Insights into Security Research and Internet Mapping

1 00:00:00
Speaker 1: I was going.

00:00:00
Emily, it's great to finally have you on.

00:00:03
I feel like we've been trying to schedule this thing for, I

00:00:07
mean, what seems like an entire year at this point.

00:00:09
Speaker 2: Yeah, no, I'm glad we could finally finally make it

00:00:12
work, make it happen.

00:00:13
So, yeah, I'm excited to be here and to chat with you.

00:00:17
Speaker 1: Yeah, absolutely so.

00:00:19
You know, Emily, I always start everyone off with telling their

00:00:22
background because I feel, like you know, for a wide variety of

00:00:27
people that may be listening to the podcast, if they want to

00:00:31
get into security, it's important for them to hear you

00:00:35
know a different background, right For them to hear it and

00:00:39
know like, oh well, if they did it, maybe this is possible for

00:00:42
me.

00:00:43
So what's your background?

00:00:45
How did you get into IT?

00:00:46
How did you get into security?

00:00:48
You know, maybe, what peaked your interest in those areas to

00:00:53
make you go down this kind of crazy rabbit hole of

00:00:56
cybersecurity?

00:00:57
Speaker 2: Yeah, yeah, yeah.

00:00:59
So I love this because I feel like I often get asked you know,

00:01:03
how do I get in?

00:01:04
As if there's sort of this one core or ideal path and really

00:01:08
the reality is very different.

00:01:09
Like I think, as you probably know, like lots of different

00:01:12
ways to get into this industry.

00:01:14
So I, for me, I was really interested in like computers.

00:01:22
As a kid I kind of, like you know, did the whole, you know,

00:01:25
learn how to build websites and write HTML and notepad and like

00:01:28
all of that kind of stuff, and so that was really interesting

00:01:33
to me and I had no idea that that was actually a thing you

00:01:35
could do, is like a job, because I think this was a little bit

00:01:38
before I don't want to date myself too much, but this is a

00:01:41
little bit before that was like a big, a big thing.

00:01:43
This was before tech was such a big thing and such a like

00:01:47
highly sought after career, and so it was very into that.

00:01:51
I really loved it.

00:01:52
And then when I went to undergrad, I wanted to do

00:01:55
computer science and I was actually told by a very well

00:01:59
meaning person but that it would be too hard for me that I

00:02:03
wasn't caught out to do CS and I listened, which I wish I hadn't

00:02:08
, and I would encourage anyone who hears that to not listen

00:02:11
like.

00:02:11
If it's something that you really feel pulled to do like,

00:02:13
go for it.

00:02:14
And I ended up doing psychology instead.

00:02:17
But this turned out to be kind of a great thing because I spent

00:02:20
about a year and a half working in a research lab, stayed and

00:02:24
did like an undergrad honors thesis and all that and I

00:02:26
through that I really discovered that I loved research.

00:02:29
I loved the idea of kind of like carving out new information

00:02:33
and figuring out new, new facts and uncovering new, new pieces

00:02:37
of the puzzle.

00:02:38
You know, in that case it was around cognitive psychology.

00:02:40
But that was really kind of the first inkling to me that like

00:02:44
research was a thing I was interested in.

00:02:47
And I went on to like I worked for a neuro marketing company

00:02:50
for a couple of years, which is wholly unrelated to what I do

00:02:54
now.

00:02:54
But then I got my first job in tech about 10 years ago now and

00:03:01
I was a quant essentially for a user research team.

00:03:05
So they brought me in to help essentially identify customers,

00:03:09
as I was working at a software company and the user research

00:03:13
team there wanted to find interesting customers to talk to

00:03:17
, to interview, and so my charge was go look in our user

00:03:21
database and find people who are doing interesting things with

00:03:24
our platform.

00:03:25
So you can probably kind of start to put the pieces together

00:03:29
like oh, this is, this is anomaly detection, you're

00:03:32
looking for weird things and very large sets of data.

00:03:34
And so I did that for a few years and that's really where

00:03:38
I'd say like I honed my like programming skills and kind of

00:03:41
got more, more experience like with databases, with actually

00:03:43
writing code to, like you know, analyze data, doing

00:03:46
computational analysis and things like that.

00:03:48
And so I did that for a few years and I still always kind of

00:03:53
felt pulled a little bit toward security.

00:03:56
Like I read 2600 and like hacking magazines like at

00:04:01
various points in my life and I was just really, really

00:04:04
interested in it.

00:04:05
And somehow an opening came available on our security team,

00:04:11
the company where I worked at the time, and I had no business

00:04:15
applying for it.

00:04:15
Frankly, like I still don't know how I wound up getting

00:04:19
getting the role, but I wound up getting a position on the

00:04:23
security team and it was like I feel like that's what you know.

00:04:26
You think back about your life and you think about these

00:04:28
branching points of like the decisions you've made and I feel

00:04:31
like this is still one of probably the most impactful

00:04:34
decisions I ever made was taking that role and it was actually

00:04:41
kind of a hard, hard thing to step into because I got on the

00:04:44
team and I was so excited.

00:04:45
Everyone was super nice, like just really wonderful.

00:04:47
But everyone on the team was either an application security

00:04:52
engineer, just like software security engineer, or they were

00:04:55
a pen tester.

00:04:56
Speaker 1: And I was like well.

00:04:57
Speaker 2: I'm not.

00:04:57
I don't.

00:04:58
I'm not one of those Like I can write code but I'm not a

00:05:00
software engineer.

00:05:01
I can kind of figure things out but I'm not a pen tester.

00:05:04
And so I had to spend some time kind of figuring out like how

00:05:09
my skills actually fit into this broader team.

00:05:12
And it turned out that in that particular scenario you know, I

00:05:16
had been at the company for a while, I knew the data, I knew

00:05:19
the user data quite well in our databases, and so that actually

00:05:24
put me in a good position to be able to help, from a security

00:05:27
perspective, find unusual things that were going on in our

00:05:31
environment and user accounts against the application, like

00:05:34
all of that kind of kind of domain right, and so it enabled

00:05:38
me to actually carve out another sort of like subgroup on the

00:05:41
team which became the blue team for our org.

00:05:45
So that was really really cool and rewarding.

00:05:47
Kind of going from I have no idea what I'm doing here to

00:05:50
everyone, kind of going you'll figure it out, it'll be fine,

00:05:53
and then being able to kind of say, no, actually there is a

00:05:57
place for these skills here.

00:05:58
I think you know, coming from sort of the analytics and data

00:06:01
place, data, data world, there are a lot, there's a lot of need

00:06:06
for those skills in security and it's not getting, it's not,

00:06:10
it's not going away.

00:06:10
I'll say and yeah, so I spent a few years there and worked on a

00:06:16
couple of big projects where I felt like I was really, I really

00:06:20
wanted to get into security research.

00:06:21
That was really just like what was calling me Incident response

00:06:24
got really really a lot after a while like I just wanted to

00:06:27
sleep and not have a pager and so, yeah, had a couple of

00:06:33
different roles in security, engineering and research and now

00:06:37
, and for the last almost two years, I've been at Census.

00:06:40
So I am a senior researcher here and lead the security

00:06:44
research team.

00:06:45
And yeah, I mean it's.

00:06:47
I feel I feel so lucky to get to get to do, to do this every

00:06:52
day.

00:06:52
The internet is a wild, weird place, but man, it's fun.

00:06:58
Speaker 1: Yeah, it's really, you know, it's.

00:06:59
It's interesting how, like, the internet came about and now we

00:07:04
all have careers based on the internet, you know, and it's

00:07:08
like we all have, you know, a million different niches and

00:07:13
areas of specialty and things like that.

00:07:15
It's just, it's really, it's fascinating, you know, because,

00:07:19
like I'm sure, those people that you know cobbled this thing

00:07:22
together right in the beginning, like they never, they never

00:07:26
imagined that.

00:07:27
You know, that there would be security issues and security

00:07:31
researchers and things like that .

00:07:34
It's just, it's fascinating to me, yeah.

00:07:36
Speaker 2: Yeah, well, I mean, if you think back, like if going

00:07:39
back to like the late 80s, when when you had like the Cuckoo's

00:07:42
egg cliff stole kind of, the first really big like intrusion,

00:07:46
like computer network intrusion , that kind of you know,

00:07:49
captured the public's imagination, I guess, or

00:07:52
interest, that was fascinating.

00:07:54
And you go back and you read that book now and you're like,

00:07:57
wow, I can't believe there were.

00:07:59
There were no protections, there were no.

00:08:01
You could just kind of like dial up and log in and there was

00:08:03
no.

00:08:03
Like things have changed so much and it's such an

00:08:07
interesting it's been.

00:08:09
It's interesting to see, like you know, going back and reading

00:08:11
that now and seeing kind of how things have changed and all the

00:08:15
different needs we have as we kind of shift more and more into

00:08:18
this very like online space in our lives.

00:08:22
Speaker 1: Yeah, yeah, it's a.

00:08:24
It's a completely different world because of it.

00:08:26
Yeah, so when you, when you were applying, you know, to that

00:08:32
first security role, that first security team, you know, you

00:08:37
said that you know you basically had, you know, no business

00:08:41
applying to the team or the role or anything like that.

00:08:43
How did you overcome that?

00:08:45
Because there's a lot of people out there that you know see

00:08:49
roles on the internet and if they're not 100% a match, if

00:08:53
they don't have everything on the list, like they don't even

00:08:55
consider it.

00:08:56
You know, and for me, you know, with my background, I mean I

00:09:03
did over 300 interviews before I got into security, you know,

00:09:10
and that was the most frustrating part, and I was

00:09:13
applying to things that you know , I was 50% a match for I would

00:09:18
meet the, I guess, the social skill part of it, but I wouldn't

00:09:23
meet, you know, half of the mental skill or the technical

00:09:27
skill part of it.

00:09:27
You know, so how did you, how did you overcome that part of it

00:09:31
?

00:09:31
Was there anything that you did that you know helped you

00:09:36
through it?

00:09:37
Or did you just say screw it?

00:09:38
I'm going to see where this goes.

00:09:40
Speaker 2: It was a little bit of both.

00:09:41
So I totally want to like double down and say to anybody

00:09:46
who's listening if you see something that's interesting to

00:09:49
you and like you know you've been working on those skills and

00:09:51
you don't meet like 50% of the job criteria, apply anyway.

00:09:55
Like, do it anyway.

00:09:56
We tend to self-select out for a lot of things that we would

00:09:59
actually be really good fits for .

00:10:01
So, like, do it anyway.

00:10:02
And this was kind of that like, and to give some more context

00:10:06
for this, in my case it was a little bit of a special

00:10:09
situation because it was an apprenticeship program, so kind

00:10:14
of like an internal internship, where the applicant got like

00:10:18
three months to go join this new team, kind of see if it's a

00:10:20
good fit and then if at the end of the three months it was, then

00:10:23
you'd get hired onto the team and if not, you had the safety

00:10:27
net of your existing position to sort of fall back into.

00:10:30
So I want to fully acknowledge like I had a lot of safety nets

00:10:33
and kind of training wheels and sort of like.

00:10:36
This was a very unique situation .

00:10:38
But in terms of preparing and kind of getting ready, I leaned

00:10:43
really heavily on the experience I did have.

00:10:45
I was like you know, I've been here several years, I know the

00:10:50
user data, I understand the application, I understand, you

00:10:52
know, from a user perspective, I understand where things are in

00:10:56
the database, like I know kind of where the like the skeletons

00:11:01
in the closet are, if you will.

00:11:02
And so I kind of leaned on the things that I knew were my

00:11:05
strengths, which I think is always a good strategy, right,

00:11:09
like leaning on things that you know, that you know very well,

00:11:14
and kind of going from there and saying like, hey, this is what

00:11:17
I can bring to the team and also showing that you know, I kept

00:11:21
up with security news.

00:11:22
Even then, you know, like following certain RIP Twitter I

00:11:26
guess but like certain accounts on Twitter, or like you know

00:11:31
different blogs, different security kind of influencers.

00:11:33
Even back then I was ready to talk about that and say like

00:11:38
here's how I kind of learn things, here's what I'm

00:11:40
interested in, here's what you know, here's my plan or here's

00:11:43
kind of what I envision being able to do in this role.

00:11:48
And so, yeah, I would say just like really leaning on your

00:11:50
strengths, because the wonderful thing about security, I think,

00:11:55
is that there's a lot of space for a lot of different skills

00:11:59
and I think for those of us who kind of got into it a little bit

00:12:03
before the before, it got really really cool to be in

00:12:06
security, like it became a thing Like I think you know, now

00:12:10
we're seeing degree programs and like boot camps and all that.

00:12:13
Like a little bit before that, I think you kind of just had to

00:12:16
be like, hey, here's what.

00:12:17
I know how to do, I'm really good at this thing and I think I

00:12:20
can, I can, add some value because this is my area of

00:12:25
expertise, yeah, so I feel like that.

00:12:28
You know, your mileage may vary .

00:12:29
Again, everybody's got a different background and

00:12:31
different experience, but for me that's kind of what I what I

00:12:34
tried to lean on.

00:12:37
Speaker 1: So did you know the hiring manager beforehand or

00:12:41
anyone on the team beforehand?

00:12:44
Speaker 2: I had like met them briefly at different like

00:12:47
company functions.

00:12:48
But I actually did go and like talk to the hiring manager a

00:12:51
little bit ahead of time and I was like hey, I'm really

00:12:53
interested in this.

00:12:54
I just want to let you know I'm going to be putting my

00:12:55
application just to kind of chat with him and let him know.

00:13:00
Like hey, I probably don't have a really strong chance at this,

00:13:04
but I'm going to give it a shot .

00:13:06
But apart from that, no, like I really didn't know anyone on

00:13:09
the team at the time.

00:13:11
Speaker 1: Yeah, I have a good friend of mine that I actually

00:13:15
grew up with and he went down a totally different path in life

00:13:20
and he's, you know, warehouse worker and he's he's been doing

00:13:23
that for like 15 years at this point and he's kind of miserable

00:13:28
, you know, and so he's always been interested in IT and

00:13:33
security and I always told him like, hey, man, you're, you're

00:13:36
literally working at a giant company.

00:13:38
I guarantee you they have, you know, not just one security team

00:13:42
, they have like probably five or 10 security teams.

00:13:45
Like all you need to do is just reach out to someone in IT and

00:13:50
go from there, you know, and like I feel like it's that

00:13:57
actually doing that, you know, and saying, saying to himself

00:14:01
like oh, it's okay for me to do this, which like holds him back

00:14:06
from actually making that a progress, you know, and yeah,

00:14:09
it's a daunting thing, but at the same time, what do you have

00:14:13
to lose, you know, like what do you really have to lose in this

00:14:18
situation?

00:14:19
If you're unhappy, probably not making enough money, you know,

00:14:24
and an email is standing in between you and you know, a

00:14:29
happier, more fulfilling future, like, why not send the email?

00:14:34
Speaker 2: Yeah, I mean it's scary to put yourself out there

00:14:36
Like I have.

00:14:37
I've talked with folks, I have friends who have been in similar

00:14:40
situations and it's like it can be, I think, crippling for some

00:14:45
folks too, because they're like , why don't want to?

00:14:46
I don't know, is this okay to do?

00:14:48
Like it's just, it's not clear always, I think, that kind of

00:14:51
norms around it.

00:14:52
But to your point, like shoot your shot, like you get one

00:14:56
chance at this, like do do it.

00:14:58
Like the only thing that's going to happen, like the worst

00:15:01
thing that's going to happen is they're going to say no or just

00:15:03
not respond and like, yeah, that does burn a little bit, it

00:15:06
stings a little bit, especially the first few times.

00:15:08
But you start to get a little more resilient and you start to

00:15:11
realize like no, I can do this, like I am worth putting myself

00:15:16
out there, like I know things, I have skills I can offer, like

00:15:20
you know.

00:15:20
And I think just showing that initiative sometimes can go a

00:15:23
long way.

00:15:25
Speaker 1: Yeah, when, when someone tells me no with a job

00:15:28
and I don't know why I've always been like this like okay, onto

00:15:31
the next one, you know like I'm going to waste any time like

00:15:34
they didn't like me for whatever reason, you know, when

00:15:38
interviews go really well, I'll like I'll dwell on it a little

00:15:42
bit.

00:15:42
I'll be like man, I was really frustrating, like you know.

00:15:46
Why did I not get that?

00:15:48
Speaker 2: Right.

00:15:49
Speaker 1: Right.

00:15:49
But yeah, it's.

00:15:51
You know, I feel like you almost have to be a bit of a

00:15:55
like a mercenary.

00:15:56
You know at some point, right, like you got to, you got to be.

00:16:01
You know, give it a mission.

00:16:02
You got to give yourself a mission and then you got to not

00:16:05
care how it gets done.

00:16:06
You know like it gets done, how it gets done and don't ask any

00:16:10
questions.

00:16:11
Yeah.

00:16:13
Speaker 2: I mean and that's the thing too is like you just kind

00:16:16
of have to be willing to keep pushing and it's so.

00:16:19
Again, it's exhausting, like I know.

00:16:22
I see stories all the time of people who, like they've

00:16:25
hundreds of applications, all of these things.

00:16:27
But, like you, you will find the right thing when, like you

00:16:32
just have to keep pushing.

00:16:33
Um, and I would say, like, if there's folks on LinkedIn or,

00:16:38
you know, twitter or Mastodon or wherever that like reach out to

00:16:41
people like you know, again the worst folks can say is like no,

00:16:45
I can't, or like just not respond.

00:16:47
But like, get people's perspectives.

00:16:49
Like, if you're continuing to get rejections and you're not

00:16:52
quite sure why, like get some extra eyes on your resume, get

00:16:55
some extra eyes and like do a mock interview with some folks,

00:16:58
some friends, or something like that.

00:17:00
Um, you know, because there are definitely ways to improve at

00:17:04
that and like it's.

00:17:06
I think it's especially weird, for I mean, for me it's really

00:17:10
weird.

00:17:10
I know, for a lot of folks in the industry it's weird.

00:17:12
It's weird to feel like you kind of have to market yourself.

00:17:14
Um, because that feels very unnatural, I think, to a lot of

00:17:18
us who are like I don't want to, I just want to like sit and do

00:17:21
computer things Like this is my happy place.

00:17:22
I really want to be thinking about like what is my personal

00:17:25
brand or all of that kind of stuff, but like it really can

00:17:30
help in terms of like you know folks, kind of knowing your name

00:17:33
, folks, knowing who you are, um , you know being being somebody

00:17:38
who's putting you know, writing a blog, publishing posts on

00:17:41
LinkedIn or different things like that.

00:17:43
Like those things can help.

00:17:45
I mean, it's nothing is guaranteed, but like thinking

00:17:48
about how you're putting yourself out there and kind of

00:17:50
the public presence that you have, uh, can can help,

00:17:54
especially like in those early, kind of early stages where

00:17:56
you're trying to break in.

00:17:58
I think.

00:18:00
Speaker 1: Yeah, you know, and when you're doing that, I always

00:18:03
thought that I didn't have anything unique or valuable

00:18:07
enough to like provide to the industry.

00:18:09
Right, why am I creating some you know extravagant LinkedIn

00:18:14
posts or a blog post?

00:18:15
Right, like I don't have anything special, like I'm

00:18:18
nobody, um, but it gives you a voice, really, when you don't

00:18:24
really have a voice outside of it.

00:18:26
You know, and you know you're not going to be able to do that.

00:18:28
It's very easy to snowball the interactions and the views and

00:18:33
downloads right, like with a podcast or a blog or anything

00:18:36
like that, and I found that it's actually really beneficial.

00:18:43
Like I've gotten opportunities just because I started that blog

00:18:47
and I started this podcast.

00:18:49
Right, I've gotten opportunities I never would have

00:18:52
, I never would have even been considered for, I never even

00:18:56
would have considered myself for them.

00:18:58
It only benefits you because, as you're doing it, you're

00:19:04
developing other skills.

00:19:06
You're developing new skills of how to think about a technical

00:19:10
topic and then write it in the way that many people can consume

00:19:15
it.

00:19:15
That's something that's actually really unique.

00:19:19
That published authors even struggle with is actually taking

00:19:24
a technical topic and dumbing it down.

00:19:27
Enough, I mean, I don't want to say dumbing it down, but like

00:19:30
yeah, like making it accessible.

00:19:32
Yeah, you're taking it down to its most basic parts and you can

00:19:35
say like OK, if I can visualize this, I can build everything

00:19:39
else off of it.

00:19:41
Speaker 2: Yeah.

00:19:41
Yeah, I mean yeah, sorry, go ahead.

00:19:45
Speaker 1: No, you go ahead.

00:19:47
I wasn't going to say anything of value.

00:19:50
Speaker 2: I doubt that, but I just want to like piggyback on

00:19:53
that because I it's folks.

00:19:55
Folks I get people asking, well , like how do I get into

00:19:58
security research or what skills do I need to have?

00:19:59
And I think writing and effective communication is one

00:20:02
of the most underrated skill sets.

00:20:04
Like nobody is going to care about the really cool zero day

00:20:10
you just found, like in anything , if you can't effectively

00:20:13
communicate why it matters like nothing.

00:20:15
Nothing is going to change that .

00:20:18
And so being able to to like communicate those ideas

00:20:22
effectively and at different levels like you know, in my role

00:20:25
now, like I have to talk to folks who are, you know, who are

00:20:29
other researchers, who are deeply in the weeds, like I am,

00:20:31
and also like folks at the executive level so being able to

00:20:35
kind of go between those two levels and figure out like well,

00:20:38
what's important to like bubble up to folks who maybe don't

00:20:41
want all the weeds, don't have time for it or that's just not

00:20:44
their, their wheelhouse Like being able to do that and figure

00:20:47
out like what is my like, what is the executive summary of what

00:20:50
I'm trying to say?

00:20:51
Essentially, it's really important and I know it's not

00:20:53
like the most exciting thing, but it's so so critical for

00:20:57
being able to, like, get get your work noticed, get your work

00:20:59
kind of help, push it forward, to help others understand the

00:21:04
impact that you might be having or could have.

00:21:06
Being able to communicate is just, especially in a written

00:21:11
form, is just so, so important.

00:21:12
I can't, I don't know, I can't understate that or I can't

00:21:16
overstate that enough.

00:21:18
Speaker 1: Yeah, you know, when I was working for a credit

00:21:22
bureau Actually, this was the only time that I ever had a

00:21:28
technical writer on the team and she was, you know, fresh out of

00:21:32
college studied English.

00:21:34
You know, maybe the most boring topic to me, like when I took I

00:21:39
delayed taking.

00:21:40
I had two English classes to take an undergrad and I delayed

00:21:43
taking them both until like senior year because I hated them

00:21:47
so much and everyone's like, oh , you're the oldest person in

00:21:51
here, like we're all freshmen.

00:21:52
I'm like, yeah, I hate English so much.

00:21:55
Speaker 2: Yeah.

00:21:56
Speaker 1: Like I'm already speaking it?

00:21:57
Why do I need to learn about it ?

00:21:59
You know, that was just my mentality with it, but it was

00:22:04
really helpful for her to be there.

00:22:08
Right, that had that different, totally different skill set.

00:22:11
Right, she's not technical at all.

00:22:13
So when we're talking about technical things and she has to

00:22:16
take notes and create a paper about a community post, whatever

00:22:20
it is, you know she she would have to slow us down, be like,

00:22:25
hey, break this thing down for me.

00:22:27
You know, why does it work like this?

00:22:29
Why does this make sense?

00:22:30
Why did you say this?

00:22:32
You know, and she also learned a lot, and now she's moving into

00:22:36
more technical roles, you know, just from that experience,

00:22:40
which is really it's really interesting.

00:22:42
Speaker 2: You know, I never would have thought that that was

00:22:45
a possibility, you know yeah, I mean I worked with someone who

00:22:50
excellent pen tester, one of the best I've worked with who in

00:22:53
terms of like writing reports, thinking through ideas,

00:22:56
collaborating with others and just obviously the skill set

00:22:59
that he had he was like a masters in literature, Like no,

00:23:04
no, like formal educational background and it like totally

00:23:06
different, but it gave him this different perspective and it

00:23:09
gave him a way to be able to really clearly communicate the

00:23:13
ideas and the things that he was finding and it just, I mean, it

00:23:16
just made him a stellar pen tester.

00:23:18
Like he was just fantastic at his job because he could

00:23:21
actually talk about at multiple different levels like what he

00:23:24
was finding, why it mattered.

00:23:25
Why should we care?

00:23:26
Why do we need to patch this?

00:23:27
It was just, yeah, I think having those like different

00:23:33
backgrounds on a team is so, so important because you get all

00:23:37
that different perspective.

00:23:38
Speaker 1: Hmm, so you know, let's dive into what a security

00:23:43
researcher is and what your, what your day to day looks like.

00:23:46
You know, are you?

00:23:47
Yeah, we'll just start with that before I start diving into

00:23:51
my million questions.

00:23:53
Speaker 2: Yeah.

00:23:53
So security researcher, I think , is one of those very, very

00:23:56
broad terms that can mean a lot of different things depending on

00:23:59
where you are.

00:24:00
In some cases, you know these are folks who are doing exploit

00:24:05
development or research or vulnerability research.

00:24:07
In some cases, you know they're working at vendors and they're

00:24:11
they're studying things that are happening on endpoints, that

00:24:15
their vendors are watching.

00:24:16
So for us, for me and for my team, you know we we sit, we sit

00:24:21
with access to this really really comprehensive map of the

00:24:25
Internet.

00:24:26
So Internet wide scan data, the entire IPV for space, and so

00:24:30
really for us there's a, there's a couple of like kind of, I

00:24:34
think, common paths that our day might take.

00:24:36
On one hand, there's a lot of just exploratory data analysis.

00:24:41
Like the Internet's a really big place, really weird place.

00:24:43
There's lots and lots of stuff.

00:24:45
To you know, there's always new rocks to kick over.

00:24:47
So in the case that like there are fewer internet fires than

00:24:53
usual, like we'll do some exploratory stuff will dig.

00:24:55
Well, like I noticed this weird thing, I want to look into it,

00:24:58
and so like just kind of the natural curiosity takes over and

00:25:02
then, kind of on the flip side, is the slightly more reactive

00:25:05
work when you know a CV comes out that's like critical or says

00:25:10
add something to the kev list.

00:25:11
Or you know there's something really going on in the security

00:25:14
news cycle and if that's something that we have the

00:25:17
ability to see as in like it affects a public internet facing

00:25:20
device, will go and look for it in our data and try to

00:25:24
understand.

00:25:24
You know how broad is the impact of this particular

00:25:27
vulnerability.

00:25:28
You know how many hosts, where are these hosts located?

00:25:31
Are there particular autonomous systems that are really

00:25:34
affected by it?

00:25:34
And so that's kind of the more reactive piece.

00:25:38
So it just sort of depends on, kind of like, what's happening

00:25:40
in the world, what we end up looking at, and we also, like I

00:25:44
say what's happening in the world because there's also the

00:25:47
geopolitical angle to that as well.

00:25:48
You know, when there are conflicts or very big things

00:25:53
happening, whether they're natural disasters or other

00:25:56
things, from our perspective we want to better understand.

00:25:58
You know what is internet connectivity, look like there

00:26:02
and what can we say about.

00:26:03
You know operational technology in these regions.

00:26:06
What can we learn based on kind of patterns around them being

00:26:11
online versus offline?

00:26:12
So what color can we add to those stories and context can we

00:26:16
add to those.

00:26:17
So yeah, it's kind of a mixed bag of things and again, that's

00:26:22
pretty unique to sort of what we have access to, a census and

00:26:26
sort of what we do.

00:26:27
But more broadly, like, I think security research is just a lot

00:26:32
of being very curious about whatever data you have at hand.

00:26:37
Speaker 1: So what?

00:26:37
What is census?

00:26:38
What?

00:26:38
What do you guys do?

00:26:41
Speaker 2: Yeah, so there's two pieces to what we do.

00:26:43
So on the one hand, we have our exposure management or tax

00:26:48
surface management platform.

00:26:49
So if you've been in IT, you've been in security, you know that

00:26:53
asset management is not really an easy thing.

00:26:55
It's kind of a pain, and so the idea there is that we help

00:27:00
teams identify all of the things on the Internet that they own,

00:27:02
that they're going to be able to get access to, that they own,

00:27:04
that their company owns, ideally making it easier for them to

00:27:08
sort of administrate them.

00:27:08
If there are problems with them , like end of life software, or

00:27:13
maybe we think you're running something that might be

00:27:15
vulnerable to this new CDE that's popping off, we want to

00:27:17
let you know about it.

00:27:18
So that's one big piece of what we do.

00:27:22
And the other big piece is census search and data, and this

00:27:26
is near and dear to my heart because this is what my team and

00:27:28
I really really focus on.

00:27:31
So census scans the entire IPv4 space all day, every day, and we

00:27:36
maintain this, this comprehensive map really, of the

00:27:38
Internet.

00:27:38
So Internet connected devices, edge devices you can go to

00:27:43
census search, dot, census, dot, io, and and find these things

00:27:49
in our data and start to look and investigate them.

00:27:50
So where this gets really cool is if you're a security

00:27:54
researcher, maybe you want to investigate some recent threat

00:27:57
actor activity and you want to understand what you're doing and

00:27:59
you want to understand more about their infrastructure so

00:28:02
you can use our data.

00:28:02
We have both the host data set so all of those IPv4 and some

00:28:07
IPv6 hosts and we also have a certificate data set.

00:28:10
So we ingest lots of CT logs, we ingest lots of certificates

00:28:17
on the order of billions, and so that also is a really

00:28:21
interesting data set to play with in terms of looking for

00:28:26
interesting infrastructure based on based on certificates.

00:28:28
So it's kind of census in a nutshell.

00:28:33
Speaker 1: By chance?

00:28:35
Did you see any sort of I guess new infrastructure stand up or

00:28:41
new attacks launched before or even during the Russia US Korean

00:28:49
conflict and now Israel Hamas conflict?

00:28:51
Did you, did you see any, any kind of digital precursors?

00:28:57
Speaker 2: Yeah, so I can't get into super detailed response

00:29:00
here, but yes, these were, these have both been things that

00:29:03
we've we've followed pretty closely and just trying to get a

00:29:06
better handle on again, like some of the things that we're

00:29:09
often interested in these scenarios are you know what is

00:29:13
operational technology infrastructure look like leading

00:29:16
up to, during the, during these types of events?

00:29:19
So, yes, there are definitely changes you can start to track

00:29:24
and start to see, unfortunately, when these things unfold.

00:29:29
Speaker 1: Yeah, it's really interesting because I feel like,

00:29:32
you know, in the in the digital age of, like, big data, you

00:29:37
know, I feel like, before a you know physical kinetic attack

00:29:43
ever happens, there's typically, you know, some sort of attack

00:29:48
or preparation in cyberspace, right.

00:29:53
And so I've had, on other people that you know have looked

00:29:58
specifically at Russia, ukraine, and they're a little bit more,

00:30:03
I guess, liberal with what they say, because they're a little

00:30:05
bit closer to the battlefield, so to speak, and it's just, it's

00:30:10
just a fascinating area, you know, because it's it's like a

00:30:13
developing, it's almost like a developing space of security

00:30:17
right in front of us, of identifying like, oh, something

00:30:21
might be going on over here or, you know, like, whatever it

00:30:24
might be.

00:30:25
Because you know, as, as I guess, kinetic attacks are kind

00:30:30
of, they're kind of, you know, basic or very standard and you

00:30:36
know what they are and how they're deployed and things like

00:30:38
that.

00:30:38
The cyberspace side of it is that new evolving field that now

00:30:45
countries are diving more into.

00:30:47
That you know, it's interesting to see, like even how the NSA

00:30:52
uses cyber cyberspace.

00:30:54
You know, like it's really fascinating to see that.

00:30:59
Speaker 2: Yeah, one thing that was super interesting to me

00:31:02
during the kind of the ramp up of the Russia Ukraine conflict

00:31:08
was the Ukrainian it army sort of self organized group of folks

00:31:12
on telegram who are just like we're going to try and attack

00:31:16
Russian infrastructure.

00:31:17
And it was just this sort of kind of ad hoc group of folks

00:31:21
who were trying to like DDoS, different Russian sites or you

00:31:24
know, do what they could to have some kind of impact, to like

00:31:27
impose cost and difficulty on Russia.

00:31:30
And I don't actually know like how impactful it was.

00:31:33
I know there have been, there have been some studies that have

00:31:35
come out that have talked about that.

00:31:36
I haven't looked super deeply into them and like that's a

00:31:39
fascinating thing to is you have , you know, and at one point I

00:31:43
want to say it was like somebody high up in government in

00:31:48
Ukraine was like, hey, we're developing an it army, come join

00:31:51
us.

00:31:51
And I cannot remember his, his exact position or title, but it

00:31:55
was like this call to cyber arms , so to speak, of like, hey,

00:31:59
we're doing this, like you know, hop in, we're going to go,

00:32:02
we're going to go try and, like you know, lob some attacks

00:32:05
toward Russia.

00:32:06
And so that was just fascinating to me to see like

00:32:10
such a large scale kind of civilian orchestrated thing.

00:32:15
And so, yeah, I think you're right, like I think this is a

00:32:19
very interesting time, like we've seen, you know, kind of

00:32:25
precursors to these sorts of things in the past.

00:32:27
But I feel like this is really like this is the new way forward

00:32:32
, like this is how things will go going forward.

00:32:35
And so you know, if a nation is spending a lot of time

00:32:39
developing offensive technology and kind of letting the

00:32:42
defensive piece of it from a cyber perspective sort of fall,

00:32:47
I think, just broadly speaking, I think that's a huge disservice

00:32:50
because, you know, while the exploits are cool, like you've

00:32:54
got to be able to defend, you've got to be able to detect and

00:32:57
defend these types of things.

00:33:00
Speaker 1: Right, yeah, you know , with the IT Army of Ukraine,

00:33:04
when, when that was actually starting you know I'm not a

00:33:08
hacker by any means, like I can spell the word, but like, when

00:33:11
it comes to actually hacking things, you know, I'm not the

00:33:14
person that you should be going to ever.

00:33:16
And when that stood up, you know, I went onto the website to

00:33:21
see, like you know, like okay, you know, how successful could

00:33:25
this really be.

00:33:26
Like it's Russia, you know, like Russia has a pretty good

00:33:28
cyber warfare program.

00:33:29
You would think, like they have this stuff locked down,

00:33:33
probably better than ours even.

00:33:35
You know, because they don't have as many.

00:33:37
You know, I view it as they don't have as many like politics

00:33:41
in between their engineers and what actually needs to get done.

00:33:45
And I was on the site, and I mean constantly.

00:33:50
This is a site of hundreds of targets and the entire time that

00:33:54
I was on the site, every single thing was down.

00:33:58
Speaker 2: Yeah, yeah, so there were there were all of these

00:34:00
like coordinated DDoS campaigns and like they were just sending

00:34:03
like multiple requests obviously as a DDoS would, but like it

00:34:06
was just this in browser thing, like they made it very easy to

00:34:10
actually do, which I thought was fascinating.

00:34:12
So, like I it was, it was kind of interesting to see that like

00:34:18
yeah, they actually did like DDoS a bank or like other

00:34:21
different like services and companies.

00:34:22
It was like, oh, this is, this is an interesting phenomenon.

00:34:26
Like I don't think I've ever actually seen this play out in

00:34:29
my lifetime like this.

00:34:32
Speaker 1: Yeah, I don't think anything, maybe.

00:34:37
I mean was like the last time, you know, a large group of

00:34:42
people came together and achieve something.

00:34:44
Might have been like the collapse of the Soviet Union,

00:34:47
you know, like when they had the protest across Europe, right

00:34:49
like yeah maybe I don't know, you know, the first one in cyber

00:34:55
war fair like for sure, cyberspace for sure.

00:34:59
Speaker 2: Yeah, yeah, definitely, like I think that

00:35:01
was just what was so like I even still looking back, like it

00:35:06
just almost doesn't even feel real, which is maybe and I don't

00:35:10
mean that to sound insensitive like I know it's very real for

00:35:12
folks who are experiencing like the direct impact of it.

00:35:15
But you know, kind of sitting back from a, from a strictly

00:35:19
like cyber perspective, just what a fascinating kind of like

00:35:26
of unfolding of events, I guess.

00:35:28
Speaker 1: Yeah, so you talked about, you know, shoring up the

00:35:33
deep defenses and ensuring that you're good on the defense side.

00:35:37
How, how do you go about doing that?

00:35:40
Because so for companies, for large companies, that is a

00:35:47
seemingly unsurmountable task that you will just forever, you

00:35:52
know, be doing.

00:35:53
You're never going to be on top of it, you're never going to be

00:35:55
in front of this thing.

00:35:56
You know you're always kind of trying to play catch up, right,

00:36:02
and there's a lot of different facets to that in and of itself.

00:36:07
But then when we talk about a country and the critical

00:36:11
resources within the country and the different, you know

00:36:15
companies that you know are small businesses.

00:36:20
You know one person owns it, runs it, does everything

00:36:23
themselves.

00:36:24
They have one contract with the government.

00:36:26
That's all that they do for 40 years.

00:36:28
You know who cares about IT at that company.

00:36:32
Right, like this guy's doing all the work.

00:36:34
You know how, like where do you ?

00:36:38
Where do you start?

00:36:39
You know how do you?

00:36:41
How do you get ahead of this thing?

00:36:43
Can you get ahead of this thing , or is it just forever a losing

00:36:46
battle?

00:36:47
Speaker 2: So I, so as, like a former defender like I, I got

00:36:52
used to hearing like, oh, you know, you're always behind like

00:36:54
you're, you know they only have to be right one time.

00:36:57
You've got to be right all the time, like all of that kind of

00:37:01
stuff, and so I think it does feel oftentimes like we're at a

00:37:05
little bit of a disadvantage trying to defend.

00:37:07
But I, I think, and to like to be clear, I am not a policy

00:37:12
expert or anything like that.

00:37:13
This is just sort of my off the cuff, like thinking about this.

00:37:17
So like I would almost take some of those like you know,

00:37:20
principles that I would try to apply at a company and sort of

00:37:24
expand them in a sense.

00:37:26
So like there are a couple of things that like, if I'm coming

00:37:30
into a company we'll use this analogy I'm coming into a

00:37:32
company as a defender with no like actual blue team, no

00:37:36
defense To speak of right.

00:37:38
There are a couple of things that I would do right, and one

00:37:41
of those is make sure there are logs and lots of them, get a

00:37:46
handle on the assets that we own , like where is everything,

00:37:49
where is all my stuff, and get kind of a sense of just like,

00:37:53
what is what does normal look like here in terms of logs and

00:37:58
traffic and behavior and employee actions and all of

00:38:01
those kinds of things like get some baselines.

00:38:03
These are very, very broad, I realized.

00:38:04
But like so.

00:38:06
So those are a couple of things that I think are really

00:38:08
important, as like trying to build a defense program, like as

00:38:12
a cyber defender, right and I think you can kind of

00:38:15
extrapolate that a little bit to a larger level as well right,

00:38:19
like for for a country or a nation state understanding, you

00:38:23
know, where are all of my really important assets?

00:38:27
Where are all of my operational technology?

00:38:29
Who runs it?

00:38:30
Do I have relationships with those, those organizations or

00:38:33
individuals?

00:38:34
Could I like identify all of them right now, if I needed to?

00:38:38
Do I have a list of those things?

00:38:39
Do I understand what normal activity and I will leave that

00:38:44
very broad do I understand what normal activity looks like?

00:38:47
You know, having a sense of, again, baselines, I think is

00:38:51
really important.

00:38:53
And then telemetry, right, like and I think we obviously have

00:38:57
many agencies who this is their sole focus, right, so, like, I

00:38:59
think this is probably an area where we're, you know, where

00:39:02
most most organized.

00:39:04
Most countries, I would say, probably already have a good bit

00:39:07
of this going.

00:39:07
But, like, having the proper telemetry in place is really

00:39:10
important so that you can actually start to understand

00:39:13
what is normal, what is unusual.

00:39:15
And can I actually point to measurements and point to like

00:39:18
data to say like this is something that's concerning Well

00:39:22
, why?

00:39:22
And so I.

00:39:24
So I think I feel like maybe that's a cop out answer.

00:39:27
But just like thinking broadly about like how I approach it at

00:39:30
companies versus how I would approach it for a larger kind of

00:39:33
, on a larger scale, like I think a lot of the principles

00:39:36
kind of remain the same.

00:39:39
Speaker 1: Yeah, yeah, that's a.

00:39:40
That's a good point.

00:39:41
I mean the principles, they tend to remain the same, it's

00:39:45
just to add a much.

00:39:46
You know huge, or scale, yeah, significantly, multiple times

00:39:51
over, you know.

00:39:54
So I really want to talk about maybe what, what's some of the

00:39:59
research that you've that you've dove into right, what's maybe

00:40:04
some interesting areas that you've, you know, researched,

00:40:07
written papers about, potentially things like that.

00:40:11
Speaker 2: Yeah, there's been actually quite a few interesting

00:40:14
things I think we've looked at this year.

00:40:16
I think probably the one that I'm closest to has been all the

00:40:21
managed file transfer shenanigans.

00:40:23
I often joke now that MFT actually stands for my favorite

00:40:28
topic, because it's like all I thought about for months on end.

00:40:31
So kind of looking at that whole ecosystem which we're

00:40:36
shifting, really we're taking like a hard left away from like

00:40:39
talking about nation state, like cybersecurity to like cyber

00:40:42
crime, right, totally different flavor of things and different

00:40:45
flavor of actors and all of that .

00:40:46
But this was actually like so so we had move it over the

00:40:52
summer, which has just been kind of really this awful like

00:40:56
fallout we're seeing.

00:40:57
There have been some others in the past go anywhere, you can go

00:41:01
all the way back to like 2020 and you see, like kind of the

00:41:05
way I think of it is like the bookend.

00:41:07
This sort of initial file transfer hack that was kind of

00:41:13
along the same lines was Accelyon's legacy file transfer

00:41:18
and that was a CLOP operation.

00:41:19
So CLOP extortion group, ransomware group, all of that

00:41:22
right, and they've actually gone on to hit several other tools

00:41:25
in this category.

00:41:26
So I think it's been written about, folks have talked about

00:41:30
it.

00:41:30
But there have been multiple tools in this vein that have

00:41:33
been targets of attacks, particularly by CLOP, in some

00:41:38
cases for ransomware, in some cases just pure extortion.

00:41:41
And it's really interesting because, like, if you look at

00:41:46
their leaks site, so they'll post the data leaks or a sample

00:41:49
of them on their leak site, they'll give a company time to

00:41:51
respond and then, if they don't like, they'll go public with the

00:41:54
data and they'll actually, you know, post notes and say like,

00:41:58
hey, we're not interested in, like, government data, we're not

00:42:00
interested in like all of that.

00:42:02
Like we're just we're financially motivated.

00:42:04
Like they will explicitly say we're just doing this to make

00:42:06
money.

00:42:06
And it makes a lot of sense because these tools are, like,

00:42:13
if you look at any of the websites for these tools, for

00:42:15
move it, for go anywhere, for share file, for all of these

00:42:19
other tools, right, the idea behind them is that they they

00:42:22
facilitate secure file transfer between and within organizations

00:42:27
and they do it, are claimed to do it, in a way that is

00:42:30
compliant with, like lots of different regulations.

00:42:32
So GDPR, pci, you know your alphabet soup there and so, like

00:42:38
this has been kind of fascinating to follow for me

00:42:41
because, from a financially motivated threat actor

00:42:44
perspective, these tools are like a goldmine.

00:42:47
They are usually adopted by enterprise organizations to like

00:42:54
lots of data at play, and they also.

00:42:56
So we did some research over the summer when move it kind of was

00:42:59
popping off and we actually looked at every move it instance

00:43:03
on the internet that we could find several thousand of them,

00:43:07
and then we went through and did attribution on all of them,

00:43:11
like we wanted to see who owned them, and so we ended up being

00:43:14
able to do that for I want to say, around 1500 of those

00:43:16
instances, and what we found was that the majority of these,

00:43:21
these instances were either in financial services companies or

00:43:24
healthcare companies, so these are really highly regulated

00:43:28
industries.

00:43:28
We also found a non trivial amount, like in government,

00:43:32
government space as well, but these are like highly regulated

00:43:35
industries that have, you know, arguably pretty sensitive data

00:43:39
on hand and they're big companies.

00:43:41
So like that's been really fascinating to follow and I

00:43:44
think like I'm really curious to see kind of the next evolution

00:43:48
of this, because I have this sort of suspicion that these

00:43:55
kind of like back office apps, so they're not necessarily like

00:43:59
customer facing software, but they're like B2B types of

00:44:01
applications.

00:44:01
I feel like this is an interesting area for threat

00:44:06
actors, because it's not necessarily something I think

00:44:11
we've often, you know, thought about in terms of like the

00:44:12
security of these tools, because they're they're not like again,

00:44:16
like necessarily consumer facing all the time.

00:44:17
So I'm kind of fascinated with, with that Especially so like

00:44:23
also enough, I'm rambling a little bit.

00:44:27
But one, one final thing I'll say kind of along these lines is

00:44:28
during all of this file transfer sort of wild activity

00:44:33
Back in April we also saw paper cut print server software was

00:44:36
also attacked by his clop and lock bit, and it wasn't a

00:44:40
ransomware extortion.

00:44:40
They essentially like use those servers to like gain access,

00:44:43
gain a foothold on the network and then install some like

00:44:46
remote management software.

00:44:47
But again, like this is sort of a like a B2B kind of tool.

00:44:49
It's not necessarily like something that's customer facing

00:44:55
or client facing, but it's there to like facilitate

00:45:01
business, and so I'm kind of fascinated with this whole

00:45:03
category of software and and sort of like.

00:45:06
I think I'm kind of like, I'm kind of like, I'm kind of like,

00:45:09
I'm kind of like and and sort of what we will see in the coming

00:45:14
months and years as far as like those, those tools being

00:45:16
targeted.

00:45:19
Speaker 1: Yeah, you know, earlier on in my career I worked

00:45:22
for a company that was B2B and you know I didn't think I never

00:45:29
thought anything of it.

00:45:30
You know, like if I had to transfer files to them or

00:45:35
whatever might be, I didn't think anything of it.

00:45:37
You know, I was told, open up this tool, log into this thing

00:45:42
and do it.

00:45:42
You know, sometimes I didn't even have to log in and now, now

00:45:49
that I'm in security, right, like it's like oh, that was

00:45:52
actually like really bad that was.

00:45:55
You know that that was frowned upon.

00:45:59
You know it's, it's fascinating because it's a, it's a solution

00:46:06
that just about every company has to have, some some sort of

00:46:09
you know way of doing it right.

00:46:11
And it's really tricky because you're moving potentially

00:46:15
sensitive data across the internet from one company to

00:46:19
another and you need to be able to send it securely, receive it

00:46:23
securely and, you know, move it within your own network, knowing

00:46:28
that it's not malware or some sort of you know Trojan, that's,

00:46:32
that's, you know, waiting to strike or you know, looking at

00:46:37
your network and whatnot.

00:46:38
It's, it's an interesting area and you know, I, you know I, you

00:46:45
know I, you know, I find it really fascinating that recently

00:46:50
those attacks have kind of picked up.

00:46:52
Right Like now.

00:46:53
I'm starting to think of you know things that are going on in

00:46:56
the world and being like, oh, like is it?

00:46:59
Is it getting attacked this way ?

00:47:01
Um, you know, and then my mind also goes down the rabbit hole

00:47:05
of well, the government still uses you know couriers, like

00:47:09
actual, physical people, real people, to take you know

00:47:13
sensitive documents from one facility to the other.

00:47:16
Um, they still actually do that .

00:47:19
I mean maybe there's something to that right, like I don't know

00:47:22
, like yeah, I mean you know, just you know, with my limited

00:47:27
experience with the government, you know they they trust, they

00:47:31
trust their technology, they trust their IT, you know

00:47:34
architecture and team and everything like that, but they

00:47:37
only trust us so much, right, right, like there's still that's

00:47:41
like the paranoid part of society, like you want to talk

00:47:45
paranoia.

00:47:45
Like go work for the government , you know, like I've I've been

00:47:49
in facilities where you know it's a cube farm and people have

00:47:53
mirrors situated, you know, very specifically at their

00:47:58
monitor so that they could see if anyone's looking at their

00:48:01
computer behind them without them knowing or whatever.

00:48:04
Um, like that's the sort of people that are that are in

00:48:09
those jobs doing that work.

00:48:11
Speaker 2: I mean that's kind of fascinating because it I mean

00:48:14
it sounds like it sounds a lot like a lot of security folks I

00:48:17
know Um, to some extent right, like, and I think I think

00:48:23
there's a healthy, there's something kind of healthy about

00:48:26
that, about not totally trusting everything like trust, but

00:48:29
verify trust to a point but then just kind of assume, like

00:48:33
always assume the network is out to get you always assume that

00:48:36
there's something compromised somewhere, like, and I think,

00:48:40
yeah, it's kind of an exhausting like sort of overly paranoid

00:48:43
way to think about things, but like we're also kind of paid to

00:48:45
be paranoid.

00:48:46
I think in some, in some respects, um, we kind of have to

00:48:50
assume that that could be the case.

00:48:52
Um, and so, yeah, I it's that's really funny because, like I

00:48:57
said, I've I've definitely worked with a couple of people

00:48:59
who've been, who've been kind of on that level, um, and I mean I

00:49:04
respect it, I get it Um.

00:49:06
I think when that's when you're kind of looking at this stuff

00:49:10
all day, every day, you just kind of have to assume that that

00:49:12
something like that's going on somewhere.

00:49:16
Speaker 1: Right, yeah, you know trust but verify.

00:49:19
It's interesting.

00:49:20
You know, we even have to do that with, like security

00:49:23
solutions in this field, right, yeah, recently, you know, I did

00:49:28
a like a cloud native WAF POC and my, my manager chose a

00:49:35
product that I was very against.

00:49:37
You know that has its own, you know dynamics with it and

00:49:40
whatnot.

00:49:41
But, um, you know, at the end of the day, right, I'm an

00:49:44
engineer, I'll deploy whatever you tell me to deploy.

00:49:46
I think it's a bad idea, but it doesn't matter.

00:49:50
You know, um, and along with that came when he, when he chose

00:49:55
the other product, I'm like, okay, well, I don't believe that

00:49:58
it's going to do what it actually is supposed to do, and

00:50:02
so I'm going to set up a lab environment where all I do all

00:50:07
day long is attack this thing when we make a configuration

00:50:11
change.

00:50:12
You know, in front of an application, like I'm attacking

00:50:16
that very specific rule set and if it ever, you know, pops, if

00:50:21
it ever actually doesn't block it, like it's claiming, then

00:50:26
we're, you know, I'm going to be documenting all of it and

00:50:29
presenting it to you Like, see, like we shouldn't have done this

00:50:32
.

00:50:32
You know, um, like, even in security, we have to really take

00:50:38
those measures, because how do you know your EDR is actually

00:50:41
doing what an EDR should if you never try it?

00:50:44
Speaker 2: I 100% agree.

00:50:46
Um, I've also been in this situation, funny enough, like

00:50:49
with with a new WAF a few jobs ago.

00:50:51
Same kind of thing.

00:50:52
Like we need to test and make sure this actually, you know,

00:50:56
this does what it says it does and in our case, it actually did

00:50:59
.

00:50:59
So we, if everything worked out well, um, but, yeah, I mean you

00:51:03
.

00:51:03
I feel like you kind of can't always take things at face value

00:51:06
, particularly when you were essentially hiring a product to

00:51:10
do a job for you.

00:51:11
Like, the whole idea is that you can kind of offload some of

00:51:15
your like mental resources to this product, to this tool, and

00:51:19
you need to actually make sure you can, because then, if you

00:51:22
can't, you're going to end up in a really worse situation than

00:51:25
if you, you know, not install the tool in the first place.

00:51:27
Um, and it's, it's.

00:51:30
It can be hard to cut through like a lot of this sort of

00:51:33
buzzwords and jargon and kind of like oh, this, this will do

00:51:36
this, will it really, though?

00:51:38
Um, you know, I think, I think it's important to kind of have

00:51:42
an empirical approach and like no, like, show me the data.

00:51:44
I want my hands on the data, I want to see proof.

00:51:46
Um, yeah, yeah.

00:51:48
Speaker 1: Absolutely Well, Emily, you know, and

00:51:52
unfortunately we're coming to the end of our time here.

00:51:55
Um, I feel like we could talk for another hour or two.

00:51:58
Speaker 2: Yeah, I agree.

00:51:59
Yeah, this has been great.

00:52:01
Speaker 1: Yeah, I'll, I'll.

00:52:02
I'll have to have you on again and we'll talk about you know,

00:52:04
maybe, maybe wouldn't you release, you know, some new

00:52:07
research or something like that.

00:52:09
You could absolutely come on and talk about it, Um, but you

00:52:12
know, before I let you go, how about you tell my audience, you

00:52:15
know, where they could find you if they wanted to reach out to

00:52:17
you, Um, and where they could find census.

00:52:21
Speaker 2: Yeah, so for census, you can go to censuscom.

00:52:23
Um, you can also go to searchcensuscom, which is, which

00:52:26
is a lot of fun.

00:52:27
Go search, go play around.

00:52:29
It's free.

00:52:30
Uh accounts are free, so you can sign up and um, go and have

00:52:33
some fun with that data.

00:52:34
Um.

00:52:35
And then for me, um, I'm on LinkedIn and mastodon, primarily

00:52:39
these days.

00:52:40
Um, on LinkedIn, I'm just Emily Austin, um at census, and then

00:52:44
um on mastodon, I am MLE, uh at infosecexchange.

00:52:49
Um, so, yeah, uh, that's how you can, how you can find me.

00:52:53
Um awesome.

00:52:56
Speaker 1: Well, thanks, emily.

00:52:57
I really appreciate you coming on and I hope everyone listening

00:53:01
to this episode enjoyed it.