Resilient Cyber

Nikki - I have to start with the fact that you've been looking into the vulnerability management space! This is an area I've been focused on for many years and I'm curious - what are the biggest pain points you see now in VulnMgmt? Chris - I recently saw you had a blog regarding Exposure Management and contrasting it with Vulnerability Management. Can you talk about what Exposure Management is, and the differences between the two? Nikki - What got you interested in research? I'm always curious because there is such a niche space within cybersecurity and I love meeting other researchers. How do you think cyber benefits from research and vice versa?Chris - You also recently had some content regarding doing a deep dive into Nation State threats. We're increasingly seeing cyber play a part in nation state conflicts, why do you think that is, and can you touch on how this plays into regulatory fallout as well?  Nikki - I want to talk about your blog post about "The Blob" - you talk about how people use some similar terminology and language (false messaging) to steer the conversation in security tooling. Can you talk a little bit more about this concept and what you think it means to the industry? Chris - You have been having conversations about Detection Engineering. Can you talk about how it is different from legacy/traditional SecOps and what the future of Detection Engineering and Detections-as-Code looks like? Nikki -  What does cyber resiliency mean to you?

- You recently wrote a book titled Zero Trust and Third Party Risk. Can you tell us a bit about the book, why you wrote it and how you see the convergence of ZT and TPRM?- There's been a lot of discussion lately around Software Supply Chain Security, but also Cybersecurity Supply Chain Risk Management, or C-SCRM. Do you see the former being part of the latter, and what challenges do you think organizations face trying to tackle both?- TPRM often involves manual subjective lengthy questionnaires that we are all painfully familiar with. How effective do you think these are and do you think we are going to see a future based on machine-readable attestations and more automated assessments to augment some of the traditional manual questionnaire type activities?- Most organizations struggle to implement fundamental security practices and processes within their own organization, let alone thoroughly ensuring all of their 3rd and nth tier suppliers are, is this a gordian knot type situation?- What are your thoughts on first party self-attestations vs 3rd party assessments? Each has its pros and cons and challenges. - The name Zero Trust is a bit of a misnomer, as we know it means no implicit trust, and it also seems a little counter-intuitive in our increasingly inter-connected ecosystem and society. How do you see the push for Zero Trust playing out when we look at the broader supply chain ecosystem?

Nikki - With your current role as a Distinguished Engineer - I know you focus a lot on cloud security. What does being a DE entail? Do you do some research along with your other duties?Chris: We've seen the discussion around data in the security space evolve quite a bit. From legacy environments with a SIEM/SOC centralized approach, oriented around "collecting all the things" to now discussions around data lakes, analytics, and automation among others. Can you discuss the evolution a bit with us and your thoughts on it?Chris: I've been reading pieces lately that are pushing the narrative that there isn't "security" data, there's just business/organizational data, some of which has security context/use. What are your thoughts on this? It seems to be in-line with a push for security to be more tightly coupled with and speak the language of the business.Nikki - Recently you were posting about the AWS IR guide and even getting into some logging with AWS. Logging is one of those areas that I'm super interested in - especially from an IR perspective. What do you think about where we are with security logging guidance and what should organizations know about setting up complex logging environments? Chris: As we continue to watch the security data space evolve I know you've been championing the concept of, and even have written extensively about the term "SecDataOps". What is this exactly, and why do you feel like it is the time to have the industry move this direction?Chris: We're also seeing a push for standardized logging formats, such as the Open Cybersecurity Schema Framework (OCSF), which has gotten support from some of the largest tech companies. How important is it for the industry to rally around a standardized cybersecurity schema/framework and what are the challenges of not doing so? Nikki - You have also done some Board Advising and taken on several Advisory roles for Boards. Two part question - what got you interested in taking on an advisory role and what would you suggest for other technical practitioners who want to get more involved at the Board or executive level?  Nikki - What does cyber resiliency mean to you?

The podcast discusses the importance of visualizations in vulnerability management and how they help non-technical individuals understand the need for vulnerability management. It also explores the process of selecting vulnerabilities for the CAV list and the challenges faced by CISA. The significance of leveraging commercial threat intelligence, prioritizing vulnerabilities, and managing vulnerability backlogs is highlighted. The speaker shares their journey in the cybersecurity field and emphasizes the importance of addressing cyber resilience.

Chris: First off, you've been knee deep in CloudSec for several years now, watching trends, incidents and the industry evolve. Where do you think we've made the most headway, and where do you think we still have the largest gaps to close?Nikki: I'm really interested in multi-cloud environments and security - because of the connectivity potential between separate cloud providers. What do you think organizations should be most concerned with when looking at using multiple cloud providers? Chris: You recently contributed to a report with the Atlantic Council about the systemic risks of Cloud and Critical Infrastructure. Can you speak on that a bit? What are your thoughts about systemic risks are more and more of our critical infrastructure and national security systems now become reliant on cloud?Chris: While we know most cloud security incidents are due to customer misconfigurations, we've recently seen some major hyperscaler CSP's experience some very damaging incidents that impacted many. Do you think these incidents are causing some organizations and industries to second guess their plans for cloud adoption or lead to trust issues in Cloud?Nikki:  One of my biggest concerns in cloud environments is Identity and Access Management (IAM) - especially in complex development environments. What are some of the major configuration challenges around IAM in cloud?  Nikki: What is your favorite cloud security statistic?Nikki:  I have to bring in the people angle - do you think that current tech teams have the skills and tools they need to manage cloud environments? Do you have any references or skills you recommend as teams build bigger cloud environments?Chris: On the people front, we know misconfigurations reign supreme for cloud security incidents. Do you think organizations are waking up the reality that they have to invest in their workforce when it comes to adopting technologies such as Cloud?Chris: We know you have your fwd:cloudsec event which has become an industry staple for learning and information sharing on cloud security. How did the event come about and what does the future look like for it?

The podcast discusses the convergence of technology and digital policy, emphasizing the need for collaboration between businesses, startups, and policy makers. They explore the unintended consequences of policy written by those unfamiliar with technology and discuss how to avoid them. The launch of the U.S. Cyber Trust Mark program for IoT labeling is highlighted, along with the balance between regulatory push and innovation. The increased push for cybersecurity in governing publicly trading companies is also discussed. Listeners can learn more about Open Policy's efforts in digital policy and regulation.

- First off, for those unfamiliar with this problem and situation, what exactly is the challenge here, and why should more people be paying attention to this?- What do you say to those who may say this is just something occurring in the digital realm, and not a physical or real threat, given the ubiquity of software, this seems short sighted, no?- In the book, you touch on malicious actors using U.S. based infrastructure to attack U.S. targets, a topic that was touched on in the NCS, can you expand on that and the challenges with addressing it, particularly in the cloud?- There's fears that these adversaries are looking to persist in U.S. based systems and infrastructure in advance of future conflicts. What could be some of the ramifications of this in the future, and how do we go about rooting out these threats in the here and now?- The Defense Industrial Base (DIB) is often called the "soft under belly" of the DoD. We've seen increased targeting of the DIB by malicious actors and nation states and the emergence of efforts such as NIST 800-171 and now CMMC. How do we go about ensuring improved security posture of the DIB while balancing the cost and burden on SMB's and further constraining the diversity and resiliency of a DIB supplier base?- On the flip side, we see the DoD, IC and Federal Government with deep dependencies on a small handful of technology companies, some, even despite continued exploitation and vulnerabilities impacting these agencies. How do we go about addressing this elephant in the room and demand stronger security outcomes and performance from these critical suppliers, especially with their massive financial and political clout?- Much of these activities occur below the threshold of traditional "declarations or acts of war". How do we get our leadership to realize we're already at war, but in a new paradigm?- You guys talk about how everyone with an internet connection is essentially on the battlefield. How do we address that reality while balancing aspects of our society that are unique, such as freedom and privacy. Citizens continue to use software and applications that expose their data, that of their employers, and in some cases, even of the DoD and national security. How do go about better informing and engaging the citizenry on this front?- Another aspect you touch on, is that this isn't just a technical issue, but there's efforts such as misinformation and such to degrade trust in our institutions, sow resentment and stoke flames of divisiveness in our society. These threats are likely even more concerning, as we tear ourselves apart internally. What are your thoughts on this front?

Nikki -  In addition to your Senior Policy Advisor role, you are also part of several academic institutions, including one we have in common - Capitol Technology University. Can you talk a little bit about why you wanted to be involved in the technical and academic side? Have their been any benefits you've seen in academia that you've brought to the military space, or vice versa? Nikki -  We're seeing a ton in the news about software supply chain security, zero trust, AI/ML - but not necessarily how they relate to warfare or protecting our critical assets (critical infrastructure). Why do you think we haven't seen as much in this space and what are some of the major risks you're concerned with at the moment? Chris - We know you've contributed to the National Maritime Cybersecurity Plan - why is it so critical to protect maritime activities from a cybersecurity and national security perspective and how do you see this going so far, since the plan was originally published in 2020?Chris - Switching from sea, we know you've contributed to some analysis and reporting from FDD on how space systems should be designated as critical infrastructure. Can you explain why that is, and where we have gaps currently?Nikki -  We recently were talking about the US Cyberspace Solarium Commission and you mentioned you contributed to their report on the designation of space systems as critical infrastructure. Do you think we're missing a cyber space command or more legislation/guidance around this area? Nikki - On the topic of space and cyber, when it comes to critical infrastructure I think we're still lacking in a number of areas for detection/response for critical infrastructure. What are some IR considerations or potentially research we need in this space? Chris - In a previous role you served as the Director of International Cybersecurity Policy. International cyber activities and policies were also emphasized in the recent National Cyber Strategy. Can you tell us a bit about that experience and why international collaboration is key in the cybersecurity realm?Nikki -  Since you went to UMD - I have to ask. Are you getting some MD crabs this summer?6. What does cyber resiliency mean to you

You are now at the Open Source Security Foundation - but you have a ton of experience (even as a former IBMer) from Google, to JPMorgan, and financial institutions through architecture, management, and engineering. Can you talk a little bit about your leadership journey? Let's dig into OpenSSF a bit more - we're only seeing an increase in software supply chain attacks - what is driving the OpenSSF and any particular threats you're concerned with at the moment? We know the OpenSSF has focused heavily on securing OSS and the ecosystem and even launched the OSS Security Mobilization Plan. Are you able to talk a bit about that plan and what it hopes to accomplish?OpenSSF is obviously one of several organizations such as OWASP and others helping to provide valuable resources to the industry to tackle these challenges. Are you able to speak about any active collaborations with other organizations or institutions, academia etc. or how organizations can look to collaborate with the OpenSSF?You are also a Fellow at the Center for Cybersecurity at the NYU Tandon school. Both Chris and I are also Fellows (at different organizations) - can you talk a little bit about what a Fellow does and how you got involved? Where can organizations really start though? With so many vulnerabilities, libraries, dependencies, and managing software and infrastructure, it is incredibly cumbersome for organizations to get a handle to what to work on first. Where do software teams start? Coming off of Father's Day, I noticed your LinkedIn tagline leads with Dad and Husband. How have you found success in balancing those critical roles and responsibilities while still pursuing your professional endeavors and aspirations?What does cyber resiliency mean to you?

Chris - For those not familiar with Security Chaos Engineering, how would you summarize it, and what made you decide to author the new book on it?Nikki - In one of your sections of Security Chaos Engineering, you talk about what a modern security program looks like. Can you talk about what this means compared to security programs maybe 5 to 10 years ago? Chris - When approaching leadership, it can be tough to sell the concept of being disruptive, what advice do you have for security professionals looking to get buy-in from their leadership to introduce security chaos engineering?Nikki - One of the hallmarks of chaos engineering is actually building resilience into development and application environments, but people here 'chaos engineering' and don't quite know what to make of it. Can you talk about how security chaos engineering can build resiliency into infrastructure?Chris - I've cited several of your articles, such as Markets DGAF Security and others. You often take a counter-culture perspective to some of the groupthink in our industry. Why do you think we tend to rally around concepts even when the data doesn't prove them out and have your views been met with defensiveness among some who hold those views? Nikki - One of my favorite parts of chaos engineering is the hyptohesis-based approach and framework for building a security chaos engineering program. It may seem counter-intuitive to the 'chaos' in 'chaos engineering'. What do you think about the scientific method approach? Chris - Another topic I've been seeing you write and talk about is increasing the burden/cost on malicious actors to drive down their ROI. Can you touch on this topic with us?