Episodes

  • What’s the Purpose of Attack Surface Management?
    Jun 24 2024

    In this episode of Unspoken Security, host AJ Nash welcomes Jeff Foley, founder and leader of the OWASP AMASS flagship project and Vice President and Distinguished Fellow of Research at ZeroFox. They dive into the critical importance of attack surface management (ASM) in cybersecurity, emphasizing the need for visibility from an adversarial perspective. Jeff explains how attackers spend most of their time on surveillance to deeply understand their targets, a vital component in improving the likelihood of success during any attack.

    AJ and Jeff discuss the transition from government to commercial cybersecurity, including the challenges and opportunities, and Jeff shares his insights on how the commercial sector can benefit from the disciplined and thorough approaches used in government cybersecurity. He stresses the importance of ASM as a form of intelligence, advocating that organizations proactively identify and manage their attack surfaces the way attackers do.

    The episode also covers the terminology and misconceptions surrounding ASM, with both AJ and Jeff agreeing that "attack surface management" may not fully capture the essence of the practice, suggesting "attack surface intelligence" as a more accurate term. They underscore the necessity for continuous monitoring and adaptation in a constantly evolving cyber threat landscape.

    Finally, as with all episodes of Unspoken Security, our guest (Jeff, in this case) reveals a secret: something that, to this point, has remained unspoken. As in every episode, Jeff doesn't disappoint!

    1 hr and 6 mins
  • Facts and Myths of Insider Threat Programs
    Jun 10 2024

    In this episode of Unspoken Security, host AJ Nash welcomes Virgil Capollari, the founder of Adaptive Risk Strategies, to dive into the intricacies of insider threat programs. They discuss the often misunderstood aspects of these initiatives, emphasizing the importance of clear definitions and transparency to foster trust within organizations.

    Virgil, leveraging his extensive experience in intelligence and risk management, highlights the fundamental elements required for an effective insider threat program. He stresses the necessity of executive buy-in and continuous training to maintain security awareness across all levels of an organization.

    The conversation shifts to the delicate balance of maintaining confidentiality during investigations while being transparent about processes and objectives. Virgil advises against excessive secrecy, which could alienate the workforce the program aims to protect. Instead, he advocates for a collaborative approach to strengthen the program's effectiveness and ensure organizational security.

    Finally, as with all episodes of Unspoken Security, AJ presses Virgil to share something he has never talked about before; something unspoken. Virgil responds with a powerful lesson about the risk of - and potential harm that can be caused by - cutting and pasting.

    1 hr and 3 mins
  • People are the Solution
    May 27 2024

    In this episode of Unspoken Security, A.J. Nash and Adam Darrah (Senior Director of Dark Ops, ZeroFox) dive into the symbiosis between intelligence backgrounds and cybersecurity. With his roots in the CIA, Adam brings a nuanced perspective on transitioning these skills to private-sector cybersecurity, emphasizing the value of human insight and technical prowess.

    The conversation underscores the blend of experience and innovation, where Adam's journey from the CIA to ZeroFox exemplifies leveraging governmental training in entrepreneurial landscapes. It reflects on the essential role of people in cybersecurity, challenging the notion that technology alone can safeguard digital realms.

    Moreover, the dialogue navigates through the ethos of cybersecurity operations, highlighting the critical, yet often unappreciated, human element. It dispels the stereotype of cybersecurity work as purely technical, revealing the depth of human engagement in understanding and mitigating threats.

    Finally, as with all episodes of Unspoken Security, Adam reveals what has been "unspoken" in his life up to this point...and it's another great reveal.

    1 hr and 7 mins
  • Evolution of the CISO
    May 13 2024

    In this episode of "Unspoken Security" - a turbo-charged special recorded live at the RSA Conference last week - host AJ Nash and guest Kayla Williams of DEVO dive into the evolving role of Chief Information Security Officers (CISOs) in today’s fast-paced cybersecurity landscape. Kayla, a seasoned CISO with a non-traditional background in governance, risk, and compliance (GRC), shares insights into the unique advantages and challenges of her career path. Her expertise in translating security into business terms fosters strong collaborations and aids in securing budgets—essential for driving security initiatives forward.

    Kayla emphasizes the strategic importance of aligning security objectives with business goals, highlighting how security is not just a cost center but a growth driver in modern enterprises. Her approach underscores the necessity of communication skills and business acumen for CISOs, which are often overshadowed by the technical aspects of the role.

    The conversation also touches on the interpersonal skills crucial for leading security teams, such as emotional intelligence and the ability to manage stress and team dynamics effectively. Kayla’s journey illustrates the broader impacts of security leadership, from fostering trust among customers to navigating the complexities of corporate governance and compliance. This episode is a must-listen for those interested in the broader implications of cybersecurity leadership and its integration with business strategies.

    And, as usual, this episode ends with our guest telling us something that has so far gone unspoken...and Kayla overachieved by sharing two very interesting stories that I'm certain you'll want to hear.

    25 mins
  • Challenging Assumptions at the Intersection of Cyber and Physical Security (Part 2)
    Apr 29 2024

    In this episode of Unspoken Security, host A.J. Nash continues his conversation with guests Ana Aslanishvili & Shawn Abelson from Pine Risk Management as they dive into the intricacies of security risk management, challenging the conventional separation between cyber and physical security. They emphasize the critical need for a holistic security approach, shedding light on common assumptions and practices that might not hold up under scrutiny.

    Through engaging discussions, the trio uncovers the subtle yet impactful differences between penetration testing and red teaming, illustrating the value of viewing security measures through the lens of potential adversaries. This approach tests the effectiveness of existing security protocols and fosters a culture of continuous improvement and adaptation to evolving threats.

    Listeners are treated to real-world anecdotes, from navigating the challenges of physical security assessments to the nuances of social engineering, offering a rare glimpse into the minds of security professionals who think outside the box to protect organizations from obvious and obscure vulnerabilities.

    This episode serves as a reminder of the ever-blurring lines between physical and cybersecurity, urging professionals and organizations alike to adopt a more integrated and dynamic approach to safeguarding their assets.

    Finally, as is customary on "Unspoken Security," Ana and Shawn each share something they hadn't previously talked about...something unspoken...and you're going to want to hear their stories.

    38 mins
  • Challenging Assumptions at the Intersection of Cyber & Physical Security (Part 1)
    Apr 15 2024

    In this episode of Unspoken Security, host A.J. Nash welcomes Ana Aslanishvili and Shawn Abelson from Pine Risk Management. Together, they dive into the often-overlooked intersection of cyber and physical security. With a combined experience of 30 years, Ana and Shawn share their insights on the importance of integrating these two realms to fortify organizational defenses against evolving threats.

    The conversation highlights the critical distinctions between penetration testing and red teaming. Ana and Shawn explain how red teaming goes beyond traditional pen testing by adopting an adversary's perspective, aiming to challenge and improve the existing security measures. This approach not only tests the effectiveness of physical and cyber security controls but also enhances the overall resilience of organizations against sophisticated attacks.

    The episode sheds light on the synergy between intelligence and security practices. By leveraging threat intelligence, Ana and Shawn illustrate how organizations can anticipate and mitigate potential security breaches. Their expertise underscores the necessity of a holistic security strategy that encompasses both cyber and physical aspects, urging businesses to reassess and strengthen their security posture.

    50 mins
  • How to Demonstrate the Value of Cyber Threat Intelligence
    Apr 1 2024

    In this episode of Unspoken Security, AJ Nash is joined by Senior Threat Intelligence Analyst (and PhD candidate) Freddy Murre. Freddy brings his years of intelligence and security experience across military service and consulting into a discussion about one of the most common challenges many of us face: demonstrating the value of Intelligence.

    Freddy and AJ discuss some of the consistent challenges they see in building intelligence-driven security programs, including educating leadership on the differences between data, information, and Intelligence, structured analytic techniques, and how to speak the language of leadership needed to secure and grow budgets. They go on to share their views on building trust and demonstrating value to leadership, as well as available tools to measure that value in objective, defensible ways.

    As always, the show wraps up with our guest revealing something that had, to this point, gone "unspoken." Freddy, like every guest, didn't disappoint with his candid answers.

    P.S. Freddy referenced his mind map project, so we wanted to ensure you could find it!
    - https://github.com/Errum/IntelArchitectureMap

    1 hr and 2 mins
  • True Stories from the Dark Web
    Mar 18 2024

    In this episode of Unspoken Security, AJ Nash is joined by Roman Sannikov, the President of Constellation Cyber LLC. Before his current efforts conducting research and delivering Intelligence reports for various clients, Roman has led multiple teams focused on combatting threats in the Deep and Dark Web.

    Roman and AJ give a brief overview of what we all mean when we say "Deep Web" or "Dark Web" to ensure we're all speaking the same language, and then discuss the subcultures and self-regulation within some of the busiest criminal marketplaces. Roman provides insights into what has changed over the last couple of decades (and what has remained the same) as cybercriminals have become more structured and professionalized.

    The discussion then turns to the things people often misunderstand about cybercriminal marketplaces and how easily people can go wrong in choosing how to combat these threats. From there, the show focuses on some of the myths and true stories from Roman's long and storied career as a resident within the cybercriminal underground, including some fascinating stories about his work on behalf of the FBI.

    As always, the show wraps up with our guest revealing something that had, to this point, gone "unspoken." While I don't want to give too much away, Roman didn't disappoint when he revealed his "unspoken" truth.

    1 hr and 12 mins