<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Videos on Securosis</title><link>/research/video/</link><description>Recent content in Videos on Securosis</description><generator>Hugo</generator><language>en-us</language><lastBuildDate>Wed, 07 Aug 2019 00:00:00 +0000</lastBuildDate><atom:link href="/research/video/index.xml" rel="self" type="application/rss+xml"/><item><title>Multicloud: Deployment Structures and Blast Radius</title><link>/research/video/multicloud-deployment-structures-and-blast-radius-5/</link><pubDate>Wed, 07 Aug 2019 00:00:00 +0000</pubDate><guid>/research/video/multicloud-deployment-structures-and-blast-radius-5/</guid><description>&lt;p&gt;In this, our second Firestarter on multicloud deployments, we start digging into the technological differences between the cloud providers. We start with the concept of how to organize your account(s). Each provider uses different terminology but all support similar hierarchies. From the overlay of AWS organizations to the org-chart-from-the-start of an Azure tenant we dig into the details and make specific recommendations. We also discuss the inherent security barriers and cover a wee bit of IAM.&lt;/p&gt;</description></item><item><title>Firestarter: So you want to multicloud?</title><link>/research/video/firestarter-so-you-want-to-multicloud-2/</link><pubDate>Thu, 01 Aug 2019 00:00:00 +0000</pubDate><guid>/research/video/firestarter-so-you-want-to-multicloud-2/</guid><description>&lt;p&gt;This is our first in a series of Firestarters covering multicloud. Using more than one IaaS cloud service provider is, well, a bit of a nightmare. Although this is widely recognized by anyone with hands-on cloud experience, that doesn’t mean reality always matches our desires. From executives worried about lock-in to M&amp;amp;A activity we are finding that most organizations are being pulled into multicloud deployments. 
In this first episode we lay out the top-level problems and recommend some strategies for approaching them.&lt;/p&gt;</description></item><item><title>Firestarter: 2019: Insert Winter is Coming Meme Here</title><link>/research/video/firestarter-2019-insert-winter-is-coming-meme-here/</link><pubDate>Mon, 07 Jan 2019 00:00:00 +0000</pubDate><guid>/research/video/firestarter-2019-insert-winter-is-coming-meme-here/</guid><description>&lt;p&gt;In this year-end/start firestarter the gang jumps into our expectations for the coming year. Spoiler alert- the odds are some consolidation and contraction in security markets are impending… and not just because the Chinese are buying fewer iPhones.&lt;/p&gt;</description></item><item><title>re:Invent Security Review</title><link>/research/video/invent-security-review/</link><pubDate>Mon, 17 Dec 2018 00:00:00 +0000</pubDate><guid>/research/video/invent-security-review/</guid><description>&lt;p&gt;It’s that time of year again. The time when Amazon takes over our lives. No, not the holiday shopping season but the annual re:Invent conference where Amazon Web Services takes over Las Vegas (really, all of it) and dumps a firehose of updates on the world. Listen in to hear our take on new services like Transit Hub, Security Hub, and Control Tower.&lt;/p&gt;</description></item><item><title>Firestarter: Hardware Hacks and Lift and Pray</title><link>/research/video/firestarter-hardware-hacks-and-lift-and-pray-2/</link><pubDate>Thu, 04 Oct 2018 00:00:00 +0000</pubDate><guid>/research/video/firestarter-hardware-hacks-and-lift-and-pray-2/</guid><description>&lt;p&gt;Did China manage to hardware hack the Apple and Amazon data centers? Or did Bloomberg get it wrong? And what the heck can you do about it anyway? This week we start with a discussion of today’s blockbuster security news, before shifting gears back to cloud. It turns out most organizations are having to lift and shift to cloud, even when that is not ideal. 
We talk about some of your options, even facing ridiculous management timelines.&lt;/p&gt;</description></item><item><title>Firestarter: Black Hat and AI… What Could Go Wrong?</title><link>/research/video/firestarter-black-hat-and-ai-what-could-go-wrong/</link><pubDate>Tue, 28 Aug 2018 00:00:00 +0000</pubDate><guid>/research/video/firestarter-black-hat-and-ai-what-could-go-wrong/</guid><description>&lt;p&gt;In this episode we review the lessons of this year’s Black Hat and DEF CON. In particular, we talk about how things have changed with the students we have in class, now that we’ve racked up over 5 years of running trainings on cloud security. Then we delve into one of the biggest, and most confusing, trends… the mysteries of Artificial Intelligence and Machine Learning. Considering our opinions of natural intelligence, you might guess where this heads…&lt;/p&gt;</description></item><item><title>It’s a GDPR Thing</title><link>/research/video/its-a-gdpr-thing/</link><pubDate>Fri, 06 Jul 2018 00:00:00 +0000</pubDate><guid>/research/video/its-a-gdpr-thing/</guid><description>&lt;p&gt;Mike and Rich discuss the ugly reality that GDPR really is a thing. Not that privacy or even GDPR are bad (we’re all in favor), but they do require extra work on our part to ensure that policies are in place, audits are performed, and pesky data isn’t left lying around in log files unexpectedly.&lt;/p&gt;</description></item><item><title>Firestarter: The RSA 2018 Episode</title><link>/research/video/firestarter-the-rsa-2018-episode/</link><pubDate>Thu, 12 Apr 2018 00:00:00 +0000</pubDate><guid>/research/video/firestarter-the-rsa-2018-episode/</guid><description>&lt;p&gt;This week Rich, Mike, and Adrian talk about what they expect to see at the RSA Security Conference, and if it really means anything. 
As we do in most of our RSA Conference related discussions the focus is less on what to see and more on what industry trends we can tease out, and the potential impact on the regular security practitioner. For example, what happens when blockchain and GDPR collide? Do security vendors finally understand cloud? What kind of impact does DevOps have on the security market? Plus we list where you can find us, and, as always, don’t forget to attend the Tenth Annual Disaster Recovery Breakfast!&lt;/p&gt;</description></item><item><title>Firestarter: Auditors, Assessors, and Cloud.. Oh My!</title><link>/research/video/firestarter-auditors-assessors-and-cloud-oh-my/</link><pubDate>Mon, 19 Mar 2018 00:00:00 +0000</pubDate><guid>/research/video/firestarter-auditors-assessors-and-cloud-oh-my/</guid><description>&lt;p&gt;This week the gang discusses Rich’s recent discussions with some clients struggling to deal with auditors and assessors who don’t really understand cloud computing.&lt;/p&gt;</description></item><item><title>Firestarter: Best Practices for Root Account Security and… SQRRL!!!!</title><link>/research/video/firestarter-best-practices-for-root-account-security-and-sqrrl/</link><pubDate>Mon, 05 Feb 2018 00:00:00 +0000</pubDate><guid>/research/video/firestarter-best-practices-for-root-account-security-and-sqrrl/</guid><description>&lt;p&gt;Just because we are focusing on cloud fundamentals doesn’t mean we are forgetting the rest of the world. This week we start with a discussion over the latest surprise acquisition of Sqrrl by Amazon Web Services and what it might indicate. Then we jump into our ongoing series of posts on cloud security by focusing on the best practices for root account security. 
From how to name the email accounts, to handling MFA, to your break glass procedures.&lt;/p&gt;</description></item><item><title>Firestarter: Architecting Your Cloud with Accounts</title><link>/research/video/firestarter-architecting-your-cloud-with-accounts/</link><pubDate>Wed, 31 Jan 2018 00:00:00 +0000</pubDate><guid>/research/video/firestarter-architecting-your-cloud-with-accounts/</guid><description>&lt;p&gt;We are taking over our own Firestarter and kicking off a new series of discussions on cloud security… from soup to nuts (whatever that means). Each week for the next few months we will cover, in order, how to build out your cloud security program. We are taking our assessment framework and converting it into a series of discussions talking about what we find and how to avoid issues. This week we start with architecting your account structures, after a brief discussion of the impact of the Meltdown and Spectre vulnerabilities since they impact cloud (at least for now) more than your local computer.&lt;/p&gt;</description></item><item><title>Firestarter: Old School and False Analogies</title><link>/research/video/firestarter-old-school-and-false-analogies/</link><pubDate>Wed, 31 Jan 2018 00:00:00 +0000</pubDate><guid>/research/video/firestarter-old-school-and-false-analogies/</guid><description>&lt;p&gt;This week we skip over our series on cloud fundamentals to go back to the Firestarter basics. We start with a discussion of the week’s big acquisition (like BIG considering the multiple). Then we talk about the hyperbole around the release of the iBoot code from an old version of iOS. We also discuss Apple, cyberinsurance, and the actuarial tables. Then we finish up with Rich blabbing about lessons learned as he works on his paramedic again and what parallels to bring to security. 
For more on that you can read these posts: &lt;a href="https://securosis.com/blog/this-security-shits-hard-and-it-aint-gonna-get-any-easier"&gt;https://securosis.com/blog/this-security-shits-hard-and-it-aint-gonna-get-any-easier&lt;/a&gt; and &lt;a href="https://securosis.com/blog/best-practices-unintended-consequences-negative-outcomes"&gt;https://securosis.com/blog/best-practices-unintended-consequences-negative-outcomes&lt;/a&gt;&lt;/p&gt;</description></item><item><title>Firestarter: An Explicit End of Year Roundup</title><link>/research/video/firestarter-an-explicit-end-of-year-roundup/</link><pubDate>Thu, 21 Dec 2017 00:00:00 +0000</pubDate><guid>/research/video/firestarter-an-explicit-end-of-year-roundup/</guid><description>&lt;p&gt;The gang almost makes it through half the episode before dropping some inappropriate language as they summarize 2017. Rather than focusing on the big news, we spend time reflecting on the big trends and how little has changed, other than the pace of change. How the biggest breaches of the year stemmed from the oldest of old issues, to the newest of new. And last we want to thank all of you for all your amazing support over the years. Securosis has been running as a company for a decade now, which likely scares all of you even more than us. We couldn’t have done it without you… seriously.&lt;/p&gt;</description></item><item><title>Firestarter: Breacheriffic EquiFail</title><link>/research/video/firestarter-breacheriffic-equifail/</link><pubDate>Fri, 15 Dec 2017 00:00:00 +0000</pubDate><guid>/research/video/firestarter-breacheriffic-equifail/</guid><description>&lt;p&gt;This week Mike and Rich address the recent spate of operational fails leading to massive security breaches. This isn’t yet another blame the victim rant, but a frank discussion of why these issues are so persistent and so difficult to actually manage. 
We also discuss the rising role of automation and its potential to reduce these all-too-human errors.&lt;/p&gt;</description></item><item><title>Evils of the Minimum Viable Cloud.</title><link>/research/video/evils-of-the-minimum-viable-cloud/</link><pubDate>Tue, 31 Oct 2017 00:00:00 +0000</pubDate><guid>/research/video/evils-of-the-minimum-viable-cloud/</guid><description>&lt;p&gt;The team is back from the dead, and so are some really crappy cloud ideas.&lt;/p&gt;
&lt;iframe src="https://player.vimeo.com/video/240661764?title=0&amp;byline=0&amp;portrait=0" width="550" height="309" frameborder="0" webkitallowfullscreen="" mozallowfullscreen="" allowfullscreen=""&gt;&lt;/iframe&gt;</description></item><item><title>How to Tell When Your Cloud Consultant Sucks</title><link>/research/video/how-to-tell-when-your-cloud-consultant-sucks/</link><pubDate>Mon, 07 Nov 2016 00:00:00 +0000</pubDate><guid>/research/video/how-to-tell-when-your-cloud-consultant-sucks/</guid><description>&lt;p&gt;Mike and Rich had a call this week with another prospect who was given some pretty bad cloud advice. We spend a little time trying to figure out why we keep seeing so much bad advice out there (seriously, BIG B BAD, not just OOPSIE bad). Then we focus on key things to look for, to figure out when someone is leading you down the wrong path in your cloud migration.&lt;/p&gt;</description></item><item><title>Where to start?</title><link>/research/video/where-to-start/</link><pubDate>Tue, 31 May 2016 00:00:00 +0000</pubDate><guid>/research/video/where-to-start/</guid><description>&lt;p&gt;It’s long past the day we need to convince you that cloud and DevOps is a thing. We all know it’s happening, but one of the biggest questions we get is “Where do I start?” In this episode we scratch the surface of how to start approaching the problem when you don’t get to join a hot unicorn startup and build everything from scratch with an infinite budget behind you.&lt;/p&gt;</description></item><item><title>What the hell is a cloud anyway?</title><link>/research/video/what-the-hell-is-a-cloud-anyway/</link><pubDate>Tue, 03 May 2016 00:00:00 +0000</pubDate><guid>/research/video/what-the-hell-is-a-cloud-anyway/</guid><description>&lt;p&gt;In our wanderings we’ve noticed that when we pull our heads out of the bubble, not everyone necessarily understands what cloud is or where it’s going. 
Heck, many smart IT people are still framing it within the context of what they currently do. It’s only natural, especially when they get crappy advice from clueless consultants, but it certainly can lead you down some ugly paths. This week Mike, Adrian and Rich are also joined by Dave Lewis (who accidentally sat down next to Rich at a conference) to talk about how people see cloud, the gaps, and how to navigate the waters.&lt;/p&gt;</description></item><item><title>The Rugged vs. SecDevOps Smackdown</title><link>/research/video/the-rugged-vs-secdevops-smackdown/</link><pubDate>Tue, 15 Mar 2016 00:00:00 +0000</pubDate><guid>/research/video/the-rugged-vs-secdevops-smackdown/</guid><description>&lt;p&gt;After a short review of the RSA Security Conference, Rich, Mike, and Adrian debate the value of using labels like “Rugged DevOps” or “SecDevOps”. Rich sees them as different, Mike wonders if we really need them, and Adrian has been tracking their reception on the developer side of the house. Okay, it’s pathetic as smackdowns go, but you wouldn’t have read this far if we didn’t give it an interesting title.&lt;/p&gt;</description></item><item><title>RSA Conference- the Good, Bad, and the Ugly</title><link>/research/video/rsa-conference-the-good-bad-and-the-ugly/</link><pubDate>Wed, 17 Feb 2016 00:00:00 +0000</pubDate><guid>/research/video/rsa-conference-the-good-bad-and-the-ugly/</guid><description>&lt;p&gt;Every year we focus a lot on the RSA Conference. Love it or hate it, it is the biggest event in our industry. As we do every year we break down some of the improvements and disappointments we expect to see. Plus, we spend a few minutes talking about some of the big changes coming here at Securosis. 
We cover a possibly-insulting keynote, the improvements in the sessions, and how we personally use the event to improve our knowledge.&lt;/p&gt;</description></item><item><title>2015 Wrap Up and 2016 Non-Predictions</title><link>/research/video/2015-wrap-up-and-2016-non-predictions/</link><pubDate>Wed, 09 Dec 2015 00:00:00 +0000</pubDate><guid>/research/video/2015-wrap-up-and-2016-non-predictions/</guid><description>&lt;p&gt;Rich, Mike, and Adrian highlight the big trends from the year and where our expectations were right and wrong. We teeter on the brink of predictions, but manage to pull ourselves back from falling into that chasm of idiocy. Mostly.&lt;/p&gt;</description></item><item><title>The Blame Game</title><link>/research/video/the-blame-game/</link><pubDate>Mon, 16 Nov 2015 00:00:00 +0000</pubDate><guid>/research/video/the-blame-game/</guid><description>&lt;p&gt;Get hacked? Blame China. Miss a quarter? Blame China. Serve malware to everyone visiting your site? Don’t take responsibility, just blame your anti-ad-blocking vendor. Or China. Or both. Look, we really can’t keep track of these things, but in this episode Mike and Rich talk about the lack of accountability in our industry (and other industries). One warning… a particular analogy goes a little too far. Maybe we need the explicit tag on this one.&lt;/p&gt;</description></item><item><title>Get Your Marshmallows</title><link>/research/video/get-your-marshmallows/</link><pubDate>Mon, 02 Nov 2015 00:00:00 +0000</pubDate><guid>/research/video/get-your-marshmallows/</guid><description>&lt;p&gt;Last week we learned that &lt;a href="http://www.pcworld.com/article/2999146/encryption/google-threatens-action-against-symantec-issued-certificates-following-botched-investigation.html"&gt;not only did Symantec mess up managing their root SSL certificates, but they also botched their audit so bad Google may remove them from Chrome and other products&lt;/a&gt;. 
This is just one example in a long history of security companies failing to practice what they preach. From poor code development practices to weak internal controls, the only new thing in this instance is the combination of getting caught, potential consequences, and a lack of wiggle room.&lt;/p&gt;</description></item><item><title>re:Invent Yourself (or else)</title><link>/research/video/reinvent-yourself-or-else/</link><pubDate>Tue, 20 Oct 2015 00:00:00 +0000</pubDate><guid>/research/video/reinvent-yourself-or-else/</guid><description>&lt;p&gt;A bit over a week ago we were all out at Amazon’s big cloud conference, which is now up to 19,000 attendees. Once again it got us thinking as to how quickly the world is changing, and the impact it will have on our profession. Now that big companies are rapidly adopting public cloud (and they are), that change is going to hit even faster than ever before. In this episode the Securosis team lays out some of what that means, and how now is the time to get on board.&lt;/p&gt;</description></item><item><title>MAD Karma</title><link>/research/video/mad-karma/</link><pubDate>Wed, 12 Aug 2015 00:00:00 +0000</pubDate><guid>/research/video/mad-karma/</guid><description>&lt;p&gt;Way back in 2004 Rich wrote an article over at Gartner on the serious issues plaguing Oracle product security (the original piece is long down, but here is an article based on it). It led to a moderately serious political showdown, Rich flying out to meet with Oracle execs, and, eventually, their move to a quarterly patch update cycle (due to the botched patch, not Rich’s article). This week, Oracle’s 25-year veteran CISO Mary Ann Davidson published a blog post decrying customer security assessments of their products. Actually, let me rephrase, she pretty much threatened them with legal action for evaluating Oracle products using tools that look at the application code. 
Then she belittled security research in general, informed everyone to trust them since they find nearly all the bugs anyway (not that they seem to patch them in a timely fashion), and… you get it.&lt;/p&gt;</description></item><item><title>Living with the OPM Hack</title><link>/research/video/living-with-the-opm-hack/</link><pubDate>Thu, 16 Jul 2015 00:00:00 +0000</pubDate><guid>/research/video/living-with-the-opm-hack/</guid><description>&lt;p&gt;And yep, thanks to his altruistic streak even Rich is affected. We don’t spend much time on blame or the history of it, but more the personal impact. How do you move on once you know much of your most personal information is now out there, you don’t know who has it, and you don’t know how they might want to use it?&lt;/p&gt;</description></item><item><title>We Don’t Know Sh—. You Don’t Know Sh—.</title><link>/research/video/we-dont-know-sh-you-dont-know-sh/</link><pubDate>Tue, 26 May 2015 00:00:00 +0000</pubDate><guid>/research/video/we-dont-know-sh-you-dont-know-sh/</guid><description>&lt;p&gt;Once again we have a major security story slumming in the headlines. This time it’s Hackers on a Plane, without all the Samuel L goodness. But what’s the real story? It’s time to face the reality that the only people who know are the ones who aren’t talking, and everything else you hear is most certainly wrong.&lt;/p&gt;</description></item><item><title>RSAC wrap-up. Same as it ever was.</title><link>/research/video/rsac-wrap-up-same-as-it-ever-was/</link><pubDate>Mon, 04 May 2015 00:00:00 +0000</pubDate><guid>/research/video/rsac-wrap-up-same-as-it-ever-was/</guid><description>&lt;p&gt;Do bigger numbers mean we are any better than last year? And how can we possibly balance being an industry, community, and profession simultaneously? 
Not that we answer any of that, but we can at least keep you entertained for 13 minutes.&lt;/p&gt;</description></item><item><title>Using RSA</title><link>/research/video/using-rsa/</link><pubDate>Tue, 31 Mar 2015 00:00:00 +0000</pubDate><guid>/research/video/using-rsa/</guid><description>&lt;p&gt;The RSA Conference is the biggest annual event in our industry (really – there are tens of thousands of people there). But bigger doesn’t mean everything is better, and it can be all too easy to get lost in the event and fail to get value out of it. Even if you don’t attend, this is the time of year a lot of security companies focus on, which affects everything you see and read – for better and worse. This week we discuss how we get value out of the event, and how to find useful nuggets in the noise. From skipping panels (except Mike’s, of course) to hitting some of the less-known opportunities like Learning Labs and the Monday events, RSA can be very useful for any security pro, but only if you plan.&lt;/p&gt;</description></item><item><title>Cyber Cash Cow</title><link>/research/video/cyber-cash-cow/</link><pubDate>Mon, 16 Mar 2015 00:00:00 +0000</pubDate><guid>/research/video/cyber-cash-cow/</guid><description>&lt;p&gt;Last week we saw a security company hit the $2.4B valuation level. Yes, that’s a ‘B’, as in billion. This week we dig into the changing role of money and investment in our industry, and what it might mean. We like to pretend keeping our heads down and focusing on defense and tech is all that matters, but practically speaking we need to keep half an eye on the market around us. It not only affects the tools at our disposal, but influences the entire course of our profession.&lt;/p&gt;</description></item><item><title>Cyber vs. 
Terror (yeah, we went there)</title><link>/research/video/cyber-vs-terror-yeah-we-went-there/</link><pubDate>Mon, 02 Mar 2015 00:00:00 +0000</pubDate><guid>/research/video/cyber-vs-terror-yeah-we-went-there/</guid><description>&lt;p&gt;Last week the US Director of National Intelligence said cyberattacks are a greater risk than terrorism. This week we debate what that means, and whether terminology is getting so muddled that it becomes meaningless. Plus we rip into Rich’s post claiming security people need to stop thinking of themselves as warriors, and start thinking like spies.&lt;/p&gt;</description></item><item><title>Cyber!!!</title><link>/research/video/cyber/</link><pubDate>Mon, 16 Feb 2015 00:00:00 +0000</pubDate><guid>/research/video/cyber/</guid><description>&lt;p&gt;Last week President Obama held a cybersecurity summit out in the Bay Area. He issued a new executive order and is standing up a new threat sharing center. This is in response to ongoing massive attacks such as the Anthem breach and (as we heard this weekend) hundreds of millions stolen in bank thefts. But what does it all mean to security pros and the industry? The truth is, not much in our day-to-day (yet), but you certainly had better pay attention.&lt;/p&gt;</description></item><item><title>It’s Not My Fault!</title><link>/research/video/its-not-my-fault/</link><pubDate>Mon, 09 Feb 2015 00:00:00 +0000</pubDate><guid>/research/video/its-not-my-fault/</guid><description>&lt;p&gt;Rich, Mike, and Adrian each pick a trend they expect to hammer us in 2015. Then they talk about it, probably too much. From threat intel to tokenization to SaaS security.&lt;/p&gt;</description></item><item><title>2015 Trends</title><link>/research/video/2015-trends/</link><pubDate>Mon, 26 Jan 2015 00:00:00 +0000</pubDate><guid>/research/video/2015-trends/</guid><description>&lt;p&gt;Rich, Mike, and Adrian each pick a trend they expect to hammer us in 2015. Then we talk about it, probably too much. 
From threat intel to tokenization to SaaS security.&lt;/p&gt;</description></item><item><title>Full Toddler</title><link>/research/video/full-toddler/</link><pubDate>Mon, 19 Jan 2015 00:00:00 +0000</pubDate><guid>/research/video/full-toddler/</guid><description>&lt;p&gt;Yes, people, the disclosure debate is still alive and kicking. But now it is basically a pissing match between two of the largest tech companies. With Google setting rigid deadlines, and Microsoft stuck on their rigid schedule, who will win? Grab the popcorn as we talk about egos, internal inconsistencies, and why putting the user first is so damn hard.&lt;/p&gt;</description></item><item><title>Predicting the Past</title><link>/research/video/predicting-the-past/</link><pubDate>Tue, 16 Dec 2014 00:00:00 +0000</pubDate><guid>/research/video/predicting-the-past/</guid><description>&lt;p&gt;In our last Firestarter for this year, Mike, Adrian, and I take on some of the latest security predictions for 2015. Needless to say, we aren’t impressed. We do, however, close out with some trends we are seeing which are likely to play out next year, and are MOST DEFINITELY NOT PREDICTIONS.&lt;/p&gt;</description></item><item><title>Numbness</title><link>/research/video/numbness/</link><pubDate>Mon, 24 Nov 2014 00:00:00 +0000</pubDate><guid>/research/video/numbness/</guid><description>&lt;p&gt;SSLmageddon V12. Polar Vortices. Ebola. APT123. We live in an era when every week it seems some massive new vulnerability, exploit, or attack is going to take down society. 
This week Rich, Mike, and Adrian tackle the endless progression of bad news; and how to maintain focus when everyone wants you to save the children.&lt;/p&gt;</description></item><item><title>It’s All in the Cloud</title><link>/research/video/its-all-in-the-cloud/</link><pubDate>Mon, 27 Oct 2014 00:00:00 +0000</pubDate><guid>/research/video/its-all-in-the-cloud/</guid><description>&lt;p&gt;Adrian is out, so Rich and Mike cover the latest Amazon Web Services news as their big re:Invent conference closes in. We start with the new Frankfurt datacenter, and how a court case involving Microsoft could kill off the future of all US-based cloud companies (it’s always the little things). Then we discuss directory services in the cloud, and how this indicates increasing cloud adoption and maturity at a pace we really haven’t ever seen before.&lt;/p&gt;</description></item><item><title>Hulk bash</title><link>/research/video/hulk-bash/</link><pubDate>Mon, 06 Oct 2014 00:00:00 +0000</pubDate><guid>/research/video/hulk-bash/</guid><description>&lt;p&gt;Mike, Adrian, and I start off a little rough around the edges, but eventually get to the point. Travel is taking its toll so we won’t be able to keep our usual weekly schedule, but we will stay as close as possible – until I run off to Amsterdam for a week, for Black Hat Europe. We catch up on the inane for a few minutes, before jumping into a discussion of the bash vulnerability and disclosure debacle. We agree it is often valuable to analyze an event after the initial shock waves (See what I did there? Shellshock? Shock waves?). Today we focus on the deeper implications and how the heck a disclosure could be so bungled. 
Plus a little advice on where to focus your patching efforts.&lt;/p&gt;</description></item><item><title>Apple Pay</title><link>/research/video/apple-pay/</link><pubDate>Tue, 16 Sep 2014 00:00:00 +0000</pubDate><guid>/research/video/apple-pay/</guid><description>&lt;p&gt;After a short break, the boys are back and here to talk about Apple. No, not the new wrist-mounted toy, but the first mobile payment system you might actually use. Or so says Rich’s Macworld editor, based on his article title.&lt;/p&gt;</description></item><item><title>You Can’t Handle the Gartner</title><link>/research/video/you-cant-handle-the-gartner/</link><pubDate>Mon, 18 Aug 2014 00:00:00 +0000</pubDate><guid>/research/video/you-cant-handle-the-gartner/</guid><description>&lt;p&gt;After our little Black Hat and DEF CON induced hiatus, the boys are back to talk about the latest vendor suing Gartner. Yes, there is a Gartner Tax. No, it isn’t what you think. No, there is no pay for play. Yes, there are better ways to handle this. Yes, end users love Magic Quadrants no matter how much you trash talk them. And yeah, somehow we know a bit about how all this works from all sides.&lt;/p&gt;</description></item><item><title>Hacker Summer Camp</title><link>/research/video/hacker-summer-camp/</link><pubDate>Tue, 22 Jul 2014 00:00:00 +0000</pubDate><guid>/research/video/hacker-summer-camp/</guid><description>&lt;p&gt;In the latest Firestarter, Rich, Mike, and Adrian discuss the latest controversial research to hit the news from HOPE and Black Hat. We start with a presentation by Jonathan Zdziarski on data recoverable using forensics on iOS. While technically accurate, we think the intent he ascribes to Apple shows a deeply flawed analysis. We then discuss a talk removed from Black Hat on de-anonymizing Tor. In this case it seems the researchers didn’t really understand the legal environment around them. 
Both cases are examples of great research gone a little awry.&lt;/p&gt;</description></item><item><title>China and Career Advancement</title><link>/research/video/china-and-career-advancement/</link><pubDate>Mon, 14 Jul 2014 00:00:00 +0000</pubDate><guid>/research/video/china-and-career-advancement/</guid><description>&lt;p&gt;This week we kept it simple with two topics. First up, China’s accusations that iOS and iDevices are a security risk.&lt;/p&gt;</description></item><item><title>G Who Shall Not Be Named</title><link>/research/video/g-who-shall-not-be-named/</link><pubDate>Mon, 30 Jun 2014 00:00:00 +0000</pubDate><guid>/research/video/g-who-shall-not-be-named/</guid><description>&lt;p&gt;This week they discuss some of the latest news from a particular conference held out in Washington DC last week which Mike stopped by (well, the lobby bar) and Rich used to help run.&lt;/p&gt;</description></item><item><title>Apple and Privacy</title><link>/research/video/apple-and-privacy/</link><pubDate>Tue, 17 Jun 2014 00:00:00 +0000</pubDate><guid>/research/video/apple-and-privacy/</guid><description>&lt;p&gt;Rich and Adrian join up to talk about some interesting developments in Apple privacy, and how Apple may be using it to get some competitive advantage.&lt;/p&gt;</description></item><item><title>Sputnik or Sputput</title><link>/research/video/sputnik-or-sputput/</link><pubDate>Mon, 02 Jun 2014 00:00:00 +0000</pubDate><guid>/research/video/sputnik-or-sputput/</guid><description>&lt;p&gt;The question of the day is: Are we in a Sputnik moment? Did the Target breach shake things up so much that security is moving up the chain? 
Or are these short-term reactions, which will fade with our memories of what happened?&lt;/p&gt;</description></item><item><title>Wanted Posters and SleepyCon</title><link>/research/video/wanted-posters-and-sleepycon/</link><pubDate>Tue, 20 May 2014 00:00:00 +0000</pubDate><guid>/research/video/wanted-posters-and-sleepycon/</guid><description>&lt;p&gt;We apologize for the quality of this week’s show… but Rich is on the road and can’t seem to understand the word ‘bandwidth’.&lt;/p&gt;</description></item><item><title>3 for 5- McAfee, XP, and CEOs</title><link>/research/video/3-for-5-mcafee-xp-and-ceos/</link><pubDate>Mon, 12 May 2014 00:00:00 +0000</pubDate><guid>/research/video/3-for-5-mcafee-xp-and-ceos/</guid><description>&lt;p&gt;A lot is going on in security land, so Rich, Mike, and Adrian return with another 3 for 5 episode.&lt;/p&gt;</description></item><item><title>There Is No SecDevOps</title><link>/research/video/there-is-no-secdevops/</link><pubDate>Mon, 05 May 2014 00:00:00 +0000</pubDate><guid>/research/video/there-is-no-secdevops/</guid><description>&lt;p&gt;Adrian is off at the altar of Buffett (the other one – not the one I wear a coconut bra for), so Mike and I delved into SecDevOps, triggered by a post from Andrew Storms over at DevOps.com.&lt;/p&gt;</description></item><item><title>The Verizon DBIR</title><link>/research/video/the-verizon-dbir/</link><pubDate>Mon, 28 Apr 2014 00:00:00 +0000</pubDate><guid>/research/video/the-verizon-dbir/</guid><description>&lt;p&gt;After missing a week, Rich, Mike, and Adrian return to talk about birthdays, the annual Verizon Data Breach Investigations Report, and child-induced alcohol consumption.&lt;/p&gt;</description></item><item><title>Three for Five</title><link>/research/video/three-for-five/</link><pubDate>Sun, 13 Apr 2014 00:00:00 +0000</pubDate><guid>/research/video/three-for-five/</guid><description>&lt;p&gt;In this week’s Firestarter the team makes up for last week and picks three different stories, 
each with a time limit. It’s like one of those ESPN shows, but with less content and personality.&lt;/p&gt;</description></item><item><title>The End of Full Disclosure</title><link>/research/video/the-end-of-full-disclosure/</link><pubDate>Mon, 24 Mar 2014 00:00:00 +0000</pubDate><guid>/research/video/the-end-of-full-disclosure/</guid><description>&lt;p&gt;Last week we held a wake for Windows XP. This week we continue that trend, as we discuss the end of yet another era – coincidentally linked to XP.&lt;/p&gt;</description></item><item><title>An Irish Wake</title><link>/research/video/an-irish-wake/</link><pubDate>Wed, 19 Mar 2014 00:00:00 +0000</pubDate><guid>/research/video/an-irish-wake/</guid><description>&lt;p&gt;We originally recorded this episode on St. Patty’s Day and thought it would be nice to send off Windows XP with a nice Irish wake, but Google had a hiccup and our video was stuck in Never Never Land for an extra day. To be honest, we thought we lost it, so no complaints.&lt;/p&gt;</description></item><item><title>RSA Postmortem</title><link>/research/video/rsa-postmortem/</link><pubDate>Tue, 11 Mar 2014 00:00:00 +0000</pubDate><guid>/research/video/rsa-postmortem/</guid><description>&lt;p&gt;We are all rested and recovered from RSA (yeah, right) and it’s time to review the week and what we think. Did we mention security is back, baby?! That’s right – it is clear budgets are now free, and the stink of desperation is fading.&lt;/p&gt;</description></item><item><title>Happy Hour- RSA 2014</title><link>/research/video/happy-hour-rsa-2014/</link><pubDate>Fri, 21 Feb 2014 00:00:00 +0000</pubDate><guid>/research/video/happy-hour-rsa-2014/</guid><description>&lt;p&gt;Okay, not really, but we hope you enjoy this beer-fueled extended episode of the Securosis Firestarter. 
Clocking in at a full hour, we prep and review the upcoming RSA show, which is really our way of covering how we think the year in the security industry will look.&lt;/p&gt;</description></item><item><title>Payment Madness</title><link>/research/video/payment-madness/</link><pubDate>Mon, 17 Feb 2014 00:00:00 +0000</pubDate><guid>/research/video/payment-madness/</guid><description>&lt;p&gt;This is our last regular Firestarter before we record our pre-RSA Quarterly Happy Hour.&lt;/p&gt;
&lt;p&gt;This week, after a few non-sequiturs, we talk about the madness of payment systems. It seems the US is headed towards chip and signature, not chip and PIN like the rest of the world, because banks think Americans are too stupid to remember a second PIN.&lt;/p&gt;</description></item><item><title>Mass Media Abuse</title><link>/research/video/mass-media-abuse-2/</link><pubDate>Tue, 11 Feb 2014 00:00:00 +0000</pubDate><guid>/research/video/mass-media-abuse-2/</guid><description>&lt;p&gt;In this week’s Firestarter we talk about the Book of Mormon (the play, not the other thing), biking while intoxicated, and the ongoing predilection of mass media to abuse the truth about security for ratings. Because, NBC and Sochi, and we have a question. Please drop us a line in the comments or on Twitter if you’d like us to also post the Firestarter as an audio-only podcast.&lt;/p&gt;</description></item><item><title>Inevitable Doom</title><link>/research/video/inevitable-doom/</link><pubDate>Mon, 03 Feb 2014 00:00:00 +0000</pubDate><guid>/research/video/inevitable-doom/</guid><description>&lt;p&gt;Okay, let’s just ignore the first part of this Firestarter where we talk about the Denver Broncos, okay? 
We recorded it on the Friday before the game and, well, enough said.&lt;/p&gt;</description></item><item><title>Government Influence</title><link>/research/video/government-influence/</link><pubDate>Mon, 27 Jan 2014 00:00:00 +0000</pubDate><guid>/research/video/government-influence/</guid><description>&lt;p&gt;In this week’s Firestarter Rich, Mike, and Adrian (until his computer died) discuss the importance (or lack thereof) of the security industry and community in influencing government.&lt;/p&gt;</description></item><item><title>Target and Antivirus</title><link>/research/video/target-and-antivirus/</link><pubDate>Mon, 20 Jan 2014 00:00:00 +0000</pubDate><guid>/research/video/target-and-antivirus/</guid><description>&lt;p&gt;In this week’s Firestarter Rich, Mike, and Adrian discuss the latest in the Target revelations and whether over-reliance on antivirus is to blame once again.&lt;/p&gt;</description></item><item><title>Crisis Communications</title><link>/research/video/crisis-communications/</link><pubDate>Mon, 13 Jan 2014 00:00:00 +0000</pubDate><guid>/research/video/crisis-communications/</guid><description>&lt;p&gt;Okay, we have content in this thing. We promise. But we can’t stop staring at our new title video sequence. I mean, just look at it!&lt;/p&gt;</description></item><item><title>The NSA and RSA</title><link>/research/video/the-nsa-and-rsa/</link><pubDate>Mon, 06 Jan 2014 00:00:00 +0000</pubDate><guid>/research/video/the-nsa-and-rsa/</guid><description>&lt;p&gt;Hey everyone. It’s a new year and time for new stuff from your pals here at Securosis.&lt;/p&gt;
&lt;p&gt;We used to run a Monday-morning ‘Firestarter’ post to get people thinking for the week. We decided to revive it with a twist. We are restarting the Firestarter as a weekly short video (15 minutes or so is our target). As we work out the details we also plan to push it out as a podcast, and once every month or so we will run a longer episode to dig deeper into a topic.&lt;/p&gt;</description></item></channel></rss>