Resilient Cyber

Nikki - With your current role as a Distinguished Engineer - I know you focus a lot on cloud security. What does being a DE entail? Do you do some research along with your other duties?Chris: We've seen the discussion around data in the security space evolve quite a bit. From legacy environments with a SIEM/SOC centralized approach, oriented around "collecting all the things" to now discussions around data lakes, analytics, and automation among others. Can you discuss the evolution a bit with us and your thoughts on it?Chris: I've been reading pieces lately that are pushing the narrative that there isn't "security" data, there's just business/organizational data, some of which has security context/use. What are your thoughts on this? It seems to be in-line with a push for security to be more tightly coupled with and speak the language of the business.Nikki - Recently you were posting about the AWS IR guide and even getting into some logging with AWS. Logging is one of those areas that I'm super interested in - especially from an IR perspective. What do you think about where we are with security logging guidance and what should organizations know about setting up complex logging environments? Chris: As we continue to watch the security data space evolve I know you've been championing the concept of, and even have written extensively about the term "SecDataOps". What is this exactly, and why do you feel like it is the time to have the industry move this direction?Chris: We're also seeing a push for standardized logging formats, such as the Open Cybersecurity Schema Framework (OCSF), which has gotten support from some of the largest tech companies. How important is it for the industry to rally around a standardized cybersecurity schema/framework and what are the challenges of not doing so? Nikki - You have also done some Board Advising and taken on several Advisory roles for Boards. Two part question - what got you interested in taking on an advisory role and what would you suggest for other technical practitioners who want to get more involved at the Board or executive level?  Nikki - What does cyber resiliency mean to you?

The podcast discusses the importance of visualizations in vulnerability management and how they help non-technical individuals understand the need for vulnerability management. It also explores the process of selecting vulnerabilities for the CAV list and the challenges faced by CISA. The significance of leveraging commercial threat intelligence, prioritizing vulnerabilities, and managing vulnerability backlogs is highlighted. The speaker shares their journey in the cybersecurity field and emphasizes the importance of addressing cyber resilience.

Chris: First off, you've been knee deep in CloudSec for several years now, watching trends, incidents and the industry evolve. Where do you think we've made the most headway, and where do you think we still have the largest gaps to close?Nikki: I'm really interested in multi-cloud environments and security - because of the connectivity potential between separate cloud providers. What do you think organizations should be most concerned with when looking at using multiple cloud providers? Chris: You recently contributed to a report with the Atlantic Council about the systemic risks of Cloud and Critical Infrastructure. Can you speak on that a bit? What are your thoughts about systemic risks are more and more of our critical infrastructure and national security systems now become reliant on cloud?Chris: While we know most cloud security incidents are due to customer misconfigurations, we've recently seen some major hyperscaler CSP's experience some very damaging incidents that impacted many. Do you think these incidents are causing some organizations and industries to second guess their plans for cloud adoption or lead to trust issues in Cloud?Nikki:  One of my biggest concerns in cloud environments is Identity and Access Management (IAM) - especially in complex development environments. What are some of the major configuration challenges around IAM in cloud?  Nikki: What is your favorite cloud security statistic?Nikki:  I have to bring in the people angle - do you think that current tech teams have the skills and tools they need to manage cloud environments? Do you have any references or skills you recommend as teams build bigger cloud environments?Chris: On the people front, we know misconfigurations reign supreme for cloud security incidents. Do you think organizations are waking up the reality that they have to invest in their workforce when it comes to adopting technologies such as Cloud?Chris: We know you have your fwd:cloudsec event which has become an industry staple for learning and information sharing on cloud security. How did the event come about and what does the future look like for it?

The podcast discusses the convergence of technology and digital policy, emphasizing the need for collaboration between businesses, startups, and policy makers. They explore the unintended consequences of policy written by those unfamiliar with technology and discuss how to avoid them. The launch of the U.S. Cyber Trust Mark program for IoT labeling is highlighted, along with the balance between regulatory push and innovation. The increased push for cybersecurity in governing publicly trading companies is also discussed. Listeners can learn more about Open Policy's efforts in digital policy and regulation.

- First off, for those unfamiliar with this problem and situation, what exactly is the challenge here, and why should more people be paying attention to this?- What do you say to those who may say this is just something occurring in the digital realm, and not a physical or real threat, given the ubiquity of software, this seems short sighted, no?- In the book, you touch on malicious actors using U.S. based infrastructure to attack U.S. targets, a topic that was touched on in the NCS, can you expand on that and the challenges with addressing it, particularly in the cloud?- There's fears that these adversaries are looking to persist in U.S. based systems and infrastructure in advance of future conflicts. What could be some of the ramifications of this in the future, and how do we go about rooting out these threats in the here and now?- The Defense Industrial Base (DIB) is often called the "soft under belly" of the DoD. We've seen increased targeting of the DIB by malicious actors and nation states and the emergence of efforts such as NIST 800-171 and now CMMC. How do we go about ensuring improved security posture of the DIB while balancing the cost and burden on SMB's and further constraining the diversity and resiliency of a DIB supplier base?- On the flip side, we see the DoD, IC and Federal Government with deep dependencies on a small handful of technology companies, some, even despite continued exploitation and vulnerabilities impacting these agencies. How do we go about addressing this elephant in the room and demand stronger security outcomes and performance from these critical suppliers, especially with their massive financial and political clout?- Much of these activities occur below the threshold of traditional "declarations or acts of war". How do we get our leadership to realize we're already at war, but in a new paradigm?- You guys talk about how everyone with an internet connection is essentially on the battlefield. How do we address that reality while balancing aspects of our society that are unique, such as freedom and privacy. Citizens continue to use software and applications that expose their data, that of their employers, and in some cases, even of the DoD and national security. How do go about better informing and engaging the citizenry on this front?- Another aspect you touch on, is that this isn't just a technical issue, but there's efforts such as misinformation and such to degrade trust in our institutions, sow resentment and stoke flames of divisiveness in our society. These threats are likely even more concerning, as we tear ourselves apart internally. What are your thoughts on this front?

Nikki -  In addition to your Senior Policy Advisor role, you are also part of several academic institutions, including one we have in common - Capitol Technology University. Can you talk a little bit about why you wanted to be involved in the technical and academic side? Have their been any benefits you've seen in academia that you've brought to the military space, or vice versa? Nikki -  We're seeing a ton in the news about software supply chain security, zero trust, AI/ML - but not necessarily how they relate to warfare or protecting our critical assets (critical infrastructure). Why do you think we haven't seen as much in this space and what are some of the major risks you're concerned with at the moment? Chris - We know you've contributed to the National Maritime Cybersecurity Plan - why is it so critical to protect maritime activities from a cybersecurity and national security perspective and how do you see this going so far, since the plan was originally published in 2020?Chris - Switching from sea, we know you've contributed to some analysis and reporting from FDD on how space systems should be designated as critical infrastructure. Can you explain why that is, and where we have gaps currently?Nikki -  We recently were talking about the US Cyberspace Solarium Commission and you mentioned you contributed to their report on the designation of space systems as critical infrastructure. Do you think we're missing a cyber space command or more legislation/guidance around this area? Nikki - On the topic of space and cyber, when it comes to critical infrastructure I think we're still lacking in a number of areas for detection/response for critical infrastructure. What are some IR considerations or potentially research we need in this space? Chris - In a previous role you served as the Director of International Cybersecurity Policy. International cyber activities and policies were also emphasized in the recent National Cyber Strategy. Can you tell us a bit about that experience and why international collaboration is key in the cybersecurity realm?Nikki -  Since you went to UMD - I have to ask. Are you getting some MD crabs this summer?6. What does cyber resiliency mean to you

You are now at the Open Source Security Foundation - but you have a ton of experience (even as a former IBMer) from Google, to JPMorgan, and financial institutions through architecture, management, and engineering. Can you talk a little bit about your leadership journey? Let's dig into OpenSSF a bit more - we're only seeing an increase in software supply chain attacks - what is driving the OpenSSF and any particular threats you're concerned with at the moment? We know the OpenSSF has focused heavily on securing OSS and the ecosystem and even launched the OSS Security Mobilization Plan. Are you able to talk a bit about that plan and what it hopes to accomplish?OpenSSF is obviously one of several organizations such as OWASP and others helping to provide valuable resources to the industry to tackle these challenges. Are you able to speak about any active collaborations with other organizations or institutions, academia etc. or how organizations can look to collaborate with the OpenSSF?You are also a Fellow at the Center for Cybersecurity at the NYU Tandon school. Both Chris and I are also Fellows (at different organizations) - can you talk a little bit about what a Fellow does and how you got involved? Where can organizations really start though? With so many vulnerabilities, libraries, dependencies, and managing software and infrastructure, it is incredibly cumbersome for organizations to get a handle to what to work on first. Where do software teams start? Coming off of Father's Day, I noticed your LinkedIn tagline leads with Dad and Husband. How have you found success in balancing those critical roles and responsibilities while still pursuing your professional endeavors and aspirations?What does cyber resiliency mean to you?

Chris - For those not familiar with Security Chaos Engineering, how would you summarize it, and what made you decide to author the new book on it?Nikki - In one of your sections of Security Chaos Engineering, you talk about what a modern security program looks like. Can you talk about what this means compared to security programs maybe 5 to 10 years ago? Chris - When approaching leadership, it can be tough to sell the concept of being disruptive, what advice do you have for security professionals looking to get buy-in from their leadership to introduce security chaos engineering?Nikki - One of the hallmarks of chaos engineering is actually building resilience into development and application environments, but people here 'chaos engineering' and don't quite know what to make of it. Can you talk about how security chaos engineering can build resiliency into infrastructure?Chris - I've cited several of your articles, such as Markets DGAF Security and others. You often take a counter-culture perspective to some of the groupthink in our industry. Why do you think we tend to rally around concepts even when the data doesn't prove them out and have your views been met with defensiveness among some who hold those views? Nikki - One of my favorite parts of chaos engineering is the hyptohesis-based approach and framework for building a security chaos engineering program. It may seem counter-intuitive to the 'chaos' in 'chaos engineering'. What do you think about the scientific method approach? Chris - Another topic I've been seeing you write and talk about is increasing the burden/cost on malicious actors to drive down their ROI. Can you touch on this topic with us?

- First off, can you each tell us a bit about your backgrounds and experience in the space?- What made you all decide to found Stacklok, what gaps and opportunities in the ecosystem did you see?- What are your thoughts around the industry's response to software supply chain security and how do you see things such as OSS and Sigstore playing a role?- While we've seen tremendous adoption of OSS and for reasons such as speed to market, the robust OSS community, innovation and more, as you both know, OSS has its concerns too, such as pedigree/provenance, known vulnerabilities, lack of maintenance and support etc. How do organizations balance these concerns while still taking advantage of OSS?- No software supply chain security discussions would be complete without touching on SBOM, which has gotten a lot of industry attention on the topics. What are each of your thoughts on SBOM?- Another topic that is around every corner lately is AI and the disruption it will cause. We're seeing organizations integrate and market AI into every possible use case when it comes to cybersecurity while there is also a lot of FUD about malicious actors using AI and even calling it a possible "extinction event". What is your take on AI and the role it is and will have on software supply chain and cyber?

Nikki - What does cyber resiliency mean to you?Nikki - Can you tell us a little bit more about the Cyberspace Solarium Commission or CSC, in particular I'm interested in the promotion of national resilience. Can you talk a little bit about what that means and what's in progress at the moment? Chris - There's been a lot of activity lately with the Cyber EO, OMB Memos, activities by NIST, publications by CISA and of course the National Cyber Strategy. How do you feel about where we're headed as a nation on the Cyber front and do you think we could be doing more, and if so, what in particular?Chris - I recently saw you made comments regarding Cloud Service Providers (CSP) and their lack of being designated as critical infrastructure I believe. I have seen similar comments from the OCND, due to how critical CSP's, especially major IaaS providers are to the nation. Why do you think they have avoided this designation as long as they have?Nikki - There are a lot of us in cybersecurity that got into it to help defend our nation and protect our country (myself included). Are there ways that other cyber defenders or technical professionals can get involved or any resources you would recommend? Nikki - I don't see a ton in legislature or in the Executive Order about the human element behind cybersecurity and our challenges with risk management. Do you foresee any legislation or anything that may come out around how to protect our users and even our security practitioners? Chris - I mentioned the NCS earlier, a big part of that was shifting market forces, the idea of software liability and also safe harbor. What are your thoughts on this topic?Chris - CISA recently released "Secure-by-Design/Default" guidance for software suppliers and manufacturers. I wrote an article recently tracing the advocacy for "secure by design" back 50 years to the Ware Report. Yet here we are, still advocating for the same concepts. What do you think it will take for this to become a requirement rather than a recommendation and how important is this paradigm shift for national security?