Join us on an inspiring adventure through the world of cybersecurity, as we share a cup of digital coffee with our guest, Emily Austin, a seasoned professional in the tech field. Prepare to be enlightened and intrigued by her unlikely journey into the world of cybersecurity, a detour from psychology to tech that not only shows there's no single path into the industry but also demonstrates the value in diversity and unconventional paths.
You'll gain insights into the world of security research, understanding the importance of different perspectives and the value of effective communication. Discover the nuances of internet mapping and security research, and get a glimpse into the day-to-day life of a team handling comprehensive internet scan data. Learn how modern conflicts shake the tech industry, as we unravel the complexities of cyber warfare and the critical role played by the Ukrainian IT army.
Finally, brace yourself as we lay bare the underbelly of tech: the increased attacks on back office software. We'll take you through the potential risks and implications of assaults on file transfer tools and shed light on how these attacks are affecting enterprises and regulated industries. This episode is a thrilling exploration packed with insight and analysis - a must-listen for those curious about the ever-evolving tech field, cybersecurity, IT, and the true essence of a career in technology. Tune in to join the conversation!
LinkedIn: https://www.linkedin.com/in/emilylaustin/
Censys: https://censys.com/
Follow the Podcast on Social Media!
Instagram: https://www.instagram.com/secunfpodcast/
Twitter: https://twitter.com/SecUnfPodcast
Patreon: https://www.patreon.com/SecurityUnfilteredPodcast
YouTube: https://www.youtube.com/@securityunfilteredpodcast
TikTok: Not today China! Not today
Speaker 1: I was going.
00:00:00
Emily, it's great to finally have you on.
00:00:03
I feel like we've been trying to schedule this thing for, I
00:00:07
mean, what seems like an entire year at this point.
00:00:09
Speaker 2: Yeah, no, I'm glad we could finally finally make it
00:00:12
work, make it happen.
00:00:13
So, yeah, I'm excited to be here and to chat with you.
00:00:17
Speaker 1: Yeah, absolutely so.
00:00:19
You know, Emily, I always start everyone off with telling their
00:00:22
background because I feel, like you know, for a wide variety of
00:00:27
people that may be listening to the podcast, if they want to
00:00:31
get into security, it's important for them to hear you
00:00:35
know a different background, right? For them to hear it and
00:00:39
know like, oh well, if they did it, maybe this is possible for
00:00:42
me.
00:00:43
So what's your background?
00:00:45
How did you get into IT?
00:00:46
How did you get into security?
00:00:48
You know, maybe, what piqued your interest in those areas to
00:00:53
make you go down this kind of crazy rabbit hole of
00:00:56
cybersecurity?
00:00:57
Speaker 2: Yeah, yeah, yeah.
00:00:59
So I love this because I feel like I often get asked you know,
00:01:03
how do I get in?
00:01:04
As if there's sort of this one core or ideal path and really
00:01:08
the reality is very different.
00:01:09
Like I think, as you probably know, like lots of different
00:01:12
ways to get into this industry.
00:01:14
So I, for me, I was really interested in like computers.
00:01:22
As a kid I kind of, like you know, did the whole, you know,
00:01:25
learn how to build websites and write HTML and notepad and like
00:01:28
all of that kind of stuff, and so that was really interesting
00:01:33
to me and I had no idea that that was actually a thing you
00:01:35
could do, is like a job, because I think this was a little bit
00:01:38
before I don't want to date myself too much, but this is a
00:01:41
little bit before that was like a big, a big thing.
00:01:43
This was before tech was such a big thing and such a like
00:01:47
highly sought after career, and so it was very into that.
00:01:51
I really loved it.
00:01:52
And then when I went to undergrad, I wanted to do
00:01:55
computer science and I was actually told by a very well
00:01:59
meaning person but that it would be too hard for me that I
00:02:03
wasn't cut out to do CS and I listened, which I wish I hadn't,
00:02:08
and I would encourage anyone who hears that to not listen
00:02:11
like.
00:02:11
If it's something that you really feel pulled to do like,
00:02:13
go for it.
00:02:14
And I ended up doing psychology instead.
00:02:17
But this turned out to be kind of a great thing because I spent
00:02:20
about a year and a half working in a research lab, stayed and
00:02:24
did like an undergrad honors thesis and all that and I
00:02:26
through that I really discovered that I loved research.
00:02:29
I loved the idea of kind of like carving out new information
00:02:33
and figuring out new, new facts and uncovering new, new pieces
00:02:37
of the puzzle.
00:02:38
You know, in that case it was around cognitive psychology.
00:02:40
But that was really kind of the first inkling to me that like
00:02:44
research was a thing I was interested in.
00:02:47
And I went on to like I worked for a neuro marketing company
00:02:50
for a couple of years, which is wholly unrelated to what I do
00:02:54
now.
00:02:54
But then I got my first job in tech about 10 years ago now and
00:03:01
I was a quant essentially for a user research team.
00:03:05
So they brought me in to help essentially identify customers,
00:03:09
as I was working at a software company and the user research
00:03:13
team there wanted to find interesting customers to talk to,
00:03:17
to interview, and so my charge was go look in our user
00:03:21
database and find people who are doing interesting things with
00:03:24
our platform.
00:03:25
So you can probably kind of start to put the pieces together
00:03:29
like oh, this is, this is anomaly detection, you're
00:03:32
looking for weird things and very large sets of data.
00:03:34
And so I did that for a few years and that's really where
00:03:38
I'd say like I honed my like programming skills and kind of
00:03:41
got more, more experience like with databases, with actually
00:03:43
writing code to, like you know, analyze data, doing
00:03:46
computational analysis and things like that.
00:03:48
And so I did that for a few years and I still always kind of
00:03:53
felt pulled a little bit toward security.
00:03:56
Like I read 2600 and like hacking magazines like at
00:04:01
various points in my life and I was just really, really
00:04:04
interested in it.
00:04:05
And somehow an opening came available on our security team,
00:04:11
the company where I worked at the time, and I had no business
00:04:15
applying for it.
00:04:15
Frankly, like I still don't know how I wound up getting
00:04:19
getting the role, but I wound up getting a position on the
00:04:23
security team and it was like I feel like that's what you know.
00:04:26
You think back about your life and you think about these
00:04:28
branching points of like the decisions you've made and I feel
00:04:31
like this is still one of probably the most impactful
00:04:34
decisions I ever made was taking that role and it was actually
00:04:41
kind of a hard, hard thing to step into because I got on the
00:04:44
team and I was so excited.
00:04:45
Everyone was super nice, like just really wonderful.
00:04:47
But everyone on the team was either an application security
00:04:52
engineer, just like software security engineer, or they were
00:04:55
a pen tester.
00:04:56
Speaker 1: And I was like well.
00:04:57
Speaker 2: I'm not.
00:04:57
I don't.
00:04:58
I'm not one of those Like I can write code but I'm not a
00:05:00
software engineer.
00:05:01
I can kind of figure things out but I'm not a pen tester.
00:05:04
And so I had to spend some time kind of figuring out like how
00:05:09
my skills actually fit into this broader team.
00:05:12
And it turned out that in that particular scenario you know, I
00:05:16
had been at the company for a while, I knew the data, I knew
00:05:19
the user data quite well in our databases, and so that actually
00:05:24
put me in a good position to be able to help, from a security
00:05:27
perspective, find unusual things that were going on in our
00:05:31
environment and user accounts against the application, like
00:05:34
all of that kind of kind of domain right, and so it enabled
00:05:38
me to actually carve out another sort of like subgroup on the
00:05:41
team which became the blue team for our org.
00:05:45
So that was really really cool and rewarding.
00:05:47
Kind of going from I have no idea what I'm doing here to
00:05:50
everyone, kind of going you'll figure it out, it'll be fine,
00:05:53
and then being able to kind of say, no, actually there is a
00:05:57
place for these skills here.
00:05:58
I think you know, coming from sort of the analytics and data
00:06:01
place, data, data world, there are a lot, there's a lot of need
00:06:06
for those skills in security and it's not getting, it's not,
00:06:10
it's not going away.
00:06:10
I'll say and yeah, so I spent a few years there and worked on a
00:06:16
couple of big projects where I felt like I was really, I really
00:06:20
wanted to get into security research.
00:06:21
That was really just like what was calling me. Incident response
00:06:24
got really really a lot after a while like I just wanted to
00:06:27
sleep and not have a pager and so, yeah, had a couple of
00:06:33
different roles in security, engineering and research and now
00:06:37
and for the last almost two years, I've been at Censys.
00:06:40
So I am a senior researcher here and lead the security
00:06:44
research team.
00:06:45
And yeah, I mean it's.
00:06:47
I feel I feel so lucky to get to get to do, to do this every
00:06:52
day.
00:06:52
The internet is a wild, weird place, but man, it's fun.
00:06:58
Speaker 1: Yeah, it's really, you know, it's.
00:06:59
It's interesting how, like, the internet came about and now we
00:07:04
all have careers based on the internet, you know, and it's
00:07:08
like we all have, you know, a million different niches and
00:07:13
areas of specialty and things like that.
00:07:15
It's just, it's really, it's fascinating, you know, because,
00:07:19
like I'm sure, those people that you know cobbled this thing
00:07:22
together right in the beginning, like they never, they never
00:07:26
imagined that.
00:07:27
You know, that there would be security issues and security
00:07:31
researchers and things like that.
00:07:34
It's just, it's fascinating to me, yeah.
00:07:36
Speaker 2: Yeah, well, I mean, if you think back, like if going
00:07:39
back to like the late 80s, when when you had like The Cuckoo's
00:07:42
Egg, Cliff Stoll, kind of, the first really big like intrusion,
00:07:46
like computer network intrusion, that kind of you know,
00:07:49
captured the public's imagination, I guess, or
00:07:52
interest, that was fascinating.
00:07:54
And you go back and you read that book now and you're like,
00:07:57
wow, I can't believe there were.
00:07:59
There were no protections, there were no.
00:08:01
You could just kind of like dial up and log in and there was
00:08:03
no.
00:08:03
Like things have changed so much and it's such an
00:08:07
interesting it's been.
00:08:09
It's interesting to see, like you know, going back and reading
00:08:11
that now and seeing kind of how things have changed and all the
00:08:15
different needs we have as we kind of shift more and more into
00:08:18
this very like online space in our lives.
00:08:22
Speaker 1: Yeah, yeah, it's a.
00:08:24
It's a completely different world because of it.
00:08:26
Yeah, so when you, when you were applying, you know, to that
00:08:32
first security role, that first security team, you know, you
00:08:37
said that you know you basically had, you know, no business
00:08:41
applying to the team or the role or anything like that.
00:08:43
How did you overcome that?
00:08:45
Because there's a lot of people out there that you know see
00:08:49
roles on the internet and if they're not 100% a match, if
00:08:53
they don't have everything on the list, like they don't even
00:08:55
consider it.
00:08:56
You know, and for me, you know, with my background, I mean I
00:09:03
did over 300 interviews before I got into security, you know,
00:09:10
and that was the most frustrating part, and I was
00:09:13
applying to things that you know, I was 50% a match for I would
00:09:18
meet the, I guess, the social skill part of it, but I wouldn't
00:09:23
meet, you know, half of the mental skill or the technical
00:09:27
skill part of it.
00:09:27
You know, so how did you, how did you overcome that part of it?
00:09:31
Was there anything that you did that you know helped you
00:09:36
through it?
00:09:37
Or did you just say screw it?
00:09:38
I'm going to see where this goes.
00:09:40
Speaker 2: It was a little bit of both.
00:09:41
So I totally want to like double down and say to anybody
00:09:46
who's listening if you see something that's interesting to
00:09:49
you and like you know you've been working on those skills and
00:09:51
you don't meet like 50% of the job criteria, apply anyway.
00:09:55
Like, do it anyway.
00:09:56
We tend to self-select out for a lot of things that we would
00:09:59
actually be really good fits for.
00:10:01
So, like, do it anyway.
00:10:02
And this was kind of that like, and to give some more context
00:10:06
for this, in my case it was a little bit of a special
00:10:09
situation because it was an apprenticeship program, so kind
00:10:14
of like an internal internship, where the applicant got like
00:10:18
three months to go join this new team, kind of see if it's a
00:10:20
good fit and then if at the end of the three months it was, then
00:10:23
you'd get hired onto the team and if not, you had the safety
00:10:27
net of your existing position to sort of fall back into.
00:10:30
So I want to fully acknowledge like I had a lot of safety nets
00:10:33
and kind of training wheels and sort of like.
00:10:36
This was a very unique situation.
00:10:38
But in terms of preparing and kind of getting ready, I leaned
00:10:43
really heavily on the experience I did have.
00:10:45
I was like you know, I've been here several years, I know the
00:10:50
user data, I understand the application, I understand, you
00:10:52
know, from a user perspective, I understand where things are in
00:10:56
the database, like I know kind of where the like the skeletons
00:11:01
in the closet are, if you will.
00:11:02
And so I kind of leaned on the things that I knew were my
00:11:05
strengths, which I think is always a good strategy, right,
00:11:09
like leaning on things that you know, that you know very well,
00:11:14
and kind of going from there and saying like, hey, this is what
00:11:17
I can bring to the team and also showing that you know, I kept
00:11:21
up with security news.
00:11:22
Even then, you know, like following certain RIP Twitter I
00:11:26
guess but like certain accounts on Twitter, or like you know
00:11:31
different blogs, different security kind of influencers.
00:11:33
Even back then I was ready to talk about that and say like
00:11:38
here's how I kind of learn things, here's what I'm
00:11:40
interested in, here's what you know, here's my plan or here's
00:11:43
kind of what I envision being able to do in this role.
00:11:48
And so, yeah, I would say just like really leaning on your
00:11:50
strengths, because the wonderful thing about security, I think,
00:11:55
is that there's a lot of space for a lot of different skills
00:11:59
and I think for those of us who kind of got into it a little bit
00:12:03
before the before, it got really really cool to be in
00:12:06
security, like it became a thing Like I think you know, now
00:12:10
we're seeing degree programs and like boot camps and all that.
00:12:13
Like a little bit before that, I think you kind of just had to
00:12:16
be like, hey, here's what.
00:12:17
I know how to do, I'm really good at this thing and I think I
00:12:20
can, I can, add some value because this is my area of
00:12:25
expertise, yeah, so I feel like that.
00:12:28
You know, your mileage may vary.
00:12:29
Again, everybody's got a different background and
00:12:31
different experience, but for me that's kind of what I what I
00:12:34
tried to lean on.
00:12:37
Speaker 1: So did you know the hiring manager beforehand or
00:12:41
anyone on the team beforehand?
00:12:44
Speaker 2: I had like met them briefly at different like
00:12:47
company functions.
00:12:48
But I actually did go and like talk to the hiring manager a
00:12:51
little bit ahead of time and I was like hey, I'm really
00:12:53
interested in this.
00:12:54
I just want to let you know I'm going to be putting my
00:12:55
application just to kind of chat with him and let him know.
00:13:00
Like hey, I probably don't have a really strong chance at this,
00:13:04
but I'm going to give it a shot.
00:13:06
But apart from that, no, like I really didn't know anyone on
00:13:09
the team at the time.
00:13:11
Speaker 1: Yeah, I have a good friend of mine that I actually
00:13:15
grew up with and he went down a totally different path in life
00:13:20
and he's, you know, warehouse worker and he's he's been doing
00:13:23
that for like 15 years at this point and he's kind of miserable,
00:13:28
you know, and so he's always been interested in IT and
00:13:33
security and I always told him like, hey, man, you're, you're
00:13:36
literally working at a giant company.
00:13:38
I guarantee you they have, you know, not just one security team,
00:13:42
they have like probably five or 10 security teams.
00:13:45
Like all you need to do is just reach out to someone in IT and
00:13:50
go from there, you know, and like I feel like it's that
00:13:57
actually doing that, you know, and saying, saying to himself
00:14:01
like oh, it's okay for me to do this, which like holds him back
00:14:06
from actually making that a progress, you know, and yeah,
00:14:09
it's a daunting thing, but at the same time, what do you have
00:14:13
to lose, you know, like what do you really have to lose in this
00:14:18
situation?
00:14:19
If you're unhappy, probably not making enough money, you know,
00:14:24
and an email is standing in between you and you know, a
00:14:29
happier, more fulfilling future, like, why not send the email?
00:14:34
Speaker 2: Yeah, I mean it's scary to put yourself out there
00:14:36
Like I have.
00:14:37
I've talked with folks, I have friends who have been in similar
00:14:40
situations and it's like it can be, I think, crippling for some
00:14:45
folks too, because they're like, why don't want to?
00:14:46
I don't know, is this okay to do?
00:14:48
Like it's just, it's not clear always, I think, that kind of
00:14:51
norms around it.
00:14:52
But to your point, like shoot your shot, like you get one
00:14:56
chance at this, like do do it.
00:14:58
Like the only thing that's going to happen, like the worst
00:15:01
thing that's going to happen is they're going to say no or just
00:15:03
not respond and like, yeah, that does burn a little bit, it
00:15:06
stings a little bit, especially the first few times.
00:15:08
But you start to get a little more resilient and you start to
00:15:11
realize like no, I can do this, like I am worth putting myself
00:15:16
out there, like I know things, I have skills I can offer, like
00:15:20
you know.
00:15:20
And I think just showing that initiative sometimes can go a
00:15:23
long way.
00:15:25
Speaker 1: Yeah, when, when someone tells me no with a job
00:15:28
and I don't know why I've always been like this like okay, onto
00:15:31
the next one, you know like I'm going to waste any time like
00:15:34
they didn't like me for whatever reason, you know, when
00:15:38
interviews go really well, I'll like I'll dwell on it a little
00:15:42
bit.
00:15:42
I'll be like man, I was really frustrating, like you know.
00:15:46
Why did I not get that?
00:15:48
Speaker 2: Right.
00:15:49
Speaker 1: Right.
00:15:49
But yeah, it's.
00:15:51
You know, I feel like you almost have to be a bit of a
00:15:55
like a mercenary.
00:15:56
You know at some point, right, like you got to, you got to be.
00:16:01
You know, give it a mission.
00:16:02
You got to give yourself a mission and then you got to not
00:16:05
care how it gets done.
00:16:06
You know like it gets done, how it gets done and don't ask any
00:16:10
questions.
00:16:11
Yeah.
00:16:13
Speaker 2: I mean and that's the thing too is like you just kind
00:16:16
of have to be willing to keep pushing and it's so.
00:16:19
Again, it's exhausting, like I know.
00:16:22
I see stories all the time of people who, like they've
00:16:25
hundreds of applications, all of these things.
00:16:27
But, like you, you will find the right thing when, like you
00:16:32
just have to keep pushing.
00:16:33
Um, and I would say, like, if there's folks on LinkedIn or,
00:16:38
you know, twitter or Mastodon or wherever that like reach out to
00:16:41
people like you know, again the worst folks can say is like no,
00:16:45
I can't, or like just not respond.
00:16:47
But like, get people's perspectives.
00:16:49
Like, if you're continuing to get rejections and you're not
00:16:52
quite sure why, like get some extra eyes on your resume, get
00:16:55
some extra eyes and like do a mock interview with some folks,
00:16:58
some friends, or something like that.
00:17:00
Um, you know, because there are definitely ways to improve at
00:17:04
that and like it's.
00:17:06
I think it's especially weird, for I mean, for me it's really
00:17:10
weird.
00:17:10
I know, for a lot of folks in the industry it's weird.
00:17:12
It's weird to feel like you kind of have to market yourself.
00:17:14
Um, because that feels very unnatural, I think, to a lot of
00:17:18
us who are like I don't want to, I just want to like sit and do
00:17:21
computer things. Like this is my happy place.
00:17:22
I really want to be thinking about like what is my personal
00:17:25
brand or all of that kind of stuff, but like it really can
00:17:30
help in terms of like you know folks, kind of knowing your name,
00:17:33
folks, knowing who you are, um, you know being being somebody
00:17:38
who's putting you know, writing a blog, publishing posts on
00:17:41
LinkedIn or different things like that.
00:17:43
Like those things can help.
00:17:45
I mean, it's nothing is guaranteed, but like thinking
00:17:48
about how you're putting yourself out there and kind of
00:17:50
the public presence that you have, uh, can can help,
00:17:54
especially like in those early, kind of early stages where
00:17:56
you're trying to break in.
00:17:58
I think.
00:18:00
Speaker 1: Yeah, you know, and when you're doing that, I always
00:18:03
thought that I didn't have anything unique or valuable
00:18:07
enough to like provide to the industry.
00:18:09
Right, why am I creating some you know extravagant LinkedIn
00:18:14
posts or a blog post?
00:18:15
Right, like I don't have anything special, like I'm
00:18:18
nobody, um, but it gives you a voice, really, when you don't
00:18:24
really have a voice outside of it.
00:18:26
You know, and you know you're not going to be able to do that.
00:18:28
It's very easy to snowball the interactions and the views and
00:18:33
downloads right, like with a podcast or a blog or anything
00:18:36
like that, and I found that it's actually really beneficial.
00:18:43
Like I've gotten opportunities just because I started that blog
00:18:47
and I started this podcast.
00:18:49
Right, I've gotten opportunities I never would have,
00:18:52
I never would have even been considered for, I never even
00:18:56
would have considered myself for them.
00:18:58
It only benefits you because, as you're doing it, you're
00:19:04
developing other skills.
00:19:06
You're developing new skills of how to think about a technical
00:19:10
topic and then write it in the way that many people can consume
00:19:15
it.
00:19:15
That's something that's actually really unique.
00:19:19
That published authors even struggle with is actually taking
00:19:24
a technical topic and dumbing it down.
00:19:27
Enough, I mean, I don't want to say dumbing it down, but like
00:19:30
yeah, like making it accessible.
00:19:32
Yeah, you're taking it down to its most basic parts and you can
00:19:35
say like OK, if I can visualize this, I can build everything
00:19:39
else off of it.
00:19:41
Speaker 2: Yeah.
00:19:41
Yeah, I mean yeah, sorry, go ahead.
00:19:45
Speaker 1: No, you go ahead.
00:19:47
I wasn't going to say anything of value.
00:19:50
Speaker 2: I doubt that, but I just want to like piggyback on
00:19:53
that because I it's folks.
00:19:55
Folks I get people asking, well , like how do I get into
00:19:58
security research or what skills do I need to have?
00:19:59
And I think writing and effective communication is one
00:20:02
of the most underrated skill sets.
00:20:04
Like nobody is going to care about the really cool zero day
00:20:10
you just found, like in anything , if you can't effectively
00:20:13
communicate why it matters like nothing.
00:20:15
Nothing is going to change that.
00:20:18
And so being able to to like communicate those ideas
00:20:22
effectively and at different levels like you know, in my role
00:20:25
now, like I have to talk to folks who are, you know, who are
00:20:29
other researchers, who are deeply in the weeds, like I am,
00:20:31
and also like folks at the executive level so being able to
00:20:35
kind of go between those two levels and figure out like well,
00:20:38
what's important to like bubble up to folks who maybe don't
00:20:41
want all the weeds, don't have time for it or that's just not
00:20:44
their, their wheelhouse Like being able to do that and figure
00:20:47
out like what is my like, what is the executive summary of what
00:20:50
I'm trying to say?
00:20:51
Essentially, it's really important and I know it's not
00:20:53
like the most exciting thing, but it's so so critical for
00:20:57
being able to, like, get get your work noticed, get your work
00:20:59
kind of help, push it forward, to help others understand the
00:21:04
impact that you might be having or could have.
00:21:06
Being able to communicate is just, especially in a written
00:21:11
form, is just so, so important.
00:21:12
I can't, I don't know, I can't understate that or I can't
00:21:16
overstate that enough.
00:21:18
Speaker 1: Yeah, you know, when I was working for a credit
00:21:22
bureau Actually, this was the only time that I ever had a
00:21:28
technical writer on the team and she was, you know, fresh out of
00:21:32
college studied English.
00:21:34
You know, maybe the most boring topic to me, like when I took I
00:21:39
delayed taking.
00:21:40
I had two English classes to take an undergrad and I delayed
00:21:43
taking them both until like senior year because I hated them
00:21:47
so much and everyone's like, oh, you're the oldest person in
00:21:51
here, like we're all freshmen.
00:21:52
I'm like, yeah, I hate English so much.
00:21:55
Speaker 2: Yeah.
00:21:56
Speaker 1: Like I'm already speaking it?
00:21:57
Why do I need to learn about it?
00:21:59
You know, that was just my mentality with it, but it was
00:22:04
really helpful for her to be there.
00:22:08
Right, that had that different, totally different skill set.
00:22:11
Right, she's not technical at all.
00:22:13
So when we're talking about technical things and she has to
00:22:16
take notes and create a paper about a community post, whatever
00:22:20
it is, you know she she would have to slow us down, be like,
00:22:25
hey, break this thing down for me.
00:22:27
You know, why does it work like this?
00:22:29
Why does this make sense?
00:22:30
Why did you say this?
00:22:32
You know, and she also learned a lot, and now she's moving into
00:22:36
more technical roles, you know, just from that experience,
00:22:40
which is really it's really interesting.
00:22:42
Speaker 2: You know, I never would have thought that that was
00:22:45
a possibility, you know yeah, I mean I worked with someone who
00:22:50
excellent pen tester, one of the best I've worked with who in
00:22:53
terms of like writing reports, thinking through ideas,
00:22:56
collaborating with others and just obviously the skill set
00:22:59
that he had he was like a master's in literature. Like no,
00:23:04
no, like formal educational background and it like totally
00:23:06
different, but it gave him this different perspective and it
00:23:09
gave him a way to be able to really clearly communicate the
00:23:13
ideas and the things that he was finding and it just, I mean, it
00:23:16
just made him a stellar pen tester.
00:23:18
Like he was just fantastic at his job because he could
00:23:21
actually talk about at multiple different levels like what he
00:23:24
was finding, why it mattered.
00:23:25
Why should we care?
00:23:26
Why do we need to patch this?
00:23:27
It was just, yeah, I think having those like different
00:23:33
backgrounds on a team is so, so important because you get all
00:23:37
that different perspective.
00:23:38
Speaker 1: Hmm, so you know, let's dive into what a security
00:23:43
researcher is and what your, what your day to day looks like.
00:23:46
You know, are you?
00:23:47
Yeah, we'll just start with that before I start diving into
00:23:51
my million questions.
00:23:53
Speaker 2: Yeah.
00:23:53
So security researcher, I think , is one of those very, very
00:23:56
broad terms that can mean a lot of different things depending on
00:23:59
where you are.
00:24:00
In some cases, you know these are folks who are doing exploit
00:24:05
development or research or vulnerability research.
00:24:07
In some cases, you know they're working at vendors and they're
00:24:11
they're studying things that are happening on endpoints, that
00:24:15
their vendors are watching.
00:24:16
So for us, for me and for my team, you know we we sit, we sit
00:24:21
with access to this really really comprehensive map of the
00:24:25
Internet.
00:24:26
So Internet wide scan data, the entire IPv4 space, and so
00:24:30
really for us there's a, there's a couple of like kind of, I
00:24:34
think, common paths that our day might take.
00:24:36
On one hand, there's a lot of just exploratory data analysis.
00:24:41
Like the Internet's a really big place, really weird place.
00:24:43
There's lots and lots of stuff.
00:24:45
To you know, there's always new rocks to kick over.
00:24:47
So in the case that like there are fewer internet fires than
00:24:53
usual, like we'll do some exploratory stuff, we'll dig.
00:24:55
Well, like I noticed this weird thing, I want to look into it,
00:24:58
and so like just kind of the natural curiosity takes over and
00:25:02
then, kind of on the flip side, is the slightly more reactive
00:25:05
work when you know a CVE comes out that's like critical or says
00:25:10
add something to the KEV list.
00:25:11
Or you know there's something really going on in the security
00:25:14
news cycle and if that's something that we have the
00:25:17
ability to see as in like it affects a public internet facing
00:25:20
device, we'll go and look for it in our data and try to
00:25:24
understand.
00:25:24
You know how broad is the impact of this particular
00:25:27
vulnerability.
00:25:28
You know how many hosts, where are these hosts located?
00:25:31
Are there particular autonomous systems that are really
00:25:34
affected by it?
00:25:34
And so that's kind of the more reactive piece.
00:25:38
So it just sort of depends on, kind of like, what's happening
00:25:40
in the world, what we end up looking at, and we also, like I
00:25:44
say what's happening in the world because there's also the
00:25:47
geopolitical angle to that as well.
00:25:48
You know, when there are conflicts or very big things
00:25:53
happening, whether they're natural disasters or other
00:25:56
things, from our perspective we want to better understand.
00:25:58
You know, what does internet connectivity look like there
00:26:02
and what can we say about.
00:26:03
You know operational technology in these regions.
00:26:06
What can we learn based on kind of patterns around them being
00:26:11
online versus offline?
00:26:12
So what color can we add to those stories, and what context can we
00:26:16
add to those?
00:26:17
So yeah, it's kind of a mixed bag of things and again, that's
00:26:22
pretty unique to sort of what we have access to at Censys and
00:26:26
sort of what we do.
00:26:27
But more broadly, like, I think security research is just a lot
00:26:32
of being very curious about whatever data you have at hand.
00:26:37
Speaker 1: So what?
00:26:37
What is Censys?
00:26:38
What?
00:26:38
What do you guys do?
00:26:41
Speaker 2: Yeah, so there's two pieces to what we do.
00:26:43
So on the one hand, we have our exposure management or attack
00:26:48
surface management platform.
00:26:49
So if you've been in IT, you've been in security, you know that
00:26:53
asset management is not really an easy thing.
00:26:55
It's kind of a pain, and so the idea there is that we help
00:27:00
teams identify all of the things on the Internet that they own,
00:27:02
that they're going to be able to get access to, that they own,
00:27:04
that their company owns, ideally making it easier for them to
00:27:08
sort of administrate them.
00:27:08
If there are problems with them, like end of life software, or
00:27:13
maybe we think you're running something that might be
00:27:15
vulnerable to this new CVE that's popping off, we want to
00:27:17
let you know about it.
00:27:18
So that's one big piece of what we do.
00:27:22
And the other big piece is Censys Search and data, and this
00:27:26
is near and dear to my heart because this is what my team and
00:27:28
I really really focus on.
00:27:31
So Censys scans the entire IPv4 space all day, every day, and we
00:27:36
maintain this, this comprehensive map really, of the
00:27:38
Internet.
00:27:38
So Internet connected devices, edge devices, you can go to
00:27:43
search.censys.io and find these things
00:27:49
in our data and start to look and investigate them.
00:27:50
So where this gets really cool is if you're a security
00:27:54
researcher, maybe you want to investigate some recent threat
00:27:57
actor activity and you want to understand what you're doing and
00:27:59
you want to understand more about their infrastructure so
00:28:02
you can use our data.
00:28:02
We have both the host data set so all of those IPv4 and some
00:28:07
IPv6 hosts and we also have a certificate data set.
00:28:10
So we ingest lots of CT logs, we ingest lots of certificates
00:28:17
on the order of billions, and so that also is a really
00:28:21
interesting data set to play with in terms of looking for
00:28:26
interesting infrastructure based on based on certificates.
00:28:28
So it's kind of Censys in a nutshell.
00:28:33
Speaker 1: By chance?
00:28:35
Did you see any sort of I guess new infrastructure stand up or
00:28:41
new attacks launched before or even during the Russia Ukraine
00:28:49
conflict and now Israel Hamas conflict?
00:28:51
Did you, did you see any, any kind of digital precursors?
00:28:57
Speaker 2: Yeah, so I can't get into super detailed response
00:29:00
here, but yes, these were, these have both been things that
00:29:03
we've we've followed pretty closely and just trying to get a
00:29:06
better handle on again, like some of the things that we're
00:29:09
often interested in these scenarios are, you know, what does
00:29:13
operational technology infrastructure look like leading
00:29:16
up to, during the, during these types of events?
00:29:19
So, yes, there are definitely changes you can start to track
00:29:24
and start to see, unfortunately, when these things unfold.
00:29:29
Speaker 1: Yeah, it's really interesting because I feel like,
00:29:32
you know, in the in the digital age of, like, big data, you
00:29:37
know, I feel like, before a you know physical kinetic attack
00:29:43
ever happens, there's typically, you know, some sort of attack
00:29:48
or preparation in cyberspace, right.
00:29:53
And so I've had, on other people that you know have looked
00:29:58
specifically at Russia, Ukraine, and they're a little bit more,
00:30:03
I guess, liberal with what they say, because they're a little
00:30:05
bit closer to the battlefield, so to speak, and it's just, it's
00:30:10
just a fascinating area, you know, because it's it's like a
00:30:13
developing, it's almost like a developing space of security
00:30:17
right in front of us, of identifying like, oh, something
00:30:21
might be going on over here or, you know, like, whatever it
00:30:24
might be.
00:30:25
Because you know, as, as I guess, kinetic attacks are kind
00:30:30
of, they're kind of, you know, basic or very standard and you
00:30:36
know what they are and how they're deployed and things like
00:30:38
that.
00:30:38
The cyberspace side of it is that new evolving field that now
00:30:45
countries are diving more into.
00:30:47
That you know, it's interesting to see, like even how the NSA
00:30:52
uses cyber cyberspace.
00:30:54
You know, like it's really fascinating to see that.
00:30:59
Speaker 2: Yeah, one thing that was super interesting to me
00:31:02
during the kind of the ramp up of the Russia Ukraine conflict
00:31:08
was the Ukrainian IT army, a sort of self-organized group of folks
00:31:12
on Telegram who are just like we're going to try and attack
00:31:16
Russian infrastructure.
00:31:17
And it was just this sort of kind of ad hoc group of folks
00:31:21
who were trying to like DDoS, different Russian sites or you
00:31:24
know, do what they could to have some kind of impact, to like
00:31:27
impose cost and difficulty on Russia.
00:31:30
And I don't actually know like how impactful it was.
00:31:33
I know there have been, there have been some studies that have
00:31:35
come out that have talked about that.
00:31:36
I haven't looked super deeply into them and like that's a
00:31:39
fascinating thing too is you have, you know, and at one point I
00:31:43
want to say it was like somebody high up in government in
00:31:48
Ukraine was like, hey, we're developing an IT army, come join
00:31:51
us.
00:31:51
And I cannot remember his, his exact position or title, but it
00:31:55
was like this call to cyber arms, so to speak, of like, hey,
00:31:59
we're doing this, like you know, hop in, we're going to go,
00:32:02
we're going to go try and, like you know, lob some attacks
00:32:05
toward Russia.
00:32:06
And so that was just fascinating to me to see like
00:32:10
such a large scale kind of civilian orchestrated thing.
00:32:15
And so, yeah, I think you're right, like I think this is a
00:32:19
very interesting time, like we've seen, you know, kind of
00:32:25
precursors to these sorts of things in the past.
00:32:27
But I feel like this is really like this is the new way forward,
00:32:32
like this is how things will go going forward.
00:32:35
And so you know, if a nation is spending a lot of time
00:32:39
developing offensive technology and kind of letting the
00:32:42
defensive piece of it from a cyber perspective sort of fall,
00:32:47
I think, just broadly speaking, I think that's a huge disservice
00:32:50
because, you know, while the exploits are cool, like you've
00:32:54
got to be able to defend, you've got to be able to detect and
00:32:57
defend these types of things.
00:33:00
Speaker 1: Right, yeah, you know, with the IT Army of Ukraine,
00:33:04
when, when that was actually starting you know I'm not a
00:33:08
hacker by any means, like I can spell the word, but like, when
00:33:11
it comes to actually hacking things, you know, I'm not the
00:33:14
person that you should be going to ever.
00:33:16
And when that stood up, you know, I went onto the website to
00:33:21
see, like you know, like okay, you know, how successful could
00:33:25
this really be.
00:33:26
Like it's Russia, you know, like Russia has a pretty good
00:33:28
cyber warfare program.
00:33:29
You would think, like they have this stuff locked down,
00:33:33
probably better than ours even.
00:33:35
You know, because they don't have as many.
00:33:37
You know, I view it as they don't have as many like politics
00:33:41
in between their engineers and what actually needs to get done.
00:33:45
And I was on the site, and I mean constantly.
00:33:50
This is a site of hundreds of targets and the entire time that
00:33:54
I was on the site, every single thing was down.
00:33:58
Speaker 2: Yeah, yeah, so there were there were all of these
00:34:00
like coordinated DDoS campaigns and like they were just sending
00:34:03
like multiple requests obviously as a DDoS would, but like it
00:34:06
was just this in browser thing, like they made it very easy to
00:34:10
actually do, which I thought was fascinating.
00:34:12
So, like I it was, it was kind of interesting to see that like
00:34:18
yeah, they actually did like DDoS a bank or like other
00:34:21
different like services and companies.
00:34:22
It was like, oh, this is, this is an interesting phenomenon.
00:34:26
Like I don't think I've ever actually seen this play out in
00:34:29
my lifetime like this.
00:34:32
Speaker 1: Yeah, I don't think anything, maybe.
00:34:37
I mean was like the last time, you know, a large group of
00:34:42
people came together and achieved something.
00:34:44
Might have been like the collapse of the Soviet Union,
00:34:47
you know, like when they had the protest across Europe, right
00:34:49
like yeah maybe I don't know, you know, the first one in cyber
00:34:55
warfare, like for sure, cyberspace for sure.
00:34:59
Speaker 2: Yeah, yeah, definitely, like I think that
00:35:01
was just what was so like I even still looking back, like it
00:35:06
just almost doesn't even feel real, which is maybe and I don't
00:35:10
mean that to sound insensitive like I know it's very real for
00:35:12
folks who are experiencing like the direct impact of it.
00:35:15
But you know, kind of sitting back from a, from a strictly
00:35:19
like cyber perspective, just what a fascinating kind of like
00:35:26
of unfolding of events, I guess.
00:35:28
Speaker 1: Yeah, so you talked about, you know, shoring up the
00:35:33
deep defenses and ensuring that you're good on the defense side.
00:35:37
How, how do you go about doing that?
00:35:40
Because so for companies, for large companies, that is a
00:35:47
seemingly insurmountable task that you will just forever, you
00:35:52
know, be doing.
00:35:53
You're never going to be on top of it, you're never going to be
00:35:55
in front of this thing.
00:35:56
You know you're always kind of trying to play catch up, right,
00:36:02
and there's a lot of different facets to that in and of itself.
00:36:07
But then when we talk about a country and the critical
00:36:11
resources within the country and the different, you know
00:36:15
companies that you know are small businesses.
00:36:20
You know one person owns it, runs it, does everything
00:36:23
themselves.
00:36:24
They have one contract with the government.
00:36:26
That's all that they do for 40 years.
00:36:28
You know who cares about IT at that company.
00:36:32
Right, like this guy's doing all the work.
00:36:34
You know how, like where do you?
00:36:38
Where do you start?
00:36:39
You know how do you?
00:36:41
How do you get ahead of this thing?
00:36:43
Can you get ahead of this thing, or is it just forever a losing
00:36:46
battle?
00:36:47
Speaker 2: So I, so as, like a former defender like I, I got
00:36:52
used to hearing like, oh, you know, you're always behind like
00:36:54
you're, you know they only have to be right one time.
00:36:57
You've got to be right all the time, like all of that kind of
00:37:01
stuff, and so I think it does feel oftentimes like we're at a
00:37:05
little bit of a disadvantage trying to defend.
00:37:07
But I, I think, and to like to be clear, I am not a policy
00:37:12
expert or anything like that.
00:37:13
This is just sort of my off the cuff, like thinking about this.
00:37:17
So like I would almost take some of those like you know,
00:37:20
principles that I would try to apply at a company and sort of
00:37:24
expand them in a sense.
00:37:26
So like there are a couple of things that like, if I'm coming
00:37:30
into a company we'll use this analogy I'm coming into a
00:37:32
company as a defender with no like actual blue team, no
00:37:36
defense to speak of, right.
00:37:38
There are a couple of things that I would do right, and one
00:37:41
of those is make sure there are logs and lots of them, get a
00:37:46
handle on the assets that we own, like where is everything,
00:37:49
where is all my stuff, and get kind of a sense of just like,
00:37:53
what is what does normal look like here in terms of logs and
00:37:58
traffic and behavior and employee actions and all of
00:38:01
those kinds of things like get some baselines.
00:38:03
These are very, very broad, I realized.
00:38:04
But like so.
00:38:06
So those are a couple of things that I think are really
00:38:08
important, as like trying to build a defense program, like as
00:38:12
a cyber defender, right and I think you can kind of
00:38:15
extrapolate that a little bit to a larger level as well right,
00:38:19
like for for a country or a nation state understanding, you
00:38:23
know, where are all of my really important assets?
00:38:27
Where are all of my operational technology?
00:38:29
Who runs it?
00:38:30
Do I have relationships with those, those organizations or
00:38:33
individuals?
00:38:34
Could I like identify all of them right now, if I needed to?
00:38:38
Do I have a list of those things?
00:38:39
Do I understand what normal activity and I will leave that
00:38:44
very broad do I understand what normal activity looks like?
00:38:47
You know, having a sense of, again, baselines, I think is
00:38:51
really important.
00:38:53
And then telemetry, right, like and I think we obviously have
00:38:57
many agencies who this is their sole focus, right, so, like, I
00:38:59
think this is probably an area where we're, you know, where
00:39:02
most most organized.
00:39:04
Most countries, I would say, probably already have a good bit
00:39:07
of this going.
00:39:07
But, like, having the proper telemetry in place is really
00:39:10
important so that you can actually start to understand
00:39:13
what is normal, what is unusual.
00:39:15
And can I actually point to measurements and point to like
00:39:18
data to say like this is something that's concerning. Well,
00:39:22
why?
00:39:22
And so I.
00:39:24
So I think I feel like maybe that's a cop out answer.
00:39:27
But just like thinking broadly about like how I approach it at
00:39:30
companies versus how I would approach it for a larger kind of,
00:39:33
on a larger scale, like I think a lot of the principles
00:39:36
kind of remain the same.
00:39:39
Speaker 1: Yeah, yeah, that's a.
00:39:40
That's a good point.
00:39:41
I mean the principles, they tend to remain the same, it's
00:39:45
just at a much.
00:39:46
You know huge, or scale, yeah, significantly, multiple times
00:39:51
over, you know.
00:39:54
So I really want to talk about maybe what, what's some of the
00:39:59
research that you've that you've dove into right, what's maybe
00:40:04
some interesting areas that you've, you know, researched,
00:40:07
written papers about, potentially things like that.
00:40:11
Speaker 2: Yeah, there's been actually quite a few interesting
00:40:14
things I think we've looked at this year.
00:40:16
I think probably the one that I'm closest to has been all the
00:40:21
managed file transfer shenanigans.
00:40:23
I often joke now that MFT actually stands for my favorite
00:40:28
topic, because it's like all I thought about for months on end.
00:40:31
So kind of looking at that whole ecosystem which we're
00:40:36
shifting, really we're taking like a hard left away from like
00:40:39
talking about nation state, like cybersecurity to like cyber
00:40:42
crime, right, totally different flavor of things and different
00:40:45
flavor of actors and all of that.
00:40:46
But this was actually like, so, so we had MOVEit over the
00:40:52
summer, which has just been kind of really this awful like
00:40:56
fallout we're seeing.
00:40:57
There have been some others in the past, GoAnywhere, you can go
00:41:01
all the way back to like 2020 and you see, like kind of the
00:41:05
way I think of it is like the bookend.
00:41:07
This sort of initial file transfer hack that was kind of
00:41:13
along the same lines was Accellion's legacy file transfer
00:41:18
and that was a CLOP operation.
00:41:19
So CLOP extortion group, ransomware group, all of that
00:41:22
right, and they've actually gone on to hit several other tools
00:41:25
in this category.
00:41:26
So I think it's been written about, folks have talked about
00:41:30
it.
00:41:30
But there have been multiple tools in this vein that have
00:41:33
been targets of attacks, particularly by CLOP, in some
00:41:38
cases for ransomware, in some cases just pure extortion.
00:41:41
And it's really interesting because, like, if you look at
00:41:46
their leaks site, so they'll post the data leaks or a sample
00:41:49
of them on their leak site, they'll give a company time to
00:41:51
respond and then, if they don't like, they'll go public with the
00:41:54
data and they'll actually, you know, post notes and say like,
00:41:58
hey, we're not interested in, like, government data, we're not
00:42:00
interested in like all of that.
00:42:02
Like we're just we're financially motivated.
00:42:04
Like they will explicitly say we're just doing this to make
00:42:06
money.
00:42:06
And it makes a lot of sense because these tools are, like,
00:42:13
if you look at any of the websites for these tools, for
00:42:15
MOVEit, for GoAnywhere, for ShareFile, for all of these
00:42:19
other tools, right, the idea behind them is that they they
00:42:22
facilitate secure file transfer between and within organizations
00:42:27
and they do it, are claimed to do it, in a way that is
00:42:30
compliant with, like lots of different regulations.
00:42:32
So GDPR, PCI, you know your alphabet soup there and so, like
00:42:38
this has been kind of fascinating to follow for me
00:42:41
because, from a financially motivated threat actor
00:42:44
perspective, these tools are like a goldmine.
00:42:47
They are usually adopted by enterprise organizations, so like
00:42:54
lots of data at play, and they also.
00:42:56
So we did some research over the summer when MOVEit kind of was
00:42:59
popping off and we actually looked at every MOVEit instance
00:43:03
on the internet that we could find several thousand of them,
00:43:07
and then we went through and did attribution on all of them,
00:43:11
like we wanted to see who owned them, and so we ended up being
00:43:14
able to do that for I want to say, around 1500 of those
00:43:16
instances, and what we found was that the majority of these,
00:43:21
these instances were either in financial services companies or
00:43:24
healthcare companies, so these are really highly regulated
00:43:28
industries.
00:43:28
We also found a non trivial amount, like in government,
00:43:32
government space as well, but these are like highly regulated
00:43:35
industries that have, you know, arguably pretty sensitive data
00:43:39
on hand and they're big companies.
00:43:41
So like that's been really fascinating to follow and I
00:43:44
think like I'm really curious to see kind of the next evolution
00:43:48
of this, because I have this sort of suspicion that these
00:43:55
kind of like back office apps, so they're not necessarily like
00:43:59
customer facing software, but they're like B2B types of
00:44:01
applications.
00:44:01
I feel like this is an interesting area for threat
00:44:06
actors, because it's not necessarily something I think
00:44:11
we've often, you know, thought about in terms of like the
00:44:12
security of these tools, because they're they're not like again,
00:44:16
like necessarily consumer facing all the time.
00:44:17
So I'm kind of fascinated with, with that. Especially so, like
00:44:23
also enough, I'm rambling a little bit.
00:44:27
But one, one final thing I'll say kind of along these lines is
00:44:28
during all of this file transfer sort of wild activity,
00:44:33
back in April we also saw PaperCut print server software was
00:44:36
also attacked by CLOP and LockBit, and it wasn't a
00:44:40
ransomware extortion.
00:44:40
They essentially like used those servers to like gain access,
00:44:43
gain a foothold on the network and then install some like
00:44:46
remote management software.
00:44:47
But again, like this is sort of a like a B2B kind of tool.
00:44:49
It's not necessarily like something that's customer facing
00:44:55
or client facing, but it's there to like facilitate
00:45:01
business, and so I'm kind of fascinated with this whole
00:45:03
category of software and and sort of like.
00:45:06
I think I'm kind of like,
00:45:09
and sort of what we will see in the coming
00:45:14
months and years as far as like those, those tools being
00:45:16
targeted.
00:45:19
Speaker 1: Yeah, you know, earlier on in my career I worked
00:45:22
for a company that was B2B and you know I didn't think I never
00:45:29
thought anything of it.
00:45:30
You know, like if I had to transfer files to them or
00:45:35
whatever might be, I didn't think anything of it.
00:45:37
You know, I was told, open up this tool, log into this thing
00:45:42
and do it.
00:45:42
You know, sometimes I didn't even have to log in and now, now
00:45:49
that I'm in security, right, like it's like oh, that was
00:45:52
actually like really bad that was.
00:45:55
You know that that was frowned upon.
00:45:59
You know it's, it's fascinating because it's a, it's a solution
00:46:06
that just about every company has to have, some some sort of
00:46:09
you know way of doing it right.
00:46:11
And it's really tricky because you're moving potentially
00:46:15
sensitive data across the internet from one company to
00:46:19
another and you need to be able to send it securely, receive it
00:46:23
securely and, you know, move it within your own network, knowing
00:46:28
that it's not malware or some sort of you know Trojan, that's,
00:46:32
that's, you know, waiting to strike or you know, looking at
00:46:37
your network and whatnot.
00:46:38
It's, it's an interesting area and, you know,
00:46:45
I find it really fascinating that recently
00:46:50
those attacks have kind of picked up.
00:46:52
Right Like now.
00:46:53
I'm starting to think of you know things that are going on in
00:46:56
the world and being like, oh, like is it?
00:46:59
Is it getting attacked this way?
00:47:01
Um, you know, and then my mind also goes down the rabbit hole
00:47:05
of well, the government still uses you know couriers, like
00:47:09
actual, physical people, real people, to take you know
00:47:13
sensitive documents from one facility to the other.
00:47:16
Um, they still actually do that.
00:47:19
I mean maybe there's something to that right, like I don't know,
00:47:22
like yeah, I mean you know, just you know, with my limited
00:47:27
experience with the government, you know they they trust, they
00:47:31
trust their technology, they trust their IT, you know
00:47:34
architecture and team and everything like that, but they
00:47:37
only trust us so much, right, right, like there's still that's
00:47:41
like the paranoid part of society, like you want to talk
00:47:45
paranoia.
00:47:45
Like go work for the government, you know, like I've I've been
00:47:49
in facilities where you know it's a cube farm and people have
00:47:53
mirrors situated, you know, very specifically at their
00:47:58
monitor so that they could see if anyone's looking at their
00:48:01
computer behind them without them knowing or whatever.
00:48:04
Um, like that's the sort of people that are that are in
00:48:09
those jobs doing that work.
00:48:11
Speaker 2: I mean that's kind of fascinating because it I mean
00:48:14
it sounds like it sounds a lot like a lot of security folks I
00:48:17
know, um, to some extent right, like, and I think I think
00:48:23
there's a healthy, there's something kind of healthy about
00:48:26
that, about not totally trusting everything like trust, but
00:48:29
verify trust to a point but then just kind of assume, like
00:48:33
always assume the network is out to get you always assume that
00:48:36
there's something compromised somewhere, like, and I think,
00:48:40
yeah, it's kind of an exhausting like sort of overly paranoid
00:48:43
way to think about things, but like we're also kind of paid to
00:48:45
be paranoid.
00:48:46
I think in some, in some respects, um, we kind of have to
00:48:50
assume that that could be the case.
00:48:52
Um, and so, yeah, I it's that's really funny because, like I
00:48:57
said, I've I've definitely worked with a couple of people
00:48:59
who've been, who've been kind of on that level, um, and I mean I
00:49:04
respect it, I get it, um.
00:49:06
I think when that's when you're kind of looking at this stuff
00:49:10
all day, every day, you just kind of have to assume that that
00:49:12
something like that's going on somewhere.
00:49:16
Speaker 1: Right, yeah, you know trust but verify.
00:49:19
It's interesting.
00:49:20
You know, we even have to do that with, like security
00:49:23
solutions in this field, right, yeah, recently, you know, I did
00:49:28
a like a cloud native WAF POC and my, my manager chose a
00:49:35
product that I was very against.
00:49:37
You know that has its own, you know dynamics with it and
00:49:40
whatnot.
00:49:41
But, um, you know, at the end of the day, right, I'm an
00:49:44
engineer, I'll deploy whatever you tell me to deploy.
00:49:46
I think it's a bad idea, but it doesn't matter.
00:49:50
You know, um, and along with that came when he, when he chose
00:49:55
the other product, I'm like, okay, well, I don't believe that
00:49:58
it's going to do what it actually is supposed to do, and
00:50:02
so I'm going to set up a lab environment where all I do all
00:50:07
day long is attack this thing when we make a configuration
00:50:11
change.
00:50:12
You know, in front of an application, like I'm attacking
00:50:16
that very specific rule set and if it ever, you know, pops, if
00:50:21
it ever actually doesn't block it, like it's claiming, then
00:50:26
we're, you know, I'm going to be documenting all of it and
00:50:29
presenting it to you. Like, see, like we shouldn't have done this.
00:50:32
You know, um, like, even in security, we have to really take
00:50:38
those measures, because how do you know your EDR is actually
00:50:41
doing what an EDR should if you never try it?
00:50:44
Speaker 2: I 100% agree.
00:50:46
Um, I've also been in this situation, funny enough, like
00:50:49
with with a new WAF a few jobs ago.
00:50:51
Same kind of thing.
00:50:52
Like we need to test and make sure this actually, you know,
00:50:56
this does what it says it does and in our case, it actually did.
00:50:59
So we, if everything worked out well, um, but, yeah, I mean you.
00:51:03
I feel like you kind of can't always take things at face value,
00:51:06
particularly when you were essentially hiring a product to
00:51:10
do a job for you.
00:51:11
Like, the whole idea is that you can kind of offload some of
00:51:15
your like mental resources to this product, to this tool, and
00:51:19
you need to actually make sure you can, because then, if you
00:51:22
can't, you're going to end up in a really worse situation than
00:51:25
if you, you know, hadn't installed the tool in the first place.
00:51:27
Um, and it's, it's.
00:51:30
It can be hard to cut through like a lot of this sort of
00:51:33
buzzwords and jargon and kind of like oh, this, this will do
00:51:36
this, will it really, though?
00:51:38
Um, you know, I think, I think it's important to kind of have
00:51:42
an empirical approach and like no, like, show me the data.
00:51:44
I want my hands on the data, I want to see proof.
00:51:46
Um, yeah, yeah.
00:51:48
Speaker 1: Absolutely. Well, Emily, you know, and
00:51:52
unfortunately we're coming to the end of our time here.
00:51:55
Um, I feel like we could talk for another hour or two.
00:51:58
Speaker 2: Yeah, I agree.
00:51:59
Yeah, this has been great.
00:52:01
Speaker 1: Yeah, I'll, I'll.
00:52:02
I'll have to have you on again and we'll talk about you know,
00:52:04
maybe, maybe when you release, you know, some new
00:52:07
research or something like that.
00:52:09
You could absolutely come on and talk about it, Um, but you
00:52:12
know, before I let you go, how about you tell my audience, you
00:52:15
know, where they could find you if they wanted to reach out to
00:52:17
you, Um, and where they could find Censys.
00:52:21
Speaker 2: Yeah, so for Censys, you can go to censys.com.
00:52:23
Um, you can also go to search.censys.com, which is, which
00:52:26
is a lot of fun.
00:52:27
Go search, go play around.
00:52:29
It's free.
00:52:30
Uh, accounts are free, so you can sign up and um, go and have
00:52:33
some fun with that data.
00:52:34
Um.
00:52:35
And then for me, um, I'm on LinkedIn and Mastodon, primarily
00:52:39
these days.
00:52:40
Um, on LinkedIn, I'm just Emily Austin, um at Censys, and then
00:52:44
um on Mastodon, I am MLE, uh, at infosec.exchange.
00:52:49
Um, so, yeah, uh, that's how you can, how you can find me.
00:52:53
Um awesome.
00:52:56
Speaker 1: Well, thanks, Emily.
00:52:57
I really appreciate you coming on and I hope everyone listening
00:53:01
to this episode enjoyed it.