Welcome back to episode #3 of The Cyber Why Pod. The show where the okay-est four hosts in podcasting history tackle last month’s top cybersecurity and technology stories. Check out this episode as we cover some killer topics, including the new Big Head TCW team, Lacework’s potential fall from grace, Chrome finally taking a bite out of cookie theft, SiSense and the results of SaaS big data breaches, the impact of the US ban on non-competes, a Microsoft Meta-Review and CSRB tear down, the continuing NVD backlog issues, what would you do with a $100 security budget, and a real live exoskeleton.

Read below to jump to your favorite parts, or watch it straight through from start to finish. Remember—we love you! Please click subscribe and share with your friends if you want to see more!

TCW POD #3 SHOW NOTES

On this episode, hosts Tyler Shields, Rick Holland, Katie Teitler-Santullo, & Adrian Sanabria tackle the following key points:

00:42 - Introductions

03:17 - Show Sponsor - Material Security

Are you wasting your email security budget?

When every dollar counts, you want to make sure you make the most of what you get. You (hopefully) get funds for anti-phishing tools, but the threat landscape extends beyond the inbox.

With more sophisticated attack flavors at higher volumes than ever, email security must also encompass insider risk scenarios, account takeover protection, and data loss prevention.

See why Material Security is the preferred choice for organizations looking to protect more areas of their Microsoft 365 or Google Workspace footprint under a unified toolkit… and a single line item in the budget.

Visit Material Security

04:19 Meet The TCW Big Head Crew

Tyler unveils the new TCW Big Head crew. The reactions are priceless; each squad member will have their own Big Head to play with at home!

06:35 Lacework’s Fall From Grace

The crew discusses the fall of Lacework, a once high-valued startup in the cloud security industry. The potential acquisition by Wiz for a fraction of its previous value raises questions about the future of cloud security startups and the overall market. The deal also highlights the trend of consolidation in the industry. Details include the impact on Lacework's employees and customers, the long-term implications for competition and innovation, and whether consolidation will benefit or harm the cloud security industry. The deal fell apart shortly after recording this POD, and Laceworks is back on the market.

16:30 Chrome to Fight Cookie Theft

For a while, Google has been trying to replace cookies for user tracking with initiatives like FLoC. Now, they are introducing Device-bound Security Cookies (DBSC) to combat cookie theft. DBSC uses cryptographic keys bound to the device and requires explicit website usage. However, it may not fully address malware that steals login credentials. The team raises questions about the effectiveness of DBSC, the balance between user privacy and effective advertising, and the broader implications of storing credentials in plain text.

Rick also sings C is for Cookie from Sesame Street - A MUST-SEE MOMENT

27:30 SiSense Breach and Other Big Data SaaS Security Issues

SiSense, a business intelligence and data analytics platform, has experienced a data breach. The exact nature of the breach and the affected data are not yet known, but reports suggest millions of credentials may have been compromised. SiSense customers are urged to reset passwords and credentials, and law enforcement is involved in the investigation. The breach raises questions about the scope and impact, security weaknesses in BI platforms, recommendations for affected customers, attribution and motives of the attackers, long-term ramifications for data security and BI platform usage, lessons learned for other companies, future advancements in BI platform security, and the role of regulatory bodies in setting data security standards.

43:00 Potential Impacts as US Bans Non-Compete Agreements

The recent ban on non-compete agreements in the US is expected to have mixed impacts on startups. It will provide access to a larger talent pool and potentially foster innovation. Still, it may also make it harder to retain key employees and expose startups to poaching by larger companies. The ban could also pressure established companies to offer competitive wages. The decision aims to promote worker mobility and increase wages, but its effect on startups will depend on various factors.

55:15 A Meta-Review of the 2023 Exchange Online Intrusion

This team discusses the CSRB report on the summer 2023 MEO intrusion at Microsoft. The report highlights the major security breach, the failure to detect the attack, and the issues with Microsoft's security culture, key management, log retention, and notification system. It also provides recommendations for improving security practices, including enhancing security culture, modernizing key management, improving logging, and reworking IAM architecture. The crew emphasizes the need for shared responsibility between providers and customers and calls for greater transparency and reporting of breach details.

1:09:40 NVD Backlog and Lack of Enrichment Continues

The National Vulnerability Database (NVD) has experienced a slowdown in enriching new vulnerabilities with critical details, leading to concerns about the accuracy and timeliness of information for cybersecurity professionals. The slowdown is attributed to a surge in discovered vulnerabilities and resource limitations. Despite this, the NVD remains a valuable resource, and cybersecurity professionals are urged to prioritize patching and utilize alternative sources for vulnerability information. Questions arise regarding the impact on risk assessment, increased security risks, accountability and transparency, industry collaboration, and the future of NVD.

1:17:00 $100 Security Tool Budget - 1st Move

The TCW crew discusses the concept of a $100 cybersecurity budget and how cyber professionals would spend it. They pose the question of the low-hanging fruit in cybersecurity and how we can fix these problems quickly.

1:26:20 Story #5 - Dnsys X1 Exoskeleton - Cool or Fool?!

The Dnsys X1 Exoskeleton is advertised as a way to unleash superhuman athletic potential. The Crew provides humorous commentary on the video, highlighting the potential risks and limitations of the exoskeleton. Is it a gateway to laziness or a kickass exercise tool? The team debates this in this month’s story #5.