The Perfect Gift for a Cyber Crook

What do you give to the person who wants to learn how to steal everything?

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series, and Andy Ellis (@csoandy), operating partner, YL Ventures. Our sponsored guest is Jim Wachhaus (@imanapt), risk intelligence evangelist, CyCognito.

Got feedback? Join the conversation on LinkedIn.

HUGE thanks to our sponsor, CyCognito

By understanding risks, attacks, and behaviors from attack surface management data, CyCognito visualizes the pathways attackers will take to exploit your network, enabling you to see, understand and eradicate the threat. CyCognito is the only cyber risk intelligence platform that visualizes the attackers’ paths into your network.

Full transcript

Voiceover

Ten second security tip. Go!

Jim Wachhaus

You want to prevent breaches? Prevent ransomware from phishing? I know it’s been said many times many ways, but 2FA will save your life some day.

Voiceover

It’s time to begin the CISO Security Vendor Relationship Podcast.

David Spark

Welcome to the CISO/Security Vendor Relationship Podcast. My name is David Spark, I’m the producer of the CISO Series. And joining me as my co-host for this very episode is Andy Ellis. He’s the operating partner over at YL Ventures. He’s also co-host today and many episodes of this very show. Andy, the sound of your voice would sound something like…

Andy Ellis

Happy New Year everyone.

David Spark

Happy New Year. We’re available at CISOSeries.com. Our sponsor for today’s episode, who is also responsible for bringing our guest today, and you’ll meet that person in just a moment, they are CyCognito. Thrilled to have them on board, a brand sponsor. First episode of 2022, very excited about that. More about them and what they’re doing and risk intelligence, which we’ll be talking about on the show. But it is our first episode of 2022, so I’m going to ask the question that is being asked on many a tech podcast around the world: what is your prediction for this year?

Andy Ellis

Oh, my prediction certainly for the next month is that social media will go wild making fun of all of the predictions that we’re all going to make. But that said, I think my prediction’s actually an anti-prediction. I think we’re going to stop hearing about the cloud migration, because I think we’ve hit critical mass of cloud native. That there’s enough people already in cloud that nobody wants to admit that they have not migrated yet. So we’ll get to hear a lot more “cloud first.” I think that is going to be the language of 2022.

David Spark

I think security’s still going to be a big topic in 2022. I think so. I don’t think it’s going to evaporate. [LAUGHS]. Don’t see us all being unemployed because nobody cares about security anymore.

David Spark

No, and also the thing that I said of this last year 2021 although we saw inklings of it previously, but 2021 was really the year that the Cyber Security news broke in the mainstream news before the [SPECIALIST TERMINOLOGY].

Andy Ellis

Yeah and definitely it feels like it’s no longer the province of just the specialist reporters in the mainstream news. That it is now mainstreamed enough that everybody talks about it. It’s not like, oh if Nicole doesn’t talk about it, it didn’t happen.

David Spark

Right. Good point. Let’s bring on our guest. Our first guest for 2022. Our sponsored guest for today’s episode is Jim Wachhaus, the risk intelligence evangelist over at CyCognito. Jim, thank you so much for joining us.

Jim Wachhaus

Thank you for having me David and Andy.

Are we making the situation better or worse?

David Spark

Nearly three quarters of security professionals think security hygiene and posture management has become more difficult over the past two years, said VentureBeat of the new report by JupiterOne and Jon Oltsik at Enterprise Strategy Group. The survey alerted to growing concerns about vulnerabilities such as the discovery of sensitive data in previously unknown locations, unknown websites with a path to their organization, exposed employee credentials or misconfigured user permissions, and unknown SaaS applications running in the corporate environment. Two-thirds admitted to cyberattacks through an unknown or unmanaged Internet-facing asset.

So Andy, I’m going to start with you. The lack of knowing is what’s abusing cybersecurity professionals. How can we shore up our cybersecurity hygiene? Is this just deploying asset management solutions or is it something else?

Andy Ellis

I think the lack of knowing is mostly our own fault. I like to think of it as imagining a board member asks the CEO and says, “Hey, do we patch all of our systems? I heard about this log for something, thing. Do we patch all of our systems?” And the CEO says, “Of course we do.” And of course the CEO then turns to the CIO and says, “Hey, do we patch all of our systems in a timely fashion?” And when the CIO hears this, “Did you patch all of your systems?” At each stage the people who are answering hear it about the systems they own. I see this in a lot of security programs, we only talk about the systems that have great ownership, we know exactly who to point a finger at. So we end up answering, “Well, we patch our Active Directory server really quickly,” but we don’t talk about all the other devices in our environment. And so that’s the lack of knowing there’s a problem. So I think that asset management helps, but really being able to let go of that certainty for a moment and say, “Look, the systems I know about, let’s just write them down.” And whenever somebody says, “Hey, did you talk to so and so about that system?” Write down that you don’t know anything about this system. And it’s okay, but now you can start to approach it from a hygiene perspective.

Because it’s like brushing your teeth. If all you’re doing is brushing your front two teeth they’ll be really nice and white for a while, but the rest of your mouth’s going to be kind of stinky. You’ve got to learn where all the teeth are if you want to brush your teeth. This is like the story of the elephant, of people only knowing certain parts of the elephant, as well.

David Spark

Jim do you feel the same as Andy or is there more to this story?

Jim Wachhaus

I’d say there’s a little bit more to this story from the usage of words like fault or responsibility. I think it’s important to remove fault from that equation because as soon as there’s fault being found you start having people hiding stuff or being squirrelly about where their assets are, or where the responsibility is. Everybody is responsible for an attack surface. They’re responsible for the assets that are in the corporate environment. And by taking responsibility and knowing that you’re responsible you’re going to do more than just good asset management or more than just good vulnerability management, you’re going to do good risk management for the enterprise.

David Spark

And this whole concept of asset management is really taking off, I think, in 2021. We had heard about it a few years prior, but this year really was the story of asset management, because, you know, every one of these vendors sold with the line of “you can’t protect what you don’t know,” and I think, correct me if I’m wrong, both of you, what we don’t know is much larger than what we thought. Yes, Jim?

Jim Wachhaus

[LAUGHS]. We run into it all the time. I call it the stages of grief of attack surface management. There is that denial that those assets are our assets, there’s the bargaining: well, those aren’t actually my assets, they belong to this subsidiary over here. And then there’s kind of like this start of acceptance, but there’s also grief, anger. There’s all kinds of stages of grief to attack surface management, and we run into it all the time.

David Spark

Andy, have you gone through those levels of grief?

Andy Ellis

I’ve gone through those levels of grief, because I already started on acceptance, so I’m fortunate.

Jim Wachhaus

[LAUGHS].

Andy Ellis

But I had to introduce other people to it, because historically asset management was tied into systems management. And so people had an asset management system, and so they were reluctant to get another one, but their asset management system only worked on Windows servers. And you’re like, well, how helpful is that? I’ve got a lot of non-Windows servers over here, or vice versa, it only worked for the Linux servers, so maybe it was Infoblox.

So only the machines that you can configure DNS for on this one. And so that’s what the problem is, when asset management became its own discipline and people said, no, no, I just need an asset management that will, via API, pull information from all of these different system management locations, to where all of a sudden you started to get this bigger view and realize that you had enclaves and you were only paying attention to one of them before.

If you’re not paranoid yet here’s your chance.

David Spark

What is it in a malware payload that would lead one to believe they’re being attacked by a nation-state attacker vs. a private entity? This was the question posed by Daniel Rosehill of Rosehill Marcom Consulting on the cybersecurity subreddit. Some of the responses mentioned whether you were targeted, or if the attack was trying to exfiltrate specific information, or if they were taking their time to pull that information. But others said that nation-state actors have signature tools and tricks. Also, a nation-state attacker would probably use a zero day (considered more sophisticated) rather than a known vulnerability. And other malware will give indications as to where it came from or where it’s trying to phone home. All of these are pretty good suggestions. Andy, what do you think?

Andy Ellis

Well my first question is why do you actually care? You’re being attacked by someone.

David Spark

Well this was the question that was posed on Reddit. Where is this coming from?

Andy Ellis

It’s an interesting one, but somebody who’s thinking about this: first of all protect yourself, but recognize that a lot of nation-state actors use the exact same commercial tools the private actors use, because they work. And so why bother doing something more extreme? And so I think that what you might look at is, say, does the cost to the attacker match with the benefit that they could get commercially? If they’re burning zero days to steal some credit card records, that’s a little bit odd.

David Spark

Well, that probably wouldn’t be a nation-state attacker.

Andy Ellis

No, that might actually be a nation-state attacker where they’re covering their tracks by stealing credit card data. They burn zero days to get into your environment.

David Spark

What else did they do? Because this attack doesn’t make any sense. Jim?

Jim Wachhaus

Well, that’s the thing with not making sense. They might be, like, dropping something to get you distracted, and we’ve seen this happen plenty of times.

Andy Ellis

Yeah, but does it make financial sense? We would joke about it. If you found a crypto miner, almost every security team stops investigating. We had a machine compromised, the attacker put on a crypto miner. Thank god. Okay, well, how many of those were nation-states that stole something else and left their crypto miner behind?

David Spark

But the story we hear a lot is, if you’re getting attacked by a nation-state they’ve got way deeper pockets and if there’s something they want they’re gonna get it. Jim? Yes?

Jim Wachhaus

Yes, I also would go back to the question and ask, are they being asked this by their cyber-insurer? ‘Cause a lot of riders in cyber-insurance actually make nation-state actions not insurable.

David Spark

Really.

Andy Ellis

Right.

Jim Wachhaus

So that could be a potential reason why they’re asking that question, and it’s an interesting one because that’s a monetary consideration for any organization that’s accepting risk and using cyber-insurance to cover for it. But now they get hit by cyber-warfare. Have we ever seen cyber-peace? Cyber-warfare, and they no longer are covered for that ransomware attack that was, by the way, added on to cover the tracks of the actual target.

David Spark

I’m going back to you, Andy. You don’t think there’s any value? Jim makes a good point regarding insurance.

Jim Wachhaus

Negative value.

David Spark

Yeah.

Andy Ellis

Right. [LAUGHS].

David Spark

If you know who’s attacking you, isn’t this whole thing about understanding? If you know who’s attacking or what their motivation is, then you can sort of shore up your defenses a little bit better. Yes?

Andy Ellis

Maybe. Like, there’s some value. And I consider there’s zero value in understanding that, but I worry too much that it becomes a recency bias. I mean, who attacked me today, that’s what I want to defend against. Like, here’s the question. Are you a business that a nation-state attacker might attack? If so, what would they want? But you could do this thought exercise without waiting for the malware. Like, how would a nation-state actor leverage access to your environment to cause your country to have a bad day? If you can answer that question, that is far more valuable than figuring out whether a given piece of malware is nation-state or commercial.

David Spark

Jim, you get the final word on this.

Jim Wachhaus

I agree with Andy in that regard. I’d say post-incident, in the post-mortem when the legal team is getting involved, that’s when that question is going to become relevant, but not during the attack and not before the attack, certainly.

It’s time to play, What’s Worse?

David Spark

Alright, Jim. You know how this game is played? It’s a risk management exercise, right up your alley. So what’s going to happen is I’m going to give you two scenarios, they both stink, and you have to choose, of these two horrible scenarios, which one’s worse. I always make Andy go first so you get a little more time to respond. I always like it when you disagree with Andy, but no pressure. Andy likes it when you agree with him, so there you go. That’s how we’re different.

Andy Ellis

And we’re not allowed to weasel our way out of these scenarios?

David Spark

No. This What’s Worse scenario comes from Nick McNaulty, who is at a confidential source. I don’t know what it is, and hopefully he knows what it is, but right now we don’t know. Here’s the scenarios. Scenario number one, the ability for patch managers to selectively patch Microsoft systems à la carte. Now the issue here is potentially not installing patches that are needed. So you just sort of patch what you think is needed, rather than Microsoft telling you what you need. Or the opposite, which is the new Microsoft bundles that just push patches that might not be necessary on the majority of your systems. This is a classic scenario, we’ve seen this before, Andy. What’s worse?

Andy Ellis

This one actually is hard, because I like both of them. This isn’t actually like an awful choice, this is actually a good choice for once. I’ve got merits: I’m going to pave the world, like every system gets every update and they’re all running latest and greatest. That means that that business analytics app that we bought five years ago and haven’t paid for maintenance on is going to stop working. So better go upgrade that one, folks, and better yet, I get to blame this all on systems administration. Like, this is an IT problem, it’s not a security problem. So that’s the first, that everybody gets it. If it’s selective, that means we can not take some, but then that means we’ll never take some. So I’m going to go with that as actually the worse one. I’d rather just pave the world, because that’s how I feel today, than let people leave the pothole because they know where the pothole is, not that.

David Spark

Alright, so the worse scenario is the à la carte.

Andy Ellis

The à la carte, especially because I’m assuming, and maybe I shouldn’t have assumed it, but the à la carte is like there’s no tracking. I don’t know what they took, because if I knew I could get them to actually take the relevant one. So that would then make that better.

David Spark

Alright. Your answer in the studio, Jim. What is worse? The à la carte or the push it all?

Jim Wachhaus

Wow! Part of me wants to agree with Andy, but the fighter in me is going to say you’re absolutely wrong, Andy. The pave it all is going to break something. It’s going to break things that your business depends upon, and if you think that cybersecurity is not beholden to the business making money and keeping the lights on, you’re absolutely wrong. So I think we need to put trust in our people to make the right choices that keep the lights on and keep us profitable, and cybersecurity just has to deal with that. We have to catch up, we have to monitor, we have to be better citizens in the ecosystem of the competitive environment that we all live in.

David Spark

And I’m going to add to what you said, Jim, because I think the argument you made, Andy, is that at least they know what they didn’t patch, but that should actually be the good thing. In the scenario you said, Jim, something’s going to break, who knows what. [LAUGHS].

Andy Ellis

The downside is if only the system owner knows. So IT doesn’t know what they didn’t take, I don’t know what they didn’t take. So for all I know they’re going to be saying, “Oh look.” I could just say I don’t want to take anything, ’cause that makes my life easier, so that’s why I’m saying that was the worse one. I completely agree with Jim’s point that security doesn’t want to be the villain here, but note that Microsoft is pushing these, Microsoft was chosen by IT. This is totally not security’s fault. I’m going to be there with a drink to help console people when their systems break and help them pick a new vendor.

Jim Wachhaus

Andy, I do admire the laissez-faire approach of the nuke and pave.

David Spark

Yeah, but how do you know the roads don’t have potholes in them? You just pave them every couple of years. You don’t go looking for potholes to patch up for a while.

Jim Wachhaus

More beaches and umbrella drinks for us.

David Spark

Oh I love it.

Jim Wachhaus

Yeah.

David Spark

Beaches, umbrellas and paving. Very good. [LAUGHS].

Please, Enough. No, More.

David Spark

Our topic is risk intelligence. Now this is the issue of how well you understand your risk from all aspects. The idea being the higher your risk intelligence, the more informed decisions you can actually make around security and your business. So I’ll start with you, Andy. What have you heard enough about with risk intelligence, and what would you like to hear a lot more?

Andy Ellis

I think I’ve heard a little too much trying to tie it together with hazards. And so I like to think about risk as having hazards, which are problems in your environment, and then the risk, which is the instantiation of those hazards, and that’s where the intelligence of knowing, like, who is going to trigger or how it’s going to be triggered, that becomes interesting. So I’d like to hear sort of more about how does that knowledge actually then tie into the hazards you have in your environment, so you can prioritize the hazards that you’re going to reduce instead of trying to reduce the scenarios. Like, a nation-state attacker wants to attack me, great. That’s never going to go away. I should never say, “Oh look, I got tall enough that the nation-state doesn’t want to get after me.” It’s, “I’m tall enough that the nation-state is going to be less effective.” And so that’s the nuance that I’m looking to hear more about.

David Spark

I like that. Jim, what say you? What have you heard enough about on risk intelligence, and what would you like to hear a lot more?

Jim Wachhaus

Say we’re going to wholly and totally solve this problem with automation. We are going to automate a lot of risk intelligence: the synthesis of contextual information that’s my environment with threat intelligence that’s globally distributed. We’re going to be able to prevent a lot of attacks by knowing our risk intelligence posture, or risk posture. But we’re also going to be unable to prevent a lot of attacks, and you’re not going to be able to prevent attacks with simple AI and automation. You’re going to have to have people who are out there actually fixing these prioritized issues: patching, reconfiguring, providing masking, whether it’s web application firewalls, XDR, something like that. You’re going to be able to then reassess your risk, provide risk intelligence based upon threat intelligence combined with that contextual information. I’d like to see more of that.

David Spark

Okay, so this is where we could lead into how CyCognito is dealing with this very issue. This is your bailiwick, you are, by the way, risk intelligence evangelist. So we’re talking to the right person right now.

Jim Wachhaus

I hope so.

David Spark

How is CyCognito handling this?

Jim Wachhaus

So CyCognito approaches risk intelligence from the standpoint of an attacker. We are a SaaS-based platform that has a globally distributed and very stealthy botnet that is going out there and discovering all of the assets that are in the attack surface, without any input from you. You can provide input if you would like to make our automation platform more intelligent, but you don’t have to, you can depend on our system to do it for you. We’re going to then test all of those assets that we’ve found in that attack surface, whether they’re IP addresses, digital certificates or web applications, domains, subdomains, things like that. And we’re going to tell you about the risks that are most important: the pathways that are going to be followed by attackers to get that initial access to then do all of the other bad stuff that’s to the right of the MITRE ATT&CK framework. So really our risk intelligence is about synthesizing threat intelligence with real-time data from your environment and providing information and wisdom.

David Spark

Jim, give me a very detailed example, like a scenario that one of your customers has seen. How does that information actually come to them? We’ve done this research, we’ve done this. This is now what we know, this is the risk intelligence we’re providing. Give me an example.

Jim Wachhaus

For the Log4j issue that we’re all dealing with right now, our platform provides not only 100% confidence that we have found assets that are affected by the Log4j, because of the way that we have exploited them, but we also provide exploit intelligence, a way for you to use Metasploit to execute the exploit against those systems, basically Log4j, Log4Shell, and you’re going to be able to use that information to then shore up your defenses by seeing what the logs look like, by seeing what the traffic looks like in your blue team, so that you can then monitor for that throughout your organisation. That’s just one small exploit intelligence example that really leads to risk intelligence. Basically the unification of threat intelligence on a specific IOC with that vulnerability or exposure being in your environment in particular.

David Spark

That’s excellent. So they are, with your information, able to make better decisions it seems like, because you’re literally showing a very sort of linear pathway of what’s happening. Yes?

Jim Wachhaus

100%. There’s a pathway that leads you from bad state to good state and then verification that you’ve actually arrived at your destination.

David Spark

I’m going to have you close this out. Give me an example of what some of your customers have said to you prior to using your product and now having the information and being able to act on the information you give them.

Jim Wachhaus

The feedback has been tremendous. Essentially we’re providing proactive control or visibility on the attack surface. So they have said things like, we use the CyCognito platform as our one system of truth, or the record of truth, for the entire external attack surface. So basically the CyCognito platform is driving internal meetings and alignment and communication about how to manage risk in that environment. The metrics that we provide are providing KPIs that are driving better behavior in these organizations. I’ve had a CISO tell me, I’ve actually heard this a couple times from different people, that our intelligence of the attack surface is kind of like when you do a penetration test: you’re kind of looking at an inch wide and a mile deep in a penetration test. Our platform is kind of like a foot deep and a mile wide. It covers everything, and it covers it to the point that an attacker would see from the Internet, so that we can shore up any holes and close the door on those attackers, to prevent breaches in the future.

Is this the best use of my money?

David Spark

We’re recording this episode just days before Christmas, and someone on the AskNetsec subreddit asked, what gifts should I get my husband who is looking to go into Red Teaming/vulnerability? And he was telling me, this is just from the community: a lock picking set, an RFID cloner, a book on social engineering, a Raspberry Pi, another monitor, subscriptions to Hack The Box or TryHackMe for capture the flag exercises, and a WiFi Pineapple. Andy, I’ll start with you. What would you suggest would be the perfect gift for a wannabe Red Teamer?

Andy Ellis

So I liked a lot of those, they’re very tactical gifts, like here’s how to go practice. I’m going to go for a more strategic gift, ’cause if you want to be a Red Teamer you really need to understand complex systems, because you’re often looking for sort of the gap in between them, and my go-to book on that is Engineering a Safer World by Nancy Leveson, which really explores from the safety aspect the difficulties of making complex systems safe and how the systems that all think they work together actually create a vulnerability. So it’s a fantastic introduction to think about safety in a complex environment, which then lets you think about your infelicities in a complex environment that you’re gonna want to learn how to exploit.

David Spark

Good tip. Jim, your recommendations for a wannabe Red Teamer?

Jim Wachhaus

Andy, your example is excellent and very professional, mine is going to be a lot more casual, and that is watch Ferris Bueller’s Day Off and talk about all the ways that Ferris hacks his associates with social engineering.

Andy Ellis

Things you couldn’t do anymore now that we all have cell phones.

Jim Wachhaus

Very true.

David Spark

By the way, both great suggestions as well, and I must say that I thoroughly enjoyed this list and how, by the way, eager this woman was to get a gift for her husband, for that matter. Let me ask you, those are two good ones. From the list though that I read off, were there any favorites that you thought of?

Andy Ellis

I’ve got to say that another monitor, like if you only have one monitor, having a second monitor is one of the best things you can have just for general productivity. So whatever you’ve got to do, a second monitor is fantastic. I personally love the lock picking set, that’s because that’s one of the things that I learned to do early on, but I have too many lock picks already.

David Spark

Oh well. Mostly I have one of those wide screen monitors; I used to have multiple monitors, and going from multiple to wide screen is a big difference. I thought there wouldn’t be much of a difference, it is a significant difference.

Andy Ellis

It is. I’ve got a wide screen curved gaming monitor in front of me, and then above that I have a second monitor just so I can put all the Zoom people up there and still have my monitor.

David Spark

So you can be playing games while you are on Zoom calls?

Andy Ellis

I could totally be playing games, haven’t you noticed that I look away for a while? I’m not playing games, honest, David.

David Spark

Alright Jim, from this list what was your favorite?

Jim Wachhaus

I also agree that the second monitor or third monitor or fourth monitor is absolutely a great investment. I use multiple monitors and it changed my life. But I also like the lock picking set and the social engineering book.

Closing

David Spark

Well, that brings us to the very end of this episode. That was awesome. Thank you very much, Jim, thank you very much, Andy. And I want to thank your company, Jim, CyCognito, for some risk intelligence and to be more intelligent about your risk situation. Check them out at CyCognito.com. That’s CyCognito. I’m going to let you have the very last word, Jim, if you have any special offer for our audience, please let us know, or a way to get in contact with you. One of the questions I always ask my guests, are you hiring? So have an answer for that, but first, Andy.

Andy Ellis

Well you know, this was really fascinating. I think one of the things we do more as a security team and this security industry is actually learn to use the same words to talk about things. [LAUGHS].

David Spark

I like that. I was actually having a conversation with a friend of mine, not on security, but I was saying, “Have you heard this term? Have you heard this term?” And he goes, “You know what? There are a bunch of terms that mean exactly the same thing, and I think we’re totally talking about the darned thing.”

Andy Ellis

Oh absolutely, and next year it’ll be whole different words, ’cause we’ll have a new slate of vendors who’ll need to differentiate themselves from the existing vendors, and they’ll do that by creating new words to describe the things they do. They totally look absolutely nothing like this other thing that a vendor already does.

David Spark

I can’t even remember what the category was I was referring to, but I remember talking to one vendor and they were all excited, because Gartner was creating a whole new category for them, and my attitude was, “Wouldn’t it be better if you just fit into this category?” I can’t remember what it was, some basic category. I’m like, rather than having to not just sell your company, but also to sell this whole concept of a new category. That’s like double marketing in sales. That’s a royal pain in the butt, like it’ll be easier to slide into whatever everybody knows.

Andy Ellis

Yeah, but the analyst firms would like you to do that, because if you’re a vendor and you’re in an analyst firm you’re paying them based on the number of different categories you’re interested in. So if they create a new category you don’t abandon the old category, no, you’re still in that and you’re in the new one, and now you’re paying them more money.

David Spark

I do understand how this works from the analyst viewpoint.

Andy Ellis

Yeah.

David Spark

But I’m just more concerned about the vendor’s viewpoint of making life simpler for the people they’re trying to sell to.

Andy Ellis

Yeah, well, you want to have both, right? If somebody hears about the new word you’d like to own the new word.

David Spark

Right.

Andy Ellis

But if they only know the old word you’d like to be competitive on the old word too.

David Spark

Let me ask you. Of the new categories in the past five years, which ones do you think have actually taken hold? I’m thinking XDR, even though there’s a lot of complaints.

Andy Ellis

I mean, what is XDR? Like, XDR at this point appears to be either SIEM next generation or EDR next generation or something entirely different, and I say that as somebody who’s invested in an XDR company. I don’t even know the boundaries of XDR.

David Spark

Well, I would say actually asset management has definitely, as a category, taken off.

Andy Ellis

Asset management definitely is a category that’s taken off. I think we’re starting to see some things around SaaS that are becoming, I think this year we’ll see more people settling down to the Talons and the Grips of the world or the Valences, like what does that space look like? Because it’s not just API security, which is what I think some people sometimes lock it down to, but, you know, since we’ve got CyCognito here, I think this whole risk intelligence, threat intelligence, threat management. This one has gone through some evolutions, so I think it has to settle down before I’m gonna say it’s taken off, but at the same time the fact that there is this much motion is interesting.

David Spark

Honestly, just knowing more so you can make better decisions, whatever way you want to label that, is fine.

David Spark

And I now toss to Jim. Jim, any last thoughts on this topic? How do people get in contact with you? Are you hiring? And do you have an offer for our audience?

Jim Wachhaus

Come to www.cycognito.com. Come check out our blog posts, I’ve done a ton of blog posts and there’s some great information there about Log4j, DNS, passive DNS and just closure as examples, and yes, we are hiring. We’re actually in hypergrowth right now, because risk intelligence, external attack surface management are hugely powerful topics these days, especially as MITRE ATT&CK merged with PRE-ATT&CK in October of 2020, and since that time we’ve gotten a lot of coverage. So come check us out, come see our nine minute demo, and thank you very much for having me on your podcast, David and Andy.

David Spark

Very last question, Jim. How do people get in contact with you?

Jim Wachhaus

Jim@cycognito.com.

David Spark

Simple as that. And also we’ll have a link to his LinkedIn profile as well. Thank you very much, Jim, thank you very much, CyCognito, thank you very much, Andy, and thank you to the audience, as always, for your contributions and for listening to the CISO/Security Vendor Relationship Podcast.

Voiceover

That wraps up another episode. If you haven’t subscribed to the podcast, please do. If you’re already a subscriber, write a review. This show thrives on your input. Head over to cisoseries.com, and you’ll see plenty of ways to participate, including recording a question or comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at david@cisoseries.com. Thank you for listening to the “CISO/Security Vendor Relationship Podcast.”