As good as our virtual bouncers are, they often let in people with what seems to be a valid ID, and then once they’re in our nightclub they cause a disruption and we have to kick them out.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our sponsored guest is Sandy Wenzel (@malwaremama), cybersecurity transformation engineer, VMware.

Sandy also recommends participating in the Pros vs. Joes CTF.

Got feedback? Join the conversation on LinkedIn.

Our sponsor for this week’s podcast is VMware.

Full transcript

Voiceover

Ten second security tip, go.

Sandy Wenzel

As the masses swarmed Las Vegas this year for hacker summer camp, make sure whatever encryption software you’re running is truly end to end, and be mindful of at what cost. Some vendors collect and store a ton of metadata on you that is shared with parent companies.

Voiceover

It’s time to begin the CISO Security Vendor Relationship podcast.

David Spark

Welcome to the CISO Security Vendor Relationship podcast. My name is David Spark, I am the producer of the CISO Series. Joining me is my co-host, Mike Johnson. Mike, that moment where we get to hear the sound of your voice, what does it sound like?

Mike Johnson

It sounds like this, it sounds like I am here and ready to record.

David Spark

You know, I recognize that voice, I’ve heard it before.

Mike Johnson

Once or twice.

David Spark

We’re available at cisoseries.com, that’s where you can find all of our fantastic programming. We do five shows, four weekly, one daily, go check them all out. Our sponsor for today’s episode, so thrilled to have them on board, they have been a phenomenal, strong sponsor of the CISO Series, and they are also responsible for bringing our fantastic guest as well, who I will introduce in just a moment. It is VMware. VMware, you know them as a virtualization company, well, they have many a security play, and we will be talking about it during today’s episode. But first, Mike, I had a first.

Mike Johnson

Uh oh.

David Spark

And this is my first.

Mike Johnson

Is this a good first or a bad first?

David Spark

It is a good first.

Mike Johnson

Oh, okay, good.

David Spark

My first ever trending tweet.

Mike Johnson

Ooh, you have arrived.

David Spark

I have arrived, this tweet got over 1300 likes on it. I also posted it to LinkedIn. It didn’t get nearly the amount of traffic, but it got over 170 comments on it. Here it is, and I would like your response to the question I asked.

Mike Johnson

Okay.

David Spark

How many stickers on a laptop are necessary to demonstrate that you’re serious about cybersecurity?

Mike Johnson

Only one, you only need one, but it’s a particular one, and it’s the CISO Security Vendor Relationship Series sticker, limited edition, but more will be available soon, I am sure.

David Spark

As long as I order them.

Mike Johnson

As long as you order them, but, if you have that sticker it proves that you’re serious about security. So you only need one, but it needs to be a particular one.

David Spark

I agree with you. And, actually, I have two stickers on mine, and it is one for this show and one for defense, it does. And that’s it.

Mike Johnson

Well you’re doubly serious then.

David Spark

There you go. So, I’ve got answers all the way from zero, and people taking this question seriously, to one over the camera, to one over the logo of the computer, all the way up to completely block out the entire back of the computer.

Mike Johnson

I have seen all of these and witnessed all of them first hand for sure. I tend to be a low sticker count person.

David Spark

Alright, well, we’ll find out how many stickers our guest has, I’m thrilled to have her on board. Our sponsor guest for today’s episode is, Sandy Wenzel, the Cybersecurity Transformation Engineer with VMware, Sandy, thank you so much for joining us.

Sandy Wenzel

Thank you gentlemen, and, as for your question, the only sticker I have is my user name and password, because that’s what I thought everyone else has.

What would you advise?

00:03:17:04

David Spark

What changes have you made to your security program to be more agile? And feel free to define how you seize at that. So, agile could just be seeing threats quicker and being able to remediate quicker, but, it could also be building out your security program quicker or deploying new programs faster. So, I’ll start with you, Mike, what has been the most significant change or deployment? And how has that changed your security program?

Mike Johnson

The focus that we’ve had is trying to actually be able to change our program, trying to get to that point where we can improve our security program quicker, where we can continue to iterate. And a lot of that has required us to cut down on the manual work. So, we’ve been focusing on finding a home for processes that have been manual. A good example is, in the past, for historical reasons, my team has had to do parts of onboarding and offboarding, and that has kept us from spending time on automation. So, we have worked with other teams, where onboarding and offboarding is a normal, natural thing for them, to transfer those processes into their organization. It’s not a heavy lift for them, sometimes we’ve actually helped them with automating those processes, but that’s really where we’ve seen a lot of bang for our buck, just simply changing where onboarding and offboarding lives into teams where it’s normal for them, where they have automation, and that has given us time to focus on automation within our team, within our processes. That automation then lets us innovate further within our program.

David Spark

That was a really long and involved way of saying we’re just pawning off our problems to somebody else.

Mike Johnson

It was a way of giving people ideas on how they can pawn off their onboarding and offboarding processes elsewhere.

David Spark

But I agree 100% with what you do.

Mike Johnson

It was a lot of work, it was a lot of work.

David Spark

Alright, and Sandy, I’ll throw this to you, first of all, how do you define agile in this situation, and it could be all of the above, but what have you found works best for you or your team?

Sandy Wenzel

Yeah, absolutely. So, being able to ditch those repetitive tasks, like Mike was referring to, and those are tasks that are done manually over and over and over again and don’t necessarily change a lot, start embracing automation and orchestration wherever possible in workflows, and again, this could go from testing and scanning, to remediation, to building and maintaining security policies, even the onboarding and offboarding. I’ve seen lots of playbooks for lots of different areas. So, while this sounds simple though, getting there is that uphill battle, because it’s not only changing mindset, it’s a change in culture within that company, especially for those of us who grew up in a waterfall world. Peter Drucker said it best, that culture eats strategy for breakfast, so the human factor is important in any company. So, if people cannot and will not execute those processes you put in place, and those guardrails, you’ll just continue to fail miserably. So, this often leads to, you know, the continued silos and decision making in a vacuum, but, also with that, in agile practice, you don’t want to try and boil the ocean. Adopt and incorporate the agile principles that best fit your organization’s needs at that time. So, as we all know, requirements change, and they change frequently as well, and that’s okay, embrace being dynamic. Welcoming change is one of the foundational principles behind agile.

David Spark

So, let me boil it down to some examples that you have done, if you don’t mind. Can you give us one, maybe something fairly recent you dealt with? Or just something that had sort of the most significant impact?

Sandy Wenzel

Yeah, absolutely. So, it’s again being able to get people comfortable with the idea of automation, of someone taking a task that they are so familiar with and so intimate with, and telling them that it has now moved to a script or something else. So, getting that mindset shift for them of, hey, this takes my thing away, it’s not taking your job away, it’s just taking that task away so you can focus on more important things, or another thing, or even growing your skillset. That’s been one of the biggest challenges, definitely, like I said, that mindset shift. But, once they get it they’re very grateful for it.

David Spark

And, by the way, this whole fear, and especially in the security industry, of your job will be automated away, I mean, can anyone point to one case where that’s actually happened?

Mike Johnson

I think it’s like many other fears, it’s one of those that just is like a lizard brain fear, it’s not an actual one. I think our general concept has been let’s allow you to focus on the things that you, uniquely, as a human can do, rather than if a machine can do it let’s let the machine do it, and that’s really what our mantra has been there. I don’t think people generally, I mean, I can’t say it never happens, but I’m not aware of any cases where that’s happened.

How have you actually pulled this off?

00:08:31:08

David Spark

Over on CSO Online, John Edwards has a list of five skills every SOC analyst needs. They are collaboration, critical thinking, an inquisitive mind, fundamentals and the ability to work under pressure. These sound like great skills for any employee in any job, but, Sandy, I want to ask you, what techniques have you used to build up any of these skills to better improve incident response? And is there one that needs more help than others?

Sandy Wenzel

Yeah, absolutely. The biggest one is remove the pressure and make it fun. So, by gamifying it and giving the proper recognition, you’re also allowing teams across the security silos to cross-collaborate in a very structured way, and again, this is through things like tabletop exercises, and people are open to and a lot more receptive to feedback when they think it’s a game, especially when it comes to lessons learned or making mistakes. So, again, this is a very good way to desensitize or remove a lot of the pressure, what I like to call the RGEs, or those resume generating events, and foster cross-functional teaming, and it gives opportunity in that safe space for employees to flex that outside of the box ingenuity, especially for someone who’s new to the industry and just getting their foot in the door. Definitely security dinosaurs, like myself, can learn a lot from the next wave of security humans. So, how do we do that? Capture the flag and war game type of events are a great way to do this. If there are organizations out there who are still living under a rock and still not quite sure how to implement or find a use case for things like MITRE’s ATT&CK Framework, this would be a good use case to do that.

David Spark

I could not agree with you more on gaming, and, in fact, the whole brand here, at CISO Series, we try to throw in games a lot and in fact in the next segment you’re going to play one. But, let me throw it to you, Mike, have you, on a regular basis, played games? Or just kind of every now and then you throw something out? Where are you in gamifying the SOC experience?

Mike Johnson

I do think tabletop exercises are one of those areas where we frequently do talk about gamification. We’re trying to be able to have them more frequently, but they really are that example of this isn’t reality, this is a virtual creation, let’s walk through what we would do, let’s have that back and forth collaboration in a safe place where we can learn from that. So, that’s one example. In past lives, we’ve had more ability to focus on capture the flag events, and we would have the entire team, the entire organization frankly, compete in capture the flag events where you do build a team, and you have a group of folks working together on solving a set of problems, competing against a different team, who’s trying to solve the same set of problems. And that really has people thinking on a different wavelength, where this is not quite reality but it’s teaching skills, it’s teaching critical thinking, and it’s certainly teaching that collaboration that John was talking about in his article, again, in that safe place, where it’s okay to make mistakes, where it’s okay to slow down or speed up or whatever it takes. And then, at the end of the day, you have a win, and you have the team that won and you have the other team sort of like, oh, hey, I can learn from that, let’s go talk with that other team and what could we have done better. So that’s another area where I’ve successfully applied gamification, capture the flag type events, in the past.

It’s time to play What’s Worse!

00:12:18:07

David Spark

Alright, Sandy, I think you know how to play this game, right?

Sandy Wenzel

Yes I do.

David Spark

It’s just a risk management exercise. I provide two bad situations, but, in this case they’re actually two good situations, but it’s too extreme of a good on one side versus the other, and you’ll see what I mean.

Sandy Wenzel

Oh plot twist.

David Spark

So, this comes from Nir Rothenberg, who’s the CISO of Rapyd, but, there’s an inspirational tip of the hat to Shahar Geiger Maor, the CISO of Fiverr, and, Mike, you’re going first.

Mike Johnson

Okay.

David Spark

By the way, no pressure here, Sandy, but, I do like it when my guests disagree with Mike. So, here we go. You have a good bug bounty program with many contributors, but, management will not budget for pen tests, okay?

Mike Johnson

Okay.

David Spark

Or, the opposite of that, you have an annual pen test by a good firm, but, management will not allow a bug bounty program. So, it’s either all bug bounty or all pen test.

Mike Johnson

I really think you’ve got a lot of companies who are in that second boat, where they have budget for penetration testing and no budget for bug bounties. So, I think that one, while we often have cases in this segment that are just completely made up and no-one would ever see these, that second one is pretty common, where maybe the company just hasn’t embraced the concept of bug bounty.

David Spark

In fact, I think there’s, I would say, probably more than half of companies are just pen test and no bug bounty.

Mike Johnson

Oh sure, maybe even more than that frankly, I mean, penetration testing took a long time to catch on as a concept, but, it’s now baked into PCI.

David Spark

Well, it’s a requirement, yes, sure. Bug bounty isn’t a requirement, is it?

Mike Johnson

No, I haven’t seen any compliance framework, or regulatory framework or, frankly, any customer contracts that require it. It’s a good idea, but it’s not mandated in the same way that penetration testing is. So, I really, frankly, think I would lean on the compliance and regulatory requirements on this one, and it’s kind of an easy situation.

David Spark

So, you say the pen test is better than the bug bounty, or the bug bounty would be worse?

Mike Johnson

Correct. Because from the bug bounty programs, from just pure bug bounty, you don’t have that attestation.

David Spark

You don’t have that one report that says ta-da!

Mike Johnson

Exactly. So you don’t have that, therefore you’re actually going to fail many of your compliance requirements.

David Spark

Alright. Good answer on that. Sandy, do you agree or disagree with Mike on this one?

Sandy Wenzel

I actually agree, but, I was going to say, ransomware anyway is just a pen test engagement, you just negotiate the scope repayment afterwards instead of before, right? So, but no, definitely on the compliance front, it’s mandated, you get the “here’s how we got in, here’s what we did, here’s the damage we’ve done,” and a lot of companies that perform these pen tests actually work with you to remediate those gaps, and, of course, that’s a completely different topic, as, “here’s the report, are you actually going to remediate?” But yes, when it comes to bug bounties, I guess it’s really also dependent on what you do, what is your bread and butter, for an Apple, for an example, or a Microsoft, they have bug bounty programs, absolutely, they’re a very high value target, but if you’re just like a mom and pop shop and you need to decide, you know, which one you may need more, then the pen test would be where to go.

Please, enough! No more!

00:15:53:10

David Spark

Our topic today is lateral movement by threat actors, or East-West traffic. We have heard this a lot, by the way, and there are a lot of players in the market that work in this environment. So, we all know this is a major issue in protecting your environment, and I’m going to start with you, Mike. What have you heard enough about on the topic of preventing lateral movement? And what would you like to hear a lot more of?

Mike Johnson

I don’t know that I quite hear this as much, but it certainly was in vogue for a long time, and you still hear it every now and then, which is the idea that you need to re-architect your cloud network in order to route all the traffic through a choke point. That was the concept of how you would get visibility into East-West traffic in your clouds: break all of your resilience and route all of your data through this one choke point, and isn’t that great. But, hey, you’ve got visibility now. We’re not hearing it quite so much, but you still hear that from time to time, and that just needs to stop. That really needs to go away. It’s dangerous, it’s bad advice. What I would like to hear more of is, how do you bring that visibility into what’s going on inside the networks? But, not just lateral movement. The lateral movement is really, that’s the bad stuff, that’s the thing you really don’t want, but you also need to know about how services communicate with each other. You need to know about how the data moves within the environment. You need to know what is normal so that you can really start to pick out what is that negative, what is that bad lateral movement.

David Spark

I’ll throw this one to you, Sandy, I’m going to ask the same question. What have you heard enough about with regards to preventing lateral movement? And what would you like to hear a lot more of?

Sandy Wenzel

I hear enough about, again, the bad lateral movement, and tying that or attributing ransomware to lateral movement. Ransomware has just been getting this crazy press and we get it, us blue teamers have been lacking, we get it. We were very much too focused on layering and users accessing applications and building up a perimeter, and networks ended up being flatter than a pancake. When we try to take those building blocks, those foundational building blocks, and then move them into any sort of cloud environment with those choke points Mike mentioned, now you’re just asking for it to collapse and implode on you and get latency and all these other weird steerings of traffic and U-turns and all of these other things. What I want to hear more of is understanding those relationships, not just users and access and the machines, but machine to machine as well, and not just the bad, because, again, not all lateral movement is bad, it has to happen. So, this is one of the reasons why I want to hear more of why supply chain needs to be recognized as another threat vector. What are companies doing to iterate and continually look at their third party risk assessments, and, are they going to have sort of a foundation or a mandate to say, okay, we kind of look at everyone outside of ours, or even insider threats, as a threat. So, how do we grade that? How do we look at things more on a risk basis than act on an alert or wait for an alert to come through?

David Spark

So, it’s more of a sort of watching risk priorities going up and down, yes, Sandy?

Sandy Wenzel

Correct, yes.

David Spark

So, can you give me a little bit more insight on that? And maybe what you guys at VMware are doing with regards to this?

Sandy Wenzel

Yes, absolutely. So, when new machines spin up, I mean, obviously at VMware with things virtualized we get tens of thousands of workloads that spin up, and they don’t live long, they last maybe a couple of days, maybe the week, or even a couple of hours. So, having our SOC, our internal SOC, act on those alerts, it just becomes very, very overwhelming, and it’s also waiting for something to happen. So, what we try to do is take a very proactive approach, and we have this concept called “Blast Chambers,” where if the developer wants to do something or spin up something new, it goes into this isolation chamber where it’s able to still communicate at a minimum and do what it’s able to do, so it’s very much segmented from everything else, and then once it passes all the sanctions it gets the appropriate security tag, and then it gets engulfed into the security policy that’s appropriate, so, it actually gets more.

David Spark

I’d like to know a little bit more of the mechanics of how this, quote, Blast Chamber, works, because I like the image of this and what you’re creating. So, what exactly is happening here?

Sandy Wenzel

Yes, absolutely. So, when a developer actually spins up, let’s say an application or a host or anything on it, it has to pass certain criteria. If it doesn’t, it gets put into this isolation chamber.

David Spark

So give me an example of a criterion that would trigger it?

Sandy Wenzel

So, obviously a lot need access, like HTTP, DNS, things like that, so we’d get that basic information, but, if it doesn’t have the appropriate tag, like when the builder puts the security tag on it, whether it’s in the cloud, so you have your network security group, or the tag within what we have within VMware, if it doesn’t have that appropriate tag, then it gets put into that chamber and more of a monitor watch mode. Because, again, we don’t know if it’s going to be living long or living short, or what the actual use case for that’s going to be, and so we get more telemetry on what it’s actually doing, and since, where we sit, within NSX, is on the hypervisor itself, we don’t have to wait for network packets to actually be transient or move around to understand what the traffic is. We’re living where the workload is, we’re able to identify what it’s dependent on, what applications it’s going to be talking to, the configuration, the OS it’s on, we already have all that data to kind of make a decision and base what that risk is or, what that risk score is going to be. And that’s going to include things like what OS it’s running, is that vulnerable, are there any CVEs tied to the processes that are running, if it’s running Apache or Nginx, or what version, what CVEs are going to come back for that, and how vulnerable is it?

David Spark

Sandy, give me an idea of the before and after. When you’re not using this kind of sandbox environment and when you are, what is the activity that changes, I guess, for the SOC, who I guess would be the people that would be most affected?

Sandy Wenzel

So, traditionally, and as it works for most folks, they spin up a host, and as long as it has the appropriate OS and the activity it needs from, again, HTTP, DNS, the call outs it needs, typically moving East-West, so, being able to hop to another machine or ping a resource on the same VLAN, that’s typically allowed. Because, again, needing that access or API calls, or having to pull a script, or some sort of configuration data, if they were on playbooks or any sort of automation, they need to be able to talk East-West, and freely. So, again, that’s why lateral movement is such a huge thing, because it’s an attack vector, and as soon as an adversary lands on a machine, they’re able just to move laterally throughout, because that segmentation doesn’t exist. So, with what VMware has moved to with their infosec team, it’s actually being able to spin up a machine where it’s isolated within its own VLAN, and it’s not able to communicate East-West. Again, we need to know why, it needs to be validated, and if those tags aren’t appropriate as the machine has spun up, and this is something through what the developer does, or, even through the change control process, that is also automated through the ITSM, it’s not going to be able to communicate or go anywhere. So, again, if it only needs to live for ten minutes or a day, if it’s something for R&D or if it’s something that’s just more of a QA thing, where they just wanted to test something and they don’t need that East-West access, then there’s a script that runs and that machine also, our host, may get killed, because again, it’s utilizing resources. So, that’s another big thing, is being able to tag it and say, “I need this machine up, I need it living, it’s doing production, it’s doing all the things” versus, “Oh, I just kind of forgot about this machine and it’s just living out there in the world, alive.”

David Spark

Which, by the way, happens a lot, I know.

Sandy Wenzel

It happens very much a lot. So, just being able to manage those assets and tie a risk back to them and see whether or not it’s still being utilized, recognize it and understand the flows. Again, it’s not only how users access it, and maybe accessing that application or doing whatever on it, but, what other calls is it making? Is it using PowerShell? What other APIs is it using? Is it being monitored? Things like that.

David Spark

Let me throw this to you, Mike. What’s your reaction when you hear Sandy describing this environment? How would this change your situation?

Mike Johnson

I think it’s a great idea. What it would change for many companies is that ability to rapidly iterate in development, where you can spin up a thing, you can have the resources that you need to test it outside of your own laptop, for instance, and you can get an idea of what it’s going to look like in a production environment, but in a safe way. It sounds like there’s a great way to then progress through the gates where you can stand up a thing, you can satisfy the security requirements, and then it graduates into broader participation in the environment, potentially without ever having to get a manual security review. You know what the gates are, you know what you have to do, you have a path to do it, but you’re able to start out in a safe environment and then end up in the production environment in a safe manner, without necessarily having to have manual review that kind of slows down your development process.

David Spark

Did Mike describe that well, Sandy?

Sandy Wenzel

He did, yes, exactly.

David Spark

I’m very proud of you, Mike.

Mike Johnson

Oh thank you.

How would you handle the situation?

00:25:35:19

David Spark

Over on Twitter, I asked the question, what are some good assignments to give a cybersecurity intern? My favorite answer was from David Lagace of Lowe’s Canada, who said, quote, “Here is the vulnerability scanner, all the critical and highs, and open tickets. Paste suggested remediation actions and assign them to X, Y, Z, for remediation. When you get tired of opening the first ten to 20, etcetera, come tell me how you would automate this.” Alright, I’ll throw it to you first, Mike. What do you think of that tip? And do you have better assignments for security interns?

Mike Johnson

I would cut out the go-through-the-tickets thing, just jump straight to the automation.

David Spark

Well, don’t they need to see the tickets to know what they’re automating?

Mike Johnson

No.

David Spark

No?

Mike Johnson

No, they can work with other folks on the team to understand what that is, and this is one of the things where you’re looking at your interns, and if you’re bringing in interns that really understand vulnerability analysis, they may not understand automation and building tools. Or, if you’re bringing in people who are only focusing on tools, they may not understand the vulnerability analysis part of it. I prefer to bring in people who have an interest in security, but may not have done it before, when you’re looking at an internship. So, you’re looking at people who have that engineering background, have them sit down and interview, basically the way that they would normally do any development task: they interview the subject matter experts on what it is that we’re trying to accomplish, what are the requirements of this, tell me what the existing process is, but I don’t need to be an expert in that process. And I can then take the time that I have available, build that automation, and then get review and sign off from the subject matter experts who understand vulnerability analysis.

David Spark

Have you actually done this with any of your interns?

Mike Johnson

Absolutely, not necessarily the vulnerability analysis, but we’ve done it on the incident response side, on looking at events and trying to figure out ways to correlate alerts. I’ve also had them do data analysis, where it can either be hypothesis driven, of we think these patterns are in the million events per second that we’re getting, help us find them. Or it could be, here’s a massive data store of ten terabytes of security data, go and find the insights, go and find the patterns, and where you’ve got people who are coming and studying data analytics, they can take that data, understand what’s going on, break it down, and then help you create patterns that you’re then able to apply to your systems and be able to analyze on the fly. I’ve definitely done that, and it’s been very successful.

David Spark

Excellent. Alright, I throw this to you, Sandy. What do you think of David Lagace’s suggestion? What do you think of Mike’s amendment to it?

Sandy Wenzel

I am in violent agreement with Mike. David brings up a good point on the automation part, but I also feel that with an intern, a fresh mind that hasn’t been in the hot seat too long, or ingrained in the day to day grind, they can still give you that outsider’s perspective looking in, which a lot of people do want, they want that feedback. So, my other tip would be that once the interns do get their feet wet and they’ve had their feet to the fire a few times, ask them for insight on how they would better the security program. So, a retrospective is what most would call that. So, having a framework, I’m a fan of the four Ls, going through your liked, learned, lacked and longed for, and I’ve also heard others using a what worked well and what didn’t type of board. And what’s great about these is, they’re a great way to get data, set up new goals, and they work very, very well virtually, in this new normal for us as well. And my only advice to leadership is, be very, very ready and receptive for that feedback, whether it’s positive or negative, because you will get both, but just be receptive and open to hearing that feedback, and hopefully, progressing through with change.

David Spark

I have a final question for both of you. Have you gotten advice from an intern that you actually deployed? You’re like, oh, nobody ever thought of that, let’s do it.

Mike Johnson

Yes, again, I mentioned the research projects of doing data analysis, and in that case it was, we have some theories, we just don’t have the background to necessarily go and find them, but, you, intern, with all of your doctorate studies around data analysis, you’re able to find the patterns, you’re able to help us build the models that we could then apply, and that we could then pluck out anomalies from these data streams.

David Spark

Alright, excellent, so having them do the work that you couldn’t do, and they figured it out for you?

Mike Johnson

Absolutely.

David Spark

Sandy, same question to you?

Sandy Wenzel

Yes, the one I had was they actually built a playbook that ordered pizza for all of the SOC analysts when there was an outage or super high, critical incident.

David Spark

That is a great, great feature. I like it.

Mike Johnson

That’s critical.

Sandy Wenzel

That’s mission critical.

Mike Johnson

That’s one of your tier one processes going forward.

Close

00:31:11:09

David Spark

Excellent. Well, we will bring it to an end right there. Great tip and suggestion. I hope that process is in some Git library, yes? Sandy?

Sandy Wenzel

Oh, absolutely, yes.

David Spark

Excellent. I want to thank you very much, Sandy Wenzel, who is with VMware, she is the Cybersecurity Transformation Engineer over there. I will let you have the very last word, but first I want to thank your employer, VMware, for sponsoring this very episode of the podcast, and many other episodes as well. Thank you very much. Two things I want to ask you, when I get to you again, because you’re going to have the last word: are you hiring? B, how people can follow up with you, and any sort of pitch or plug you would like to make for VMware. But first, Mike, any last words?

Mike Johnson

Sandy, thanks for joining us. It’s always great to get a blue team perspective on the show, and it was really nice to sit down and have that conversation with you. I also liked how you kept stressing the need to get fresh minds, to get fresh perspectives, to have people look at things differently than we have in the past, and really change things up and challenge convention. So, thank you for that. And I also really liked the blast chamber idea. I don’t know how I’m going to turn around and implement it tomorrow, but, it’s a great takeaway for folks to think about, consider how they might bring such a concept into their environments. So, thank you for those tips. Thank you for joining us and thank you for having the conversation.

David Spark

Alright, I throw this to you, Sandy, and continued thank yous from me as well, answer to my questions, are you hiring? How do people get in contact with you? Any other pitch for VMware?

Sandy Wenzel

Absolutely. So, we absolutely are hiring, we’re always looking for security talent and professionals and folks with just like minds, right, like minds for us blue teamers, and always fighting the good fight. Quick shout out I’d like to give is for the CTF Factory, for the amazing work they do putting on Pros Versus Joes year after year at BSides. I encourage folks to find their local BSides Chapter and participate and volunteer, it’s a great organization and they put a lot of information out for free, so, absolutely participate if you are going to Vegas.

David Spark

Give a quick two sentence explanation of Pros Versus Joes?

Sandy Wenzel

So, Pros Versus Joes, CTF, is a live simulation of blue teamers and red teamers, and the red teamers are actually professional penetration testers. So, again, that’s why it’s Pros Versus Joes, because the Joes we typically get are, students who are either practicing for their CCDC or actual Joes off the street who want to get into cybersecurity and learn more, and learn how this infrastructure works and what we’re protecting and how we do the things. So, that’s Pros Versus Joes, and again, it’s typically a live event, but obviously we can do it remotely as well with all the cloud things we have going on, so, that will be remote this year, but absolutely participate if you can and when you can.

David Spark

Awesome. Anything you want to say about VMware and getting in contact with you?

Sandy Wenzel

Oh absolutely. You can find me on LinkedIn, I’m very gullible to social engineering so I’m sure you can find my alter-egos on the Twitter. So, absolutely find me there. But, to get in contact with us, I’d love it, I love to hear your feedback, whether that’s positive or negative, again, personally I’m always looking to grow. So, any feedback you have for me, any things that you think I should learn more about, I’m open for it.

David Spark

You know what, and I will concur with that comment. We take any kind of feedback as well, positive or negative, constructive, any way you would like. We don’t need the mean tweets like Jimmy Kimmel does on his show, but, we do take constructive and negative feedback, and I have responded to some of it in the past. So, it is heard and sometimes acted on. And a word from our research partner, GigaOm, they are on the hunt for analysts and engineers with security experience, and here’s the big thing, if you’re interested in this they are looking for those analysts and engineers who have had practical experience, those people who have implemented solutions, solved problems, worked long hours to understand how to make organizations secure in an increasingly insecure world, then contact them at gigaom.com. They’re looking for report writing and benchmark testing as well. Thank you very much to VMware, thank you very much to Sandy, thank you to you, Michael, as well, and thank you to our audience for all your awesome contributions, and, for listening to the CISO Security Vendor Relationship podcast.

Voiceover

That wraps up another episode. If you haven’t subscribed to the podcast, please do. If you’re already a subscriber, write a review. This show thrives on your input. Head over to cisoseries.com, and you’ll see plenty of ways to participate, including recording a question or comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at david@cisoseries.com. Thank you for listening to the “CISO/Security Vendor Relationship Podcast.”