Security. Some assembly required. Security is HARD, and 'real security' is a compromise between usability and security while knowing you're still accepting risk. This podcast alternates between interesting interviews and news analysis every other week - tune in, subscribe and join the conversation on REAL security issues relevant to your enterprise. Read the blog. Follow along on Twitter.
DtSR Episode 283 - Testing Security Into Applications
13/02/2018 Duration: 49min
This week an old friend, Vinnie Liu of Bishop Fox, joins Raf and James to talk about the history of AppSec. We started out trying to test ourselves secure, and we keep coming back to it - so this episode is a walk down memory lane and a glimpse into the future of application security. Don't forget to like us on iTunes and share with your colleagues!
Guest: Vinnie Liu ( @VinnieLiu ) - Vincent Liu (CISSP) is a Partner at Bishop Fox, a security consulting firm providing services to the Fortune 500, global financial institutions, and high-tech startups. With nearly two decades of experience, Vincent is an expert in security strategy, red teaming, and product security; at Bishop Fox, he oversees firm strategy and client relationships.
DtSR Episode 282 - DDoS - Past, Present, and Future
06/02/2018 Duration: 43min
Join us this week on Down the Security Rabbithole as Barrett Lyon (who knows a thing or two about DDoS) is our guest to talk about the evolution of the art and science of kicking people off of a network. Barrett is the authority on DDoS, with over 20 years in the field, going back to when angry teenagers flooded each other off of IRC servers. This is a fun episode that walks through DDoS - where it came from, how it evolved, and what we can expect in the future. TL;DR: yes, your fridge may one day DDoS your toaster.
Guest: Barrett Lyon ( @BarrettLyon ) - Barrett Lyon is the Vice President of Research and Development for the Neustar Security Solutions portfolio. He spearheads the development of innovative new products and solutions for the company's industry-leading DDoS, DNS and cybersecurity solutions. Mr. Lyon is a serial entrepreneur and a well-respected cybersecurity thought leader with experience building leading-edge network services and infrastructure. Prior to Neustar, Mr. Lyon founded Defense.
DtSR Episode 281 - Exploiting and Defending Human Behavior
30/01/2018 Duration: 49min
This week, go Down the Security Rabbithole with James and Raf as they host Robert Sell. Robert took 3rd place at the DEF CON SECTF (Social Engineering Capture-the-Flag) in 2017, and he has some lessons for you in the enterprise. "Social Engineering" (while a ridiculous and non-descriptive term) is a real attack vector. How are you defending your enterprise? Listen in. Then talk back on Twitter at #DtSR or LinkedIn!
Guest: Robert Sell ( @RobertESell )
DtSR Episode 280 - A Cloud Container Security Primer
22/01/2018 Duration: 45min
This week, Chris Rosen from IBM joins us to talk about cloud containers - and the security (or lack thereof) of them. There is a paradigm change coming which significantly impacts security - if we're ready for it. Chris talks us through the dramatic changes (or maybe not) of doing cloud security with containers and the impact on the shared responsibility model. Join us, and let us know what you think by leaving us a comment, either here or on iTunes.
Guest: Chris Rosen
DtSR Episode 279 - Deeper Down the SDP Rabbithole
16/01/2018 Duration: 44min
This week, Jason Garbis re-joins the podcast to go past the Primer (Episode 257) and dive deeper into SDP (Software Defined Perimeter), with a discussion of cloud and its relevance to the re-invention of the data center and related infrastructure.
Related DtSR listening: Zero Trust Model w/ John Kindervag; Software Ate the Perimeter w/ Jason Garbis.
DtSR Episode 278 - The Meltdown Over Spectre
09/01/2018 Duration: 43min
Welcome Down the Security Rabbithole. This week we bring on Jeff Schilling from Armor to talk about Spectre and Meltdown - the two hottest topics in security right now and for the foreseeable future. While you listen to us talk, check out the links, and the obligatory "I patched and things got worse" post.
DtSR Episode 277 - An Outside In Look at Security and Innovation
02/01/2018 Duration: 46min
Happy New Year, 2018. Friends, thanks for listening! I can't believe this podcast is still going strong after all these years and 277 episodes. I started this podcast with an idea - give you something to listen to that was office-friendly, informative, and focused on advancing our trade. Over the years I've gotten some encouraging comments from people ranging from those trying to get into our industry, to those who are leading large organizations' security practices. I'm encouraged by you all, and thank you for supporting us. Now, let's get on with 2018. On this first episode of 2018, James and I welcome Ben Kepes, who is a long-time friend of mine and an industry analyst. Ben isn't your typical analyst though, because he has a healthy dose of skepticism, an eye for bullsh**, and he's trusted by vendor and buyer alike. Oh, also, he's a Kiwi, so he's got that going for him too. Sit back, enjoy, and leave us a comment if you are so moved.
DtSR Episode 276 - Game Changer in ICS (no FUD edition)
26/12/2017 Duration: 44min
What: In this episode we get the facts on the recent game-changing malware/attacks, which appear to be nation-state sponsored and target critical safety systems in industrial control systems (ICS).
Why: You've probably read about it, and depending on what you read you may only have the hype or half the story.
Who: As always, Sergio Caltagirone from Dragos is the master at telling a great story from just the facts. He's part of the team that did the analysis, wrote the narrative, and then ended up on countless phone calls explaining it to executives and national security types. He knows his craft.
Links: Dragos blog about the topic; FireEye's version.
We invited him on this special episode to give you the inside story, to separate some of the hyperbole from reality - so listen up.
DtSR Episode 275 - Beyond 2017 A New Hope
19/12/2017 Duration: 44min
For episode 275 we are once again joined by the one and only Haroon Meer ( @haroonmeer ) to follow up on his conversation from September 2016 titled "What will get us there". If you've not had a chance to listen to that show, you absolutely should do that first. Haroon shares his perspective, including:
- "The cloud has won"
- Fundamentals are still hard, and we're still largely failing at them
- Hackers make the best engineers when you give them a problem to solve
- Where do we go from here, into 2018? Is there hope?
DtSR Episode 274 - Let's Talk Power Grid
13/12/2017 Duration: 38min
This week, Patrick Miller returns (another boomerang guest from the way-back machine) to talk about the energy grid. It turns out things aren't super different from 5 years ago, but some things have changed. Patrick and I discuss resiliency (over actual security) in the grid, and focus on transmission, generation, and "getting it all working again" from a life-safety perspective. It's a fascinating discussion, don't miss it!
** Apologies for some of the audio quality; we had "choppy" issues on Skype and I edited the best I could.
DtSR Episode 273 - Automate or Die (w/Demisto)
05/12/2017 Duration: 29min
Join James and Rafal, one last time, live from Enfuse Conference (Las Vegas, NV) this past summer. In this episode, we track down a personal friend of Raf's - Bob Kruse, VP Sales & Alliances at Demisto - and talk about the need for the enterprise to automate and orchestrate. Oh, also, Bob pretty much said that within a year of recording that episode he would get an "Automate or Die" tattoo. So just to be on the safe side, we'll give him until next year, about this time. Game on, Bob.
DtSR Episode 272 - Innovation, Startups, and the Security Bubble
28/11/2017 Duration: 42min
This week, Grant and Mark join me live and in person in Las Vegas at the Amazon AWS re:Invent conference to talk about the security marketplace, innovation, "the bubble" and more. Here's the announcement we talked about at the opening of the show: McAfee announces agreement to buy Skyhigh Networks.
Guests: Mark Arnold ( @lotusebhat ), Grant Sewell ( @GrantSewell )
DtSR Episode 271 - The Secrets of Influence Through Communication
21/11/2017 Duration: 45min
This week James and I are fortunate enough to have one of the best keynote speakers I've ever seen on the show. He's an amazing speaker, a brilliant magician and a sharp dresser - this guy is the real deal. Straight off the keynote stage at the Security Advisor Alliance (SAA) Summit in Denver ... ok, maybe not straight off, Vinh Giang joins us to talk about how to influence people while you're up there giving a talk or speech. Grab something to take notes with - trust me, this one is chock full of brilliant nuggets.
Guest: Vinh Giang ( Twitter: @AskVinh ) is a brilliant self-made public speaker, magician, and all-around snappy dresser.
DtSR Episode 270 - Secrets of InfoSec at Scale
15/11/2017 Duration: 50min
Ladies and gentlemen - we have our first 3-time guest! Brandon Dunlap, my good friend and industry titan, joins the podcast for his third trip down the rabbit hole. In this episode Brandon Dunlap ( @bsdunlap ) and I talk through the challenges of security at scale, in person and live from Seattle. In the previous two episodes that Brandon has done on this show we talked about the challenges of scaling information security teams; this time we go deep into the strategies that work, where the lines are drawn, and some lessons learned from a very successful career doing exactly this - InfoSec at scale.
The previous two appearances of Brandon on this show are: DtSR Episode 202 - Outsourced but Better; DtSR Episode 158 - Managing Security with Outsourced IT.
We invite you to listen, take notes, and converse with us on #DtSR on Twitter, or on this post on LinkedIn.
DtSR Episode 269 - Industrial Internet of Things (IIOT)
07/11/2017 Duration: 48min
This week, we have a repeat guest, with Robert M. Lee joining our show to talk about the Industrial Internet of Things. Rob has just finished a conference that his company, Dragos, Inc., started in order to educate and to increase awareness and research around the Industrial Internet of Things. Whether you think you know what the IIoT is, or whether you can admit to yourself that you need to know more - this podcast will have it all. We also reference a podcast with Dr. Timothy Chou (DtSR Episode 250 - Deconstructing the Internet of Things). If you haven't read his book, "Precision", it's the basis for a lot of this discussion. Thanks to Rob again for being on the show!
DtSR Episode 268 - CISOs Survival Guide
31/10/2017 Duration: 55min
Welcome down the Security Rabbithole, friends and colleagues! This week, my guest is Larry Whiteside, Jr. (we know him as the best-dressed man in InfoSec). Larry joins the podcast while James is out to discuss the life and times of a CISO. He has extensive experience as a CISO and security leader, working across multiple market verticals from energy to healthcare, in addition to being a former colleague advising CISOs. Larry dispenses his brand of knowledge with a little bit of an edge, a little dose of realism, and a lot of fun. If you've never had the pleasure of working with Larry, it's something I advise you do at some point in your career. He's even been referred to as the "CISO Whisperer" by people who know and have worked with him. All else failing, Larry can always give you fashion advice and up your sock game. Game on!
DtSR Episode 267 - Cyber Security Awareness Month Wrap
24/10/2017 Duration: 36min
This week, James and Raf cover the tail end of Cyber Security Awareness Month. It's been an interesting week of news, and of course let's talk about awareness. Have you completed your mandatory training?
This week's talking points:
Namaste Health Care security incident announcement
- Pay attention to how this article is worded; we've covered this before with Sean and Michael too
- When you don't know, you have to report the worst case
- Puts the spotlight on knowing what's in your environment, and having a plan not only for technical IR but for communications
- How would your organization report? Are you ready to be better?
DHS imposes DMARC on federal agencies
- Any time we can add to the security measures over email, bonus
- We already know email is the #1 way bad things get disseminated
- This is not set-and-forget; you need to make sure it's working!
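The DMARC point deserves a concrete check, because a record can exist without enforcing anything (p=none, pct=25, no rua address), and the DHS directive (Binding Operational Directive 18-01) ends at p=reject, not at "we published a record". The following is an added example, not code from the podcast, its guests or DHS: it parses a DMARC TXT record, flags the ways a record can be deployed but toothless, and tallies a DMARC aggregate (rua) report, which is the feedback channel that actually tells you whether the policy is working and who is failing it. The domain names, IP addresses and report XML are constructed sample data. A real record is fetched with `dig +short TXT _dmarc.example.gov`.

```python
"""DMARC record checks and aggregate (rua) report summary.

Added example for the DtSR DMARC talking point; not from the podcast or DHS.
Domains, IPs and the report XML below are constructed sample data.
"""
import xml.etree.ElementTree as ET

POLICY_ORDER = ["none", "quarantine", "reject"]  # weakest to strongest


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into a {tag: value} dict, enforcing RFC 7489 basics."""
    if not record.strip().lower().startswith("v=dmarc1"):
        raise ValueError("record must start with v=DMARC1")
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if "p" not in tags:
        raise ValueError("missing required p= tag")
    if tags["p"].lower() not in POLICY_ORDER:
        raise ValueError(f"invalid p= value: {tags['p']!r}")
    return tags


def policy_findings(record: str, required_policy: str = "reject") -> list:
    """Return findings explaining why the record falls short; empty list means it meets the bar."""
    try:
        tags = parse_dmarc(record)
    except ValueError as exc:
        return [f"unparseable record: {exc}"]
    findings = []
    required = POLICY_ORDER.index(required_policy)
    if POLICY_ORDER.index(tags["p"].lower()) < required:
        findings.append(f"p={tags['p']} is weaker than required p={required_policy}")
    # sp= governs subdomains; if absent, subdomains inherit p=.
    sp = tags.get("sp", tags["p"]).lower()
    if sp in POLICY_ORDER and POLICY_ORDER.index(sp) < required:
        findings.append(f"sp={sp} leaves subdomains weaker than required")
    pct = tags.get("pct", "100")  # default is 100 per RFC 7489
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: policy applied to only part of failing mail")
    if not tags.get("rua"):
        findings.append("no rua= address: aggregate reports will never arrive")
    return findings


def summarize_aggregate_report(xml_text: str) -> dict:
    """Tally a DMARC aggregate report: total, DMARC-aligned and failed counts per source IP."""
    root = ET.fromstring(xml_text)
    summary = {
        "domain": root.findtext("policy_published/domain"),
        "published_policy": root.findtext("policy_published/p"),
        "total": 0, "aligned": 0, "failed": 0, "sources": {},
    }
    for rec in root.iter("record"):
        count = int(rec.findtext("row/count"))
        ip = rec.findtext("row/source_ip")
        evaluated = rec.find("row/policy_evaluated")
        # DMARC passes when either aligned DKIM or aligned SPF passes.
        passed = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        summary["total"] += count
        summary["aligned" if passed else "failed"] += count
        src = summary["sources"].setdefault(ip, {"count": 0, "dmarc_pass": passed})
        src["count"] += count
        src["disposition"] = evaluated.findtext("disposition")
    return summary


# Constructed sample records; example.gov is a placeholder, not a real agency.
SAMPLE_RECORDS = {
    "enforcing": "v=DMARC1; p=reject; rua=mailto:dmarc-rua@example.gov; pct=100",
    "monitor_only": "v=DMARC1; p=none; rua=mailto:dmarc-rua@example.gov",
    "half_hearted": "v=DMARC1; p=reject; pct=25; sp=none",
}

# Constructed aggregate report in the RFC 7489 Appendix C shape, trimmed to the fields used.
SAMPLE_REPORT = """<feedback>
  <report_metadata><org_name>receiver.example.net</org_name><report_id>1</report_id></report_metadata>
  <policy_published><domain>example.gov</domain><p>reject</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.gov</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.gov</header_from></identifiers>
  </record>
</feedback>"""

if __name__ == "__main__":
    for name, rec in SAMPLE_RECORDS.items():
        print(name, policy_findings(rec) or ["ok"])
    print(summarize_aggregate_report(SAMPLE_REPORT))
```

The report summary is where "make sure it's working" lives: a source that keeps failing with disposition=reject is either a spoofer being blocked (good) or a legitimate sender you forgot to add to SPF/DKIM before flipping to p=reject (bad), and only the rua feed tells you which.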
DtSR Episode 266 - Leadership Perspective with Michael
17/10/2017 Duration: 57min
This week we're getting the band back together! Michael Santarcangelo joins us for a segment we'll be featuring regularly (look for it every 6 weeks or so) on the leadership perspective. Security could use some leadership, and we will be enlisting Michael to talk about current events and lessons for leadership. Tune in, and you may just end up with something you can use in your day job.
DtSR Episode 265 - Privacy and Paranoia
10/10/2017 Duration: 47min
This week's Down the Security Rabbithole Podcast asks, "Are you paranoid enough about your privacy? Or do you simply not have any?", with a couple of gentlemen who would know. Join James and Raf as we go down the rabbit hole one more time, this time talking about the breadcrumbs, fingerprints, and digital privacy violations you voluntarily give up in your everyday life. It's a little scary, but the trade-off we make for the sake of convenience is very real. Grab your tinfoil hat and your burner phone and enjoy!
DtSR Episode 264 - Windows Forensics Then and Now
03/10/2017 Duration: 41min
This week, Harlan Carvey joins James and me to talk about the evolution of Windows forensics over the last decade and a half or so. Harlan has more experience than most when it comes to diving into a Windows machine from a forensics perspective, and is a well-spoken author of many books and blogs.
Guest: Harlan Carvey ( @keydet89 ) - Digital forensics and incident response analyst with past experience in vulnerability assessments and penetration testing. Conducts research into identifying and parsing various digital artifacts from Windows systems, and has developed several innovative tools and investigative processes specific to the digital forensics analysis field. Developer of RegRipper, one of the most widely used tools for Windows Registry analysis. Has developed and teaches several courses, including Windows Forensics, Registry, and Timeline Analysis. Harlan's blog and LinkedIn profile are linked from the show notes.