Thycotic PAM, IT and Cyber Security Podcast
401 Access Denied Podcast

Welcome to the 401 Access Denied Podcast, where we dissect what’s really going on in today’s world of cyber security. Topics range from finding a job in cyber security, to dealing with insider threats, to going inside the mind of a hacker, and more.

Bi-weekly, Thycotic’s ethical hacker Joseph Carson and the cyber security training experts from Cybrary will share their insights along with our special guests.

Voted "Best Cybersecurity Podcast" in the 2021 Cybersecurity Excellence Awards

Thycotic produces this podcast in partnership with Cybrary, the cyber security and IT career development platform.

401 Access Denied

Episode 18

Cybersecurity News

EPISODE SUMMARY

How do you stay up-to-date on security news? Joe Carson from Thycotic and Mike Gruen from Cybrary share the blogs, podcasts, and speakers they trust to give credible and direct news and avoid the trolls!

Joseph Carson

  • Chief Security Scientist at ThycoticCentrify
  • Over 25 years' experience in enterprise security
  • Author of "Privileged Account Management for Dummies" and "Cybersecurity for Dummies"
  • Cyber security advisor to several governments, critical infrastructure, financial and transportation industries
  • Host of award-winning podcast, 401 Access Denied
  • Speaker at conferences globally

Mike Gruen

  • Cybrary VP of Engineering / CISO
  • Manages Cybrary’s engineering and data science teams, information technology infrastructure, and overall security posture
  • 20+ years of experience developing and overseeing the implementation of complex, secure, and scalable software solutions and products
  • Previously served as VP of Engineering and VP of Product & Platform at RedOwl
  • B.S. in Computer Science from the University of Maryland at College Park

Joseph Carson:
Hi everyone. My name is Joseph Carson. I am your co-host for the 401 Access Denied Podcast. And today we have a very special episode and it's all it's our... Yes, it's the holiday episode, it's the one we're all meant to be merry and excited and leaving 2020 behind us and the great 2021, which is ahead, which I hope is a very different year for everybody. I'm joined by my awesome co-host Mike, do you want to give us your season's greetings?

Mike Gruen:
Yeah. Definitely, I'm Mike Gruen VP of engineering and CSO here at Cybrary, happy holidays everyone and very excited about today's episode. I feel like every episode is a very special episode, but whatever, they're all special in their own way. Today we'll be talking about where we get our security news, what blogs would you like to read, who we like to follow maybe on Twitter or just in general how Joe and I stay up to date-

Joseph Carson:
Absolutely.

Mike Gruen:
... spoiler I depend mostly on Joe. Well, I'll let that come out as we go. No, definitely not entirely we only talk every week, so I don't know why I depend on you. So without further ado, I don't know, Joe, if you want it to kick off with like maybe some of your favorite blogs or people you like talking to.

Joseph Carson:
Absolutely. I guess the one that I probably be tuned into and read the most regularly is there's a podcast which is called Smashing Security and it's from two awesome was it co-hosts similar to ourselves, of course, which is one is Graham Cluley and Carole. And they do basically this awesome podcast which comes out and it's similar to what we do, but I think one of the things I find about Graham's approach is his humor and his laugh and the content that they cover. They cover a wide broad perspective, and they also have a lot of guests in the show. So it's one that I tune into and it's one that I enjoy listening to and it's one that I stay up to date, mostly not getting into the detail of specific security issues or incidents so it's not very technical, but it is one that I really enjoy listening to. And then Graham also follows it up he does this blog as well, which for me gets into... And Graham has been in the industry as long as I have.

Joseph Carson:
He's been around for a long time. You hear him doing a lot of keynotes. He did one recently at (ISC)², he's done a few keynotes and different major events. So he's been a very prominent security figure for a long time. He used to work a lot at Sophos I believe in the past. So that's one that I really enjoy. It's mostly because it brings the humor back. I like good old comedy and a lot of things that we do, I think it's good to have it in the security because it's the one that keeps us motivated. It's the one that keeps us laughing. So that's one that I like. So I don't know Mike, have you ever heard of Graham or Smashing Security or his blogs at all?

Mike Gruen:
Yes, definitely. I've heard of them. I think I've read a couple. It's one of those, again, not a huge reader so it's always nice to hear from other people what they like reading. A lot of times what ends up happening for me is I'll get a link and it'll be to somebody's blog on a specific article and then I'll go from there. But yeah, definitely heard of him and some funny stuff at times.

Joseph Carson:
Yeah. And another one that's quite common and it's the one that we all don't want to be in, which is of course, Brian Krebs. So KrebsOnSecurity is another one that... It's not one that I do regularly, but when he does post, when he does do updates it's not very frequent. It's usually every few weeks or maybe once or twice a month, he does provide these updates. Definitely every there's a major patch Tuesday that comes out, he does provide those major security updates. But it's the one that you read because there's always the one... It's a term I find funny I was trying to translate it in Estonian recently, which I refer to as ... and everyone kind of started laughing. And what it means is ... is my translation of when it hits the fan.

Joseph Carson:
That's typically when it comes out in Brian's blog, is when the shit hits the fan literally. And it's usually either looking into cases or incidents or breaches. So for me, I like Brian's journalism approach. Of course, it's not the one you want to be in. People say don't Krebs me. So that's another one that I do find... I enjoy reading it because it's his, he takes you through a story. He does a story approach, he takes you through a journey and he does get into some technical detail. So it's for me KrebsOnSecurity and Brian keep up the amazing work, looking forward to seeing you. And hopefully I'll follow you up if you're not listening to our podcast. I know there's some point we will have Brian on the show, but Brian is definitely another one that I do follow, do read up on his blogs, do follow him on social. And his approach to his journalism is fantastic.

Mike Gruen:
So when you're, let's say I'm new to the industry and trying to find people to follow, what would you say are the important things to try and figure out? Who's really credible, somebody who you really want to make sure you're following and paying attention to, versus someone who might be over-inflating things or maybe not the best. I don't want to say dishonest in any way, just not necessarily as a credible source.

Joseph Carson:
There's so many out there. I think one of the things that I find is there's a great community on Twitter of security enthusiasts, there are analysts, they are in behavior side. There's a lot of new people getting into the industry as well. So there's a lot of people that I do follow. One that I follow is one person who got me in the industry and he's still my mentor and I still look at his feeds and still... His very good Irish humor is Brian Honan, he was my manager 20 years ago. And really got me... I was doing security as a part-time thing. It was something that I was responsible for, something I was participating in, but he was the one that really changed me as focusing on as a dedicated career.

Joseph Carson:
So there's people in the industry and he's definitely one that I do see and I follow and read his every tweet, look at his messages, follow his thought leadership. So definitely, I think there's many out there, definitely on Twitter, who do follow me and they look at who I follow. That's definitely the way kind of like I do follow those people who are honest and who are very direct and I think along the same lines. Because ultimately I hate when I do see people in the industry blaming other people or calling out other people, there's a lot of trolling in the industry as well, and those are the ones you want to avoid so that does happen. But there's people out there Jessica Barker who will be on a future episode I believe.

Joseph Carson:
And there's others as well that I do follow Deviant as well, you got Reboot out there, you got Len, Coldwater, Ian Coldwater. So there's many out there that I do follow. I think I always would forget this the Purple Security as well. So those are the kind of... There's a lot of people I do follow and I do trust their judgment and I trust their feedback. Don't always agree with it, but it's something that is very educational and they're very honest. So those are kind of what I recommend.

Mike Gruen:
Yeah, definitely. I think it's important you find one or two that you know are credible, as you pointed out, see who they follow. The cool thing about our industry, there's a lot of people that we all know each other, we talk to each other, it's definitely a more cooperative type industry than some others. A lot of connections there and I totally agree, find a group of people and see who they follow and who are they reposting and so on and so forth, and you can get through them from there.

Joseph Carson:
Absolutely. And there's a group of us as well. I think some of the guys was it Sean Martin and Marco who does the ITSPmagazine, getting connected with them. They do basically a lot of great content to do a lot of podcasts, a lot of video shows, they follow a lot of the major security events globally, and they've introduced me to some amazing people like Dan Kelly, you've got Sean John who's from Microsoft, and the security team. And they do introduce you to a lot of fantastic people. And so following even them and listening to some of the shows and some of the guests they have on, it's really great as well. They also periodically have these season specials. And just recently, we also got together for all of the hosts.

Joseph Carson:
Everyone who's appeared on the shows we all got together and we had our basically Christmas holiday chat, which is always great because one of the things that this in 2020 has been very difficult because that lack of in-person and lack of interactive, the lack of networking, which meant that digital has been our only mechanism of getting the news and staying connected. So getting onto the video calls and doing the chats and Zoom parties and stuff has been a great way to stay connected. And it's definitely, for me, who's very remote and based in Tallinn, Estonia that that's my way of really keeping connected and staying social in the community as well.

Mike Gruen:
Yeah. I think that's actually brings up a really good point. And before the show we were talking a little bit about what we wanted to talk about today. But one thing we didn't talk about at all was the industry events whether it's Black Hat or whatever, there's a bunch of them. They had to go virtual this last year. But I would say that that is where I've found more people than anywhere else is go to those events, whether it's virtual or in person attend various sessions, listen to what people are saying. You can almost immediately pick up who really knows what they're talking about, and who's a good presenter and somebody you want to really be interested in, and then you can go from there. And I think those events are great events for anyone of any level to go to and interact with people. Everyone's happy to talk to you whether they're the speaker or just someone else attending really just great environments to network and meet people and find out more and learn more sources.

Joseph Carson:
Absolutely. That's my calendar for the year absolutely. Normally, it starts off the year you got a RSA, which is typically one of the big kick-offs of the year, of course, next year-

Mike Gruen:
Although we can blame RSA for the COVID infection in the United States, I think is where a lot of... I know that's where some of our employees picked it up. We're not going to blame RSA, obviously, it's a great event, but I think that was a-

Joseph Carson:
It happens when you bring a lot of people together-

Mike Gruen:
... from around the world, things happen.

Joseph Carson:
But absolutely, it's typically one of the big kickoffs of the year, of course, next year it's going virtual, so there will not be an in-person RSA next year, at least a North American one, but it would've been one I would have went to. And definitely one thing I'd recommend for the audience to follow me on my... I do release typically for the major events throughout the year. What I do is since I attend events and I go into a lot of the sessions I go through the agenda in detail. And I look to see, first of all, I check to see who's speaking and then I find out what topics they're talking about. So even looking at Sean Metcalf, which I love really going to his sessions when he's talking about Active Directory and exploiting AD and Azure and so forth. So I really do look through those agendas and I look for the people that I know are great speakers.

Mike Gruen:
Yeah, absolutely. That was the first lesson I learned. The first time I went to, I can't remember, it was probably Black Hat was one of my... I went with a friend and he was like, "Look, look at who the speaker is and that's more important than necessarily the topic." And I remember the best talks I went to was on car hacking and all of my takeaways from that and how even at that time, even though I wasn't... Just what they were talking about, OT, wasn't really something I... It wasn't part of my life. It's not something that really matters to me from a security job perspective, but the takeaways of how to actually secure similar systems and so there's always something applicable. So it's always worthwhile to listen to a speaker of interest as opposed to... Or a speaker who's a very good presenter and knowledgeable in their field because there's always takeaways that are applicable to you.

Joseph Carson:
Yeah. That's the first thing and I will say is when you're going to events so this is the big trade shows like RSA and Black Hat and Defcon is look at the agenda and look at the speakers. That's how I build my agenda is going through the speakers first. And then once I filled it out, then I go through, "Okay, what's the subject I need to attend." So then I go through it with filling it out with the ones that have a specific interest in, and then once I've done that, then I add the fillers. It could be networking, it could be other things, but that's typically how I do. And I do release a blog of here's the sessions not to miss so that people have a plan, people are ready when they go to events.

Joseph Carson:
So I usually typically follows up. I do go to Infosec Europe, which the sessions Infosec Europe is more of a meetup a networking event. And there's a lot of side shows that's where they do the Security Blogger of the Year Award, and the Security Podcast of the Year Award and Professional of the Year Award. So that's where we go for our social activities. And then shortly after that, of course, it's the Black Hat and the Defcon. I enjoy Black Hat the sessions are okay, but where I do learn the most is going to Defcon because it's like the behind the scenes. "Here's how we did it. Here's the findings."

Joseph Carson:
So Defcon is really where I like to go and hang out and network and also get my advice from. So those are some of the major things throughout the year, and I definitely recommend if you do get the opportunity hopefully they do come back. Black Hat and Defcon I hear is going to be a hybrid event in 2021, but we need the shows to come back because that's where the collaboration and communication and networking happens, not so much the event itself and the sessions. But it's where you get introduced to really amazing people.

Mike Gruen:
Yeah. It's funny how important the in-person part of that is I've attended plenty virtually or whatever, and as good as those are they're just not quite the... You can't just walk up to... Some of them try and do various things to make it a little bit more accessible beyond just attending the session. But it's definitely tricky and I think that the in-person aspect is an important one, and just hanging out with people and talking and just learning what you can, very important stuff.

Joseph Carson:
Yep. And then another one that is great is the (ISC)² Security Congress, which typically happens towards the end of the year, usually in Florida around there October, November time. But for me the problem I've had, so I've attended all of those events this year virtually. And the problem I have, is that there's one thing about going to the in-person event because then when you're there you're in their same time zone.

Mike Gruen:
Yeah. There's that.

Joseph Carson:
Attending virtual, for example, (ISC)² and Black Hat I was probably starting my sessions 9:00 PM in the evening. And they would go on to maybe two or three o'clock in the morning. And I did try to balance it because the good thing is some of the shows did actually have the recordings of some sessions. So it allowed me to next day so it didn't have the same release date. Next day I'd be watching a day behind everyone else.

Mike Gruen:
So I sort of took us off into the left there on in terms of trade shows and things like that. I think just reading other places worthwhile to get your news. I do a lot with aggregators and whether it's hacker news or Reddit or wherever, that's where some of the things like I read come through. I think Dark Reading is another good one where it's not an aggregator obviously, but where there's good stories and things like that. Any places aside from blogs and people to follow, where else do you get your news.

Joseph Carson:
Absolutely, Dark Reading is definitely one of the proper places I would go to. Hacker News is another one, it's an aggregator of other feeds and stuff, but I do like it, it gets into a little bit more technical detail sometimes. Threatpost is another-

Mike Gruen:
Sometimes on Hacker News, I will say, that's one of those places where you really have to put on your brain and pay attention to what the source is because it's an aggregator. It's a little more up to you to filter that news.

Joseph Carson:
Absolutely. So that post as well is another one similar to that. So those are the places I would go to. And of course, there's Naked Security, which is an old Sophos location. I don't know what's going to happen to it with all of the changes happening there. I do hope that that stays on because it was also a great source of it really just uncovered behind the scenes of security. It really took back and cut the raw content without really pushing too much opinion, so that was another great location that I would look into.

Joseph Carson:
So definitely Threatpost, Dark Reading, Hacker News are great sources, but you do have to really go and look into the detail and try and decipher what is of interest. But one I do really like as well is the Sophos one, which is the Naked Security site as well. That's another good one that I go to and get information from. But there's many out there, there's Bruce Schneier's blogs, Schneier. That's another great one that goes a bit more into encryption than the security in general type of thing.

Mike Gruen:
Yep. I think we talked about books and I think that was... He's just a great obvious person to follow and read all of his work and just I couldn't agree more there.

Joseph Carson:
Another one that I've done, one that has probably been the longest that we followed is a guy called Steve Gibson. So it's Gibson Security. He's been doing it for fuck, for a long time. And the reason why is I worked on an incident that he also worked on back in early 2001, 2002, which was the GRC.com attack, which is Gibson Research. Probably one of the longest I've been following in the security industry. So his insights and direction and all his fun podcasts as well.

Mike Gruen:
Yep. And I think I'd be remiss if I didn't at least plug Cybrary a little bit here in terms of who we have on our podcasts, whether it's this one or other ones that we do, we have lots of leaders in the industry come on. I would highly recommend just looking through if you're not even... I think my producers probably would want me to say listen to all of our podcasts, but even if you don't listen look and see who comes on and those are usually industry leaders, or people in emerging technologies and are worthwhile looking into and seeing maybe they have a blog. I know a Huntress, for example, is a good friend of ours they do a lot. There's a lot that they put out that's worth listening to and reading and so and so forth. So definitely Cybrary's a good source.

Joseph Carson:
Yeah. Some good guests and Chris Kubecka is always fun to chat with.

Mike Gruen:
Yes. She's one of our favorite guests.

Joseph Carson:
And Josh as well. So getting them on and we've had them on our podcast as well. And it's always great to have really fun, they're experts in our field. So when they come on, they have a lot of value to add. So really excited, some amazing, and I do. So one of the mediums I use for my podcast, typically on my phone it tends to be Apple podcasts where I basically do the subscriptions. So that's probably where I get the feed from that's coming in from the ... security for Cybrary and this podcast and all the others as well. That's kind of my aggregator and the cloud in Cybrary. So that's kind of the thing, but I have started recently moving a bit more to Spotify podcasts when they started separating it out. So that's another place where I've started using to listen to. I tend to do it when I'm commuting back and forward, or when I'm going for a walk to catch up on some of these feeds.

Mike Gruen:
Absolutely. Cool. Any other I feel like we've recorded for a bit, I think we've talked about ...

Joseph Carson:
Yeah, absolutely. Those are the main mediums. It's the big trade shows where we catch up we grab a drink, we network and we talk about what's been happening. That's really where the in-person... That's where you make the real connections. The blogs are really good for just that continuous staying up to date, the news articles just keeps you connected in the industry about what trends are happening. And then definitely social Twitter, LinkedIn, it definitely helps you make some great personal connections out there as well. And definitely the podcasts I do find that the podcast is probably where the entertainment comes from. Because listening to a lot of the jokes and listening to the... It keeps the security entertaining and then that's what we definitely need more of.

Joseph Carson:
I think we've really covered... I think we've given the audience of a pretty good indication of where we get our news from. And hopefully that they will be able to go out and look out and stay up to date and follow some of the people we follow because they are the experts in the field. They are the ones that we tend to trust their judgment, the sources, and advice and direction from. Many of them are mentors to me, so I think... I think going into 2021 really let's make some new connections, let's try to make sure we make security positive and let's put 2020 behind this.

Joseph Carson:
Let's make an exciting year. Let's make security usable let's make it happy. Let's get new new... I think we really definitely need a lot of new talent in the industry to come in and really help us solve the major problem because security is hard. But it is important it's something that we definitely need to get a lot more people interested in doing. Because we definitely need to protect people out there online, whatever they're doing, whether it being shopping, communicating or even working, we do need to make sure that they stay safe.

Mike Gruen:
Absolutely. And one of the other things that occurred to me while you're talking that I've taken to doing over the last I'd say nine months or so, and I'm in a unique situation I think but you can find yourself in the same way, where I'm buying software for Cybrary to use obviously. And whenever I have the opportunity to parlay that into a connection with their security team, whatever company it is, or their CSO, I try and do that. I try and get connected to someone over there just because I think that networking that, "Hey, we're all in this together." I found that everybody's very open to that, just to making that connection, being like, "Hey, is there someone on the security team?" Try and find that peer. Obviously if you're entry level, you're going to have a hard time getting the CSO's ear, let's be realistic. But at the same time, take that opportunity to try and make a connection to other people at these companies if you're working with other companies, meet their security team and try and interact with them.

Mike Gruen:
I think the nice thing about the internet now is we can actually stay connected and get connected. And there's no reason not to take advantage of that. So I'd also encourage that as well. If you're doing business with Cybrary feel free, reach out and say, "Hey, I'd like to talk to Mike and just get connected and see what's going on." I'm always happy to chat with people.

Joseph Carson:
Absolutely. This is the same if they called in as well. A lot of people reach out and they want that connection because they want the first hand connections with the source of information because I do, I create a lot of the content and they want to get behind the scenes of the content in many cases. So that's always a good way to get that connection. So, absolutely. I think this is another fun discussion. Happy holidays.

Mike Gruen:
Happy holidays to you as well.

Joseph Carson:
Hopefully, everyone got to spend some time with the family over the holidays and not in isolation, hopefully we can put 2020 behind us and let's make 2021 awesome. So Mike, it's awesome as always to chat with you, and always looking forward to more chats in the future. And everyone out there thanks for watching, thanks for listening to 401 Access Denied. Stay safe, keep watching, keep listening. And we are looking forward to keeping you entertained moving forward. So always subscribe, keep connected. Reach out to us directly as well on social and let's keep this community going. It's growing and growing and we're excited about the future, thank you.