All episodes

The CISO's Dilemma: Balancing Security, Innovation, and Burnout with Ross Young

Unraveling the Mysteries of Privacy Engineering: A Deep Dive with Apoorvaa Deshpande

TLDR; 1. Privacy engineering focuses on implementing privacy best practices for users and organizations. The core focus is user's privacy and responsible handling of their data. Finding the balance between experience and fatigue is key. 2. Privacy by design enables teams to incorporate privacy engineering practices to each

Getting Started with Cloud Pentesting with Scott Weston

TLDR; * gcpwn (modeled after Pacu) is a great tool for pentesting covering enumeration and lateral movement. There are many more capabilities coming up soon with support for more Services and APIs. * Annual Pen Testing is a good start. But, pentesting should be as close to continuous as possible. It helps

Mastering Zero Trust: A Comprehensive Guide with Dr. Natalia Semenova

TLDR; * Zero Trust is a continuous journey. It’s not like a set it and forget it type of program. Organizations need to invest not only to set it up initially but also to keep monitoring and improving the program. * For adoption of zero trust, some of the biggest challenges

The Ultimate Guide to Cloud Security: A Deep Dive with Richard Stiennon

TLDR; * Vendor / Platform selection should be based on organization goals. CISOs & Security leaders should prioritize selection based on current posture and look at achieving a set of future goals vs compliance needs or by following a checkbox approach. * Vendor health is an important aspect of determining a platform/vendor.

Mastering Cloud Incident Response with Hilal Ahmad Lone

TLDR; * Having a defined Incident Response Process and Alignment among the team are key for a successful Incident Response Program * Monitor your MTTD and MTTR and use that to constantly improve your Incident Response Program. * When it comes to the Security of your organization, Open Source or Native security tools

Rethinking the Framework: Addressing Inherent Cybersecurity Risks with Gretchen Ruck

TLDR; * GenAI Tools are good at generic information. But, it often lacks contextual awareness. Building contextual awareness it into the GenAI tooling to get the maximum benefit of this technology trend. * Data privacy & Privacy Enhancing Technology (PET) plays a critical role in organisation’s GenAI strategy. Enough guardrails should

Auto Remediation on AWS with Lily Chau

TLDR; * There are two essentials to focus in cloud security. Strong security foundations / baselines for preventive measures and remediations for drifts from a reactive measures stand point. * Biggest challenge with remediation programs is buy-in from other stakeholders like Engineering, DevOps, Leadership. To get the buy-in, show the current MTTR vs

Demystifying Identity and Access Management with John Giglio

TLDR; * In an organization, the IAM landscape is always a moving target. So, understand the organizational structure and usability of cloud services before setting up the foundation. * Security vs Compliance is an age-old debate. When the security basics are implemented the right way, compliance automatically follows. * For data perimeter security,

The intersection of Security and Human Behavior ft. Classie Clark

TLDR; Thanks, Cassie for the fun conversation. Here’s a summary of our conversation: * To enhance security program effectiveness, infuse security into daily practices of engineering and others. A simple example could be doing a security review as part of the code review process in SDLC. * Training and Awareness programs

Building Security Foundation and Security Boundaries with Kushagra Sharma

TLDR; * Security baseline along with security boundaries define the security foundation for Organizations. There are various types of security baselines organizations should incorporate like Network, IAM, Infra, and Data. * Baselining is a continuous process. Define it, measure it, monitor it, and refine it using internal and external audits & findings.

Trust & Security: The Cornerstones of a Resilient Organization! With Sandeep Agarwal

TLDR; * For organizations, alignment between Revenue Goals vs Cost vs Risk is key for success. Instead of teams working in isolation, collaborate to improve the security of the organization. * Security is seen as a team of No. Instead of saying No, security teams should show the path to Yes for

Understanding the Continuous Security and Incident Response Landscape

TLDR; Thanks, Jan, for the insightful conversation. Here are a few things that I gathered. * For the compliance and security debate, understand different personas and their agendas, have a governing body that works with all of these personas, and helps with prioritization. * Always start with basic security practices and focus

Network Security Fortress: Master Network Segmentation with Tom Adamski

This episode dives deep into network segmentation - your secret weapon for building a secure and scalable network. We'll discuss best practices, tackle implementation challenges, and explore how to integrate segmentation with Zero Trust.

Understanding the role of logging and monitoring in detective controls with Kailash Havildar

TLDR * Standardization of logs is very important when designing a Centralized Logging and Monitoring solution. Both from a security and also from an engineering perspective. * When it comes to Logging, start with User Logs, System Logs, Config Logs, Network Logs, in that order to analyze for Detecting Security issues. * For

Building Cybersecurity Teams with Matthew Marji

TLDR; * Communication, both written and oral, are key skills for security engineers and organizations should evaluate for this during the hiring process. * For startups while hiring, assessing the business risk has a huge impact because it helps you decide whether to hire a contractor or a pen tester or a

Understanding Threat Modeling and Secure by Design Concept with Adam Shostack

TLDR; * Secure by design is a key step in building a healthy security program. It should not be done, or rather it should be done while designing and building applications and not as an afterthought. * When it comes to threat modeling, taking a pause and asking questions about possible threats

Conquering Enterprise Risk Management with Amit Subhanje

TLDR; * Risk Management should not only be reactive. It has to have the right balance between proactive and reactive strategies. * Continuous training and awareness programs are key for running a healthy and successful security program. Also, when it comes to training, it should be targeted vs generic. * Security is a

Exploring the World of Incident Response and Detection with Pablo Vidal

TLDR; * In order to ensure success of security programs, security engineers should not work in Isolation. Instead, they should collaborate across teams and organization. * For Incident Detection and Response, organizations should have a rubrik. It reduces the stress on engineers to figure out the right plan of action and next

Building Cybersecurity Teams and Virtuous Circle With Clients ft. Jesse Miller

TLDR; * Create and Practice a Culture of Knowledge, Learnings and Growth. This not only helps you in hiring new Security Roles but also helps in Retaining them. * For a Startup, hire a generalist as a First Role. This helps in Building the Trust and relationship foundation between Security and other

Beyond the Basics: Understanding Threat Hunting and Security Research with Josh Pyorre

TLDR; * Threat researchers use threat hunting to learn about trends, and correlations, to narrow focus of the research. And they use this information to watch for other threats and also to help bring awareness in organizations. * Threat research needs creative and out-of-the-box thinking. By following a checklist, threat researchers often

Keeping Pace with Cloud Security: A Guide to Maturity Models with Rich Mogull

TLDR; * When it comes to Cloud Security, it needs a mindset shift vs on-prem security. And Cloud Security Maturity Model helps with that. * Biggest challenge with Adoption of Cloud Security Maturity Model is expectation setting. Work with Leadership to set the right expectations. * Before acting on Maturity Model, evaluate the

The Cloud Security Saga with Joseph South

TDLR; * When it comes to Cloud Security, focus on Basic & Common Misconfigurations first. Only after all of those are resolved, pay attention to edge cases. * For the Prevention of Cloud Security risks, ensure the Pipeline is Secure. The Infrastructure getting deployed into the Cloud environment is secure and does

Understanding the concepts of Supply Chain Security, Container Images, SBOMs, and more with Aung

TLDR; * Software Bill of Material (SBOM) is key for Supply Chain Security. It helps organizations understand dependencies and vulnerabilities associated with the dependencies. * To analyze SBOMs, utilize a Software Composition Analysis (SCA) Tool and integrate is as part of CI/CD Process. * Some of the best practices of Image Signing

Navigating the Identity and Access Management Landscape with Joseph South

TLDR; * Security of Cloud IAM requires a different mindset than traditional IAM. Once credentials are breached, attackers gain access to all infrastructure in a Cloud environment. This is one of the Primary Reasons why IAM is the new Perimeter. * To address IAM security gaps, start with Tagging of IAM Resources,

Unlock the Secrets to Successful Cloud Security with Andre Rall

TLDR; * IAM is the critical component when moving workloads from On-Prem to Cloud. Special attention should be paid to Right Sizing of Permissions early on as part of Cloud Security strategy. * Visibility of Cloud Assets is important. Implement Automation for workloads and follow DevSecOps best practices to ensure Security is

Guardian Code: Safeguarding Applications in the AI Era with Jim Manico

TLDR; * When it comes to Code generation using Gen AI tools, Trust but Verify. Always run those through your DevSecOps pipelines for Static & Dynamic Scans. * During Prompt engineering, stay away from feeding sensitive information and ask for Low Cyclomatic Complexity recommendations. It’s simpler and easier to maintain. * On

Guardians of Trust: Navigating Third-Party Risk Across Business Realms with Jeffrey Wheatman

TLDR; * Vendor Security Questionnaires are not enough because they are out of date a month after its filled. Continuous assessment is more important than one time vendor security questionnaire. * Prioritization of Vendors and their security is key to not get overwhelmed with massive number of vendors. it can be driven

Security that speaks to heart; understanding emotional intelligence and third-party risk management with Shivani Arni

TLDR; * From a culture perspective, create an environment where your Team feels comfortable in taking Risks. Without Risk Taking, there’s no Innovation. * When it comes to Security, show the ROI to the Leadership and do not forget to recognize effort and celebrate small wins. * Assign Tiers to vendors based

Identity and Access Management in the Cloud: Beyond Mere Access Control

TLDR; * To Show Value of IAM improvements to Leadership, map them to outcomes like Cost Improvement from Audit/SOX perspective, Developer Productivity Gains via Provisioning improvements and MTTD & MTTR from Incident Response perspective. * To keep Cloud Security complexity to minimum, bring all your data sources (like SIEM, SOAR, IDS/

Unleash the power of DevSecOps and Cloud-Native Security with Kayra Otaner

TLDR; * Organizational alignment is the most important factor for Security roadmap. Pro tip - when speaking with Business, Security Teams should use the Business Language instead of Technical Language. * Build a One team culture. Brown Bags, Lightning Talks, Dojos, etc are great ways to collaborate with Engineering and Product teams

Revolutionize your approach to SDLC using DevSecOps techniques with Matt Tesauro

TLDR; * Context is key. When looking at Vulnerabilities do not just look at CVSS Base score, instead, understand your Risk Profile and add the Environmental elements for better prioritization. * In order to adhere to DevSecOps practices, be pragmatic. Instead of a Big Bang approach, start small and iterate to incorporate

Shielding Your Supply Chain: Strengthening Security Measures with Francois Proulx

TLDR; * For Application Security, start with Threat Modeling including Context. Look at all our architecture diagrams and start evaluating from an attacker's mind. * When using Open Source dependencies, start with a Baseline Vulnerability Scan and do a continuous process to review and evaluate dependencies. * Understand dependencies, SBOM to

Understanding Vulnerability Management, Supply Chain Security, & SBOMs with Yotam Perkal

TLDR; * Context is key when it comes to Vulnerability Management. Instead of focusing on Vulnerabilities by severity, organizations should evaluate the exploitability and actively exploited vulnerabilities for Prioritization. * When looking at Vulnerabilities do not take CVSS Base score at face value, organizations should understand & utilize Temporal and Environmental elements

Navigating Threat Modeling and Vulnerability Management Challenges with Kalyani Pawar

TLDR; * Detailed Understanding on particular capability with overview of entire architecture is very important from a Threat Modeling perspective. * Create Checklists to scale security in an organization. Involve all teams, and when possible invest and nurture a security champions program. * Security is a journey not a destination. Celebrate small wins.

Understanding the Role of Asset Management and Kubernetes in the Cloud with Kesten Broughton

TLDR; * When it comes to asset management, always start from outside in, like DNS, to understand your dangling subdomains or public IPs, which are sort of overexposed and work your work towards inside of your infrastructure. * For asset inventory, get data from multiple sources so that you can use that

Practical strategies for defending a Kubernetes cluster with Divyanshu Shukla

Host: Welcome to the final chapter of Kubernetes Learning series. In part one we learned about Kubernetes and workloads in general along with some open-source tools. In part two we learned about approaches for attacking Kubernetes clusters from a red teaming perspective and also understanding attackers mindset while exploiting clusters.

Restorative Justice Framework: A New Way to Solve Conflict with Michele Chubirka

TLDR; * First Security hire for an organization should be a Generalist and has necessary soft skills to work with other teams to improve overall security. Soft Skills and Relationship building is key at the early stage of an organization. * Security Champions are important for a successful Security program implementation. Collaborate

Workshop on Attacking a Kubernetes Cluster

Host: Welcome to another part of Kubernetes Learning series. In part one, we focused on Kubernetes and workloads in general, along with some open-source tools. Today in part two, we will focus on approaches for attacking a Kubernetes cluster from a red teaming perspective. This also helps in understanding how

Master the art of Incident Response, Digital Forensics, and Threat Intelligence with Gerard Johansen

TLDR; * Playbooks have an important role in the Incident Response Process, from all aspects, including Evidence Collection, Triage, Retrospection. * There are 4 key factors which need to be understood in Incident Response - Initial Access, Execution, Lateral Movement and Command & Control. * Training your engineers on Architecture (Cloud or Hybrid

Attacking and Defending Kubernetes Cluster with Divyanshu Shukla

Host: Hi everyone. Thanks for tuning into another episode of Scale to Zero. I'm Pursottam, co founder and CTO of Cloudanix. Today's topic includes Kubernetes Security, both from an attack perspective and also from a defense perspective. We'll be doing this slightly differently than

Cloud-Native Realm: A Comprehensive Look at Kubernetes Security with Steve Giguere

TLDR; * Kubernetes is not a solution for all. It always depends on the use case. It depends on the growth stage of the company, expertise in the team, and few more. Surprisingly, monoliths could be a better solution sometimes. * Automation is a key practice while adopting Cloud Native Security. Shift

Digging Deeper on DevOps & DevSecOps with Kyle Fossum

TLDR; * Security is definitely an additional overhead for DevOps practices. Self-Serve tooling helps ease the gap between Engineering and Security. * Some of the best practices of DevOps are: Do not embed secrets in Code. Follow Standardization via Config Management, automation (IaC) and Observability. * It’s highly recommended to use Hardware

Master Application Security, Threat Modeling, and Security Resilience with Dustin Lehr

TLDR; * For an organization starting to incorporate Security into their systems, start right (as in securing your Production Systems) and make progress towards securing the Source Code. This helps bridge the gap between best case scenario and current state. * Security is not always the highest priority. Depending on the stage

Uncovering The Secrets Of Threat Modeling With Brook Schoenfield

TLDR; * Threat Modeling is a continuous activity and should be part of every phase of SDLC starting from Design phase itself. * For Threat Modeling, start with something as simple as STRIDE framework and as the organization matures, review and utilize other frameworks as needed. * For resource constrained organizations, start with

Comprehending Security Culture with Ariel Shin

TLDR; * Finding right balance between Production Speed and Security is all about right Prioritization. It’s a shared responsibility between Security & other teams. * Security Team is an advisor where as Product & Engineering owns the implementation. So, building relationship with other Teams is highly important. * Empathy is one of

Learning Application Security With Chris Romeo

TLDR; * Security Tools does not mean AppSec. There are other factors to Security as well like People, Process and Governance. * For resource constrained organizations, start with Open Source to improve Security for high impact areas before investing in Wholistic & Expensive Tools. * Instead of following all the best practices like

Data Loss, DevOps, and More!

TLDR; * Threat modeling is key for incorporating security in each phase of SDLC. More importantly, training the team to look out for gaps in security and then using that for threat modeling will have the highest return for organizations. * When working with other teams and execs show how security can

Bizzare Cloud Security Facts With Gaurav Batra

Purusottam: Hi Everyone, Thanks for tuning into our Scale to Zero show. Today we have Gaurav Batra with us. Gaurav is the Founder & CEO of CyberFrat (A Cross-Training Platform for Nexgen Cybersecurity & Risk Leaders). Earlier he was a Global Information Security & Cloud Expert at Mondelez International. Gaurav,

Understanding Cyber Security With Aseem Rastogi

Purusottam: Hi Everyone, Thanks for tuning into our Scale to Zero show. Today we have Aseem Rastogi with us. Aseem is the Head of CyberSecurity and Compliance at Meesho. Prior to joining Meesho, he was leading the CyberSecurity & Compliance efforts at RazorPay. Aseem, Thank you so much for joining