100% SIGNAL PODCAST

There are great stories in the security industry that aren’t being told. Fascinating people who fly below the radar and aren’t being heard. We know because we encounter them in hallways, hotel lobbies and just about everywhere imaginable across the globe. Everytime we think “I wish I had recorded that conversation so that everyone could hear it…” Our goal with Security Voices is to provide a place for clear-headed dialogue with great people that’s unencumbered by the hyperbole and shouting that’s far too common in security circles. We don’t have anything against sponsors or sales pitches, but they run counter to our goal of cutting through the noise,  so we don’t have either. We’re aiming for 100% clear signal. 

Got feedback? Drop us an email: info@securityvoices.org

marc_tremsal_propic.png

35/ MARC TREMSAL

Director of Product Management, Datadog

As longstanding cybersecurity companies lumber their way into the public cloud and "born in the cloud" startups fight for attention, cloud observability titan Datadog entered the security market in 2020 with two new products.  This is far from the first time a company has used an adjacent market to make the cybersecurity leap. Oftentimes it fails, but Splunk immediately comes to mind as a crossover success. Jack and Dave interview Datadog’s Marc Tremsal in this episode to provide a view into what cybersecurity looks like from the lens of a company steeped in the world of cloud infrastructure.

Datadog did not break down the doors of the industry, but rather was invited to enter by their customers whose needs were not being met by cybersecurity companies. Marc explains the mistakes that incumbents have made that have left a considerable opening for others— they have very little to do with technology and a lot to do with marketing and sales. From selling to CISOs rather than the people doing the work to overheated marketing claims, cybersecurity companies have alienated would-be cloud customers who openly wonder why they can’t buy protection the same way they purchase the rest of their infrastructure.

Marc talks through the challenges of staffing a cloud security product team—  how much do you value deep domain expertise? Do you shrug it off and simply hire the best developers?  We explain how the hottest talent on the market will be cybersecurity veterans who take the time to retool for the public cloud as they will hit the “goldilocks” spot for a growing throng of potential employers.

We wrap up a surprisingly optimistic conversation with a glance ahead to 2021 where Marc reckons consolidation of providers will be a key trend alongside a hard look at just how immutable some of our infrastructure truly is.

About Marc

Marc builds products for security and engineering teams. Currently, he's a Director of Product Management at Datadog, as well as an aspiring chess rec league player. He lives in Manhattan with his wife and their very small dog, but can regularly be found in his home country of France.

rich_mogull_edited.jpg

34/ RICH MOGULL

Rich Mogull- CEO/Securosis, CISO/DisruptOps

Our conversation with Rich Mogull was intended to provide an analyst view point on public cloud security. While Rich certainly delivered on this promise, the episode turned into something more important: therapy. 

 

If you find yourself wondering if you’re burnt out from cyber security and life in general, this is for you. Our conversation with Rich starts with the work he does in disaster response, focusing on his recent time responding to the COVID-19 pandemic as a paramedic.  He explains how key concepts of anti-fragility from responder culture such as “trench foot” and “changing your socks” also apply to the rough and tumble world of cyber security— especially in assessing yourself for burnout.

 

If you find yourself drowning in work and straining to catch up to the rest of the organization's push to the public cloud, this is for you.  We discuss how this happens quite naturally in most places, resulting in a dysfunctional norm of security teams inadvertently being left behind but still responsible for protecting the public cloud. Rich lays out a recipe for getting back on track, starting with making sure it simply isn’t time to throw in the towel and find a better gig.

 

If multi-cloud seems impossible to defend with the skills and resources you have, you’re probably right. Rich takes us through the mind-boggling complexity of what it takes to stay on top of a single public cloud environment, let alone several. He doesn’t mince words in his unflattering assessment of the challenges with all 3 major cloud service providers: Amazon, Google & Microsoft.

We wrap up with a hopeful look at what lies ahead for protecting the public cloud. Rich and Dave share examples of how long standing problems such as re-architecting are now solvable and operational challenges can truly be simplified when mantras like “shift left” move from buzzword bingo to new reality.

 

About Rich

Rich is the CEO of Securosis, a security research and analysis firm, and the CISO of DisruptOps, a cloud security automation platform based on his research. He has over 25 years of security experience and currently specializes in cloud security and DevSecOps, having started working hands-on in cloud nearly 10 years ago. He is also the principal course designer of the Cloud Security Alliance training class, primary author of the latest version of the CSA Security Guidance, and actively works on developing hands-on cloud security techniques. Prior to founding Securosis and DisruptOps, Rich was a Research Vice President at Gartner on the security team. Prior to his seven years at Gartner, Rich worked as an independent consultant, web application developer, software development manager at the University of Colorado, and systems and network administrator. He is also an active disaster response paramedic.

120010703_620274071963940_39661626348757

33/ ZACH MUSGRAVE 

Engineering Manager, Infrastructure Security - Yelp

In our 1st episode of the cloud sec series, Teri provided an expert’s broad view of what’s happening with security in the public cloud. In this episode, Yelp’s Zach Musgrave does the opposite: we go into the trenches to understand what it takes to protect a fully cloud native business on a daily basis.

 

While Yelp was born in ‘04, 2 years before Amazon launched its first AWS service, it started its cloud native journey in 2013.  Their early transition makes the company one of the longest tenured organizations who have defended a cloud native business at scale. Zach shares the fundamentals of how they work, from security team org structure and success measurement to key relationships across the company.  We dig into the 2 different but critical aspects of security: 1) protecting the infrastructure (people & systems) and 2) policing the Yelp ecosystem itself (defending business operations).

 

Zach explains how DevSecOps at Yelp was adopted not out of buzzword compliance but plain necessity: the need to safeguard 500+ microservices in production simply breaks a traditional security model. We explore some of the misconceptions with DevSecOps and the amount of care and feeding  it takes to make it successful.  We also cover  Yelp’s tooling which centers on generous amounts of open source and their own projects including their current work on the Enhanced Berkeley Packet Filter (eBPF).

 

We wrap up with some strong feelings about multi-cloud and readiness for the zombie apocalypse (they’re related, trust us) alongside forecasting the future for security tech as the cloud native tsunami rolls on. Spoiler: there’s no reprieve for old school network security.

 

About Zach

Zach Musgrave leads the Infrastructure Security and Security Platform teams at Yelp. These teams manage risk, conduct incident response, and build systems to improve security posture. Covered mandates include data security, AWS cloud security, automated scanning, intrusion detection, and internal access control.

 

Before switching to security, Zach spent time as an engineer doing performance optimization, devops, observability, and various flavors of data engineering. Throughout it all, he has come to have a deep appreciation for the intricate interplay between business needs and risk prioritization within a rapidly evolving organization.

 

Zach received an M.S. in Computer Science and Engineering from the University of Michigan. Back in the day, he was an English major.

  • Facebook
  • Twitter

© 2019 Security Voices.org