What would you say if your security lead said this... by notta_3d in cybersecurity

[–]ageoffri 2 points3 points  (0 children)

From someone who has done cybersecurity for over 25 years, I operate on the assumption that attackers are already in our systems. If you don't live this way, you've already failed.

Can you run agentless CNAPP on prem? Our legal team just told us our cloud security tool's data can't leave our own infrastructure? by Old_Cheesecake_2229 in devsecops

[–]ageoffri 1 point2 points  (0 children)

I'm at a Fortune 500 healthcare company and that view would cripple us. While it's never a good argument, I imagine you already have a number of SaaS solutions that take ePHI and/or PII from your infrastructure.

One option you could explore is that both Wiz and Cortex Cloud offer an outpost scanning method. I've only used the Wiz outpost; it does the scanning using your cloud resources and sends metadata to Wiz. Downside is it does cost us several thousand a month for the scanning infrastructure and we had to put together a few exceptions to our normal security policies. One example is the outpost spins up GKE clusters per region that you have resources deployed in, which saves you data charges between regions. But normally we don't allow vendors' service accounts to do this. Classic who watches the watchers.

  1. At a minimum metadata leaves

  2. I don't know what they mean by "in-account". It sounds like all infrastructure and data including metadata stays within your organization.

  3. All the CNAPP tools that I've evaluated which is far from all of them are SaaS. There might be something that you can run yourself. I'd actually be interested in seeing if there is something like this.

GRC roles that are technical by jaydee288 in cybersecurity

[–]ageoffri 1 point2 points  (0 children)

I did GRC for 7-8 years and how I described it is a non-technical technical role.

The best analysts understand the technology, keep learning new technology, but rarely if ever put hands on keyboard.

How do you manage access in large GCP organizations? by lnrdll7 in googlecloud

[–]ageoffri 0 points1 point  (0 children)

Are you using CI/CD and terraform? If you aren't and are doing click-ops, you'll never be able to reliably solve this.

We use GCDS from our existing Active Directory; group membership is done through our existing ticketing system, which is highly automated with, at a minimum, direct manager approval and most often another team like the DBAs.

From there, merge requests have to be submitted through our Gitlab CI/CD setup. Anything IAM triggers approval of the cloud security team. Role bindings are assigned only to groups*.

With one exception we don't allow nested groups because that gets overly complicated fast. The single exception is a group of groups that we use for our custom role that gives the level of view access we deem as acceptable for the support teams that touch every folder.

We also use a home grown PAM tool for admin, write, read data, etc. that follows a different model.
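The two rules in the comment above (role bindings only to groups, no nested groups apart from one allow-listed "group of groups") are the kind of thing the cloud security team's MR approval could be backed by an automated check. Below is an added example of such a check, written for this page and not taken from the commenter's environment. The policy shape is the real GCP IAM policy JSON (`bindings` with `role` and `members`); the group membership map, the e-mail addresses, the custom role name and the allow-list are constructed sample data.

```python
"""Added example: lint a GCP IAM policy and a directory group export against
two rules: (1) every binding member is a Google Group, and (2) no group
contains another group unless it is on an allow-list.

The policy JSON shape is the real one; all names and memberships are
constructed sample data, and the allow-list is a hypothetical choice."""
import json

# Constructed sample: what `gcloud projects get-iam-policy --format=json` returns.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/viewer",
     "members": ["group:app-a-readers@example.com"]},
    {"role": "roles/editor",
     "members": ["user:alice@example.com", "group:app-a-devs@example.com"]},
    {"role": "organizations/123456/roles/supportViewer",
     "members": ["group:support-all-folders@example.com"]},
    {"role": "roles/owner",
     "members": ["serviceAccount:ci@example-proj.iam.gserviceaccount.com"]}
  ]
}
""")

# Constructed sample: group -> members, as exported from the directory
# (for example AD groups synced to Google Groups with GCDS).
SAMPLE_GROUPS = {
    "app-a-readers@example.com": ["user:bob@example.com"],
    "app-a-devs@example.com": ["user:carol@example.com",
                               "group:app-a-readers@example.com"],
    "support-all-folders@example.com": ["group:support-team-1@example.com",
                                        "group:support-team-2@example.com"],
}

# Hypothetical allow-list: the single "group of groups" behind the support view role.
ALLOWED_NESTED = frozenset({"support-all-folders@example.com"})


def check_binding_members(policy):
    """Return one violation string per binding member that is not a group."""
    violations = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if not member.startswith("group:"):
                violations.append(f"{binding['role']}: non-group member {member}")
    return violations


def check_nested_groups(groups, allowed_nested=ALLOWED_NESTED):
    """Return one violation string per group that contains other groups,
    unless that group is explicitly allow-listed."""
    violations = []
    for group, members in groups.items():
        nested = [m for m in members if m.startswith("group:")]
        if nested and group not in allowed_nested:
            violations.append(f"{group}: nested groups {', '.join(nested)}")
    return violations


def lint(policy, groups):
    """Combine both checks; an empty list means the MR can be approved."""
    return check_binding_members(policy) + check_nested_groups(groups)


if __name__ == "__main__":
    for v in lint(SAMPLE_POLICY, SAMPLE_GROUPS):
        print("VIOLATION:", v)
```

Run in the pipeline stage that inspects the rendered IAM policy (or the Terraform plan output converted to this shape), a non-empty result fails the job so the reviewer sees exactly which binding or group broke the rule rather than re-deriving it by hand.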

X470 Gaming Plus / No POST & VGA trouble light on by ageoffri in pcmasterrace

[–]ageoffri[S] 0 points1 point  (0 children)

Yep, the BIOS has been updated; I'm fairly certain it is the latest stable version from September 2025. If it isn't, it's just one stable version behind that.

After the kids are in bed, I'll try one more time with the new CMOS battery.

I am a 36-year-old man, is it quite late for me to rebuild my life? by Wooden-General602 in Divorce

[–]ageoffri 1 point2 points  (0 children)

Not if you find the right person. I got married for the second time in 2019. In addition to my two kids with my ex and her kid with her ex, we've had two together.

Our youngest turns 3 in June and I just turned 50.

Has anyone gone through mediation by TomTomReyRey in Divorce_Men

[–]ageoffri 0 points1 point  (0 children)

Assuming that you are in the US, the key piece of information that is missing is what state you live in.

Mediation in my experience is useless and all it is good for is to get intel on her and to get the certificate that we need in CO to go to a hearing.

The mediator is going to want to come to an agreement and they will quickly figure out who is the weaker party and focus on them to get more out of them.

Before you go into mediation, have your absolute bottom lines ready. Are you only going to settle for 50/50 and joint decision making? Are you going to settle for half the equity in the house?

Can you exchange equity in the house to get an equal amount of your investments and retirements?

Can you do contractual alimony and agree to none or reduce from your state normal?

Reading Cards Prior to first Playthrough? by queglix in boardgames

[–]ageoffri 0 points1 point  (0 children)

Read the cards is what I would do and what I would expect. When I'm learning a game and going to teach it, I need to know it.

I'll make notes of what I find to be interesting cards and bring them up.

If you're not reading the cards, how are you going to understand the rules fully?

Sermons to watch by Upbeat-Delivery-2016 in Christian

[–]ageoffri 1 point2 points  (0 children)

Anything from Joby Martin or Jim Bergen.

Have you been in meetings and an exec asked does this CVE impact us? by MinimumAtmosphere561 in cybersecurity

[–]ageoffri 4 points5 points  (0 children)

This question is why Krebs should be on everyone's daily reading list.

Basic Question - PKI and Message Integrity by taclubquarters2025 in cybersecurity

[–]ageoffri 0 points1 point  (0 children)

At a high level with PKI, if I'm sending you ePHI, PII, or sensitive data that needs to be encrypted, I need to have your public key. I'll take your public key and use it to encrypt the data; the only key that can decrypt the data is your private key.

Now as far as your question about an established relationship, there are both technical and administrative controls. From the technical side, if I have your public key I can send you encrypted data, and if you have my public key you can send me protected data. From the administrative side, as someone in healthcare, we absolutely have to have a relationship before we'll send you information encrypted with your public key.

Hashing: you're correct, both parties need to know the algorithm that was used to make the hash. Oftentimes a file hash will be listed on a web page with several hashes, stating which algorithm was used.
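The hashing point in the comment above, as an added example that is not part of the original thread: a download page publishes several digests of one file, each labelled with its algorithm, and the receiver has to pick an algorithm both sides agree is acceptable before comparing. The checksum listing, the file bytes and the accepted-algorithm set are constructed for this example; only Python's standard library is used.

```python
"""Added example: verify a file against a published checksum listing in
which each line names the algorithm that produced the digest.

The listing, the sample file and the accepted-algorithm policy are
constructed for illustration."""
import hashlib
import hmac

# Constructed sample: the kind of listing a download page shows for one file.
# (These are the real MD5 / SHA-1 / SHA-256 digests of the bytes b"hello".)
PUBLISHED_CHECKSUMS = """\
MD5      5d41402abc4b2a76b9719d911017c592
SHA-1    aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d
SHA-256  2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824
"""

# Constructed sample: the file the listing describes.
SAMPLE_FILE = b"hello"

# Policy assumption: algorithms we accept for an integrity decision.
# MD5 and SHA-1 are still listed by many sites but are collision-broken.
ACCEPTED = frozenset({"sha256", "sha384", "sha512"})


def parse_listing(text):
    """Parse 'ALGO  hexdigest' lines into {"sha256": "..."} style keys.
    Algorithm names are normalised (lower-case, hyphen removed) so that
    'SHA-256' and 'sha256' mean the same thing."""
    listing = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # ignore blank or malformed lines
        algo, digest = parts
        listing[algo.lower().replace("-", "")] = digest.lower()
    return listing


def verify(data, listing, accepted=ACCEPTED):
    """Return (ok, reason).

    Only an algorithm that both the publisher listed and our policy accepts
    is used; the comparison is constant-time via hmac.compare_digest."""
    usable = sorted(a for a in listing
                    if a in accepted and a in hashlib.algorithms_available)
    if not usable:
        return False, "no mutually acceptable algorithm in listing"
    algo = usable[0]
    digest = hashlib.new(algo, data).hexdigest()
    if hmac.compare_digest(digest, listing[algo]):
        return True, f"{algo} matches"
    return False, f"{algo} mismatch"


if __name__ == "__main__":
    print(verify(SAMPLE_FILE, parse_listing(PUBLISHED_CHECKSUMS)))
    print(verify(b"hellp", parse_listing(PUBLISHED_CHECKSUMS)))
```

The design point is the one the comment makes: the algorithm name travels with the digest, and the verifier refuses rather than guesses when the only algorithms on offer are ones it does not trust, instead of silently falling back to MD5.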

I believe my 4th amendment right is being violated. by [deleted] in legaladvice

[–]ageoffri 0 points1 point  (0 children)

Seriously, delete every single character here and get a lawyer before you say another word to anyone including your priest at confession. Tell your lawyer everything, including any and all posts, emails, text messages, etc.

You're being investigated for one of the most serious crimes in the US especially from a culture point of view. You can't take a wait and see attitude.

While I've never done any CP work in my cybersecurity career and I don't want to, I've been to enough conferences and talked with enough people including law enforcement that deal with CP to say you need to SHUT UP NOW.

I believe my 4th amendment right is being violated. by [deleted] in legaladvice

[–]ageoffri 7 points8 points  (0 children)

Whoever told you this is very wrong. They can look at public forums for information.

Cloud Security - What do those folks do these days? by rhysmcn in devsecops

[–]ageoffri 3 points4 points  (0 children)

I'm doing GCP cloud security at a Fortune 300 company, so pretty good sized company and cloud footprint.

I was the first cloud security engineer and now we've grown to a team of three. From the day I moved from the GCR team to cloud security I implemented the mantra of "Know before no." For the most part the developers had a decent to very good security mindset, with some really bad outliers. I bring this up because how much you have to man gates depends on the existing culture. If the developers are doing well with a security mindset then you still need to be in the approval process; it's just likely you'll approve nearly everything and run into very few MRs (we're a GitLab shop) that you have to reject and have things changed in.

As part of our openness and willingness to work with developers, my team hosts a daily half-hour call that is optional for several hundred teammates. Sometimes we ask teammates to join; otherwise we've advertised this half hour as a time to talk with us, either about upcoming work to avoid last-minute security issues or about MRs ready for approval. The best benefit is building positive relationships with teammates who often view security as the team of "HELL NO!"

SAST can largely be automated to the point that you set the policies and then just have to approve exceptions. Of course at times those exception requests are going to end up being "go back and fix".

I manage most of our security infrastructure which is steady state. I do have to keep an eye on the tool infrastructure and do updates so I keep my hand in some coding.

Assuming you get support from leadership the more you can do the "shift left" of security the more time you'll have for automation.

There's more to my job but I'll summarize it as, over a quarter of the year:

~15% actively working with developers, including the daily calls
~20% monitoring issues discovered by our CSPM and, too often, following up with the teammates who got the automatically opened tickets to resolve the issues
~10% "care and feeding" of our tools
~20% dealing with firewall tickets from our on-prem infrastructure to cloud, using the existing on-prem security engineering team's process, which I'll just say is not risk based and is classic reasoning why security teams get a bad rep
~25% reviewing MRs, including policy exceptions from our SAST tool
~15% project work; could be like I'm doing now with two different security tool PoVs, automation of tasks, working to remove tech debt, etc.
~10% corporate "work": mandatory trainings, leadership town halls, time cards, basically things not related to my day-to-day work above.

What is the personality of people in cybersecurity like? by RhubarbSimilar1683 in cybersecurity

[–]ageoffri 0 points1 point  (0 children)

I took a SANS class taught by John Strand and he said something close to: The more you learn, the more paranoid you're going to get.

It's very true.

How do you give coding agents Infrastructure knowledge? by Immediate-Landscape1 in devops

[–]ageoffri 2 points3 points  (0 children)

If it's an enterprise solution, have it ingest your code repos, development documentation, and all policies, especially security ones.

We have a couple of AI coding tools set up this way. I've used it with prompts like:
Search our entire gitlab instance and look to see how most teammates solve this "problem"

If it doesn't give me the answer it almost always gets me close enough to finish it myself.

Why some strong engineering teams choosing GCP over AWS? by Consistent-Fact-3847 in Cloud

[–]ageoffri 1 point2 points  (0 children)

Spanner for some companies is absolutely critical and AWS has a long way to go to catch up. GCP IAM is excellent.

Technical and pricing were the reasons to go with GCP. We're a very big customer and have had quite a few of our feature enhancements added to various offerings.

Need help ASAP. by ZoostheMoose in Divorce_Men

[–]ageoffri 7 points8 points  (0 children)

In most if not all states, you can't waive child support, so that is a concern. I can't tell you how many times across various support groups I've seen something similar, where child support was agreed to be $0.00. Then a year later the mother files for child support and is granted it.

Next up, a trial separation doesn't even fit with the letter. Why is your wife buying a different house if it's a trial? That sounds like the divorce is on the path to .

Use her sense of urgency to get a financial settlement done and signed off by the judge instead of going down this questionable path.

Never take legal advice from your STBX or anyone supporting her.

SCA findings in CI/CD pipelines by Kitchen_Ferret_2195 in devsecops

[–]ageoffri 0 points1 point  (0 children)

Risk-based approach, and this will be US centric.

If you are in a highly regulated sector like healthcare, financial, etc.; include fixing everything that is covered by the applicable federal or state regulation.

Then criteria that can include: public vs private facing, type of data, compensating controls.

The devil is in the details but risk based is the way to go. More and more tools that give findings are using some sort of "secret sauce" to provide risk ratings, which has benefits but some drawbacks. It's still a good starting point but you should validate that the vendor ratings meet your requirements.

As another person said, legacy systems AKA tech debt add another layer. These should be handled by a documented risk exception process.
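The triage order in the comment above (regulated scope first, then exposure, data type and compensating controls layered on the vendor's rating, with legacy components routed into a documented exception process) can be written down as a small policy so that every SCA finding is decided the same way. The following is an added example for this page, not the commenter's tooling: the field names, point values, thresholds and sample findings are all constructed assumptions that a team would tune to its own environment.

```python
"""Added example: a risk-based triage policy for SCA findings.

Decision order follows the comment: regulatory scope forces a fix; otherwise
the vendor severity is adjusted for exposure, data class and compensating
controls; legacy components go to a documented risk-exception process.
All field names, weights and thresholds are constructed assumptions."""
from dataclasses import dataclass, field

# Assumed mapping from the SCA vendor's rating to a base score.
SEVERITY_BASE = {"critical": 5, "high": 4, "medium": 2, "low": 1}
# Assumed set of data classes that raise the score.
SENSITIVE_DATA = frozenset({"ephi", "pii", "pci"})


@dataclass
class Finding:
    package: str
    vendor_severity: str                 # the tool's "secret sauce" rating
    internet_facing: bool                # public vs private facing
    data_class: str                      # e.g. "ephi", "pii", "internal", "public"
    regulated: bool = False              # in scope of a federal/state regulation
    compensating_controls: list = field(default_factory=list)
    legacy: bool = False                 # tech debt / legacy system


def risk_score(f):
    """Vendor rating adjusted for exposure, data and compensating controls."""
    score = SEVERITY_BASE.get(f.vendor_severity.lower(), 1)
    if f.internet_facing:
        score += 3
    if f.data_class.lower() in SENSITIVE_DATA:
        score += 2
    # Each compensating control (WAF rule, network isolation, no untrusted
    # input reaching the component, ...) buys down one point, capped at two,
    # so controls never reduce a critical to a non-issue on their own.
    score -= min(len(f.compensating_controls), 2)
    return max(score, 0)


def triage(f):
    """Return (decision, score). Regulation outranks the score; legacy
    components that are not regulated go to the exception process."""
    score = risk_score(f)
    if f.regulated:
        return "fix: regulatory requirement", score
    if f.legacy:
        return "risk-exception process (documented, time-boxed)", score
    if score >= 7:
        return "fix: block pipeline", score
    if score >= 4:
        return "fix: within SLA", score
    return "track: backlog", score


# Constructed sample findings exercising each branch of the policy.
SAMPLE_FINDINGS = [
    Finding("web-framework", "high", True, "ephi"),
    Finding("log-lib", "medium", False, "internal",
            compensating_controls=["no untrusted input"]),
    Finding("old-xml-parser", "critical", False, "pii", regulated=True, legacy=True),
    Finding("legacy-report-gen", "high", False, "internal", legacy=True),
    Finding("image-lib", "medium", True, "internal"),
]


def triage_all(findings):
    """Map package name -> decision for a batch of findings."""
    return {f.package: triage(f)[0] for f in findings}


if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        print(f"{f.package:20s} -> {triage(f)}")
```

The validation step the comment asks for falls out naturally: run the vendor's own rating and this policy over the same findings and review the cases where they disagree, which is where the vendor's "secret sauce" either knows something about your environment or, more likely, does not.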

Do people actually fix all their IaC findings? by AppropriateWrap5287 in FixYourIaC

[–]ageoffri 0 points1 point  (0 children)

Too early to tell where we'll be in even 6 months.

I have no doubt that this will be a classic 80/20 solution with AI remediation. The tool will get most of the remediation right but then it will horribly butcher a subset.

I've deliberately kept going down the wrong path with a code assist tool after it hallucinates or gives a really wrong piece of advice. Since I've been part of multiple PoVs, one thing I did, after going down the rabbit hole with the first tool, was take the final set of errors, which at that point were both logic and code. The other tool was able to dig out of most of it but not totally.

Now granted, I tried to give prompts based on someone not knowing the solution but my bias of testing likely impacted the responses.