Unspoken Security
Unspoken Security is a raw and gritty podcast for security professionals who are looking to understand the most important issues related to making the world a safer place, including intelligence-driven security, risks and threats in the digital and physical world, and discussions related to corporate culture, leadership, and how world events impact all of us on and off our keyboards.
In each episode, host AJ Nash engages with a range of industry experts to dissect current trends, share practical insights, and address the blunt truths surrounding all aspects of the security industry.
Unspoken Security
What’s the Purpose of Attack Surface Management?
In this episode of Unspoken Security, host AJ Nash welcomes Jeff Foley, founder and leader of the OWASP AMASS flagship project and Vice President and Distinguished Fellow of Research at ZeroFox. They dive into the critical importance of attack surface management (ASM) in cybersecurity, emphasizing the need for visibility from an adversarial perspective. Jeff explains how attackers spend most of their time on surveillance to deeply understand their targets; a vital component to improving the likelihood of being successful during any attack.
AJ and Jeff discuss the transition from government to commercial cybersecurity - including the challenges and opportunities - and Jeff shares his insights on how the commercial sector can benefit from the disciplined and thorough approaches used in government cybersecurity. He stresses the importance of ASM as a form of intelligence, advocating for organizations to identify and manage their attack surfaces as attackers do proactively.
The episode also covers the terminology and misconceptions surrounding ASM, with both AJ and Jeff agreeing that "attack surface management" may not fully capture the essence of the practice, suggesting "attack surface intelligence" as a more accurate term. They underscore the necessity for continuous monitoring and adaptation in a constantly evolving cyber threat landscape.
Finally, as with all episodes of Unspoken Security, our guest (Jeff, in this case), reveals a secret...something that - to this point - has remained unspoken. Like every episode, Jeff doesn't disappoint!
Unspoken Security Ep 17: What's the Purpose of Attack Surface Management?
Jeff Foley: [00:00:00] we've all seen the claims, right? Where they say attackers spend 90 percent on the recon, 10 percent on pulling a trigger for the attack, right? It's true, right? And they spend a lot of time understanding the targets so that when they finally move forward. It's going to work
AJ Nash: Hello, and welcome to another episode of Unspoken Security, brought to you by ZeroFox, the only unified external cybersecurity platform. I'm your host, AJ Nash. I spent 19 years in the intelligence community, mostly at NSA, and I've been building maturing intelligence programs in the private sector for about eight years.
I'm passionate about intelligence, security, public speaking, mentoring, and teaching. I also have a master's degree in organizational leadership from Gonzaga University. Go Zags! And continue to be deeply committed to servant leadership. This podcast brings all these elements together, with some incredible guests.
And then we're going to have these authentic unfiltered conversations on a wide range of challenging topics. It's not your typical podcast. It's not gonna be all polished with my dog has made occasional appearances on the show and people argue and debate, we might even swear here. [00:01:00] I sure will.
And that's all okay. You want to think of this podcast as a conversation that you'd over here at a bar after a long day at one of the larger cybersecurity conferences. These are the conversations we usually have when nobody's listening. So today I'm joined by Jeff Foley. He's the founder and leader of the OWASP AMASS flagship project, an adjunct professor, adjunct lecturer at Utica University.
Oh, yeah, and he also happens to be the Vice President and distinguished fellow of research for us at ZeroFox. Before joining ZeroFox, Jeff was the global head of attack surface management for Citibank. He's been an adjunct professor at the state university of New York. And he's held various roles across the U.
S. Nearly 20 years. He's an old guy like me within the government defense sector. He has a bachelor's degree in computer science from SUNY Polytechnic Institute. So that's at State University of New York, I mentioned, and a master's in cybersecurity, from Utica University. It's a hell of a bio, Jeff.
Anything I left out that you want to add?
Jeff Foley: Oh, just that for many years, when that career started, it was with us, [00:02:00] like yourself, the government space, pulled into cyber warfare, where the focus was superiority, understanding the battle space, things that maybe you don't quite hear. In commercials, cybersecurity, but, I think as we'll get to later, when I came out of that world and saw how different it was in the commercial world, it was eye opening and cause some of these things to happen that I'm known for today.
And the past lives that you just mentioned from the bio,
AJ Nash: Yeah. Listen, like you said, you came out of the government space. So did I. And some people get ruffled by that, I hear that occasionally, right? NSA is in my bio and that's all well and good. The truth of the matter is there's a lot of great talent. In the government space, the government is a great place to learn, and how to build things.
The government does plenty of things wrong. There's plenty of people who are going to have lots of valid complaints about the government. It doesn't mean everything's wrong. The truth of the matter is we talk about security. If you talk about cyber security now, physical security [00:03:00] before, war fighting, whether it's, kinetic or cyber.
That's been the government's domain. That's where it comes from. So it makes good sense that a lot of really good talent comes out of there, but I'll be interested to dig into it with you and talk about what you did learn there, what you've been able to apply, as you said, to the commercial sector, the private sector, because terminology is different.
Motives are different. The opportunities are different. How the legal world. Requirements and authorities are different out here. But some of the goals are the same, right? Our goal is to try to keep ourselves safe, to protect our ourselves from people who want to hurt us or steal from us.
We don't do as much of the offensive as they do on the government side. There's some laws in place there, but, a lot of the things, That the government has to do to keep people safe for the kind of lessons we want to learn and bring into the private sector. I'm excited to dig into this with you and learn more about, attack surface management and what you've learned and what you've built and where we're going today.
So with that, we really should just jump right in, man. The topic today is what's the purpose of attack surface management? Because a lot of people hear about attack surface management, ASM or extended attack service management or external attack service management, all these different terms. But it's [00:04:00] really important to talk about, why this even matters, and frankly, who better to ask than the guy who founded a wasp, a mass.
That's why I want to jump in. But before we get to the why, with most things you really want to discuss the what, right? Not everybody who's going to listen to this knows what a tax service management is, or maybe they think they do. And maybe their definitions aren't entirely correct. It happens.
So I want to just level set here. I want to get this baseline, with the expert and that's you in this case, Jeff, in your words, what is attack surface management?
Jeff Foley: putting that simply, right? If we're trying to keep that as simple as possible, I'd say it's visibility. But of course, that word so overused and, can mean so many things. But what I've been telling people for as long as I've been involved in trying to promote this or advocate for the importance of this is.
It's the adversary adversarial perspective. It's looking through the adversary adversarial lens. Really? And why is that important? If you've ever seen a vulnerability management program where they don't have all the assets on the list, [00:05:00] right?
AJ Nash: Great.
Jeff Foley: That's the right. That's monitoring everything. But this happens to almost every company that they miss some or.
They need to add some new ones that they just found out about.
But if you are only looking at it from that perspective of we're watching what we've been told to watch or what we think we're supposed to be watching, but see adversaries don't do that, right? They just find out. They just go dig it up.
And for the longest time companies were not the same due diligence, I'll call it right. Where it's let's assume nothing. Let's just look at it as if. We were going to put this organization in the crosshairs. And what do we see like an an attacker would, because all too often what we find, or I can say every single time I've ever done this for any organization, what I find is there's more out there than the company realizes. So that's what ASM is. There's a lot of benefits that come from executing that or performing that periodically, which we can get [00:06:00] to later.
AJ Nash: Yeah so you're saying it's, 1st of all, I'm going to jump into the terminology. And you and I didn't invent this term, by the way, I think everybody should know that and probably does. I, but I'm going to attack it a little bit. I guess attack service management from what you just described.
There's not a lot of management involved in that. Is there like,
Jeff Foley: I,
AJ Nash: to everybody,
Jeff Foley: I didn't coin the term. I'm not really fan of it.
AJ Nash: neither of mine, to be honest. And no offense to everybody out there in the world who, whoever invented this and all the marketing folks, including our own, frankly, who still talk about it as a tax service management. I've repeatedly said, I'm not a fond of the term because there's not much management to it.
What you're saying is from hearing correctly. Through the adversary's lens. You mentioned there's a lot of stuff out there people don't know exists, right? This, I think people call it shadow it a lot of times, right? No shock that people spin up new servers new websites, even, all sorts of new things in the name of the company, maybe it's in cloud, right?
There's, they spin up new, buckets in cloud. And people don't know it exists. And this has been going on a long time, that challenge I've been on stage for years talking about Intel. And I [00:07:00] start by saying, the CMDB the configuration management database, which is supposed to be an inventory of everything you have, right.
Every, every computer and all the software on it and all the versions and all the, everything I had every time I've stood on stage and said, everybody raised their hand. That's confident their CMDB is accurate. Nobody raises their hand. Half the people laugh, which I think is sad, frankly. And I just sit here going how can you defend things?
You don't even know what you have. You don't know your environment. You don't know your inventory. As an Intel guy, it scares me because I can tell you this is scary adversary. They are, they're very dangerous. They've got, these tactics and techniques, and they're interested in companies just like us, and they've just come up with this new tactic.
But I can't tell you if it really matters to us, because I don't even know if we have that software system or we have that version or if we're patched or what our compensating controls are. Or, what's exposed to the world and people just shrug it off and giggle at sometimes that the CMDB is out of whack.
And from what you're saying, this extends, right? You've got adversaries are able to just find stuff that we don't know exists. How do you defend things that you don't know exist? And so being [00:08:00] able to look through the adversary lens, as you put it. And as you, astutely also said adversaries don't, They don't follow rules, right?
They don't really care. They just go out and find shit. That's the deal, right? Whatever means necessary to go out and find things. Cause their job is to get into our, back pocket and steal from us. Like they don't have to follow the rules. I think it's an interesting piece that adversary component, as you said, so attack service management is not management.
It's visibility from what you're saying. Like I've even argued, it's a form of intelligence, like attack service
Jeff Foley: Yeah. That's what I would call it. If I could rename it, I would probably call it attack surface intelligence. It is intelligence. It's able to be turned into actionable intelligence. That, that's what we're really dealing with here. And like you said, that's how the adversary is using it. It's find out what we can about the target.
That's in the form. If we're looking at this through a, an operation, right? It's. Understand the battle space. So it's [00:09:00] your job to understand your side, which would be like the blue side, but you have to understand the red side as well. It doesn't matter whether we're talking about because you're a defender or an attacker, both sides are necessary.
You have to understand both sides in order to then start making decisions to say, We're either going to defend like this because we think it's likely that they are going to do this. Or if you're on the other side, the attacker side, then you're going to look at the blue side and say we believe they are, set up to defend themselves in these ways.
So we will choose these attack vectors to increase the likelihood that these attacks are successful. They won't be detected, whatever your priorities are. So it requires this intelligence. A lot of times called reconnaissance in order to make stronger decisions. And that's what we're now bringing to corporations and any organization for that matter, this on the internet is we're saying, you really need to do this to yourself so that if this was being [00:10:00] done to you.
You would know what they're going to see. you don't like that you have a problem and you need to fix Because because when it's all over, what you should be saying, when this is a well oiled machine is you should be saying, I do what I'm seeing, I'm comfortable with what I'm seeing.
And I think that's the position we want to be in as we continue to, defend this organization. In honestly, a contested environment. That's what the internet is, whether people want to admit that or not. It's a contested environment where there's a cost of doing business in a somewhat dangerous or, a risky place.
So you need to be, coming to this conclusion that we've accepted the risk. Now we're comfortable with the level of risk and this is the way we want to keep it as we continue to accept the cost of doing business.
AJ Nash: That's a good point. You talk about accepting risk, right? That's one of the biggest parts of being a CISO is risk, right? To be able to quantify the risk, be able to, communicate that risk to [00:11:00] leadership, be able to own or accept the risk or be able to make sure that somebody else if it does the CSO, perhaps or the CIO or the whatever who ends up being, but being in a position to be able to own risk.
It's really hard to own risk if you don't actually know what the risk is. Or it's really dangerous to own risk. You think you knew what it was, and it turns out there's a whole lot of risk. You didn't know, that shadow it that's undefined undetected. And suddenly that's the attack factor.
That's the door that somebody gets in, to your environment. S3 buckets come to mind all the time in, yeah, when we get into cloud misconfigured S3 buckets or extra buckets aren't supposed to be there because organizations didn't have policies in place, or it may have policies, but didn't have controls in place.
And lo and behold, an organization might think that they know what their risk is. And they said we've, we're an acceptable risk. And the truth is you're carrying a whole lot of risk. You didn't know about, because you didn't know your own environment. It's good.
Jeff Foley: We've engaged a lot of organizations over the years. and what we do is we assess them through the attacker's perspective and we come to the, to the table and then we show [00:12:00] them this is what you look like to an attacker on the internet. How much of that were you aware of?
Or show us your asset inventory, right? To. And the thing is, it's completely common that even a company with a mature security program probably only knew about 80 of what we show them. Some, quite a few are at 50
AJ Nash: so the risk all wrong then, right? Obviously they don't know half the stuff out there. Their risk rating couldn't possibly be accurate any longer.
Jeff Foley: I don't know. It's in some cases. We've even seen 25 percent
AJ Nash: Oh,
Jeff Foley: is all they were aware of from what we were presenting to them.
AJ Nash: Has anybody ever gotten like 100%? You ever had one they mapped out and they're like, yep, we know everything. But
Jeff Foley: no, single 1 Not one yet. Even small groups, like even the tiniest companies, there's something out there that didn't realize like an old piece of equipment or something.
I'm waiting. I'm waiting for the day.
AJ Nash: Challenge laid out there for somebody. If anybody thinks they know 100 percent of their inventory, reach out to Jeff fully we'll give you his email address [00:13:00] and, maybe we'll call someone kind of a prize. If somebody can actually do that, if we can do an ASM scan and they come up with a hundred percent.
You know what, I'm going to do it right now out of my own pocket. Maybe this gets edited out. Let's hope so. I don't have money, but I'm going to offer a $500 gift card right now. Like Amazon, I'm going to pick a company. So you can't get it from anywhere you want. 500 Amazon gift card. First company, first organization.
Don't be like your home system. I'm not interested in somebody from housing. Check my house. Not that kind of bullshit. Come on, help me out here. But you were, you work for a corporation. You got more than, I don't know. 20 people in a company. I'll go really small. And you can reach out to Jeff and you can prove that you, he did a scan and a hundred percent of your stuff was accounted for and I'll give you a 500 Amazon card and we're doing it once by the way.
So it's first come first serve. I don't know how to make the money. So we'll see if that picks up, when it comes out and I'm going to regret this later, probably, but if nothing else, Jeff, your story will change, at least you'll be able to say there's one company out there that proved to me it can
Jeff Foley: Yeah, that'd be great. I appreciate that.
AJ Nash: yeah,
500 500 bucks though. Wow.
Jeff Foley: a lot of [00:14:00] people are aware of the mass project in the fast, the fact that they have a place to go if they are willing to take on this responsibility, right? Or attempt to address this. Whereas, we've been helping people for all the way back to 2017, roughly when.
Unfortunately, a lot of people didn't even realize they should be doing this, or it just seems like not part of a security program. Now, again, coming from my background in cyber warfare, this was just You couldn't come to the conversation, right? If you couldn't, say you were up to speed on this information or intelligence, frankly, you'd be kicked out of the room.
If you attempted to chime in on the decision making when you didn't even know the battle space looked like, but when I came to the, private sector and this was the norm at first, I didn't believe it, honestly I thought it was just. Exceptions or edge cases, but it turned out, no, it was the norm. [00:15:00] And that's when I said, wow we need to do something about this. We need to help change this. So that's where, our initiative came from with the open source work.
AJ Nash: It's a good, I'm glad you mentioned it, right? And yeah, you're right. Getting laughed out of the room. It's like showing up for, you imagine being a general who's showing up for, meetings. We're going to discuss an invasion, of another country or whatever.
And it's a land war and they can't tell you how many tanks and people they have. Oh, no, we don't know. We've, they're over there somewhere. What about this platoon? I'm not really sure where those guys are. Yeah. What about these guys? I wouldn't know. They're still part of the army anymore. Yeah. Yeah. It would be, Impossible, it wouldn't even come up as an idea.
Of course, where all your inventory is and where all your weapons are and where all the things you have to defense are, where all your forward base operating bases are and all these things are, and I'm with you, I, when I got in the private sector, similar experience on the Intel side, when I realized.
How much wasn't known, at least on Intel's, they would say Intel's just moving into the private sector. Makes sense. But when I started learning and for me, it was CMDB right away. It was the first thing I was getting into as an Intel guy. I was like, all right, we're going to know what to defend.
I got to know what we have, et [00:16:00] cetera. And when I realized I was working with, and for people who didn't know, and it wasn't a panic, it wasn't like, this is the top of our list of things to fix. That just was like, no, we don't really, we don't really know. We've got this database, but it's all out of date.
And then they just accepted it and move on to the next thing. I was like how's that? Okay. I don't understand it. I still don't. And it seems to be a bit of the norm. As you said, I find very few organizations that feel confident that they have their inventory sorted, and they just go about their day.
And I just think your house is on fire. But as you said, moving into the private sector, you realize this was like the norm and as opposed to just this outlier, the edge cases. So it brings me to the next question we want to talk about today, which is now that we've talked about what a tax service management is, despite the fact it's not really management.
Why was ASM created independent of the other programs like CTI, vulnerability management, red team? It sounds to me like it should be part of red team, right? It's understanding what the adversary sees of us. So it's emulating what their vision is. And then you'd go from there. But why is ASM independent of all these things?
Jeff Foley: Yeah, it's a good question. And I imagine there's [00:17:00] some people that would say ASM could live within a red team function because the people. That are performing red team exercises are definitely familiar with the process of collecting that kind of information about a target. The thing is, I would argue they're not usually intelligence people, right?
There's a
Little bit of a gap there, so they're good at collecting it and then using it to do additional security assessment. They're. Used to that. And if they're given ample time, most red teamers are even very good at using OSINT, open source intelligence to, try to paint a more complete picture as complete a picture as they can about their target.
So these are not foreign, concepts to them, but they're not used to collecting all of this and making it very consumable by other security functions. So if you do put it in a red team [00:18:00] function, I think what tends to happen is. The data tends to stay there, right? And you could probably fix that or adjust that if you were to prioritize it, but I think you're taking a chance that.
If you try to bring it to life within the red team function, it may end up staying there. Also, security assessors are often used to keeping the information they collect about security, private, right? Or they're pretty good at keeping it to themselves. ASM is information that needs to be shared with the rest of a security program, similar to threat intelligence.
AJ Nash: Huh. Huh.
Jeff Foley: And again, therefore the almost like the culture doesn't quite match, the function
is
AJ Nash: that's exactly what I was thinking. The word culture came to mind, that it sounds like it's more of a culture that doesn't fit Red Team. Red Team sounds like they should be one of the primary customers of ASM. Feed into them to say, hey, this is, we did a scan. Here, you can have this.
It'll save you the trouble of having to do your own [00:19:00] recon. We've already done the recon part for you. And then from there, they can move on to the next things because they have a recon, result. They have a report that already looks like what the adversary is seeing. And then they can get into how are we going to attack these.
End points and these assets, as opposed to having to go find them first, but I'm with, yeah it seems to make sense culturally, an organization does more of the reporting out in the sharing. That's not really a red team. They do their reports after they finish their operations, but that's about it.
Sounds like it fits more within that Intel piece, which is what we already talked about, which is why I think it shouldn't be called the tech service management, should be tech service intelligence, because it's another form of Intel. It's Intel on ourselves. From the adversaries point of view, and then, we can layer the other Intel pieces on it.
I think so. It sounds like it makes sense. Like you're saying it's a cultural difference, but what about like phone management or, any of the other organizations that it could have been tied to? Why is it pretty much, why is it different from all management? I guess it's a good question to ask in here.
Jeff Foley: Yeah. And a lot of companies have tried to stand up an ASM function within a vulnerability management
Jeff Foley: Sometimes with success, but I guess it also depends on how you're measuring success of [00:20:00] your ASM function. So if it's only two. Expose the unknown unknowns, which we talked about that, right?
These, this percentage of assets that the organization's not aware is out there. Then ASM could do quite well, finding those and feeding that to vulnerability management. So then, VM can put eyes on those assets, but there's a lot more you can use. Asm or as I for then just, making sure that your vulnerability management capabilities or vendors or what have you are looking at all the exposed assets.
So I think, again, the problem is if you put it there, and it needs to get used or consumed by someone else, vulnerability management will probably have little motive to support that, right? They're just going to be looking at our job is to monitor these assets and make sure that they're. They don't need to be patched or, the correct security controls are in place. And as long as that's happening, then we're checking the boxes [00:21:00] or meeting our, the expectations on us. But what about all these other potential consumers of the data? They often now don't get, access to the data or the whole picture. Because again, this is an intelligence sharing capability.
That's what this needs to be at the end of the day, not bring the data in and now make sure we're not missing anything and then call it a day. It's bring the data in and make sure all the right people are getting it the way they need it to take the appropriate action.
AJ Nash: Got Okay. That makes sense then, right? So vulns has their job to do. And like I said, their job is to find the vulns, monitor the vulns, not necessarily share information around. Red team, their job is to understand the environment, from the adversaries perspective and then try to take action to, uncover
problems. But again, they're only reporting really is after action reports for the most part. So I, then they get the Intel space, right? And so on the Intel side, and you and I both mentioned, our belief, this really falls in Intel. Hell you even just said ASI, which is a tax service intelligence.
I'm guessing is where you were [00:22:00] going with that. But here's a piece here. Cause I have my own bone to pick on the Intel side. Most people who know me, no, I don't. I rarely if ever use the term cyber threat intelligence, or even threat intelligence for that matter. I normally just call it intelligence.
And the reasons for that are threat is a subset, people call it all they want. They're probably not gonna get me to buy into it. Threat is a subset of Intel. It's not its own thing. And I think it's Intel. Then you have physical and you have cyber and threats are just all part of that, right?
And that gets into risk is your, your threats, in your bones, right? That means that ASM or ASI, as we're starting to call it here in this conversation, that won't fit under a CTI program. Then it's not a threat Intel program because threat Intel tends to be about threat actors.
Tactics, techniques and procedures, things like that. But if we talked about the larger intelligence program, which I admit is pretty Me getting on a soapbox. I've talked about for years how this should be elevated under chief intelligence officer, et cetera. But if we do that now, it sounds like it unifies.
AJ Nash: You've got your threat Intel component. You've also got your, your strategic Intel is out there. You've also got your [00:23:00] attack surface Intel could be there. You've got all these other different forms of intelligence that could then be unified fusion intelligence center at that point. Would that make sense to you?
If it ended up moving in that direction, then would it be something that would fit under an umbrella of intelligence? It's not under threat intel, because I think that's just, monitoring TTPs and maybe actors in and of themselves. But in the greater scheme of intel, would it fit better as attack service intel within a larger intel umbrella?
Jeff Foley: Yeah. I'm really glad you brought that up because. Cause
AJ Nash: ha,
Jeff Foley: I've seen people try to put an ASM program under a, CTI program
And it worked, in that people understood that culture was there right to bring the intelligence in and disseminate it to the right people in the organization. Great, but the priority was on the threat intelligence.
Like you said, that subset, right? So the ASM kind of took the back seat or the back burner and. It still made it hard to get it to the right [00:24:00] consumers, within the organization. So I would still say, be careful with that. I don't know if I would advocate that people put their ASM or ASI program under CTI, but like you're saying when it's a larger program, where this is about, the fusion, bringing it all together for the more strategic vision or, visibility. Now, I think we're talking, cause I've seen that done as well. Unfortunately, only in a few companies where they had say a large enough and mature enough program to, I assume they've been burnt a couple of times trying to get this right. And then they realized, wait, this is the only right way to do this.
And then they finally. Managed to, build that out in what they call the cyber fusion center. But it works, right? Because now it brought all the data together, it identified, the overlapping information or associations, across the different kinds of intelligence, allowing you [00:25:00] to paint the more complete picture.
And it was great. It also made it easier to pull the, what I'm going to keep calling ASI in for business intelligence or business decision making, not necessarily just. InfoSec, right? Because it's great that you now have, I'll say visibility on the battlefield or for the assets they're exposed on the internet, but there's different ways you could use that, right?
There, there's a lot of ways you could, pull that information into your decision making processes and enhance your situational awareness for different, I'll call it challenges or problems that your company could be facing.
AJ Nash: Yeah, I think, that's nice to know we're on the same page on this one, that if this is elevated up there's more opportunities there. And you point out, from a business standpoint which is the goal of intelligence is to Improved decision making.
And ultimately the goal of almost everything we're doing is from business standpoints, you want to lower risk. You want [00:26:00] to, increase profitability, which comes from lowering risk and lowering dangers, as part of that concept. And also Intel, and we talked about the culture component, the part of the culture for intelligence is understanding your stakeholders, understanding their requirements and then delivering.
Against those requirements. And this is another aspect of that where, you know, as you said, you've seen some success if they do it as a fusion center, right? If you have ASI, attack surface intelligence tied into their fusion center, along with your threat intel and your strategic and all that, I suspect those organizations are pretty mature, which means they, they would have
and understanding of who their stakeholders are, who their customers are and what their requirements are. And then you can distribute to the right people. So our attack surface intelligence, our scan okay that's going to go to the red team. So they know how to emulate the adversaries. This is what the adversary sees.
It's also going to go to our bones team, to say, this is what we found that you might not know have existed. It could very well go to the CISO as well, to talk about the full risk ratings or whoever's handling risk for that organization. Maybe the policy. Okay. Or, organization is going to see that say, Hey, your [00:27:00] policies aren't being enforced properly.
Or do you have policies? People are spinning up all sorts of things. Do you have a written policy that says they can't? And if so, has it been distributed and if so, how are you enforcing it? All of these things become normal, normalized for intelligence folks, because that's our gig, right?
We understand we, the stakeholders, the requirements, we deliver against those requirements. We monitor that, we measure that for effectiveness. And you can see impact and results. Whereas a lot of these other organizations aren't. Designed or built that way. So I'm gonna keep banging the drum on that.
Obviously, that we should, look at this greater picture of intelligence because you're also getting all that context gets tied together. Then to the bones team will get the Intel to not just know. Hey, do you have a vulnerability? But what's the likelihood it's going to be compromised? What adversaries out there are capable of doing so and have the motivation to do so and have that motivation against Your specific company, or at least, your industry, your geography.
Otherwise I'm not sure how they're deciding how to prioritize things other than just this looks scary, so we should make it number one versus number three versus number 212. That's never done. And I've seen a lot of that. Like we said, same thing, [00:28:00] fragmentation where the Intel team knows a lot of stuff and the volunteer team worries about a lot of stuff and they don't talk nearly enough and you get the
civilian equivalent of a 911 eventually, not nearly as devastating, of course, but in terms of when somebody looks in reviews, they go geez, we had all the information. Yeah, but the right people couldn't talk to right people because nobody knew what they knew and or what I knew.
And everybody lived in their own little silo and we've seen that in cyber. I don't know if you have. You've been out there a bunch. I'm guessing you've seen some of the same things where bad things happen. You realize it was preventable if all the right people knew. Connections had been made,
but they weren't
Jeff Foley: it's just something you said earlier, the attackers don't have this problem.
AJ Nash: They don't get together and have meetings on calendars and have to schedule things out and take two hours to decide the next policy decision. They don't do all that kind of stuff.
Jeff Foley: They're going to look at the whole company, right? All the different kinds of intelligence that you could collect in order to have, As complete a picture as possible. And we've all seen the claims, right? Where they say attackers spend 90 percent on the [00:29:00] recon, 10 percent on pulling a trigger for the attack, right? It's true, right? And they spend a lot of time understanding the targets so that when they finally move forward. It's going to work
right. And to your point, they want the most complete picture possible, right? To understand what exactly is that asset? Is it important? Is it going to get me where I'm trying to go?
Are they likely to be watching it? Is it part of the crown jewels? All these kinds of questions, which require big picture visibility of the organization. Like not just information security or it, but. What is this company doing with these assets? What does it mean to the organization?
Things like that. We need to make sure that these internal programs are collecting the data or the intelligence in the same way. So we're getting that more complete picture when people ask questions, for intelligence X that it's actually enhancing our [00:30:00] Say the completeness of our view for the other types of intelligence, right? They're complimenting each other, but that's oftentimes not happening, right? Like you said, this is being done in silos. Everyone's keeping, their information to themselves or close, close chest and it's not helping anybody or
AJ Nash: We talked at the beginning of the show, right about you and I both come out of the government space. And there are people that have all sorts of biases against government sometimes and aversions to talk about it. And, some are well founded and some aren't and that's all fine.
But this is a perfect example where I just chuckle sadly to myself and say, geez, I feel like I've heard all this before. I have, and we all have, it's, this is, this was the pre 9 11 world of intelligence, right? Where that's what the 9 11 committee came back and said was. Failures in the community, which listen, you make a lot of arguments about that, and I don't know anybody who failed personally, but the system was set up to fail as it turned out because everybody had their bits, right?
And there was some sharing going on and some fusion and some [00:31:00] relationships, but a lot of it wasn't. A lot of it was I've got mine. You've got yours. I've got things to get done. I don't have time to worry about what you have to get done. We all have our own missions. And of course, then you throw in some politics.
Budget, same things are happening now. We see it in cyber, right? Organizations, I'm going to focus on my responsibilities. I've got my KPIs and my OKRs and all this, and on my budget which I have to defend against losing cause budgets get cut. And geez, if we unified, if we did a fusion system, who's going to be in charge then?
I run my own org now. And so do these other three peers of mine. If we fused it, I'm going to work for somebody else. I'm gonna lose my job. I'm gonna lose my budget. There's a lot of that. I think that's happening. Not everywhere. Some of it's just people haven't thought this way, but I suspect there's some of that going on.
And let's face it. If you've got three, I don't know, directors, senior directors, whatever it might be that are parallel. They're not gonna run to the CSO and say, I really think you should unify this and fire two of us. They're not gonna do that, right? And if the CSO hasn't given it much thought because they're buried in a thousand other things, they're probably not gonna think to do it either.
And I'm not saying, by the way, that you have to unify and fire people. That's not really my point. But there's a lot of [00:32:00] reason for folks not to elevate this up as an idea. People don't like losing status. They don't like losing title. They don't like losing their jobs. Obviously, they don't like losing income.
And if they've got their own little lane and they continue to build the walls around it, that silo gets stronger and stronger. And they deliver results because the OKRs and the KPIs all say they are delivering what they were supposed to deliver. They're not going anyplace. But the organization as a whole still has these giant blind spots and still has these inefficiencies.
They may be overspending. How many times have you gone to an org and found that, They had two or three different licenses for the same company, the same tooling. That they didn't realize and they're double and triple paying. They don't have an enterprise license, would have saved
Jeff Foley: that offer the same very similar, vendor that has similar offerings. Yeah, all the time. Actually, and they don't even realize it, right? They don't because they just don't talk to each other. But to what you said earlier, I think I'm pretty sure I heard you say chief intelligence officer or something like that.
AJ Nash: Yep. Yep,
Jeff Foley: If that were to become the norm, the directors could stay right where they are. They just, they'd be reporting to the right [00:33:00] person is what I would call that. And the specializations could stay in place, but. We now have the right officer to make sure that all that's being brought together to that more unified view for the org and disseminated, disseminating it to all the right people.
I think that's part of the problem is this is so important, but yet it doesn't reach CRO and that's why it's dysfunctional in a lot of ways for a lot of corporations
AJ Nash: agree. That's, I wrote that paper a couple of years ago. Now the rise of the CIO, the CINO, the chief intelligence officer. And that was exactly the thinking. It wasn't to replace anything. The truth of the matter is I wrote it in the paper at the time and I say it repeatedly, It's not even the most novel idea other than it doesn't exist in the private sector.
It's what happened after 9 11. It's I'm not gonna lie about it. It's the office of the director of national intelligence. This is where same concept. You need somebody who's a unifier. And what I had said is the sea level should be set that way. And the chief intelligence officer should be the consul Gary to the CEO.[00:34:00]
Basically, along with the chief legal officer. And then the other side, you got all your business folks, and that's where you get your Intel requirements. You get them from the C level and all the subordinates. There's all your Intel requirements. So you got somebody in charge of all that. And then everybody else is a customer.
They don't work for the CINO. Nobody's losing their jobs. Nobody's losing the authority. Nobody's losing credibility or title or money or any of that. They're all doing what they're doing. It's just all aligned to enterprise wide intelligence requirements now. And they are driven by the C level, which means they also will include the business intelligence, right?
The long term strategic goals, not just from a security standpoint, but business. It'll include when you get into acquisitions, right? Mergers and acquisitions. There's not enough Intel tied to that. And ASM would have a role to play in that too. Hey, let's run an ASM scan on this company and see what their footprint really looks like.
It would work on third party risk. If you run, a tax service management scans for third party risk and have the same results. So if you're going to acquire a company or if you're going to merge with a company or partner with a company or hire a vendor, these are all things that could be tied together.
None of that's happening. Now, to my knowledge, I don't know anybody who [00:35:00] runs an attack service management scan on a vendor before they do business with them. I, if you know of one, know. Maybe I'm missing it. Is it starting to change? Am I just
Jeff Foley: Yeah. Supply chain security is getting a lot more focus, thank goodness now. And it does, it is including if we can't trust them to tell us what they're doing, we can at least look right. Similar to the MNA where there's only so much you can ask them prior to the, the closure, closing the deal, but there's nothing stopping you from looking
right.
AJ Nash: That's an Intel function right there. You're doing research recon on an acquisition target or on a partnership or on a vendor, that's all what Intel does. So yeah, I'm obviously I keep banging this drum. Eventually we're going to get there. We're having some discussions. I've talked to some larger organizations about doing this Intel component.
This, thing, it's hard to get there, right? There's politics, organizations don't want to have a C level. When I first, floated this idea and wrote this paper, I have no doubt that people thought it was self serving. How convenient you're putting yourself in a position where you could be a C level now.[00:36:00]
AJ Nash: Doesn't have to be me. Look at it. I wrote the thing two, three years ago now. Maybe four. I don't remember now. I'm still not a C-level, by the way. And in fact, I know a couple people who now have the title of Chief Intelligence Officer. I'm still not one of them. If it's been self serving, I'm really damn bad at it.
But I still believe in it. I think it's gonna be the solution. I think eventually we're gonna see larger organizations. Somebody's gonna take a swing. And it's going to be it's going to work and we're going to see these improvements. Maybe it's gonna take something more catastrophic. I don't know.
Again, the U S government didn't get there until something terrible happened. And then everything changed. I think we'll see it here too. Now I want to jump to the third question we had prepped for today. And admittedly, we've already started going there. So I, we're repeating some of it, but I'm curious to get more, thoughts.
We talked about tax service management or tax service intelligence. I'm just gonna start calling it that. I'm hopefully. People won't get mad at me for it, especially at our own company. But how do you see the relationships between attack service intelligence and the rest of the enterprise? And again, we already started talking on this path because it's a natural discussion, but how are those relationships, CTI, we've already said, okay, they're not in CTI.
Vulnerability management, we've already said they're not in vulnerability management. But [00:37:00] what about, digital risk protection? What about HR, insider threat? The business Intel component, how are all these relationships? Is this going to just go back to the CNO discussion, which would thrill me, of course, but how are they today and working together with one another?
Jeff Foley: If we're strictly talking about, how do all those functions, worked with an ASI function, right? What's that relationship look like? I would say similar to how CTI probably has to handle this. From my experiences, you're collecting all this, but your consumers perhaps need the information or intelligence in different.
I'll call it formats, right? Or delivered differently because it means different things to different. Parts of the organization, right? So there's an, the part that no one likes about ASI is that it's not as simple as monitor the assets, put it, stored in a database somewhere and call it a day.
That's just the beginning. That's like the, the technical side of the work,
But a lot of what really makes it [00:38:00] successful is it's all the relationship building, right? It's all the understanding who the consumers are, understanding what this means to them, making sure they're able to get it in that format they need it in and timely when they need it. So that now it has that positive impact on their function and you become a supporter of what they're doing, right? That takes care and management, right? To really make sure that all those relationships are in a healthy state, that they're getting what they need and they could change what they think they need, right?
Or that you could expose them to more of this and they could realize that this could help them even more than they understood previously. So that's what I would say. This feels or looks like when you're really executing this correctly. Which is why I also think it does make more sense to have it up a little higher, so to speak, like you're saying where. It's not over in the corner or [00:39:00] like this, Oh, this neat thing that maybe they could take advantage of.
It's more like something that a lot of the company is taking advantage of. And if they don't, it will seem silly, right? Just like any other major type of intelligence that's driving business decisions. It also needs to be available to everyone, right? So it could, that could mean. Your vulnerability management program or your red team.
It could also mean the CISO. A lot of people at that level just want to be able to ask the question. What does this actually look like out there? So when I'm talking to a director and I say, what's going on, that what they're telling me lines up or matches with what I'm seeing, like almost a way for them to have their own little set of binoculars to say.
I'm going to, I'm going to be watching. So you better tell me what's really going on out there. It could be consumed that way. And as you've already pointed out by completely different parts of the company that are focused on building partnerships, taking risks [00:40:00] on new dependencies, from, B2B, these are big decisions that.
Need to be fueled by as much data as they can get their hands on to, to make strong, smart decisions here. So it can't be something off in the corner of a InfoSec program where it feels unreachable to the people that are in those very different roles. Again, to what, to your point, I think that's why we need.
A chief intelligence officer or someone who could say it's not a problem. It's part of my program. We'll make sure you get it and we'll get you that complete picture. You need to make those important decisions where if it's part of InfoSec, strictly InfoSec, it can make it feel out of reach,
AJ Nash: Sure. That makes sense.
Jeff Foley: I don't know if that answers your question, but the two pieces to this, or what I tell people, they have to at least be ready to take on is
be ready to monitor all this. It's a lot of, it's a lot of work to watch all of this exposure and make sure you're not missing anything. And there's a lot of elements [00:41:00] to how do you do that successfully? So you're getting, you're not, you're still not missing anything. And then how do you get that to all the right people or consumers within the organization?
So that there's no point in collecting all this and having this excellent picture of what's going on out there. If no one's making use of it, right? You need to be working that other side, which is disseminating the intelligence effectively throughout the organization.
AJ Nash: Yeah. No, I think you made some good points in there. This is different for different organizations, right? And that ability to process needs to determine based on those needs, what we should go get and how to report it back and what format is really important. And there's a lot of organizations that probably are left out right now, because, as you said, this ends up in a corner someplace.
Maybe they're doing the A. S. M. scans, the tax service scans and they're saying, okay we know vulnerabilities needs to see this. And maybe they're going to policy to say, we have a lot of, Architecture out there. It shouldn't exist. What are, what's going on with their policy or the enforcement of those policies?
But are they having a discussion with insider [00:42:00] threat for instance, to find out, are these being spun up maliciously, are they having a discussion with marketing to say, Hey, you've got a whole lot of websites out there that shouldn't be there or a whole lot of things that don't exist.
Are they having a discussion with business Intel? Probably not if I had to guess. Is this getting used in, M&A, you're saying it's starting to improve there, which is good. But it's certainly not widespread. I would say. So yeah, the ability to elevate that up, Intel was an.
It's not a product. Intel is a service. It's okay. All time products are the output, but Intel is a service. You have to understand people's needs and you have to meet those needs to improve decision making to improve business impact. That's about all the things you're mentioning. That's that big dissemination piece.
You have to know what people need and give it back to them. And it's across the entire enterprise. Yeah, I'm I think we're on the same page elevating this. And being in a position where this can be across everyone because that accessibility matters. You mentioned, not getting things reported.
We talk about all the time in the Intel space. Intel is not valuable if nobody ever reads it. If it's so highly classified, nobody can see it. Then it's, it doesn't matter what it is. If I had the cure for cancer, but I wouldn't share it with anybody, I haven't actually cured [00:43:00] cancer.
Just so anybody wonders nothing's changed. If I keep it to myself and then I die, I guess cancer still hasn't been cured. With Intel, if you know the thing and you don't tell anybody the thing you haven't done anything, it hasn't changed, later on, you will say, Oh, I knew that.
And nobody's gonna believe you anyway. Dissemination is a key component to all of this. I talk about in the Intel cycle a lot, all the greatest Intel, you gotta get it to people. And that's hard to do with programs that get buried in basements. Whether it's a tax service intelligence or threat intelligence or strategic intelligence, whatever it is, if it's buried in the wrong organization, under somebody, a leader who doesn't see their role as a service role beyond.
Where they are beyond what their OKRs are in their seat and their, their KPIs are, et cetera, then they're not going to go further than that, they're just not, that's, people work to meet the metrics they've been given, which is nothing wrong with that, by the way, it's a great way to build your career and it's smart, the metrics just need to change and this thing has to be elevated up.
So the metrics are different. So somebody is meeting a different set across a wider Audience within an enterprise. And you'll get more [00:44:00] efficient results as a result. You get better Intel, more actionable opportunities, probably save some money on some of these enterprise licenses, or as you said, multiple vendors that do the same thing that you could knock out if you just got together and had somebody high enough to go, why do we have three vendors doing the exact same thing for three different orgs at triple the price?
Oh, we just had one vendor that did it all. And of course, yeah, listen, I work for vendors. So do you, we work for the same vendor in this case. People are gonna argue that self serving that's fine. I can live with it. It's a business world. Yes. We have a platform that does all this. Yes. I believe it's a good thing.
And yes, I believe somebody should look at it. That's it. That's the end of our sales pitch here. We're not in sales. I've been on the other side though. I've been in a customer. The fact of the matter is people are spending a lot of money on a lot of things, probably the wrong way, because it's all fractured and it's buried in corners.
So
Jeff Foley: And one
AJ Nash: Yeah, man, go.
Jeff Foley: Oh, you said like, how does this fit with a DRP?
AJ Nash: Oh yeah.
Jeff Foley: So I actually had this discussion at, DEF CON couple of years ago where the question was should ASM remain internet infrastructure. Again, what vulnerability [00:45:00] management tends to focus on or just keeping it within the say, strictly infosec world.
AJ Nash: God. I hope you said no.
Jeff Foley: I did,
AJ Nash: out here advocating for something totally different.
Jeff Foley: but it was met with a pushback. Like initially, the feeling was let's not make this more complicated than, It already is. And then cause it, people to stop thinking about it. But I said, I don't think we want to set this on the wrong path. ASM should be anything that's exposed on the internet.
That is, could have a impact on your security posture, period. I don't care what it is, even if that's individuals, right? Any,
anything.
AJ Nash: Social media accounts. We've talked about some of that stuff.
Jeff Foley: Yeah. All of it, accounts, credentials, anything out there that it could come Impact your security posture or program. Then it needs to be considered as part of the intelligence collection that we're talking about. And when you combine that [00:46:00] with what we're already learning from CTI, where now it's like you can create customized prioritization, right?
Where we know what's out there. That's relevant to our organization. We know what people are doing that would align or. Their attack preferences, like TTPs, would now line up with the attack opportunities or vectors that we know. Exist within our environment or exposed environment. Now you have very prioritized to-do list. .
People tell me all the time we've had a successful vulnerability management program, but now we have a pile of data that we could. We're never going to catch up with, and we don't know how to prioritize it to answer the question of what should we be doing on Monday?
That's the big question. That's what everyone is irritated about is we have tons of data more than we know what to do with. If you start bringing this intelligence together, I would argue. It gives you a [00:47:00] very good idea of what you should be doing on Monday. Because now you're addressing the things that are truly. Like high probability that these are going to actually happen, right? Again, looking at it, because you're looking at it from the attacker's perspective you're answering the question of if someone actually tried to do this, what would they probably do?
AJ Nash: Yeah. And you get those nine boxes, right? The, from the most likely, most dangerous to the least likely, least dangerous, and then everything in between you get those nine boxes to say, what's going to be the outcome here and that gets you your prioritization, which I listen, anybody listening to this, who does a risk probably already knows this, obviously, but that's how you get that prioritization.
But as you said, it's Intel driven, then it's your assessment of which box this fits into gets better. If you're able to say, not just, what we have for a vulnerability, but also Yeah. What we have is a likelihood that an adversary is going after it. We have adversaries who've done it before.
We have evidence of that, that they're capable of doing it, that they're motivated to do it against us would raise the probability even further that they've been successful. And then where is that bone? Is it tied to our [00:48:00] crown jewels? Because you have to have a crown jewel assessment cause you have to have a proper CMDB cause you have done all this work that we just talked about.
It's a big difference between saying, Hey, there's a bad guy out there. We're saying, Hey, there's a volume out there and be able to pull those together and say, Hey, there's a volume that's currently exposed. There's a bad guy out there who's capable of attacking it. They have attacked companies like us in the past in our geography before they've been successful.
Oh, by the way, they've said on the dark web, they're planning on doing this. That's nine on the nine box. That's the top. That's most likely most. Oh, no, I forgot. There's a piece that makes it the nine. By the way, if they attack that thing, it's directly tied to our crown jewels. They will steal the Coca Cola formula.
Now it's a nine, right? Now it's everything, right? We've put all this together and said, this is the right bad guy, the right time, the right place, the right capability, the right motivation, and the right content they're going to steal. That's the top. I don't know many organizations, I don't know many organizations that pull all of those things together.
Jeff Foley: No, they don't. Because so many of them, if you look at how they're spending, so that's another thing that I did when I came out of the government [00:49:00] world and I started helping commercial companies is helping them do the gap analysis on their security programs in a plot. But so many of them are focused on building the bigger walls. Not what you just said, which is I'll call it understanding the battle space so that you could just make more intelligent decisions about, is this what we should be focused on or not? Another thing too, that they did a lot of these companies didn't realize is once you're looking through the attacker's lens, you can start answering questions that you just couldn't before, like how expensive will it be for them to discover these things?
AJ Nash: Yeah. Is it worth the adversary's effort?
Jeff Foley: Or you could say. For the flybys, is this something they're just going to see, as they take a look, or do they really have to have us marked as we want to go after this organization before they're going to be able to find these things.
But that could still help you [00:50:00] understand, what are we going to clean up first?
Or what are we more concerned about here?
AJ Nash: Sure. Yeah, as soon as you target of opportunity and somebody who's directly going after you, if you're the defense sector and you have the next great stealth technology, and you know that there's a nation state that wants you, they're going to put a lot of time and effort and money into it.
And you know that whereas if it's just the local retail shop and script kiddies are going to come by and find some open port someplace. It's totally different. Yeah, your target of opportunity versus a directed target, can affect, as you said, like how you're going to prioritize these things.
Jeff Foley: Yeah, but how would you know which assets of yours fit into which, say, category or bucket? If you haven't looked at it yourself this way. To say how hard was it to find these things? All
AJ Nash: it's frustrating that we're not seeing more of that. We're seeing some, you said at least, it's encouraging to hear that people are using some of this stuff for, third party risk and some of it for M&A it's nice to see that there's some improvements there.
It's just slow man and frustrating after a while. And, I feel bad that I say the same, some of the same [00:51:00] things. Over and over again about this, greater intelligence picture, et cetera. But things aren't changing fast enough. I'm impatient, things have gotten a lot better in the eight years I've been in the private sector, but I don't have 80 more of them.
So I'd like to see some things move faster. And I think this is, one of the big ones and this attack service intelligence concept and all the things that could be doing, is a big component to this. So listen, we got to wrap up. We're running out of time. So we got to get to the closer.
And as the name of the show is Unspoken Security. With that in mind. I ask every guest the same question. You don't get a pass just because we work together. You need to tell me something that is unspoken so far, that you haven't told other people to this point. This is something for you.
That's been unspoken.
To a murder. We are recording.
Jeff Foley: I'll keep it light.
AJ Nash: yeah,
Jeff Foley: I feel like in the information security community, I hear a lot of people throwing the claim out that if you're going to be in cybersecurity, you don't have to know how to code. Maybe. But the secret or unspoken truth would [00:52:00] be I don't quite agree with that.
AJ Nash: now we're going to cut this out. We're going to have to edit this shit out, Jeff, I absolutely, we're going to, this is the part we get to argue is right here at the end. Apparently now go ahead and finish your story before I tell you how wrong you are. No, go ahead.
Jeff Foley: So much of it probably is just cause I'm biased because my history with all this was I didn't go to school, when I was, going to college to become an InfoSec expert or, enter the world of information security. I just wanted to be able to, Write code for the internet, right?
That was the way I looked at it. It was so I pursued network programming, distributed systems, telecommunications and computer science. But the point or the real interesting thing is every major success I've had in my own career tied automation into it, right? Every single thing we did that became important was codified, right?
So we figured out something important and then it was codified to. Make it. So it could be automated or become part of a system to provide automated response and things like [00:53:00] that, or to do things that for instance, like sub second frequency that, humans just never would have been able to keep up with.
AJ Nash: Sure. Sure.
Jeff Foley: so looking at it through my perspective, I would say there's so much opportunity though, if you're in security. And you know how to, write the code to, automate, the techniques I'll call it. There's so much opportunity there. I don't know why anyone would want to give that up, especially since this is the part I always try to encourage people to consider is it's probably not as hard as people think it is. I think they should give themselves more credit and, assume they can handle it. Cause it's not that big a deal.
AJ Nash: Okay. So I rarely challenge people's unspoken security, unspoken part, right? You're going to actually, I think you might be the first. I hear what you're saying and I think there's incredible value in being able to code, right? I don't think it means you have to build a code to be in security though.
And that's what a lot of people talk about is you don't have to build a code [00:54:00] to be in security. You don't listen. I don't code. I think it's safe to say I'm somewhere in the security community at this point. I don't code things. If I did, I'd probably be better. I'm not gonna lie. Yeah.
It'd be a great skill set to pick up. I'd also be better if I knew how to build furniture. Or if I could, be a lot of things around the house. So I don't have people working in my house all day. Cause I have to pay them to do things I can't do well. It doesn't mean I'm not a homeowner though.
I think your point is really valid and powerful in that there are a lot of amazing things you can do when you encode and automation is a perfect example of that. And you're probably right that a lot of people think it's scarier and that they talk themselves out of doing some of these things, myself included, frankly.
But also keep in mind, you've been very successful doing this. You may underestimate how hard it is because for you it wasn't as. You're very good. And I think some of us make a mistake sometimes of thinking if something isn't hard for us, it means it's not hard. I've had to learn that over the years.
I, I've had to find different ways to tell people how to do or offer people advice on how to do like public speaking, for instance, because my advice doesn't work for some people, it turns out. Things like, ah, don't overprepare, just show up and [00:55:00] wing it. Not great advice for a lot of people.
People, some people are very afraid of public speaking and just like some people are afraid of coding. So I think. I think you're right in that it's a powerful thing, like people who are capable of coding, who really understand networking, networking well, and the technical details, they're definitely going to be better in certain areas and smarter in a lot of areas.
But there are, I think there is a lot of space in this community for folks who don't code, just team up with those people like I do, like I team up with guys like you and say, Hey man, I need to get this thing sorted and I don't know how to do it. And the time it would take me to learn. The coding necessary to be successful and do great automation at this point in my life as an old dog, I'm just going to find somebody who's smarter already does it.
Cause that's just more efficient. I'm just gonna make good friends and trade beers, or, whatever things I'm good at with them in exchange for, and I'll barter through. So I don't want to scare people away from the industry, but I do agree with you that if you're capable of coding and you're good at it, the power is remarkable.
It's a superpower in my opinion. But, But it's interesting to get your perspective. I'm careful. I'd rarely push back on these. But, yeah, it's an interesting point. I think [00:56:00] there's room in the community for everybody, but certainly if you can code and code well, yeah, you got a leg up on people like me.
Maybe there won't be room for people like me in the future. Maybe we'll all be thrown out eventually.
Jeff Foley: I don't know. I think. You're saying it right. I, the right way to, share this with people probably is not that I'm trying to say you can't be in this, occupation without those skills, more that you hear people all the time saying how do I get an advantage? Or how do I. Ensure that I'll be able to get a job or get a more interesting position somewhere.
I would say, consider expanding your skillset, make it. So you're not just an an analyst or someone that can work with certain, vendor products or solutions, but now you could potentially build your own solution if that made sense
or a customized solution for your employer. And this will just make you that much more valuable.
In what you do, and it could open up opportunities as well when problems are, the organization is facing problems [00:57:00] and you could raise your hand and say I'm pretty sure I could help with that. You're just going to be that much more valuable. Yeah, to, to what you're saying, not to steer people away that, find this intimidating, but maybe something to consider tackling if you want to expand your value to whoever you're working with.
AJ Nash: That's a great point, especially in a competitive marketplace, we are seeing people who are saying, how do I get into the industry? How do I separate myself from other candidates? How do I ensure my career? I think you hit it on the head with that. Yeah. Add that skill set, to put it in other terms, if I worked let me use my house as an example.
If I needed a kitchen table, I can buy one currently. Okay. And that's fine. I'll solve the problem with that. But boy, if I could build one, then I can solve the problem. Even if all the stores were closed, you're talking about, people who, instead of being able to find a solution, to buy a solution, to work with somebody else's paid solution could build a solution.
Yeah. That's a whole separate set of powers. A lot of orgs are in the build and buy, pendulum. They go back and forth when they're in the build phase. You can still work with the tool they [00:58:00] want if they can't afford that. And they want to go, or in the buy phase, I should say.
And if they can't afford that, or they want to go into the build phase, cause they decide that. You're not out of a job. In my case, frankly, if our company went to all build and versus buy, I'd probably find myself in a lot of trouble because I don't build shit. I buy shit. And I, and I work with people and I manage things and I lead things, but if they said, no, you're going to build it from scratch by hand, I guess I'd be looking for something else to do with my time.
So I think that's a really powerful point. If you want to. Get into the industry. If you want to separate yourself, if you want to secure your future, more skill sets, more ability to build from scratch, which is all code in our industry. Really? Yeah, it's people who are great at coding. Pick a language, python is a big one, right?
But pick, you can pick several languages. It goes over time or people were great at reverse engineering, which is the next step. A lot of times. Yeah, those people don't have hard time finding jobs. They're not sitting unemployed for very long. Usually, , they don't worry about the economy shuffling like a lot of us do.
So I think that's a really powerful message to it's definitely. puts you in a better spot and you can follow Jeff Foley, you can be like him. Jeff's never out of a job. Look at his [00:59:00] resume. The guy's always working. All right, man. Listen, we got to wrap this one up. I appreciate that. I appreciate you taking the time, to be here with me today and to talk through this stuff and talk a little bit.
As it turns out, we got to battle a little bit on the last piece, which rarely happens. So it was fun though. I think we got the same place. Yeah. I don't know if there's any thoughts you want to add to wrap this one up. Is there anything we left out you want to close out with? If we covered everything, that's good.
But I was like, the guest one last shot, to
Jeff Foley: mean, maybe just a quick plug. If it's not a
AJ Nash: Sure. Plug it, man. Plug it.
Jeff Foley: We had a great talk here about, tax surface management slash intelligence or hopefully intelligence in the futUre. and if whoever's listening finds this interesting or something, they would like to. I'll say fix in the private, sector or these days, I would say in, in all of the information security community, please don't hesitate to come to OWASP.
OWAS AMASS is the, flagship project that now is focused on this. It's a whole chunk of the portfolio at oas, which is. You have to know it's out there if you're going to do anything about it. Even [01:00:00] OWASP who's been focused over the years on application security quite a bit. Admits there's not a lot of good we can do with application security if we don't know where the applications are sitting.
So if you'd like to help with this, or you'd like to open the world's eyes to the importance or urgency on around this, please, Find our discord, come to our get hub. There's lots of ways you can reach out to us. And we are always welcoming contributors or people that would like to support what we're doing, which does not necessarily mean coding.
There's lots of ways you can support, advocating testing. You could go out and speak about this. So there's all sorts of ways you can, work with us to bring this to more organizations and help them wrap their arms around. understanding their attack surface and making better decisions based on that.
AJ Nash: Oh, that's great, man. I appreciate you mentioning that and I agree, anybody who's interested in getting involved in helping, Jeff always a great guy to work with. It's a great guy to reach out to, check out [01:01:00] OWASP and the AMASS program. If you're going to be in Vegas this summer, I'm sure Jeff's going to be at DEF CON he's there every year, so you can catch up with him in person.
Otherwise just drop him an email and, it's an important project and I'm thankful we had the chance to chat about it today, man. So with that, listen, I, again, I want to thank you one more time. Appreciate you taking all this time to, to get together with us. For those who are listening.
I want to appreciate you listening or watching. Thanks for taking your time to listen to us and to support the program. Please subscribe, download, tell your friends and neighbors how great it is. If you hate it, don't tell anybody at all, go away. Do all the things that help us continue to grow this program.
Also, Provide feedback. If it's positive feedback, I like it a little more negative feedback from be honest, especially publicly, but I'll take all of it, and DM me message me. If you want this program to change, if you've got a better idea on how to do format, if you got guests, you want to bring on whatever it might be, please contribute.
We want to continue to do this. This isn't about me. It's about guests in the community. So again, thanks everybody for your time. Appreciate it. And until next time, that's been it for this episode of Unspoken Security.
Jeff Foley: Thank you, AJ.
AJ Nash: Thank you.