Hacker Valley Studio

In this video Ronald Eddings and Chris Cochran discuss Layer 8 - The Human Element. It's vital to onboard and promote productivity, positivity, and creativity to Security Practitioners. Ron and Chris share tips on patching and updating Layer 8 for continued success.

Being an expert Threat Hunter is great, but how do you scale as fast as the adversary? Roberto Rodriguez (cyb3rward0g) joins the podcast and shares experience for breaking into cybersecurity and creating a community around scaling cybersecurity solutions.

In this episode of the Hacker Valley Studio podcast, Ron and Chris are joined by co-founders of Material Security, Ryan Noon and Abhishek Agrawal. They co-founded Material Security in 2017, today Ryan serves as the CEO, and Abhishek the CTO. Abishek has a background in engineering, infrastructure and analytics and his MBA from Harvard. Ryan’s background is in engineering and data analysis, and holds multiple computer science and security degrees from Stanford. Before they moved on to creating their own company, they worked together at DropBox.

While they both have a strong engineering background, they are developing a security product. Ryan explains that coding and engineering is why he’s able to work in cyber security, all his years of engineering helped him make a reliable and effective product. Abhishek agrees that both their different backgrounds have carried over into the security industry and says the lessons he learned in productivity and engineering have been incredibly useful. Despite these diverse backgrounds, Ryan says going into security was an easy decision. “Go to where the problems are,” he says. Around the time of the founding of Material Security, there were a lot of problems with email. Abhishek agrees, and says he’s always been interested in email and how it’s being destroyed by threats.

When hackers access your email, what are they looking for? Abhishek explains that they may be downloading all of its contents, or resetting passwords to services like Twitter or Instagram. Material Security works to ask those questions and stop the effectiveness of a breach in email security. This shifts the focus from all the ways someone may hack you, to the implications of that hack. Ryan likens it to a burglary, explaining that their security is less about all the doors and windows - ways to get into your home - but rather what someone may want once they’re inside.

There is a lot of hand wringing in startup land, Ryan says, but there is no one right way to do it. The startup can burn you out, and what made Material Security’s leadership work was the reliance on each other, both he and Abhishek and their third co-founder, Chris Park. For them, this was the magic answer, having a third person gives them a tie breaker and someone who could cut through the noise with clarity. Abhishek agrees, joking that they compliment each other by Ryan giving long detailed answers, and Abhishek can summarize his thoughts. In all seriousness, this balance of responsibility and strengths requires a level of trust and lack of ego but makes the team work smoothly. Having unique skill sets is important, but Abhishek explains overlap is important as well because you can speak the same language and push each other for the best solutions.

When you come from similar backgrounds, no one is the authority and ideas get pressure tested. One of the challenges is using this overlap of skills for good - not letting it paralyze you. Another challenge they faced is knowing where to question and press industry standards, versus where to accept and excel at current practices. When thinking over their challenges and journey they offer some advice to new founders. Ryan stresses, “stop trying to get into things.” People can fall into the trap of trying to get into college, programs, and industries, and end up giving up some of their productivity and creativity to others. He also encourages people to know their partners and communicate with them about everything. Abhishek says people should divorce the idea of leaving their job from starting a company. Instead you should decide if you’re ready to leave your current job and then if you want to go to a new company or start your own.

0:00 - Intro

1:40 - Listeners are introduced to co-founders of Material Security and the episode ahead.

3:05 - Ryan and Abhishek introduce themselves.

5:38 - How do engineering and cyber security intersect?

8:39 - Why did Ryan and Abhishek decide to go into security?

14:28 - Ryan and Abhishek explain what hackers do when they’ve gotten into email.

18:08 - How do Ryan and Abhishek navigate their relationship?

24:19 - Ron asks Ryan and Abhishek about the challenges of the founder’s journey.

26:45 - What piece of advice do they have for new founders?

Links:

Learn more about Material Security.

Learn more about Hacker Valley Studio.

Support Hacker Valley Studio on Patreon.

Follow Hacker Valley Studio on Twitter.

Follow hosts Ron Eddings and Chris Cochran on Twitter.

Learn more about our sponsor ByteChek....

Anne Marie Zettlemoyer is Vice President of Security Engineering and Divisional Security Officer at MasterCard. She’s a mentor to many cybersecurity practitioners and a visiting fellow at the National Security Institute at George Mason University

As far back as elementary school, making sure everyone was treated properly and respected was important for Anne. In college, despite not knowing the first thing about cycling Anne’s determination to do the right thing led her to participate in a 600-mile charity ride to raise money for research towards a vaccine against HIV.

Anne Marie started in Business and holds an MBA in Organizational Behavior and Corporate Strategy, she started on the business side and worked under many titles like Analyst, Controller, Auditor, and Strategist. About 12 or 13 years ago she fell in love with Security because it speaks to her mission of protecting and defending others.

Ron shares about how mentors have helped him learn cybersecurity and asks Anne Marie about when she’s helped others climb the security mountain. Anne Marie recalls being the only woman presenter at a Cybersecurity conference and receiving a certain lack of respect until she demonstrated exactly how much expertise and experience she had. She spoke to some other women in attendance and encouraged them to apply themselves in the same field assuring them that they could also succeed, two years later one of the people she encouraged had become Senior Security Engineer.

Chris asks about what it means to her to be able to show up with others now and whether she had someone like that for her own journey. Anne Marie shares about having to fight for everything herself. She expands that talent, grit, and many things are distributed throughout humanity but opportunity isn’t equally distributed. Anne Marie believes that those with the capability to find those who simply need an opportunity and lift them up have a certain responsibility to do so. That they can lift up those who will also lift up others. Ron asks Anne Marie about what it takes to make a great leader and supporter today. Anne Marie speaks a bit about leading from quiet influence and measures success more by effectiveness. The conversation shifts to how trust is needed when working to communicate risk and security decisions depending on who you’re working with as not everyone will share the same perspectives and backgrounds. Chris asks Anne Marie for a piece of advice for someone who may need someone to show up and protect them and she urges us to try new things, learn new things, expand our own possibilities. Anne Marie speaks about how showing up and trying to reach out can be enough to open new doors.

1:01 — Welcome back to the Hacker Valley Studio our guest this episode is Anne Marie Zettlemoyer.

2:43 — Anne’s amazing fluency in business and how she fell in love with security.

4:37 — The call Anne feels to respect others and make sure they’re respected.

6:48 — The causes to fight for even without complete preparation for the journey ahead.

8:58 — The extremes of a ride to do the right thing, and a helping hand to get you up a mountain.

11:30 — How you can never know the power of showing up for yourself.

13:30 — The power of showing up for others and being the only woman there.

15:34 — Two years after being the only woman cybersecurity presenter at a conference

19:04 — Anne shares about having to fight for everything herself.

20:30 — The responsibility for those that have the heart to find and uplift others.

22:00 — The conversation moves to topics about networking and great leadership.

24:00 — Why having a sense of humility is necessary for a leader and building a network.

25:30 — Learning to not re-invent the wheel.

27:20 — Creating a rounded perspective to build comprehensive solutions.

28:50 — Why you need trust from the folks you’re trying to protect.

31:00 — Advice for someone listening that needs someone to protect or stand up for them.

32:45 — Trying new things one step at a time can be enough.

Links

You can find Anne Marie Zettlemoyer on her Linkedin or her Twitter

Learn more about Hacker Valley Studio.

Support Hacker Valley Studio on Patreon.

Follow Hacker Valley Studio on Twitter.

Follow hosts Ron Eddings and Chris Cochran on Twitter.

Learn more about our sponsor AttackIQ and enroll in The AttackIQ Academy!

In this episode of Hacker Valley Studio podcast, Ron and Chris are joined by Jason Meller, Founder, and CEO of Kolide. Jason has over 10 years of experience in managing and leading security organizations. Jason’s interest in technology and cybersecurity began in the 1990s when he began programming in Visual Basic and building AOL Instant Messenger bots. Building offensive tools accelerated Jason’s interest in defending networks and helped him learn how much honesty plays part in building security solutions.

Jason mentions that the security monitoring software at most organizations have the same functionality as spyware or surveillance tools. In addition, these tools are designed to scrutinize all the actions that occur on a device. COVID-19 has increased the rate of organizations going through a digital transformation; as a result, users at an organization are not in a cubicle but at their home. This could mean that security teams have an extremely elevated level of access to devices without transparency as to what is being monitored to protect an organization. This is why Honest Security was created - to create a transparent relationship between security teams and end-users.

Jason has collaborated with Jesse Kriss from Netflix who is actively working towards incorporating user-focused security. Jason describes that organizations should build a culture based on trusting users, treating them like adults, giving them the tools that they need to do their job, and not treating them as suspects from day one. Instead, organizations and security teams should seek teachable moments by giving recommendations and educating users.

Throughout the episode, Jason describes situations that involve users and security team members maneuvering around security tooling obstacles to get their job done. Since working at home, traditional tools have created friction in the user experience. For instance, not having the ability to use USB ports on work devices, disabling corporate VPN to watch a YouTube video, and having to create a ticket to install software to help them with their job. When this friction is created, users will resort to using their personal devices for work activities and miss the opportunity to benefit from security. In some cases, there are “evil” applications found on a device created by a user - but often bad applications installed by users are Chrome extensions or helper utilities that are sending browsing history to a marketing firm.

In the Honest Security manifesto, there’s a section on empathetic intelligence, Jason describes this concept as thinking of the daily life users, thinking of what challenges are users attempting to solve in their workflow, and what part of that workflow could pose a risk to the organization. An example of this would be a security team member trying to empathize with someone who is a developer- and thinking of their daily workflow. When empathizing the security team may realize that the developer is attempting to fix issues on a production application. While fixing the production application, the developer may try to bring a copy of the application database to their local device. Creating a local copy of the database could pose a security risk the copy of the database is not deleted in a reasonable time or the user has their device auto-backup folders to their corporate or personal cloud storage solution (ie. Google Drive). Creating education for avoiding this mistake is a prime example of empathic intelligence when practicing Honest Security.

As the episode progresses, Jason goes into depth and explains more tenants of Honest Security - The goal is not to give unlimited power to the user or security team but to enable everyone to be in the position to make the right decisions and give appropriate recommendations. When consequences are articulated, users can understand that when maneuvering around security tools can pose a risk to their device and organization. Ie) disconnecting from the corporate VPN. When coaching and education are put as a priority when practicing security, James describes it as empowering the user to be successful and more transparent.

0:00 - Intro

2:28 - This episode features Jason Meller, Founder, and CEO of Kolide!

2:54 - Jason shares his background and his path into cybersecurity.

4:07 - What is Honest Security?

5:22 - Jason’s examples of dishonest security

8:08 - Collaboration with Netflix and User-Focused Security

16:00 - Jason describes Empathetic Security

19:17 - Tenants of Honest Security

35:32 - Wrap Up and Resources for Honest Security

Links:

Learn more about Jason Meller and connect with him on LinkedIn.

Learn more about Honest Security and read the manifesto.

Learn more about Jason’s company