In this episode of Unspoken Security, host AJ Nash welcomes Jeff Foley, founder and leader of the OWASP AMASS flagship project and Vice President and Distinguished Fellow of Research at ZeroFox. They dive into the critical importance of attack surface management (ASM) in cybersecurity, emphasizing the need for visibility from an adversarial perspective. Jeff explains how attackers spend most of their time on surveillance to deeply understand their targets; a vital component to improving the likelihood of being successful during any attack.

AJ and Jeff discuss the transition from government to commercial cybersecurity - including the challenges and opportunities - and Jeff shares his insights on how the commercial sector can benefit from the disciplined and thorough approaches used in government cybersecurity. He stresses the importance of ASM as a form of intelligence, advocating for organizations to identify and manage their attack surfaces as attackers do proactively.

The episode also covers the terminology and misconceptions surrounding ASM, with both AJ and Jeff agreeing that "attack surface management" may not fully capture the essence of the practice, suggesting "attack surface intelligence" as a more accurate term. They underscore the necessity for continuous monitoring and adaptation in a constantly evolving cyber threat landscape.

Finally, as with all episodes of Unspoken Security, our guest (Jeff, in this case), reveals a secret...something that - to this point - has remained unspoken. Like every episode, Jeff doesn't disappoint!

Support the Show.

In this episode of Unspoken Security, host AJ Nash welcomes Virgil Capollari, the founder of Adaptive Risk Strategies, to dive into the intricacies of insider threat programs. They discuss the often misunderstood aspects of these initiatives, emphasizing the importance of clear definitions and transparency to foster trust within organizations.

Virgil, leveraging his extensive experience in intelligence and risk management, highlights the fundamental elements required for an effective insider threat program. He stresses the necessity of executive buy-in and continuous training to maintain security awareness across all levels of an organization.

The conversation shifts to the delicate balance of maintaining confidentiality during
investigations while being transparent about processes and objectives. Virgil advises against excessive secrecy which could alienate the workforce the program aims to protect. Instead, he advocates for a collaborative approach to strengthen the program's effectiveness and ensure organizational security.

Finally, as with all episodes of Unspoken Security, AJ presses Virgil to share something he has never talked about before; something unspoken. Virgil responds with a powerful lesson about the risk of - and potential harm that can be caused by - cutting and pasting.

Support the Show.

In this episode of Unspoken Security, A.J. Nash and Adam Darrah (Senior Director of Dark Ops, ZeroFox) dive into the symbiosis between intelligence backgrounds and cybersecurity. With his roots in the CIA, Adam brings a nuanced perspective on transitioning these skills to private-sector cybersecurity, emphasizing the value of human insight and technical prowess.

The conversation underscores the blend of experience and innovation, where Adam's journey from the CIA to ZeroFox exemplifies leveraging governmental training in entrepreneurial landscapes. It reflects on the essential role of people in cybersecurity, challenging the notion that technology alone can safeguard digital realms.

Moreover, the dialogue navigates through the ethos of cybersecurity operations, highlighting the critical, yet often unappreciated, human element. It dispels the stereotype of cybersecurity work as purely technical, revealing the depth of human engagement in understanding and mitigating threats.

Finally, as with all episodes of Unspoken Security, Adam reveals what has been "unspoken" in his life up to this point...and it's another great reveal.

Support the Show.