Kelly Shortridge: Welcome to another edition of Between Two Kernels. Today’s guest is Ian Coldwater, who has that one secret trick that means that containers hate them. Welcome, Ian.
Ian Coldwater: Thank you.
Kelly Shortridge: You’re welcome.
Ian Coldwater: Really appreciate being here.
Kelly Shortridge: So there’s a really big debate that happens in the microservice and security community, which is around kube control. My question for you is, is it actually about controlling kubes with our minds or is it about quantum geometry?
Ian Coldwater: It’s about military grade AI quantum encryption with synergy and alignment, and we should double click on it.
Kelly Shortridge: We should indeed. How much funding has that gotten to date?
Ian Coldwater: Approximately 10 million this morning.
Kelly Shortridge: Wow, that’s amazing. I wonder what the addressable market is for that? It seems like, particularly if you’re quantum ready, that means you’re future-proof, right?
Ian Coldwater: Absolutely.
Kelly Shortridge: Yeah. Very interesting. Hey VCs, you should listen to this. And as you’ve talked about, the attack surface of Kubernetes is both as an application as well as an API. But what I think is interesting is that the attack surface of the CISO also maps to Kubernetes. Really anything trendy on HackerNews. So my question for you is why do you think security professionals often feign helplessness in learning about cloud-native infrastructure?
Ian Coldwater: Well, I think some people are just afraid about learning anything new, because nothing changes in the technology industry. It stays the same all the time. And so if we could just keep doing the same thing all the time, obviously that’s worked really well for us to secure all the things so far. So if we just keep doing the same things, then we’ll get to keep securing the things and this problem will continue to be solved.
Kelly Shortridge: That’s true. I mean, it’s very important that on the Verizon data breach report that we have the same exact things that are owning us every year, right?
Ian Coldwater: Absolutely.
Kelly Shortridge: Consistency is important.
Ian Coldwater: Very much so.
Kelly Shortridge: If you never evolve, then that makes things pretty easy, right?
Ian Coldwater: Yeah. That’s why we give the people the same pentest report every year.
Kelly Shortridge: That’s true. What’s interesting though is I see so many people on the floor talking about the ever-evolving proliferation of threats. What does that mean in this context?
Ian Coldwater: Well, it means that every year the booths are colored in different colors and they have different lighting and so you can see that the industry is continuing to evolve with the different looks of the different business. Sometimes the company needs are even different.
Kelly Shortridge: Wow.
Ian Coldwater: And as we continue to learn more and do more, then we just get to secure more of all the things, because, you know all, plus.
Kelly Shortridge: Yeah.
Ian Coldwater: That’s how that works.
Kelly Shortridge: So it’s basically next generation color schemes is how we’re going to fix the industry, right?
Ian Coldwater: Absolutely.
Kelly Shortridge: That’s excellent. I’m excited about that. So this is an incredibly important topic and I think it’s really revolutionary, culturally. So when Lil Nas X says in Panini, “Just say to me what you want from me,” do you think it’s a subtle nod to the benefits of microservices as far as splitting out application tasks into individual services and then communicating the explicitly defined APIs? Do you think he’s secretly into container security?
Ian Coldwater: Absolutely. As we can all tell, Old Town Road is in fact about old school monolithic APIs, so when we’re going down the old town road, that’s the model of API. But then sometimes we just got to go somewhere else to the new town road and that’s where the microservices come in.
Kelly Shortridge: That’s fascinating. So is the horse a metaphor for something then?
Ian Coldwater: The horses in the back are all of the things contained in the containers.
Kelly Shortridge: That’s revolutionary. It’s actually I think a defining moment in our culture that security is so relevant now.
Ian Coldwater: Truly.
Kelly Shortridge: Yeah. So what do you think on the next album? Like what topics do you think he’ll cover?
Ian Coldwater: Well, I think next album he is going to be talking about the cultural ideas of DevOps. So maybe we’ll have some songs about communication or relationship building, not being adversarial, and maybe it will sound like the love song, but that won’t really be what he means.
Kelly Shortridge: So blameless postmortems, like look out for that secretly.
Ian Coldwater: Exactly.
Kelly Shortridge: Okay. That’s excellent. That’s really excellent. Do you think attackers are getting bored of being able to use misconfigurations to attack microservices environments? Do you think they’re just sitting there, Gordon Ramsay style, waiting to be able to exploit something, like, “Finally, some good fricking attacks”?
Ian Coldwater: Can personally confirm.
Kelly Shortridge: Yes. You’re bored?
Ian Coldwater: It’s not that I’m bored, it’s that sometimes after a whole lot of admin admin or a whole lot of no RBAC or admission control whatsoever, sometimes it’s just really nice to get a little bit of a challenge, like can we have something that isn’t just ** or allow all, and you know, it’s really nice when you find that. It means that you get something to do that day.
Kelly Shortridge: Do you ever plan on going like leaving little breadcrumbs to tell defensive teams, “Hey, level up your game?”
Ian Coldwater: I cannot say that that idea has never occurred to me, but I can say I’ve never done it.
Kelly Shortridge: Interesting. So you’ve also talked a lot in general about Kubernetes misconfigurations. How do you think the industry is misconfigured?
Ian Coldwater: I think the industry is misconfigured because I think the industry assumes that things are going to stay the same and that the people in them are going to stay the same. And as long as nothing changes, that’s fine. The problem is that the technology around the industry is changing really quickly and that security people aren’t really keeping up. And so I would say that the kinds of resource quotas that are given to the security industry versus the kind of resource quotas that are given to the clusters of the rest of the industry are clearly one of them has far more CPU and memory-bound than the other one.
Ian Coldwater: So perhaps if we could make our resource quotas more appropriately allocated, then we could maybe begin to move at some percentage of the speed as everybody else does.
Kelly Shortridge: So what you’re saying is that InfoSec is slow?
Ian Coldwater: Yes.
Kelly Shortridge: Yeah. One thing when you say that, it seems like a hot easy investment could be just instead of threat intelligence, where you have an API with dark web, its threat intelligence but Hacker News, like alerting you to the latest frameworks that are coming out and be like, “Listen security teams, you need to get ready for this.” What do you think?
Ian Coldwater: I think that that could work, but I think the one for The New Stack would work better.
Kelly Shortridge: Then you say, “Yes, of course.” Definitely no paid marketing there either.
Ian Coldwater: Well honestly, no, but it’s like anything that’s cloud related, because Hacker News is going to give you a steady diet of sexism, nonsense, off-topic people bringing up Richard Stallman for no reason, and at least if you’re trying to find new frameworks, maybe try, there’s other things like The New Stack, but try to find something that’s going to have a little bit more of a signal-to-noise ratio than Hacker News does.
Kelly Shortridge: It’s fair though. I will say that a given RSA, nonsense sounds pretty on-brand. I feel like InfoSec can understand that.
Ian Coldwater: Fair enough.
Kelly Shortridge: For sure.
Ian Coldwater: That’s true. InfoSec understands sexism and signal-to-noise ratio quite well.
Kelly Shortridge: Exactly. Exactly.
Ian Coldwater: Use Signal, use Tor.
Kelly Shortridge: Yes, definitely. So what’s the worst container security product pitch that you’ve seen either on the vendor floor here or elsewhere?
Ian Coldwater: I have met a vendor at DockerCon who told me all about how their product worked and it was a really exciting next gen product that provided container security in new ways. And I asked them if they had any plans for how to deal with like side channels in their environments. And they informed me that they didn’t have to worry about that, because their stuff had an always-running daemon on both the cluster and the host with read-write access in-between, and that had a pipeline for the open internet and so nobody had to worry about side channels because everything was just going directly back and forth.
Kelly Shortridge: That’s amazing. So really what they should be pitching is we help you automate your microservices attacks, right?
Ian Coldwater: Exactly. I mean, it was a perfect attack service. I was really impressed.
Kelly Shortridge: They should really charge, like have a rate limited API for attackers. Like, “Hey, if you want an easy way in, here’s obviously you need the basic packaging and then the premium packaging,” you know?
Ian Coldwater: Totally, yeah.
Kelly Shortridge: I like that. Yeah.
Ian Coldwater: All right. VCs, if you’re listening.
Kelly Shortridge: Yeah, exactly. Attack ops! Privacy ops is big this year, attack ops next year at RSA. You heard it here first. Then finally, date, marry, kill for the terms “DevSecOps”, “Shift Left”, and “suck ass”, also known as “SOC as a Service.”
Ian Coldwater: Well, I would say you probably want to date … No, you want to date “Shift Left” because “Shift Left” probably has pretty good politics and so they’re probably fine to date. You probably want to marry “DevSecOps” because “DevSecOps” is good at communication and that’s a very important set of skills in a marriage. And you probably want to kill “SOC as a Service” because how many people are they even looking at, are they really monitoring it that well if they’re doing it as a service for everybody? You could probably kill them pretty easily to be honest.
Kelly Shortridge: What you’re saying is that you don’t want to completely automate all of the humans away in your SecOps program?
Ian Coldwater: Well you could.
Kelly Shortridge: You could. The AI could be in charge. They have Skynet.
Ian Coldwater: Absolutely. This machine learning, what did we do wrong?
Kelly Shortridge: Or you can have that company that you said like with the bi-directional read-write access, like they could be in charge of your whole SecOps program.
Ian Coldwater: Maybe they could start it on a blockchain.
Kelly Shortridge: Yeah. What could go wrong? Dark blockchain. That’s important.
Ian Coldwater: There you go.
Kelly Shortridge: So when are we going to see Kubernetes, but blockchain?
Ian Coldwater: Well, I think it’s RSA. You know, everybody’s having the real hot business meetings. Maybe it will start up right out of here. We’ll find out.
Kelly Shortridge: Hopefully if they do create that, their booth will have donations for various therapy programs.
Ian Coldwater: Absolutely. What I really wonder about Kubernetes on the blockchain is if we have solved state enough to have a completely immutable set of state records. Wow. We will have really done a lot with state at Kubernetes [crosstalk].
Kelly Shortridge: Sure. We could all go home.
Ian Coldwater: Yeah, that’d be great.
Kelly Shortridge: I mean, I’ve heard Kubernetes is like flawless, so…
Ian Coldwater: Absolutely.
Kelly Shortridge: Zero deployment issues in the enterprise, like it’s perfect.
Ian Coldwater: None whatsoever. Totally easy.
Kelly Shortridge: Blockchain ready, future-proof, quantum ready.
Ian Coldwater: Up and running.
Kelly Shortridge: Yes. All of it. Out of the box. Perfect. Thank you for joining us.
Ian Coldwater: Thank you. This has been great.