Interview with Dave Lewis
Organizations believe they have a firm grip on security with SSO and corporate IT policies, but in reality shadow IT lurks in the background, expanding attack surfaces and exposing sensitive data. Employees bypass security controls for the sake of convenience, while SSO fails to provide the comprehensive security net organizations expect. Dave talks about the critical weaknesses in traditional SSO implementations, how shadow IT thrives under the radar, and why enterprises continue to experience data breaches despite security investments. The conversation covers real-world examples of security failures, highlights the role of human behavior in risk, and provides actionable strategies to regain control over enterprise security.
This segment is sponsored by 1Password. Visit https://securityweekly.com/1password to learn more about them!
Topic Segment: Is AI taking our jerbs or not?
I listened to most of a debate between Marcus Hutchins and Daniel Miessler over whether generative AI will be good enough to replace a lot of jobs (Daniel's take), or so bad that it won't take any (Marcus's take). I got frustrated though, because I feel like some foundational assumptions were ignored, and not enough examples were shared or prepared.
Assumption #1: Jobs exist because work needs to be done. This is a false assumption. Check out a book called "Bullshit Jobs" to go down this particular rabbit hole.
Assumption #2: The primary task of a job is the job. This is rarely the case, unless you work in the service industry. How much of a developer's job is writing code? A lot less than you think. Employees spend a massive amount of time communicating with other employees, via meetings, emails, Slack chats - can AI replace this? Maybe all that communication is wasteful and inefficient? Could be, but for every job AI supposedly replaces, it becomes someone else's job to manage that AI agent. Does all of middle management become expert prompt engineers, or do they also disappear with no employees to manage?
Assumption #3: Jobs aren't already being replaced. They are, they're just not terribly visible jobs. That contractor your marketing team was using to build blog/SEO content? He's probably gone. The in-house or contract graphic designer? Probably gone. There's a whole swath of jobs out there, where quality isn't very important, but work needs to be produced, and those jobs are being actively replaced with generative AI. With that said, I don't see any full time jobs that require quality work and a lot of communication with other employees getting replaced. Yet? Ever? That's the question.
The Enterprise News
In this week's enterprise security news,
- Not much interesting funding to discuss
- Securonix acquires ThreatQuotient
- Cellebrite acquires Corellium (that sounds a lot like a rock bought a stone or a gem or something)
- Yet another free vulnerability database
- ChatGPT can now clandestinely record meetings
- Threat detection resources
- a VERY expensive Zoom call (for the victim)
- Should we stop using SOC2s?
- Should we give up on least privilege?
- How much did it cost to change HBO to HBO Max, then to Max, then back to HBO Max?
Dave has 30 years of industry experience. He has extensive experience in IT security operations and management. Dave is the Global Advisory CISO for 1Password.
He is the founder of the security site Liquidmatrix Security Digest & podcast. He is currently a member of the board of directors for BSides Las Vegas. Dave has previously worked in critical infrastructure for 9 years as well as for companies such as Duo Security, Akamai, Cisco, AMD and IBM. Previously he served on the board of directors for (ISC)2 as well as being a founder of the BSides Toronto conference.
Dave was a DEF CON speaker operations goon for 13 years. Lewis also serves on the advisory board for the Black Hat Sector Security Conference in Canada and the CFP review board for 44CON in the UK. Dave has previously written columns for Forbes, CSO Online, Huffington Post, The Daily Swig and others.
For fun he is a curator of small mammals (his kids), plays bass guitar, grills, and is part owner of a whisky distillery and a soccer team.
Adrian Sanabria
- FUNDING: Courtesy of the Security, Funded Newsletter, Issue #199 – The Model Weights Are Off
First, interesting fundings!
- Fleet raises a $27M Series B, led by Ten Eleven Ventures. Fleet is a device management product that bucks the norm in some good ways.
Next, interesting acquisitions!
- Securonix acquires ThreatQuotient. The deal amount wasn't disclosed, but ThreatQuotient raised a total of $89.6M, while Securonix's last round was around $1B. I can't really think of any good, recent comps for this one.
- Cellebrite acquires Corellium for $170M. Corellium, best known for its legal battles with Apple, has clear value to Cellebrite. Cellebrite sells tools that use exploits to get into various mobile devices, and Corellium's product (virtualized mobile devices for research) helps to streamline the process of finding those exploits.
- NEW TOOLS: CVE search – Vulnerability Database, from Wazuh
- NEW FEATURES: ChatGPT now includes a meeting recorder
Careful what you say in meetings, the apps have ears!
- Currently, this only exists in the macOS desktop app
- There's no way for other parties to know you're recording
- There are a ton of other tools that do this as well, Notion and Krisp.ai, for example
- You can disable it for your Edu, Team, or Enterprise workspaces (more info on that here)
- DFIR: Prosecutors drop case against Knoxville man accused of taking part in 2021 ambush of Austin-East students
I'm baffled that it took 4 years to hire a forensic expert to pull location data off the phone. Also, why didn't they just subpoena his mobile provider for cell tower logs? It seems insane we almost jailed someone for attempted murder when a routine DFIR operation confirmed his alibi.
- DFIR: An excellent list of threat detection resources from Alex Teixeira
- HACKING: The $200,000 Zoom call
A crazy hack - I'm surprised we don't hear about scammers using this approach more often.
- ESSAYS: 99% of AI Startups Will Be Dead by 2026 — Here’s Why
He argues that most AI companies are just thin wrappers around a base model/service (e.g. ChatGPT) and a HUGE markup.
Ironic Twist: The author is selling a product that looks a lot like a wrapper, even if it does use a local model.
- ESSAYS: Does the SOC 2 need to die?
TL;DR - he thinks industry-specific frameworks are more appropriate and effective.
Some more of his thoughts here: https://www.linkedin.com/pulse/15-things-i-hate-soc-2-rant-aj-yawn-oln4e/
- HOT TAKES: Least Privilege is Dead, from Kevin Paige
- SQUIRREL: How much has it cost HBO MAX to annoy you with branding changes?
A LOT, it turns out.