Segment 1: Fastly Interview
In this week's interview segment, we talk to Marshall Erwin about the state of cybersecurity, particularly when it comes to third party risk management, and whether we're ready for the next big SolarWinds or Crowdstrike incident. These big incidents have inspired executive orders, the Secure by Design initiative, and even a memo from JPMorgan Chase's CISO.
We will discuss where Marshall feels like we should be pushing harder, where we've made some progress, and what to do about incentives. How do you convince a software supplier or service provider to prioritize security over features?
This segment is sponsored by Fastly. Visit https://securityweekly.com/fastly to learn more about them!
Segment 2: Weekly Enterprise News
In this week's enterprise security news,
- Agents replacing analysts is highly misunderstood
- only one funding round
- Orca acquires Opus to automate remediation
- OneDrive is updating to make BYOD worse?
- Companies are starting to regret replacing workers with AI
- Is venture capital hanging on by a thread (made of AI)?
- Potential disruption in the traditional vuln mgmt space!
- MCP is already looking like a dumpster fire from a security perspective
- malicious NPM packages
- and, IS ALCHEMY REAL?
Segment 3: RSAC Conference 2025 Interviews
Interview 1: Pluralsight
Emerging technologies like AI and deepfakes have significantly complicated the threat landscape of today. As AI becomes more integrated into our lives, everyone - not just cybersecurity professionals - needs to develop security literacy skills to keep themselves, their organizations, and their loved ones safe. Luckily, there are countermeasures to spot and identify AI and deepfake-related threats in the wild. In this segment, Pluralsight's Director of Security and IT Ops Curriculum, Bri Frost, discusses how AI has changed the cybersecurity industry, how to spot AI and deepfakes in the wild, and the skills you should know to defend against these emerging threats.
Pluralsight's AI Skills Report
This segment is sponsored by Pluralsight. Visit https://securityweekly.com/pluralsightrsac to learn the skills you need to defend against the latest cyber threats!
Interview 2: Radware
Adversaries are rewriting the cybersecurity rules. Shifts in the threat landscape are being fueled by attackers with political and ideological agendas, more sophisticated attack tools, new coalitions of hacktivists, and the democratization of AI. Radware CTO David Aviv will discuss how companies must adapt their cyber defenses and lead in an evolving era of asymmetric warfare and AI-driven attacks.
This segment is sponsored by Radware. Visit https://securityweekly.com/radwarersac to learn more about them!
Bri is a renowned expert with 7 years of experience in the field of Cybersecurity and IT, bringing a unique perspective to the table. As the Director of Security and IT Operations Curriculum and Research at Pluralsight, Bri is instrumental in developing the cutting-edge cybersecurity and operational curriculum and content strategy. With a wealth of knowledge as an author of Pluralsight training content, she infuses a “red-team” or attacker-focused mindset into her teachings to grasp security concepts and defense strategies effectively. Bri holds a bachelor’s degree in InfoSystems and Technologies and is certified with Security+ and Pentest+ credentials.
David Aviv is chief technology officer at Radware, where he oversees the technology strategy for the company’s cloud, application, and network security solutions. In this role, David is involved in researching and developing the key algorithms and concepts that guide future product development.
Before joining Radware, David was vice president of engineering at Ofek, an Israeli ILEC. He also served in the Israeli Air Force as a senior technical leader. David has decades of experience leading the design and development of enterprise scale communication systems, with a specialty in the telecommunications sector.
David holds a Ph.D. in electrical engineering from the Naval Postgraduate School in Monterey, California, a Master of Science in electrical engineering from Tel Aviv University, Israel, and a Bachelor of Science in electrical engineering from Ben-Gurion University, Israel.
Marshall Erwin is the Chief Information Security Officer at Fastly, where he leads the security operations, security architecture, and compliance teams and works to secure the company’s global infrastructure. Prior to Fastly, Marshall worked for eight years at Mozilla, where he served as both Chief Security Officer and Head of Privacy and led the development of critical security features in Firefox.
Marshall has been working in the field of cybersecurity for more than 20 years. He started his career in the intelligence community, focused on understanding the cybersecurity capabilities of nation state actors. He also served as a staffer in the senate shaping cybersecurity and national security legislation.
Adrian Sanabria
- FUNDING and M&A, courtesy of the Security, Funded newsletter, issue #193 – From RSA to ROI
Vibe check
Last week's question was, "What trend in security is most misunderstood right now?" and the overwhelming response was for "agents will replace analysts".
Funding
Only one this week! I'm guessing the money-filled air cannons have gone dry after RSAC and it might take a few weeks for the industry to refill them with some new announcements. Or, we're already close enough to BlackHat that folks are hoarding their announcements months in advance!
- Ox Security, an Israel-based software supply chain security and risk management platform, raised a $60.0M Series B from DTCP. (congrats to Katie & team!)
Acquisitions
- Orca Security Acquires Opus to Bring Agentic AI to CNAPP. When Opus first came out, founded by ex-Siemplify folks, it looked like SOARv2 (i.e. a Tines competitor). Then it became clear they were aiming for the risk-based vulnerability management (RBVM) space (a Nucleus, Vulcan Cyber competitor).
Since CNAPPs largely point out the problems when it comes to vulnerabilities and misconfiguration, folding in Opus allows them to offer automated remediation. That is, if this can work at scale, and if customers have the stomach for enabling automated remediation on production assets.
- NEW FEATURES: OneDrive New Feature Allows Default Sync of Personal & Corporate Accounts
I wasn't sure whether to categorize this as "NEW FEATURES" or "NEW VULNERABILITIES"
bah dum tshhhh
- LAYOFFS: CrowdStrike to lay off 500 employees amid major restructuring
Microsoft also. Of course people are going to say "AI"!
And it's unclear if they're wrong, but I think it's more likely that market conditions are putting pressure on all companies to lighten the load, and nothing squeezes margins like paying people salaries.
- ESSAYS: Company Regrets Replacing All Those Pesky Human Workers With AI, Just Wants Its Humans Back
This is potentially the beginning of the third AI winter. All it takes is for a few large companies to throw in the towel and say "AI doesn't work, we're going back to the old ways", and it will make the industry nervous. "AI" will become a bad word again, and we'll have to come up with a new term to refer to generative AI and agentic software.
The technology will eventually emerge from the trough of disillusionment and provide modest benefits to businesses, but events like this could help burst AI's bubble.
- HOT TAKES: In 2025, venture capital can’t pretend everything is fine any more
"VCs are screwed" is a hard line to swallow. It kinda feels like the folks that were like, "Crowdstrike is DONE" after their snafu last summer.
I'm in the "I'll believe it when I see it" camp.
- HOT TAKES: Ditch Vulnerability Scanners: Modernizing Exposure Management
Ha! I called it back in episode 401, on April 3rd. I had a few things to say about runZero reporting CVEs in the latest update:
"Could runZero replace traditional vuln mgmt solutions? Probably not in the short term, but they're sure flirting with the idea in a way that would have me worried if I were in that space."
A mere 19 days later, we get a blog post from runZero titled, "ditch vuln scanners".
I really like this approach. We haven't had any real innovation in infrastructure vuln scanning since Delve Labs exited to Secureworks in 2020. Word is that new owner Sophos will shut down the Taegis VDR product to avoid upsetting key partnerships.
Currently the strategy is a hybrid one - use runZero for asset discovery, identification, and some light vulnerability management discovery. Then, lean on EDR to provide vuln management for the core Windows/Linux/MacOS stuff.
I like this strategy, because since forever, some of the most important vulnerabilities have been findings like "Informational: HTTP service running on port 80". These findings don't even get a criticality, a CVE, or a CVSS score. They're often an unpatched, unmanaged IoT device with default credentials or exploitable vulnerabilities. Traditional scanners don't catch them, because they don't do a good job of asset identification with anything that wasn't important 20 years ago.
- DUMPSTER FIRES: MCP: May Cause Pwnage – Backdoors in Disguise
MCP is going to be a NIGHTMARE of unprotected creds, unencrypted links, and overpermissioned agents/integrations
- DUMPSTER FIRES: CISA Kills Off RSS Feeds for KEVs and Cyber Alerts – Socket
The hits keep on coming. Apparently enough people complained that they reversed the decision, but this is getting exhausting.
CVE is losing funding! Nope, saved
No RSS feeds for KEVs! Nvm, jk, lol
Is the goal to feel out what we (the security industry) really care about, or are things really this dysfunctional with cybersecurity in USGov right now?
- SUPPLY CHAIN: Malicious npm Packages Infect 3,200+ Cursor Users With Backdoor, Steal Credentials
From what I can tell, this is just straight up social engineering - not typosquatting or slopsquatting. People are so quick to install plugins these days, the number of successful downloads here doesn't surprise me.
Apparently a legit NPM library was also compromised, and this compromise is related to the fake NPM packages.
- THROWBACKS: When Security Monitoring Provides Neither Security Nor Monitoring
Remember that time 10 years ago when Nick Selby did an IR engagement and found that the company's MSSP had no visibility into their environment, because their box was plugged into the wrong SPAN port?
For three years?
Boy, those were the days. Good thing this doesn't happen anymore with MSSPs, right?
RIGHT???
- SQUIRREL: Philips debuts 3D printable components to repair products
Sounds amazing, until you see that it's just a single attachment for an electric shaver. A little underwhelming for a big announcement/press release.
- SQUIRREL: ALICE detects the conversion of lead into gold at the LHC
Alchemy is real?
Ayman Elsawah