paper and some of the key themes it emphasizes?
- In the paper you discuss some of the unique aspects of software that are different from mass-produced physical systems. Such as their dynamic and iterative nature. On one hand you mention how the risk of introducing a new defect over time for a physical system after manufacturing is low, unlike software. I know Google are big proponents of DORA for example, and past papers have shown organizations that are capable of routinely delivering software to production at-scale also have more resilient outcomes, this seems to be both a risk and a benefit of software over physical systems?
- You also discuss the need for Secure Default Configurations. Historically it feels like producers have erred on the side of functionality and usability over secure default configurations, and we have even heard CISA begin using terms like "loosening guides" over hardening guides. Do you feel the two concepts of security and usability are inherently at odds, or need to be?
- One aspect of your paper that really jumped out to me is that "developers are users too". I feel like this is even more pertinent with both the rise of software supply chain attacks and the realization that most defects are introduced by Developers and also they are best positioned to address flaws and vulnerabilities. How critical do you think it is to design systems with this in mind?
- Some may push back and say it is easy for Google to advocate this approach of Secure-by-Design due to their incredible expertise and resources, but obviously, and conversely, Google has a scale in terms of challenges that most organizations can't fathom. How does Google balance the two?
- What role do you think leading software suppliers and organizations such as Google have to play when it comes to ensuring a more resilient digital ecosystem for everyone?
Jun 12, 2024 • 40min

S6E20: Joe McCaffrey - Securing the Digital Arsenal of Democracy

- First off, for folks that don't know you, can you tell us a bit about your current role and background?
- On that same note, can you tell the audience a bit about Anduril, the mission of the organization and some of the current initiatives it is working on?
- What are some of the biggest challenges of being a new entrant in a space such as the DoD, which has longstanding system integrators and large prime contractors who have deep relationships, industry expertise/experience and so on?
- I know you're passionate about the ATO process. What are your thoughts on how it stands currently and the impact it has on both new entrants, as well as impacting the ability to get innovative capabilities into the hands of warfighters and mission owners?
- CMMC
- We know your organization is looking to bring innovative commercial technologies into Defense, what are some of the challenges there beyond the ATO aspect?
- Outside of the technical aspect, we know the DoD and Federal space have longstanding challenges with attracting and retaining technical talent. How does that impact your abilities to be effective in this space with your Government peers, and additionally, how does Anduril navigate that when looking to attract modern digital talent to a space like Defense?
- Many are now arguing that cybersecurity is a domain of warfare and we're seeing the use of phrases such as "Software-Defined Warfare" by organizations such as The Atlantic Council. How important do you think modern digital capabilities are to national security and why?
- DevSecOps thoughts
Jun 12, 2024 • 30min

S6E19: Madison Oliver - Open Source & GitHub Advisory Database

- For those that don't know you or haven't come across you quite yet, can you tell us a bit about your background in tech/cyber and your role with GitHub?
- What exactly is the GitHub Advisory Database and what is the mission of the team there?
- There's been a big focus on vulnerability databases, especially lately with some of the challenges of the NVD. What role do you see among the other vulnerability databases in the ecosystem, including GHAD and how it fits into the ecosystem?
- GitHub has a very unique position, being the most widely used development platform in the world, boasting millions of users. How do you all use that position and the insights from it to help drive vulnerability awareness across the ecosystem?
- There's been a large focus on software supply chain security, including securing OSS. What are your thoughts on these trends and some ways we can combat these risks?
- You're also involved with the CVE program, can you tell us about that?
- We know you collaborate with another group, out of OpenSSF, known as the Vulnerability Disclosure Working Group. What does that group do and what role do you play?
Jun 4, 2024 • 31min

S6E18: Stephen Carter - VulnMgt Modernization & FedRAMP

- For those who don't know your background or Nucleus Security, can you start by telling us a bit about both?
- You have experience and a background in the Federal environment, and Nucleus recently achieved their FedRAMP authorization, can you tell us a bit about that process?
- When you look at the Federal/Defense/IC VulnMgt landscape, what are some of the biggest problems from your experience and where do you think innovative products and solutions can help?
- Going broader, we have seen a recent uptick in the interest around VulnMgt, and looking to modernize the way we do things. What do you think is driving this recent focus on VulnMgt and what major innovations or disruptions in the space do you see underway?
- What do you feel helps differentiate Nucleus Security from some of the other competitors we see in this space focusing on this problem?
- We're seeing a big push for Secure-by-Design software, which of course deals with driving down vulnerabilities, and repeated classes of vulnerabilities. What's your take on this push and do you see it being effective?
Jun 4, 2024 • 26min

S6E17: Jimmy Mesta - Kubernetes, Runtime and Supply Chains

- For those unfamiliar, please tell us a bit about your background, as well as about RAD Security. What do you all focus on and specialize in?
- Your team recently was part of the RSAC Innovation Sandbox. Can you tell us a bit about that experience, and being able to highlight the innovative capabilities of RAD to such a key audience?
- You recently published a comprehensive resource on Kubernetes Security Posture Management (KSPM), what are some of the key items in there folks need to be focusing on?
- The RAD security team emphasizes their fingerprint capability for Kubernetes workloads. Can you unpack what this is and how it differs from say signature based security tools and so on?
- When thinking about software supply chain security, how does Kubernetes fit in, given the current digital landscape and explosive growth of Kubernetes and Containerized workloads?
- You all are big proponents of runtime security, a category that is getting increased attention lately in the security industry. Why do you think runtime is so critical, compared to say some other tools or products that may focus on different aspects of the SDLC or lean into "shifting left" for example?
May 17, 2024 • 35min

S6E16: Alon Schindel - Cloud Threats and Cloud Security Platforms

- You recently presented at Wiz's MisCONfigured at RSA, where you covered some of the most relevant cloud threats and risks, can you touch on what some of those are?
- We know Wiz just announced a massive capital raise and there have been talks about M&A plans for Wiz, I know you help with looking at potential products/firms - what are some key things you look at?
- When you acquire a new product and team, how does it look to ensure there is a smooth integration with the Wiz team and platform?
- There's a bit of debate in the industry around "platforms" and best of breed. How do you/Wiz think about this approach and how do you ensure as you add new products to the platform that you remain a leader in the space?
- We've heard a lot of talk about AI and its implications both for improving security, but also needing to be secured, how do you and Wiz think of AI when it comes to cybersecurity and where do you see the most promise?
