Jesse Trucks is the Minister of Magic at Splunk, where he consults on security and compliance program designs and develops Splunk architectures for security use cases, among other things. He brings more than 20 years of experience in tech to this role, having previously worked as director of security and compliance at Peak Hosting, a staff member at freenode, a cybersecurity engineer at Oak Ridge National Laboratory, and a systems engineer at D.E. Shaw Research, among several other positions. Of course, Jesse is also the host of Meanwhile in Security, the podcast about better cloud security you’re about to listen to.

Links:

• Blog entry: https://swagitda.com/blog/posts/on-yolosec-and-fomosec/
• Why the Worst Cloud Security Predictions Might not Come True: https://securityintelligence.com/articles/worst-cloud-security-predictions-not-true/
• First Known Malware Surfaces Targeting Windows Containers: https://www.darkreading.com/vulnerabilities—threats/first-known-malware-surfaces-targeting-windows-containers/d/d-id/1341230
• Justice Dept. Claws Back $2.3M Paid by Colonial Pipeline to Ransomware Gang: https://krebsonsecurity.com/2021/06/justice-dept-claws-back-2-3m-paid-by-colonial-pipeline-to-ransomware-gang/
• TeamTNT attacks IAM credentials of AWS and Google Cloud: https://www.scmagazine.com/home/security-news/cloud-security/teamtnt-attacks-iam-credentials-of-aws-and-google-cloud/
• School Cybersecurity: How Awareness Training Removes Attackers’ Options: https://securityintelligence.com/articles/how-awareness-training-improves-school-cybersecurity/
• Only 17% of organizations encrypt at least half of their sensitive cloud data: https://www.scmagazine.com/home/security-news/only-17-of-organizations-encrypt-at-least-half-of-their-sensitive-cloud-data/
• Return to Basics: Email Security in the Post-COVID Workplace: https://beta.darkreading.com/vulnerabilities-threats/return-to-basics-email-security-in-the-post-covid-workplace
• Zero Trust or Bust: What it is and Why it Matters to Data Security: https://securityintelligence.com/posts/zero-trust-why-it-matters-data-security/
• What the FedEx Logo Taught Me About Cybersecurity: https://www.darkreading.com/vulnerabilities—threats/what-the-fedex-logo-taught-me-about-cybersecurity/a/d-id/1341118
• How the Rise of the Remote SOC Changed the Industry: https://securityintelligence.com/articles/work-from-home-remote-soc/
• Organizations Shift Further Left in App Development: https://www.darkreading.com/application-security/organizations-shift-further-left-in-app-development/d/d-id/1341219
• Kate Turchin Wang YouTube: https://www.youtube.com/c/KeynoteSinger
• The Misaligned Incentives for Cloud Security: https://securityboulevard.com/2021/05/the-misaligned-incentives-for-cloud-security/
• Kelly Shortridge Twitter: https://twitter.com/swagitda_

Transcript

Jesse: Welcome to Meanwhile in Security where I, your host Jesse Trucks, guides you to better security in the cloud.

Announcer: If your mean time to WTF for a security alert is more than a minute, it’s time to look at Lacework. Lacework will help you get your security act together for everything from compliance service configurations to container app relationships, all without the need for PhDs in AWS to write the rules. If you’re building a secure business on AWS with compliance requirements, you don’t really have time to choose between antivirus or firewall companies to help you secure your stack. That’s why Lacework is built from the ground up for the cloud: low effort, high visibility, and detection. To learn more, visit lacework.com. That’s lacework.com.

Jesse: Every week, I read dozens of articles, hundreds of social media posts on several platforms, and thousands of private messages about cybersecurity. There is one single most pervasive theme from all of them: security messaging is binary; there are generally only two mindsets about security. Both of these are wrong.

First, there’s the sensationalists who dream of being Case, the antihero in Gibson’s novel, Neuromancer, which is, by the way, the greatest dystopian cyberpunk novel ever written. I will fight you on that. These jokers want the world to think they are the first and final defense against the alien invasion of sophisticated and powerful hackers. Really, most of these folks are trying to chase a non-existent adrenaline rush doing defensive security. Don’t get me wrong, I love being a defender. It’s just not strapping a saddle onto a missile and riding into the sunset.

Second, there’s the cyber-doomers who spread fear, uncertainty, and doubt—we call it FUD—about how cyberspace has already collapsed and we’re all on life support while the hackers outside [unintelligible 00:02:06] run amok in pure cyber-anarchy. These purveyors of apocalyptic doomscapes assure us all that culture of no is the only answer to keeping sanity and safety within our control. They live on and trade in fear, but all this does is cost more money and hinder the mission in business. Kelly Shortridge calls this YOLOsec and FOMOsec and does a much better job at this than I can. Go read her blog entry.

Meanwhile, in the news. Why the Worst Cloud Security Predictions Might not Come True. We security people are usually gloom and doomers. It’s our stock and trade.

However, the migration to cloud is moving the exposed attack surfaces. This may not mean an increase in risk for many organizations. This could simply be a shift in risk categories.