While non-profit doesn't mean "no budget" when it comes to cybersecurity, a lot of smaller to mid-sized non-profits operate on a shoestring, with little to no money for cybersecurity talent or spending. This is where Sightline Security steps in. Sightline's founder and CEO, Kelley Misata joins us today to explain how her own non-profit helps other non-profits improve their cybersecurity posture.

Show Notes: https://securityweekly.com/esw-341

High School students represent the very beginning of the pipeline for the Cyber industry. What are the attitudes and perspectives of these young people? How can we attract the best and brightest into our industry?

Show Notes: https://securityweekly.com/vault-esw-5

Finally, in the enterprise security news,

1. Lots of new security startups with early stage funding
2. SentinelOne picks up Chris Krebs and Alex Stamos’s consulting firm
3. PE firm picks up ActiveState - a company I haven’t thought about since I last downloaded ActiveState Perl 1000 years ago
4. Microsoft announces the limited release of Security Copilot
5. Semgrep releases a secrets scanner
6. AGI predicted to come much sooner than you might expect
7. NY State doubles down on cybersecurity regulations to protect its hospitals
8. the young hackers behind Mirai, one of the biggest botnets ever
9. Ransomware groups snitch on businesses to the SEC

Show Notes: https://securityweekly.com/esw-340

We regularly cover significant breaches on this podcast, but it is rare that we have enough information about a major breach to cover in enough detail to devote an entire segment to. Today, we dive into lessons learned from the breach of Okta's customer support system that targeted some other major security vendors.

This is part of a troubling trend, where the target of an attack only serves as a jumping off point to other organizations. China's 2023 attack of Microsoft is an example of this. It was easier to attack Microsoft 365, one of the world's largest business SaaS platforms, than to go after each of the 25 individual targets these Chinese actors needed access to.

Traditionally, we've thought of lateral movement as something that happens within a network segment, or even within a single organization. Now, we're seeing lateral movement between SaaS platforms, between clouds, from third party vendors to customer, and even from open source project to open source adopters.

In this segment, we'll cover five key lessons learned from Okta's breach, from information shared by Okta and three of its customers: 1Password, Cloudflare, and BeyondTrust.

1. Protect Your Session Tokens
2. Monitor for Unusual Behavior
3. SaaS Vendors Are Common Targets
4. Zero Trust Principles Work
5. MFA Isn't a Binary (on or off) Control

Segment Resources

• https://www.valencesecurity.com/resources/blogs/five-lessons-learned-from-oktas-support-site-breach

Show Notes: https://securityweekly.com/esw-340

Once again, Theresa Lanowitz joins us to discuss Edge Computing, but with a twist this time, as Mani Keerthi Nagotu from SentinelOne joins us as well! As a field CISO, Mani knows all too well the struggles security leaders are going through, given the current market and threat landscape:

• Maybe not less budget, but more pressure to produce results and justify spending
• Security leaders being held personally accountable for performance
• Potential layoffs, and the need to achieve the same goals with less labor and tool overhead

Segment Resources

• https://cybersecurity.att.com/insights-report

This segment is sponsored by AT&T Cybersecurity. Visit https://securityweekly.com/attcybersecurity to learn more about them!

Show Notes: https://securityweekly.com/esw-340

During the news today, we went deep down the rabbithole of discussing security product efficacy. Adrian still doesn't believe in enterprise browsers beyond Google Chrome, but can't deny that Talon got a pretty favorable exit considering the state of the market. We see the first major exit for cybersecurity insuretechs, and discuss a few notable funding rounds.

We discuss Kelly Shortridge's essay on the origins and nature of the term "security" and what it means. Stephen Schmidt suggests 6 questions every board should ask their CISO, we explore Cyentia Labs' meta analysis of MITRE ATT&CK techniques, and Phil Venables shares some hilarious takes on infosec stereotypes.

Show Notes: https://securityweekly.com/esw-339

We've reached an inflection point in security. There are a handful of organizations regularly and successfully stopping cyber attacks. Most companies haven't gotten there, however. What separates these two groups? Why does it seem like we're still failing as an industry, despite seeming to collectively have all the tools, intel, and budget we've asked for?

Kelly Shortridge has studied this problem in depth. She has created tools (https://www.deciduous.app/), and written books (https://www.securitychaoseng.com/) to help the community approach security challenges in a more logical and structured way. We'll discuss what hasn't worked for infosec in the past, and what Kelly thinks might work as we go into the future.

Show Notes: https://securityweekly.com/esw-339

Today, we discuss the state of attack surface across the Internet. We've known for decades now that putting an insecure service on the public Internet is a recipe for disaster, often within minutes. How has this knowledge changed the publicly accessible Internet? We find out when we talk to Censys's Aidan Holland today.

Show Notes: https://securityweekly.com/esw-339

Oh, the HARror! Sanitizing HAR files is not as easy as some might lead you to believe. CISA funds Cyber.org for K-12 cyber education and ORNL creates a Center for AI Security Research (CAISER). Cloudflare creates a tool out of spite, and CISA creates a tool you shouldn't use in production? Biden's EO on "Safe, Secure, and Trustworthy AI" and the Top Five Things you need to know about how GenAI is used in Security Tools.

Five lessons learned form Okta's latest breach, should ransom payments be illegal, and why ransomware victims can't stop paying ransoms. We discuss the impact of the charges made against Solarwinds and its CISO by the SEC, the 2023 ISC2 Cybersecurity Workforce Survey, and Microsoft's latest open letter on security.

Finally we wrap up discussing a delicious $8M Series A for better bagels!

Show Notes: https://securityweekly.com/esw-338

There is little to no organization of data within companies in 2023. We're all guilty of this at some level. The download folders and desktops on our personal machines are a mess. File servers, and cloud storage services are a mess. In Microsoft's recent data leak, AI researchers even had PC backups stored along side machine learning models for whatever reason.

Data is hard to classify, organize, and monitor. By designing for convenience, we've created convenience debt that now has to be paid down. In this segment we talk to Jackie McGuire about what needs to happen to accomplish this, at the enterprise level, and at scale.

Even if we can one day address the challenge of tracking and labeling data, we'll still have the challenge of addressing data integrity and resilience, which we'll also discuss if we have time!

Segment Resources: https://www.darkreading.com/risk/it-s-time-to-assess-the-potential-dangers-of-an-increasingly-connected-world-

Show Notes: https://securityweekly.com/esw-338

In this segment, we discuss the current state of the market recovery with Hank Thomas, founder of Strategic Cyber Ventures.

We've got market questions, like:

• What has changed in the last year?
• Are IPOs coming back any time soon?
• How large is the cybersecurity death pool?
• What do early and mid-sized startups need to do to survive in the current market?

Show Notes: https://securityweekly.com/esw-338