Adversarial Content

— Browse our blog posts, articles, and episodes of The Adversarial Podcast
The Adversarial Podcast Ep. 13 - East/west coast CISOs, top CISO expenses in 2024, crypto regulation

In this episode of The Adversarial Podcast, Jerry, Mario, and Sounil bring their adversarial insights to a packed discussion of the latest topics in enterprise cybersecurity. The Adversarial Podcast - East Coast vs. West Coast CISOs: The trio explores the divide between East Coast and West Coast CISOs. Is the East too focused on risk? Does the West overfit to AppSec and "shift-left" practices? - 2024 CISO Budget Report: Where are CISOs spending their increasing budgets in 2024? The hosts

The Adversarial Podcast Ep. 11 - incoming Trump administration, Microsoft's leaked SaaS creds, and software liability policy

Introduction: * The episode opens with a discussion on securing devices for employees traveling to high-risk countries, like China, as a way to protect corporate data and maintain customer trust. * Hosts Jerry, Sounil, and Mario welcome listeners and discuss recent events, including the FS-ISAC Fall Summit in Atlanta and geopolitical implications of the recent election. Key Topics: 1. Geopolitical Risks: * The group explores China's espionage activities and Russia's geopolitical maneuv

The Adversarial Podcast Ep. 10 - the CISO job market, CRQ, beg bounties, cryptography...

The Adversarial Podcast Ep. 10 - the CISO job market, CRQ, beg bounties, and cryptography (00:00) Intro (5:15) The CISO job market: present and future (25:57) Handling beg bounties and VDP (41:30) Quantum cryptography – how important is cryptography, really? Stories: * “Chinese Researchers Reportedly Crack Encryption With Quantum Computer” - https://www.pcmag.com/news/chinese-researchers-reportedly-crack-encryption-with-quantum-computer Hosts: * Jerry Perullo: https://www.l

The Adversarial Podcast Ep. 9 - NIST password guidelines, CUPS vulnerabilities, breach vs. hack

The Adversarial Podcast Ep. 9 - NIST password guidelines, CUPS vulnerabilities, breach vs. hack Episode notes (00:00) Intro & NIST’s new password complexity requirements (13:19) CUPS vulnerability: critical or a distraction (31:26) Federal standards for cybersecurity in health care: should legal responsibility fall on individuals? (47:30) What constitutes a hack vs a breach? Stories: * “NIST Drops Password Complexity, Mandatory Reset Rules” - https://www.darkreading.com/identity-ac

The Adversarial Podcast Ep. 8 - Pagers and Supply Chain Attacks, GitHub stealers, “Founder Mode”

(00:00) Intro (02:24) Exploding pagers: are psychological attacks worse than breaches? (20:21) Are credit card breaches still a concern in 2024? (24:57) Infostealer delivered through GitHub Issues: how are trustworthy services being abused? (31:45) Founder mode: when is it time to switch from "founder mode" to "manager mode?" (44:02) Is open-source more secure than closed-source? The Adversarial Podcast Ep. 8 - Pagers and Supply | RSS.com Stories and books mentioned: * “Israel plant

The Adversarial Podcast Ep. 7 - Security Certs, Vulnerability Disclosure, and Effective Security Controls

Episode notes Listen as CISOs-turned-founders Jerry Perullo, Mario Duarte, and Sounil Yu discuss the value of security exams and question the relevance of certain certifications in today’s industry. Then, they debate into the vulnerability disclosure process, exploring how CVEs impact companies outside the SaaS world and whether CISA’s "Secure by Design" initiative is truly effective across industries. Finally, they discuss security misprioritization, from school systems to corporate desktops,

The Adversarial Podcast Ep. 6 - SSN Leaks, Cloud Misconfigurations, and Passkeys

Episode notes Join former CISOs-turned-founders Jerry Perullo, Mario Duarte, and Sounil Yu as they debate the impact of SSN leaks, discuss the effectiveness of recently implemented ransom payment bans in Miami, and recently reported AWS misconfigurations. Then, listen as they debate passkeys, vulnerability management, and board reporting. The Adversarial Podcast Ep. 6 - SSN Leaks, Cloud M | RSS.com 00:00 Intro 02:17 Social Security Number breach 14:48 Ransomware payment bans 21:47 AWS

The Adversarial Podcast Ep. 5 - Why Boards want more Joe Sullivans and Tim Browns and less CISOs - Jerry Perullo live at Evanta

Episode notes Speaking live at the Evanta CISO Summit in Atlanta in June 2024, host Jerry Perullo talks candidly about why CISOs are failing to land Board Director roles. The Adversarial Podcast Ep. 5 - Why Boards want mo | RSS.com

The Adversarial Podcast Ep. 4 - CrowdStrike Lawsuits, Overhyped Exploits, and Fake Remote Employees

Episode notes Join former CISOs-turned-founders Jerry Perullo, Mario Duarte, and Sounil Yu as they discuss upcoming lawsuits related to the recent CrowdStrike outage, switching costs, overhyped security vulnerabilities and their effect on practitioners' responsibilities, fake employees from North Korea, the information stealers and the state of password managers, and the increasing threat of deepfakes. The Adversarial Podcast Ep. 4 - CrowdStrike Lawsui | RSS.com Stories * “CrowdStrike i

The Adversarial Podcast Ep. 3 - CrowdStrike, Wiz Acquisition Rumors, and SolarWinds

Episode notes In this episode, former CISOs-turned-founders Jerry Perullo, Mario Duarte, and Sounil Yu discuss the recent Crowdstrike outages, PR in the recent Wiz acquisition rumors, stakeholder value in Rapid7, and the SEC dropping charges in the SolarWinds case. Stories: - Activist Jana has a stake in Rapid7. There are two paths to bolster value at the cybersecurity company: https://www.cnbc.com/2024/06/29/two-paths-for-jana-to-bolster-shareholder-value-at-rapid7.html - Google Near $23

The Adversarial Podcast Pilot – Cybersecurity Investments, Secure Configurations vs. Code, and Risk Management

Episode notes Join former CISOs-turned-founders Jerry Perullo, Mario Duarte, and Sounil Yu as they reflect on the state of cybersecurity investments in 2024, debate the importance of configuration vs. code security, and discuss the importance of governance in risk management. Stories: * ‘There’s A Lot Of Noise’ — VCs Trying To Find Clarity In Cluttered Cyber AI Landscape: https://news.crunchbase.com/cybersecurity/venture-funding-ai-wiz-ma-rsa/ * Wiz raises $1B at a $12B valuation to expan

The Adversarial Podcast Ep. 1 - Snowflake, Shared Fate, and the Gili Ra’anan Model

In this episode, former CISOs-turned-founders Jerry Perullo, Mario Duarte, and Sounil Yu discuss the recent wave of cyber-attacks using Snowflake and the model of shared fate. They debate the effectiveness of banning ransom payments and explore the complexities of cybersecurity regulation, using recent events involving UnitedHealth and Jerry's former employer as case studies. The conversation also touches on the ethical dilemmas CISOs face when interacting with venture capital, highlighting pers

The Risk Acceptance Myth

The notion of "Risk Acceptance" has always challenged me. For the uninitiated, Risk Acceptance is a concept often discussed in cybersecurity leadership when it comes to accountability for cyber debt. The idea is that cybersecurity leaders and other professionals identify risks and recommend mitigating actions that would reduce that risk, but recognize that it is always up to business leadership to weigh the costs and benefits of change and make a final decision. Risk Acceptance has always come u

Overrated? On TPRM, SBOM, Solarwinds, and Supply Chain Security

We've all run to the same side of the boat on supply chain security when it comes to cyber. Rather than chasing the Sisyphean (and antithetical to modern product-development philosophy) task of ensuring our suppliers deliver perfectly secure software, we should be expected to architect and deploy our dependencies with the assumption they will be compromised at some point, minimizing the amount of impact that could have and ensuring we could detect such an issue timely. To expound on it, I'll sa

Encryption is Overrated

Years ago I found myself in one of those awkward elevator pairings where you are unexpectedly face to face with your CEO. It's a particularly awkward spot when you are a CISO, as beyond the usual desperation to sound brilliant that most execs feel in that spot, the CEO these days also feels pressure to demonstrate "tone at the top", "executive buy-in", and "stakeholder oversight" when given the chance. In that particular vignette I doubled down on the awkwardness, as his quick cordial cyber com

Bad CISO Archetypes

As part of my advisory work, I often help companies find and/or interview security leaders. While I'm a huge fan of screening quizzes, I realized that I should go a step further and help firms understand what I'm trying to detect or avoid during the interview process. In the process of discussing this with some peers, the Bad CISO Archetypes list was born. Look out for these when you are hiring - but more importantly steer your career to avoid becoming one! Chicken Little You don’t want someo

Vulnerability management is dead. But GRC is hiring...

I used to have a TVM team. Threat & Vulnerability Management. The individuals in there had the word "Vulnerability" in their titles. It's how a lot of shops roll. TVM seemed to become a default piece of the "build a cyber shop playbook". And if you survey big CISO organizations today, you'll still find a lot of TVM departments. I'm not sure how this came to be, but I can't think any of us ever organically decided that we needed an individual - no less a team - specifically tasked with managing

How much AppSec is too much?

I've been using the term "West Coast CISO" a lot lately. While it feels like CISOs used to be either network/infrastructure CISOs or risk manager CISOs, now the split is having to make room for the CISO heavily focused on code security. The image is one of a CISO born in the cloud, focused on delivering (security) bug-free code, and thus focusing architecturally on CI/CD, change control, and automation, to oversimplify. This emphasis on code is contrasted with network controls and discussion of

IOCs aren't for blocking - they are for control validation

There is a misconception out there that security departments should be ingesting feeds of Indicators of Compromise (IOCs) and loading them into firewalls, endpoint software, and proxy configurations as soon as possible. This perception is amplified by product marketing focused on the task, and it's easy to get caught up in the idea that this is our mission. By the time an IOC has been published in an intelligence report, there is a high likelihood it has been neutralized. Imagine a command & co

Patching is Overrated

Patching became a household term during the Equifax security breach and Congressional hearings. While IT maintenance and hygiene have their place in running a secure environment, over-emphasis can distract limited resources from more important tasks or trigger operational risks. Patches are only relevant when a security vulnerability is known and addressed by a vendor. So whether it is a 0-day vulnerability discovery without a patch yet available or just the unavoidable window between the time

It's not the 2FA.. it's the 1TP!!!

Multifactor authentication (MFA / 2FA) is arguably the most powerful security control deployed over the past 20 years. But it dawned on me that it isn't multi that's really getting it done. It's the fact that one of those factors has been a one-time-password (OTP or 1TP) in a token or app that changes every 60 seconds. The unwritten math about MFA is that a single factor is difficult to compromise, and thus two of them = difficult^2. But in reality our static credentials have become easy thanks