Exit Stage Left: Replacing Theater with Chaos

Posted by

Recorded at Cloud Native Security Day 2020

Capsule8’s VP of Product Management and Product Strategy, Kelly Shortridge explores how security theater leads to increased organizational friction, especially in the realm of software delivery, rather than promoting safety. She’ll contrast these dramatics with a security chaos engineering approach – one which embraces the importance of convenience, alignment with organizational goals, and the wisdom derived from failure.

Ramping up with FedRAMP


Cynthia Burke, Capsule8 Program Manager, gives a high-level overview of the Federal Risk and Authorization Management Program (FedRAMP) landscape and discusses some of the challenges of, and best practices for, FedRAMP compliance, using specific case study examples to help guide you and your team up the compliance hill with FedRAMP.

Capsule8 Product Demo


Secure production Linux systems at speed and scale


Monitoring, Detection and Protection for Production Linux Environments

Learn why organizations that need flexible production infrastructure security that embeds seamlessly into Linux systems choose Capsule8. The pioneer behind “ops-friendly” production security, Capsule8 delivers monitoring, detection and protection across cloud-native and on-prem private cloud environments. By using Capsule8, security teams have the visibility they need to detect incidents, investigate them, and protect against unwanted behavior, without adding operational risk or cost.

Learn more about Capsule8:

Flexible Deployment and Protection

For teams that want to leverage their existing operations workflows, Capsule8’s findings can be exported into your existing automation, orchestration, log management, and incident response tooling. For teams that prefer a zero-overhead graphical interface, Capsule8’s SaaS deployment allows you to manage the agent and detection policies via a hosted console.

Capsule8’s Protection is built for the unique threat models of production and cloud-native systems, leaving no coverage gaps in cloud or microservices environments and giving you consistent protection across all your enterprise infrastructure, far beyond typical endpoint security solutions.


Between 2 Kernels: Joel Fulton – E06


Things get a bit macabre in our latest episode of B2K featuring reformed CISO Joel Fulton. The two talk about the problem with products, how being a CISO is like living in a survival horror role playing game, and how a golf course is a metaphor for pursuing security.

Video Transcript

Kelly Shortridge: Welcome to another edition of Between Two Kernels. Today, my guest is Joel Fulton, who is the author of The Battle of Frogs, which is a book about Marine warfare, and sadly not about frog warfare, it’s human warfare. Did I get that right?

Joel Fulton: You did. You did. I learned it through my experiences defending a small Amazonian village from a horde of frogs using only a hoe and a glass of dirty water.

Kelly Shortridge: I see. Okay.

Joel Fulton: It’s life changing.

Kelly Shortridge: Yeah, that sounds it. So, it sounds like that really prepared you for the notion of data lakes at Splunk.

Joel Fulton: It did. That, and my experience doing full contact origami. So together that became what was necessary to do data lakes.

Kelly Shortridge: When you have the reports from Splunk, you put it into origami, and present it to the board?

Joel Fulton: Safely, right? Without any edges exposed, but yeah, I think you got it in a nutshell.

Kelly Shortridge: Great.

Joel Fulton: What is a data lake?

Kelly Shortridge: That’s a good question. I tend to think of it more as a data swamp for the most part. I think the idea is that you want a data lake-

Joel Fulton: Fetid, festering, stagnant.

Kelly Shortridge: Yes, exactly. It’s just full of just stuff that you don’t want in there, and you’re trying to sift through to find something drinkable. So I think data lake is kind of the shining ideal, but we don’t have it very often. What do you think?

Joel Fulton: I think we have mutually exclusive, hotly pursued goals. There’s huge value in all the data possible in my hands now. And that value, very specifically, is I want to ask questions of the data and don’t know the question to ask. So statistically, things like exploratory factor analysis. Why just look at p-value to certain relationships? To try to understand what questions aren’t I asking of the data? Maybe call that R&D. Exploratory, low risk, high yield, but infrequent high yield.
But production, defending the environment, I need to know exactly what data I have, why I have it, groom it, keep it current and protect it, reduce my legal liability for the exposure, for the retention of these data, all of that. And those are usually exclusive.

I think that James Bond doesn’t use every weapon that Q develops.

Kelly Shortridge: That’s true.

Joel Fulton: But Q has got to develop a lot of crazy weapons. And I think that we cause problems for ourselves by conflating the two. Q doesn’t fight, he’s the experimental side, so keep him locked away, so that when experiments go wrong and blow up, you limit the detonation. Maybe that’s how we should look at data lakes.

Kelly Shortridge: I don’t disagree with that. It also goes into the conspiracy theory that I’ve heard, is you left Splunk because your own Splunk bills were too high.

Joel Fulton: That’s neither conspiracy nor theory. Ironically, oddly, I didn’t have a license problem at Splunk. But, there’s a Stephen King story, and it’s macabre, and I’m not sorry for bringing it up, of a surgeon who was shipwrecked, and he’s on a deserted island. And along with him, washes up a crate of medical supplies. He’s got no food, but he’s got morphine and surgical supplies. And so, as the story progresses, he begins amputating parts of his body and consuming them to keep himself alive. And as the story concludes, everything extraneous is gone, lips, ears, the whole bat. And he’s down to the index finger and thumb, because he can still hold a scalpel, and he’s trying to figure out what to do next. That’s why I came to Splunk.

Kelly Shortridge: I’m not sure if I totally follow. It does sound an awful lot like the infosec industry cannibalizing itself.

Joel Fulton: It does.

Kelly Shortridge: It does.

Joel Fulton: If you boiled it all down, if you take away everything, the one thing I want is my central nervous system, it’s my intelligence. If you take away … And protection. I could survive without it. It’s kind of like that shipwrecked marooned surgeon. I can survive without a lot. I don’t want to just survive, I want to-

Kelly Shortridge: Right.

Joel Fulton: But if you have to peel it all away, I want intelligence. And so that, to me, was why I went to Splunk.

Kelly Shortridge: Interesting. I’m not sure if that’s the best pitch I’ve heard, I’m not going to lie.

Joel Fulton: I told you it was macabre.

Kelly Shortridge: Yeah. That’s interesting. Yeah. Maybe you have a future career in marketing.

Joel Fulton: Probably not.

Kelly Shortridge: Probably not, yeah.

Joel Fulton: I don’t know. What do you think? No, she’s laughing. No, I don’t. Her job is safe.

Kelly Shortridge: You’ve spoken about documenting what you’re divesting in your security strategy. So my question is, how can we divest the RSA conference from our industry?

Joel Fulton: Why do you go to the RSA conference?

Kelly Shortridge: Mostly to meet fine people like yourself and connect with them. And it’s the most convenient meeting spot.

Joel Fulton: It’s been disappointing, hasn’t it?

Kelly Shortridge: It depends. Some of the people are okay. If I die because of coronavirus, then it definitely wouldn’t have been worth it.

Joel Fulton: I don’t go to the floor. And when I meet other folks and talk to them, I ask them, why are you here? I’m an introvert naturally, and so I don’t like the crush of crowds.

Kelly Shortridge: Same.

Joel Fulton: It’s probably not unusual, right?

Kelly Shortridge: Right.

Joel Fulton: That skill or that predilection tends to draw people like us to these industries. I think so, totally. RSA isn’t for me. Perhaps RSA isn’t for you. And I think there’s a mismatch there. I’m going to just say dishonesty, by which we have a lot of these conversations about products changing the world.

Kelly Shortridge: Revolutionizing.

Joel Fulton: Right? Now, I’m going to be all self-aware and open to criticism, like you need that permission, I’m starting a products company. I firmly believe products wound employees. World War One, they learned if you shot to wound, you would take three soldiers out, because it took two to carry the wounded. If you shot to kill, you would only take one out.

Joel Fulton: Products wound people. And so instead of being a risk manager, or instead of being somebody who’s superb at understanding the memory process of an operating system, now you’re an expert at CrowdStrike, or Carbon Black. That reduces your functionality, it reduces your intelligence, it drops your morale, and then you know we’re going to subsist in three years.

Joel Fulton: And so we take people who are excellent at surviving off the land, like Tarzan, and we put them in a suit and we make them sit behind a desk, and they used to swing with the monkeys and it was awesome.

Joel Fulton: I think that a lot of people look at it this way. We have a lot of conversations about how do we pick a better tool, or how do we rationalize tools? Where trade wants you to get rid of them. Or how do we do a better job of not letting tools drive the process?

Joel Fulton: I think the mistake we make is failing to acknowledge people matter more than technology.

Kelly Shortridge: Mm-hmm (affirmative), definitely. Processes too, I would say. A lot of people ignore it. You can have the best technology in the world, but if your process is garbage, guess what? You’re going to have garbage as an output.

Joel Fulton: Or a wonderful process that repeatedly drives nonsense.

Kelly Shortridge: Yes, that’s true.

Joel Fulton: If you automate stupidity, it proliferates.

Kelly Shortridge: So basically like every AI tool.

Joel Fulton: Is there an AI tool?

Kelly Shortridge: I mean, they certainly claim it. Actually, on another Between Two Kernels episode, we talked about AI pretty extensively. And the conclusion was it’s basically like a toddler that has a knife. It’s just not great.

Joel Fulton: That’s interesting. Wandering in the garage with your new BMW.

Kelly Shortridge: Yeah. Something like that. So, you’re kind of presenting this landscape, it sounds to me, like a survival horror RPG. Which actually goes perfectly with the fact that you talked about open unencumbered APIs, which certainly makes it sound like the security industry has some sort of inventory weight limit. So are we in the survival role playing game?

Joel Fulton: Cool. People talk about the short tenure CISOs have. And they do it with a hint of shame, or there’s a problem like how can I succeed? Why is the average tenure only 18 months? Like it’s concerning.

Joel Fulton: What are the hallmarks of a great CISO? How do you win as a CISO? I know how to win as a CFO. I know how to win as a CIO. I know how to win as a head of sales. How do you win as a CISO?

Joel Fulton: It’s the reciprocal of all of them. What does a great CISO look like? Well, there hasn’t been an incident. Well, does the CISO control that? Well, no. So what does a great CISO look like?

Joel Fulton: Yeah, I think many CISO roles are very much like a survival zombie RPG, where you’re standing alone on a hill, trying to shoot all those zombies. But, it turns out you’re not alone. And it turns out if you took the satellite view, there’s somebody really close to you on the hill who’s fighting zombies. And one of the beautiful things about being a CISO is I don’t compete with you. So you can be the CISO for my competitor, UPS or FedEx, but together as CISOs we can trade threat intelligence, hiring practices. And we can, with two of us on the hill, get each other’s back. When you get eight of us on a hill, now it suddenly feels like a miniseries, and not as desperate.

Kelly Shortridge: Yeah. It sounds an awful lot like Allen Alford when he was on Between Two Kernels talking about the distributed tier network, where it’s basically think about blockchain, but it’s CISOs, and they’re all kind of trying to strive together. And ideally the string of the network helps everyone else.

Joel Fulton: It’s amazing. When people matter more than tech … I just left the thing with a bunch of CISOs. Why are you here? Because this is the only time I know all the people that do my job are here, and it turns out I’m not crazy. It turns out I’m not alone.

Kelly Shortridge: But what if it’s all a shared delusion? What if all CISOs are crazy, and they’re all just kind of missing the point? So the reason why I ask is I often think that there’s a lot of overthinking that happens in security, where ultimately, yes, in theory you don’t want some sort of incident. But to me, looking, again, more to the upside, it’s how do you recover most quickly? And also, again, how do you enable the business? I think a lot of times we err too much on the side of security as this kind of very definitive, concrete, this is exactly-

Joel Fulton: Do you?

Kelly Shortridge: I do. I’ve seen a lot of CISOs who think that way, where it’s like, no, my job is to just say no as much as possible. And I think that’s delusional.

Joel Fulton: Interesting. I agree. I don’t think that’s appropriate in every circumstance. And I think those are the folks that burn out the fastest.

Kelly Shortridge: That makes sense.

Joel Fulton: Because there’s no such thing as achieving security. Somebody else, and I think it was at the event that you and I … commented that security is like health, or fitness perhaps. You never achieve it. You’re always working towards it, and that’s one of your pursuits. When are you done? Well, you’re going to reach an age where now you’re staving off loss. Your improvements are done at this point. That kind of feels like security.

Joel Fulton: At Splunk, since we started talking about Splunk, I was hired by the CFO there, and that’s a little different. That’s a different org structure, and so I had some trepidation. I met him, liked him, but then let’s see how the org works out.

Joel Fulton: So we sat down for an orienting conversation, and he starts telling me this story about golf. He’s a golfer, and I am obviously not a golfer, and so … I’m avidly not a golfer. So he’s telling me that he’s at whatever the hole is, and he putted, and the line was different. The ball went a different way than he was used to, because he knew it so well he expected it, and didn’t get what he expected.

Joel Fulton: And so, the groundskeeper was there, and he says to him, “Hey, this thing isn’t doing what it did. What changed?” And so this is a long story, but I’m wondering where this is going, just like you are right now. So you feel like you’re in the moment.

Kelly Shortridge: Yeah. Golf is just not like, honestly, the war and zombie metaphors were grabbing me a lot more a little bit.

Joel Fulton: So you feel me, right?

Kelly Shortridge: Yeah.

Joel Fulton: I was like, where is this going? And he says, “The groundskeeper says to me, the golf course is a living thing. It changes all the time.” I thought, okay, all right, kind of feels like a Mr. Miyagi thing, but okay. And then he stops. He’s done with the story. He turns to me and goes, “That’s what security is. I know you’re never going to be done.” But I thought, holy smokes, he gets it. He gets it. It is the zombie apocalypse. You’re never done with zombies. They’re always coming. So knowing that, not deluding yourself, now what do you do about it?

Kelly Shortridge: The thing is, how is that different than other functions? Because I can tell you from not having come from security myself as a background, that’s pretty true across most functions. You’re never actually done.

Joel Fulton: Yes. But, there is a standard to which you can be held, and you can measure yourself and say to a third party, “See, I’m doing a good job.” You’ve got to be held to the same categories as your CFO.

Kelly Shortridge: The thing is, I think, like in a survival game, I think we just haven’t found the right metrics. I think, again, we’re trying to reach for those impossible metrics, like perfect prevention.

Joel Fulton: Good. We can’t have metrics.

Kelly Shortridge: Why?

Joel Fulton: Because to get the metrics, you need to have external validity. So, I am not going to tell you my measurements from Splunk when you’re not at Splunk, it’s inappropriate. Because of that lack of the ability to share that inside information, we can’t build an actual attainment. We don’t know what controls are effective regardless of the environment in which they’re employed. If we could, then we could realize things like a-

Kelly Shortridge: We shouldn’t have RSA as a conference.

Joel Fulton: And a lot of the people driving RSA, and the value there, might be completely irrelevant.

Kelly Shortridge: Yes. That’s honestly, my conspiracy theory here is that a lot of vendors specifically kind of drag people towards metrics. For example, types of malware found per month. Is that actually helpful? I don’t think so, but it’s certainly convenient for renewals, right?

Joel Fulton: Yeah.

Kelly Shortridge: Is it actually helping? I don’t know.

Joel Fulton: Yeah.

Kelly Shortridge: And as a final question, why is your startup in stealth? What makes you scared? I have a good idea, given the kind of flow of the conversation, with the war metaphors and zombies and so forth.

Joel Fulton: So you begged the question that I’m scared. You said, why are you scared?

Kelly Shortridge: In stealth, people are generally in stealth because they are worried about not being in stealth and revealing something or otherwise, or even hurting the business. So I guess on the flip side, why do you think stealth benefits you?

Joel Fulton: Yeah. It’s intentional. I’ve had the humbling experience of having people decline a job. That didn’t happen at Splunk. And it didn’t happen so much it was easy for me to think it was me. Right? It had nothing to do with me. So having people say no, now it’s like, wait, maybe you didn’t understand.

Joel Fulton: Why in stealth? Because there is momentum that is possible, and it’s possible to waste it or use it appropriately. So, our intent and plan is that we have our debutante in Paris when we’ve got a couple of customers that have great things to say about us, we are ready on the product, and then we can announce and get the ball rolling. The ball rolling to increase traction with hires, and the subsequent customers.

Kelly Shortridge: Basically the idea is that the hype train is going up the hill right now, and you’re going to start blowing the horn once it’s fast tracked to funding town or something like that?

Joel Fulton: That’s pretty good. Sort of. I’m not a Facebook guy. You can’t go on Facebook and find out a lot about me. And that’s because, one, I’m not that interesting. And two, I’m a private person. Probably like most people. So when I want to share something, I wait for people to ask, and make sure that I know them, that I trust them. And that’s just a personal thing. I’m not better than others. It’s just my style and approach.

Joel Fulton: So as we’re doing this, it’s easy to talk a lot about we’re doing this, we’re amazing at that. What we’re building … And so here’s the trite spoken, but it’s meaningful, is by CISOs forces us. So we’ve got 16 CISOs that are helping us build this product. And our goal is to be transparent, like your Android app. You know what it costs you. You know what permissions it needs. You know how to turn it off. You know how it delivers value. And to get it that simple and that right, we got to wait because a lot of talking about it early … Why do I want to be RSA every day? If I have to do it, I want to do it once.

Kelly Shortridge: That’s fair. I still like the hype train idea. Or, for the people out there who wear makeup, like Glossier being transparent and natural.

Kelly Shortridge: Yeah, perfect. Thank you.

Between 2 Kernels: Sounil Yu – E05


Sounil Yu lays out his framework for thinking about a wide variety of subjects on the latest episode of Between 2 Kernels with Kelly Shortridge. The two cover his sentiments on useless security products, AI-enabled quantum trust, and giving 3-year-olds automatic weapons.

Video Transcript

Kelly Shortridge: Welcome to Between Two Kernels. I am your host, Kelly Shortridge and to my left is Sounil Yu who is gainfully unemployed. Welcome.

Sounil Yu: Thanks. It’s my pleasure to be here.

Kelly Shortridge: Yes. So I think the most interesting thing for our viewers is you have been playing around with something called the DIE model and it is supposed to replace the CIA model. Does this mean you want the CIA to die?

Sounil Yu: Well, that would be something that I think my family would have issues with because then they may come after me. But no, it’s a different type of CIA. So confidentiality, integrity, and availability. I want that to die because instead I want something else that helps us not have to worry about security at all. So, no, I don’t want the CIA to die.

Kelly Shortridge: Well if we see helicopters and the SEAL Team Six coming through, then you know we need to plan an escape.

Sounil Yu: I think that’s where the story of being able to outrun a bear definitely comes into play here. But I think the CIA is faster than that so.

Kelly Shortridge: Can bears climb to the 34th floor? I don’t know. So you do want cattle to die. So tell me about this whole notion of pets and cattle.

Sounil Yu: Well, when we think about our space and cyber security we have, I think the issue is that we have way too many pets and not enough veterinarians. In fact actually, even the pets, it’s like we have a cat colony and they’ve become feral, and it just creates a burden for us. And so what we want are fewer pets that you have to take care of and love and feed. Instead, just have cattle where you just don’t care anymore, when they get sick, you shoot it, and you move on.

Kelly Shortridge: I like that analogy because I’m very familiar with the agony that comes with trying to wrap a cat in a towel and brush its teeth. And I feel like that’s a really good analogy for a lot of security work. You’re trying to like brush a cat’s teeth, which kind of obviously like you don’t want to have to do that. So cattle seems a lot easier, right?

Sounil Yu: I’m a dog person.

Kelly Shortridge: Okay, well I won’t hold it against you then. Should we stop or should we keep going? That’s okay. Okay, whatever. It’s fine. So the Cyber Defense Matrix, if the viewers aren’t familiar, it’s a great matrix, kind of outlining how you should think about different security solutions that you’re deploying in your environment. The problem I have with it though is there’s no category for useless and I think a lot of security products are useless. So how are you going to address this deficiency?

Sounil Yu: Well, it actually wasn’t a deficiency. The category for useless, there were just so many things in it, that at the end of the day I put it next to pew pew maps.

Kelly Shortridge: Pew pew maps, yes. Have you seen any at this conference? Do you think there will be any?

Sounil Yu: There’s a conference going on this week?

Kelly Shortridge: Yeah, I think so. I forget what it is.

Sounil Yu: I just have all these meetings all this week, so.

Kelly Shortridge: Yeah, no, same, yeah. I think it was, it’s related to some company they got backdoored so maybe it’s like an anti-backdoor conference? I’m not sure. Kind of cool. So where does threat intel on the blockchain fit in? Or dark blockchain? That’s whatever, that’s a thing.

Sounil Yu: Yeah, I have to go in through a really deep, dark place to figure that one out but I think it goes next to AI enabled quantum trust.

Kelly Shortridge: Sounds like a web of lies to me.

Sounil Yu: Yeah, I think that’s one way to characterize it. I think in the context of where we find most of this, it’s usually in Russia. Oh no, actually Ukraine. I’m sorry.

Kelly Shortridge: Ukraine?

Sounil Yu: Yes.

Kelly Shortridge: Okay, yes, definitely don’t confuse the two. So if you had to choose your favorite category of security solution based on your Cyber Defense Matrix, which would it be and why?

Sounil Yu: Oh it would definitely be in the category of “APPLICATION-RESPOND” because there are no vendors there and it’s so quiet and peaceful.

Kelly Shortridge: Just going to throw out there we do some of the “respond,” but anyway, this is not supposed to be an endorsement. Why do you think there isn’t anyone there?

Sounil Yu: Well, it’s because a lot of it, there’s a lot of idiosyncratic aspects of doing that function. And it’s hard to generalize, but ultimately when we look at the solutions out there, you’ve got to be able to have market penetration. You have to be able to scale this out and unfortunately that’s just something that’s hard to scale.

Kelly Shortridge: Makes sense. So similarly, why does no one care about recovery?

Sounil Yu: Well, I think it’s sort of like the pharma industry where you just don’t want people to get better. So when you go to recover, if you come up with better solutions like D.I.E., which is really a recover-oriented approach, then you no longer have a problem to solve. If you are a cyber veterinarian, don’t you want sick pets? And so I think the market will not focus on that until we as practitioners change that.

Kelly Shortridge: Interesting. So you’re saying if there was a conference where it seemed like a dog and pony show and most of the vendors were talking about how you’re really, really sick and then you propose something like DIE that basically was like, “What if you can re-architect yourself so that you wouldn’t get sick kind of by design?” Do you think the vendors would be mad?

Sounil Yu: I think so. It would turn the tables on the vendors because right now for practitioners like myself… I’m on the endpoint of the “distributed tear network” and it’s very traumatic. I have this post-traumatic vendor syndrome oftentimes. And so I think when we can turn the tables on the vendors and have them understand that, “Hey, we can actually build systems that, we can have systems that will be healthy and will remain healthy,” I think they will have post-traumatic syndrome of their own sort after that.

Kelly Shortridge: So what you’re saying is that we need some sort of mechanism to automatically generate Kleenex on the dark blockchain to eliminate the distributed tear network?

Sounil Yu: Yes. Oh, that would be excellent. I think that would be a solution that we could all embrace.

Kelly Shortridge: It could be even in buzzword bingo land, like proactive response.

Sounil Yu: Bingo.

Kelly Shortridge: Yeah, there you go. That’s perfect. So, what do you think about false advertising that may or may not happen at some conferences with vendor halls? For example, things like automation. What does that mean to you?

Sounil Yu: Well, I know what it means to me. I’m not sure if they know what it means. But false advertising. Oh, shock. Shocker. You know, marketing people, false advertising. Well, I think that when you have people who are gullible… And the interesting thing is in security, we are the most paranoid people and so false advertising doesn’t seem to be really well… wouldn’t be very effective against people who are supposed to be paranoid. So I think it’s actually a very good filtering mechanism. If you fall for the false advertising, you’re probably not a very good security professional because you’re not paranoid enough.

Kelly Shortridge: I can agree with that. You know, the whole point of security, you’re supposed to challenge assumptions and if you aren’t able to even challenge the assumptions of vendors who very obviously don’t even understand what their own product is doing, what are you even doing, right? It’s a good question, it’s a good question.

Sounil Yu: Maybe you’re not good enough to be a vet.

Kelly Shortridge: Damn, damn. Hot takes from Sounil Yu right here. So, one way I think you can think of the vendor hall, it’s almost like a grocery store and it feels like some vendor halls, all you have is a bunch of horrible, horrible junk foods that’s just going to rot your teeth. What do you think about that? Oh, you have popcorn. Whoops.

Sounil Yu: Well, it’s sort of like that pharma example I gave earlier where many of the products that we see are not necessarily going to get you better, but just treat the symptoms, never address the root cause and so that sort of mentality doesn’t ever help us get past where we are today. And it’s also unfortunate that when you go to the grocery store, you have the candy and the worst possible products available. It’s as you check out. And so that’s another thing that takes advantage of our weaknesses.

Kelly Shortridge: So what we need is a grocery store where it’s the toothpaste and the floss are at the checkout and not the candy.

Sounil Yu: Good hygiene, right. And that will be an excellent model for a cyber grocery store.

Kelly Shortridge: Can you make a note? We need to change our messaging to be toothpaste oriented, like minty fresh. We’ll work on that. So how can the attack surface of the CISO be mapped. I was thinking things like hour long buzzword-filled product pitches, budgets getting slashed. What are some of the other things that can cause a CISO to have a meltdown and make it difficult to recover?

Sounil Yu: Well as you may expect, I think about these sorts of things as frameworks. So when I think about the attack surface of the CISO, I have to go through maybe like the five senses. So taste, sight, hearing, touch, smell. And so I think what would be the most effective against a CISO will be those things that hit most of those attack surfaces. So if I think for example, like a juicy sizzling steak, that will be hitting — what? — three, four of the attack surfaces of a CISO.

Kelly Shortridge: Is that why the vendors that fly people around the world for steak dinners end up getting bought?

Sounil Yu: Probably. But if all you have is a squishy ball, you only have one attack surface that you’re covering.

Kelly Shortridge: So what you’re saying is that we need to somehow, in vendor booths, incorporate all the senses. So basically having both the steak to eat and maybe like some sort of olfactory thing walking through. It sounds like a next generation tool to me.

Sounil Yu: I’m thinking maybe a steak that you could hug. Kind of like cattle.

Kelly Shortridge: Kind of like cattle. Well, our penguin is a mascot and you know, just sizzle it up, right? That’s horrible. That’s really horrible. So then on a scale of one to Darktrace, how bad is it when security vendors conflate automation with AI?

Sounil Yu: Yeah, that’s a problem too. Well, first I think on that scale, there’s a lot of elevens there. And when it comes to conflating AI with automation, we oftentimes don’t realize that they are two separate things. And the best way to characterize it is: AI is how you think, and automation is what we do. Imagine if you were to ask... if I asked you what age would you put to our current generation AI, what would that be? How old would you say current generation AI is?

Kelly Shortridge: Somewhere between terrible twos and horribly bratty preteen.

Sounil Yu: Okay. And then the next question is, what weapon would you give it? A pencil, scissors, a knife, a pistol, or an automatic weapon?

Kelly Shortridge: Are they named John Wick? Because a pencil, I don’t know.

Sounil Yu: Yeah, I should have added a library book to that too.

Kelly Shortridge: I would be pretty worried about giving any child a weapon in general. Let’s go with something like bubble wrap, like a fist made of bubble wrap.

Sounil Yu: Yes, so when we look at automation and AI, the AI is how it makes sense of things and then automation is the bubble wrap. So, if you’re comfortable with a three year old and bubble wrap, then that’s great, but we have a lot of people who will give a three year old an automatic weapon and that’s not so great.

Kelly Shortridge: Yeah, that’s not very desirable. One quibble I have though is you said that AI is what we think and then automation is what we do. Do you think a lot of these AI and automation vendors actually think or do things?

Sounil Yu: I think that they claim to do so, but I don’t think they know what they think or do anything that they claim to do. So, neither is the answer.

Kelly Shortridge: There’s a solution to this as you said, on giving a three year old bubble wrap preferably. Do they just all need to nap? Is that really the problem in the space? Like everybody’s just really tired and cranky?

Sounil Yu: Or a spanking at least, but then again, I think we’re past that nowadays.

Kelly Shortridge: So next year at this I guess anti-backdoor conference, we’re going to see some anti-spanking technology? You know, now that AI has run havoc on your systems, you need the anti-AI, right?

Sounil Yu: Anti-antis. Yeah, that causes another war of escalation of antis. So, want to figure out a way to resolve that.

Kelly Shortridge: Anti-anti-next-gen. Next generation…anti-next-gen, next-gen-anti… AI… Machine learning?

Sounil Yu: That could be a new company.

Kelly Shortridge: Yeah. Anti, just anti. It just stops all threats using the power of AI’d automation. Do you want to make a billion dollars? I’m pretty sure we can raise money for that like tomorrow, today even.

Sounil Yu: Take my money please.

Kelly Shortridge: Perfect.

Sounil Yu: Thank you.

Container Escape Demo


Watch a video demo of Capsule8 Protect in action detecting a container escape exploit.

Between 2 Kernels: Ian Coldwater – E04


Video Transcript

Kelly Shortridge: Welcome to another edition of Between Two Kernels. Today’s guest is Ian Coldwater, who has that one secret trick that means that containers hate them. Welcome, Ian.

Ian Coldwater: Thank you.

Kelly Shortridge: You’re welcome.

Ian Coldwater: Really appreciate being here.

Kelly Shortridge: So there’s a really big debate that happens in the microservice and security community, which is around kube control. My question for you is, is it actually about controlling kubes with our minds or is it about quantum geometry?

Ian Coldwater: It’s about military grade AI quantum encryption with synergy and alignment, and we should double click on it.

Kelly Shortridge: We should indeed. How much funding has that gotten to date?

Ian Coldwater: Approximately 10 million this morning.

Kelly Shortridge: Wow, that’s amazing. I wonder what the addressable market is for that? It seems like, particularly if you’re quantum ready, that means you’re future-proof, right?

Ian Coldwater: Absolutely.

Kelly Shortridge: Yeah. Very interesting. Hey VCs, you should listen to this. And as you’ve talked about, the attack surface of Kubernetes is both as an application as well as an API. But what I think is interesting is that the attack surface of the CISO also maps to Kubernetes. Really anything trendy on Hacker News. So my question for you is why do you think security professionals often feign helplessness in learning about cloud-native infrastructure?

Ian Coldwater: Well, I think some people are just afraid about learning anything new, because nothing changes in the technology industry. It stays the same all the time. And so if we could just keep doing the same thing all the time, obviously that’s worked really well for us to secure all the things so far. So if we just keep doing the same things, then we’ll get to keep securing the things and this problem will continue to be solved.

Kelly Shortridge: That’s true. I mean, it’s very important that on the Verizon data breach report that we have the same exact things that are owning us every year, right?

Ian Coldwater: Absolutely.

Kelly Shortridge: Consistency is important.

Ian Coldwater: Very much so.

Kelly Shortridge: You never evolve, then that makes things pretty easy, right?

Ian Coldwater: Yeah. That’s why we give the people the same pentest report every year.

Kelly Shortridge: That’s true. What’s interesting though is I see so many people on the floor talking about the ever-evolving proliferation of threats. What does that mean in this context?

Ian Coldwater: Well, it means that every year the booths are colored in different colors and they have different lighting and so you can see that the industry is continuing to evolve with the different looks of the different business. Sometimes the company needs are even different.

Kelly Shortridge: Wow.

Ian Coldwater: And as we continue to learn more and do more, then we just get to secure more of all the things, because, you know all, plus.

Kelly Shortridge: Yeah.

Ian Coldwater: That’s how that works.

Kelly Shortridge: So it’s basically next generation color schemes is how we’re going to fix the industry, right?

Ian Coldwater: Absolutely.

Kelly Shortridge: That’s excellent. I’m excited about that. So this is an incredibly important topic and I think it’s really revolutionary, culturally. So when Lil Nas X says in Panini, “Just say to me what you want from me,” do you think it’s a subtle nod to the benefits of microservices as far as splitting out application tasks into individual services and then communicating through explicitly defined APIs? Do you think he’s secretly into container security?

Ian Coldwater: Absolutely. As we can all tell, Old Town Road is in fact about old school monolithic APIs, so when we’re going down the old town road, that’s the model of API. But then sometimes we just got to go somewhere else to the new town road and that’s where the microservices come in.

Kelly Shortridge: That’s fascinating. So is the horse a metaphor for something then?

Ian Coldwater: The horses in the back are all of the things contained in the containers.

Kelly Shortridge: That’s revolutionary. It’s actually I think a defining moment in our culture that security is so relevant now.

Ian Coldwater: Truly.

Kelly Shortridge: Yeah. So what do you think on the next album? Like what topics do you think he’ll cover?

Ian Coldwater: Well, I think next album he is going to be talking about the cultural ideas of DevOps. So maybe we’ll have some songs about communication or relationship building, not being adversarial, and maybe it will sound like the love song, but that won’t really be what he means.

Kelly Shortridge: So blameless postmortems, like look out for that secretly.

Ian Coldwater: Exactly.

Kelly Shortridge: Okay. That’s excellent. That’s really excellent. Do you think attackers are getting bored of being able to use misconfigurations to attack microservices environments? Do you think they’re just sitting there, Gordon Ramsay style, waiting to be able to exploit something, like, “Finally, some good fricking attacks”?

Ian Coldwater: Can personally confirm.

Kelly Shortridge: Yes. You’re bored?

Ian Coldwater: It’s not that I’m bored, it’s that sometimes after a whole lot of admin admin or a whole lot of no RBAC or admission control whatsoever, sometimes it’s just really nice to get a little bit of a challenge, like can we have something that isn’t just ** or allow all, and you know, it’s really nice when you find that. It means that you get something to do that day.

Kelly Shortridge: Do you ever plan on going like leaving little breadcrumbs to tell defensive teams, “Hey, level up your game?”

Ian Coldwater: I cannot say that that idea has never occurred to me, but I can say I’ve never done it.

Kelly Shortridge: Interesting. So you’ve also talked a lot in general about Kubernetes misconfigurations. How do you think the industry is misconfigured?

Ian Coldwater: I think the industry is misconfigured because I think the industry assumes that things are going to stay the same and that the people in them are going to stay the same. And as long as nothing changes, that’s fine. The problem is that the technology around the industry is changing really quickly and that security people aren’t really keeping up. And so I would say that the kinds of resource quotas that are given to the security industry versus the kind of resource quotas that are given to the clusters of the rest of the industry are clearly one of them has far more CPU and memory-bound than the other one.

Ian Coldwater: So perhaps if we could make our resource quotas more appropriately allocated, then we could maybe begin to move at some percentage of the speed as everybody else does.

Kelly Shortridge: So what you’re saying is that InfoSec is slow?

Ian Coldwater: Yes.

Kelly Shortridge: Yeah. One thing when you say that, it seems like a hot easy investment could be, instead of threat intelligence where you have an API with the dark web, it’s threat intelligence but Hacker News, like alerting you to the latest frameworks that are coming out and being like, “Listen security teams, you need to get ready for this.” What do you think?

Ian Coldwater: I think that that could work, but I think the one for The New Stack would work better.

Kelly Shortridge: Then you say, “Yes, of course.” Definitely no paid marketing there either.

Ian Coldwater: Well honestly, no, but it’s like anything that’s cloud related, because Hacker News is going to give you a steady diet of sexism, nonsense, off-topic people bringing up Richard Stallman for no reason, and at least if you’re trying to find new frameworks, maybe try, there’s other things like The New Stack, but try to find something that’s going to have a little bit more of a signal-to-noise ratio than Hacker News does.

Kelly Shortridge: It’s fair though. I will say that at a given RSA, nonsense sounds pretty on-brand. I feel like InfoSec can understand that.

Ian Coldwater: Fair enough.

Kelly Shortridge: For sure.

Ian Coldwater: That’s true. InfoSec understands sexism and signal-to-noise ratio quite well.

Kelly Shortridge: Exactly. Exactly.

Ian Coldwater: Use Signal, use Tor.

Kelly Shortridge: Yes, definitely. So what’s the worst container security product pitch that you’ve seen either on the vendor floor here or elsewhere?

Ian Coldwater: I have met a vendor at DockerCon who told me all about how their product worked and it was a really exciting next gen product that provided container security in new ways. And I asked them if they had any plans for how to deal with like side channels in their environments. And they informed me that they didn’t have to worry about that, because their stuff had an always-running daemon on both the cluster and the host with read-write access in-between, and that had a pipeline for the open internet and so nobody had to worry about side channels because everything was just going directly back and forth.

Kelly Shortridge: That’s amazing. So really what they should be pitching is we help you automate your microservices attacks, right?

Ian Coldwater: Exactly. I mean, it was a perfect attack service. I was really impressed.

Kelly Shortridge: They should really charge, like have a rate limited API for attackers. Like, “Hey, if you want an easy way in, here’s obviously you need the basic packaging and then the premium packaging,” you know?

Ian Coldwater: Totally, yeah.

Kelly Shortridge: I like that. Yeah.

Ian Coldwater: All right. VCs, if you’re listening.

Kelly Shortridge: Yeah, exactly. Attack ops! Privacy ops is big this year, attack ops next year at RSA. You heard it here first. Then finally, date, marry, kill for the terms, “DevSecOps”, “Shift Left”, and “suck ass” also known as “Sock as a Service.”

Ian Coldwater: Well, I would say you probably want to date … No, you want to date “Shift Left” because “Shift Left” probably has pretty good politics and so they’re probably fine to date. You probably want to marry “DevSecOps” because “DevSecOps” is good at communication and that’s a very important set of skills in a marriage. And you probably want to kill “SOC as a Service” because how many people are they even looking at, are they really monitoring it that well if they’re doing it as a service for everybody? You could probably kill them pretty easily to be honest.

Kelly Shortridge: What you’re saying is that you don’t want to completely automate all of the humans away in your SecOps program?

Ian Coldwater: Well you could.

Kelly Shortridge: You could. The AI could be in charge. They have Skynet.

Ian Coldwater: Absolutely. This machine learning, what did we do wrong?

Kelly Shortridge: Or you can have that company that you said like with the bi-directional read-write access, like they could be in charge of your whole SecOps program.

Ian Coldwater: Maybe they could start it on a blockchain.

Kelly Shortridge: Yeah. What could go wrong? Dark blockchain. That’s important.

Ian Coldwater: There you go.

Kelly Shortridge: So when are we going to see Kubernetes, but blockchain?

Ian Coldwater: Well, I think it’s RSA. You know, everybody’s having the real hot business meetings. Maybe it will start up right out of here. We’ll find out.

Kelly Shortridge: Hopefully if they do create that, their booth will have donations for various therapy programs.

Ian Coldwater: Absolutely. What I really wonder about Kubernetes on the blockchain is if we have solved state enough to have a completely immutable set of state records. Wow. We will have really done a lot with state at Kubernetes [crosstalk].

Kelly Shortridge: Sure. We could all go home.

Ian Coldwater: Yeah, that’d be great.

Kelly Shortridge: I mean, I’ve heard Kubernetes is like flawless, so…

Ian Coldwater: Absolutely.

Kelly Shortridge: Zero deployment issues in the enterprise, like it’s perfect.

Ian Coldwater: None whatsoever. Totally easy.

Kelly Shortridge: Blockchain ready, future-proof, quantum ready.

Ian Coldwater: Up and running.

Kelly Shortridge: Yes. All of it. Out of the box. Perfect. Thank you for joining us.

Ian Coldwater: Thank you. This has been great.

A Compendium of Container Escapes – Black Hat 2019


Learn how and why container escapes work, starting from a brief intro to what makes a process a container, and then spanning the gamut of escape techniques: exposed orchestrators, access to the Docker socket, exposed mount points, /proc, all the way down to overwriting or exploiting kernel structures to leave the confines of the container.

Capsule8 Investigations Quick Start with AWS Athena


TAG Cyber: Interview with John Viega


TAG Cyber sits down with Capsule8 CEO John Viega to discuss how Capsule8 secures Linux production environments.