Cyber Asset Inventory Risk Management

Patrick Spencer (00:01.641)

Hey everyone, welcome back to another episode of, let’s try that again. Oh, everyone, welcome back to another episode from Kitecast. Tim, my co-host is Duane Mead. Tim, how are you doing today?

Tim Freestone (00:15.038)

I’m just fine, Patrick. How you doing?

Patrick Spencer (00:17.477)

I’m doing well, thanks. Well, we have a real treat today. We have Huxley Barbie who is joining us. He is the security evangelist over at RunZero, serves also at the same time as an organizer at B-Sides New York City. Prior to RunZero, Huxley has held a number of leadership roles in cybersecurity at Fortune 500 companies like Cisco, fast growth startups, IPO startups like Datadog.

Uh, he has a couple of master’s degrees, uh, one in risk management from Queens college, another in applied mathematics from, uh, my neck of the woods at the university of Washington. Uh, it’s going to be an interesting conversation. Uh, every time we talk to someone new on the Kitecast, him, it seems like we get a new fresh angle on cybersecurity and compliance, and I’m sure Huxley is going to give that to us. So Huxley, thanks for joining us.

Huxley Barbee (01:06.286)

Thank you.

Huxley Barbee (01:11.423)

Thank you for having me. Happy to be here.

Patrick Spencer (01:14.381)

Uh, well, let’s start by talking a bit about your, your latest role over at RunZero. You know, what’s RunZero do? Some in our audience may not be familiar with you guys, uh, and talk a bit about your role over there.

Huxley Barbee (01:26.582)

Yeah, so RunZero is a cyber asset attack surface management solution that is any organization’s first step in security risk management, in particular, by using the comprehensive security visibility that RunZero provides to help organizations understand their exposure for exposure management. And the way we do this is through a number of different approaches, but not only we combine

Patrick Spencer (01:53.057)

Free for you Tim? Yeah. Oh Huxley you’re frozen.

Tim Freestone (01:53.194)

We lost him. Yeah, we lost him.

Huxley Barbee (01:56.798)

unauthenticated active scanning, API integrations, and also passive discovery.

Patrick Spencer (02:01.945)

We got to do that one again, I think actually because we lost you sort of in midstream So I’ll go back

Tim Freestone (02:08.434)

Might be your internet connection is a little clunky. You’re now you’re now you’re blurry.

Huxley Barbee (02:13.546)

Is that right? Umm… Hmm.

Patrick Spencer (02:16.205)

Let’s see how he’s.

Huxley Barbee (02:18.094)

I got full, maybe if I switch to this other one, one second.

Patrick Spencer (02:24.621)

It allows you to do a couple setting changes, so let’s see.

Patrick Spencer (02:31.818)

might help.

Huxley Barbee (02:38.602)

Hey, is this better? I’m trying a different access point. Hopefully that does the trick.

Tim Freestone (02:41.419)

Yeah.

Patrick Spencer (02:45.621)

Yeah, let’s try. And why don’t we just start from the top. It’ll be easier to probably edit together and it’ll be more seamless. So.

Tim Freestone (02:46.722)

Let’s try that again.

Tim Freestone (02:52.607)

Yeah.

Patrick Spencer (02:54.409)

Hey everyone, welcome back to another episode of Kitecast. I’m joined by my cohost, Tim Freestone. Tim, how are you doing today?

Tim Freestone (03:01.642)

Good. How you doing, Patrick?

Patrick Spencer (03:03.509)

Doing well. We have a real treat today. Huxley Barbie is joining us. He is the security evangelist over at RunZero. He’s going to tell us a bit about the company and what they do there in a really unique space, which we’ll get to here in a second. He also serves as an organizer at B-Sides NYC. We, I don’t think we’ve talked much about security events and how you organize and put them together. How do you get papers presented or accepted that you want to present at the conferences?

He’s going to be able to talk a bit about that. Prior to Run Zero, Huxley has held a number of leadership roles in cybersecurity at Fortune 100 companies like Cisco. He spent, I think about 11 years there. Uh, at fast growth, growth IPO companies like Datadog. He has a couple of master’s degrees, one in risk management from Queens College. Another one in applied mathematics from my neck of the woods over at the University of Washington. Huxley, thanks for joining us today.

Huxley Barbee (03:59.198)

Thank you for having me. Happy to be here.

Patrick Spencer (04:02.101)

Looking forward to this conversation. Not everyone in our audience may be familiar with what you guys do over at, uh, run zero. Why don’t we start there? Uh, give us, uh, an overview of what the company does. What problem are you trying to solve in the marketplace?

Huxley Barbee (04:18.366)

Yeah, so Runzero is a cyber asset attack surface management solution that is any organization’s first step in security risk management. And we do this by giving you comprehensive security visibility to help you understand your exposure. And we do this in a unique way because we combine authenticated active scanning, passage discovery, and, uh, and, and API integrations. And that’s, that’s sort of like a little bit of the marketing description. Like what I like to say is we tell you about all the stuff on your networks.

that you have to protect, and we tell you what’s bad on those networks, and then we help you do something about the badness on the networks.

Tim Freestone (04:57.738)

I like the boil it down to the third, third grader approach. That’s actually the marketing message for you right there. I, let me, let me ask you, like three or four years ago, I think I was having some conversations with a company called Randori and they did a tax surface management. They were acquired by IBM. Is that a similar thing? You just tacked on cyber asset in front of the ASM part. What’s the deal there?

Huxley Barbee (05:05.666)

Hehehehe

Huxley Barbee (05:16.63)

Mm-hmm.

Huxley Barbee (05:25.482)

Yes, so Randori and its similar companies, what they do is they strictly focus on the adversary’s view of an organization, right? So just from the outside. Whereas with a cyber asset attack service management solution, you are also looking at the inside. Or what I should say is most cyber asset attack service management solutions only look at the inside.

Tim Freestone (05:37.181)

Oh, that’s right.

Huxley Barbee (05:54.27)

Runzero is one of the few that actually contextualizes all of your devices based on whether it’s on the internal attack surface, external attack surface, cloud attack surface, mobile attack surface, and so on and so forth.

Patrick Spencer (06:06.965)

So does that address this concept of third party risk management? If you’re looking at some of those devices on the outside, I believe that’s the case based on what I read on your website.

Huxley Barbee (06:16.586)

That is one of the use cases. There are customers that use RunZero to help them understand a target prior to a merger and acquisition, prior to a partnership with them. So you’re trying to understand your third party risk. And then finally, which one that everybody forgets is divestitures. When you let go of a company, you wanna make sure that the new segmentation controls are in place. How do you verify that? Well, you need to understand.

your internal attack surface in that case.

Tim Freestone (06:49.602)

Hmm. Got it.

Patrick Spencer (06:52.545)

How do you define assets? You know, that I think might be helpful to our audiences. Assets can mean a number of different things. I know one area that you’ve spoken about quite a bit this year actually at several different conferences is focused on IoT devices. Blast from the past for us, Tim, right? We’re over at Fortinet, but it’s more than IoT. It’s, you know, what are you talking about when we say assets?

Tim Freestone (07:09.292)

Yeah.

Huxley Barbee (07:15.486)

Yeah, so an asset is a compute device. Plus all of the related attributes that security teams care about and those related attributes include the hardware, the software, the services, the security controls, the owners of those assets and a few other items.

And this is different from what is traditionally considered an IT asset. Right. Cause like I said before, you’re talking about the details that the security teams care about on the IT side. And they don’t necessarily, certainly care about vulnerabilities, right? Which is something that we would include, um, in, in what is an asset, right? Vulnerabilities as well as insecure configurations, the IT side, they don’t care about those details as much, but they might care about replacement cost.

for licensing, right? And so on the IT side, that’s more important. Not as much on the security side necessarily, right? So it’s an as a compute device, any compute device, any that could be in the cloud, could be IOT, could be OT, any compute device plus all the details that concern security.

Tim Freestone (08:31.842)

Do you include people into that one? Into that, uh, Mm-hmm. Okay.

Huxley Barbee (08:34.43)

Yes, as part of ownership. As part of ownership. So that’s of the seven types of details that security teams care about, people is included in ownership. And when we say owner, this could potentially mean the person that’s responsible for that device, like the IT person that’s responsible for it. But it could also mean the most recent logged in user. That’s also a type of owner of a device.

Patrick Spencer (09:00.909)

So IOT is kind of an interesting topic and you’ve presented a couple of conferences this year on that topic and your tool is used to identify IOT devices. It’s been a couple of years, as I mentioned, since Tim and I spent a lot of time dealing with IOT from a cybersecurity and marketing standpoint. But what’s happening in that space? Is the risk getting greater? Is it being minimized with some of the cybersecurity capabilities out there? Where are we at right now?

Tim Freestone (09:00.94)

Um.

Huxley Barbee (09:30.638)

So I’ll talk about IOT and OT separately. IOT things are getting… Do I just want to say worse? Yeah, let’s just say worse, right? Because the proliferation of IOT devices is, I would say, increasing at an increasing rate. And so there’s just getting to be more and more of that, right? Do you have any friends that do not have an IOT device in their house anymore? Like that’s, you know, it’s hard to find these days.

Everybody has a smart speaker or an IP camera and so on and so forth. So because that attack surface is growing and it’s not being managed, things are getting worse on the IOT side. On the OT side, what we’re seeing is a trend that sort of started in 2005 where these, you know, what, what CESA calls critical infrastructure and key resources, these type of environments, OT, ICS environments that were traditionally air gapped started.

becoming connected to the IT side, started getting connected to the networks and indirectly connected to the internet such that the adversary from some far away country can now have access to the water treatment facility and peoria and things like this. And because these OT networks are traditionally air gap,

a lot of the same sort of innovations that we’ve had on the IT side in terms of security, ADR, vuln scanning, all these types of things, never transferred to these OT environments. And so you’re looking at like, you know, Marty McFly back to the future type of security, level security maturity, and all being exposed now to the adversary somewhere else. And well, I’m just like that trend of.

Tim Freestone (11:22.69)

Yeah, my sense… Oh, sorry, go ahead.

Huxley Barbee (11:27.282)

Overlaying OT on top of IT or convergence of IT and OT just it’s just going to keep getting worse

Tim Freestone (11:32.982)

Yeah, my sense here is as far as the doomsday scenario of cybersecurity, right, is that’s where it most likely will take place. I mean, a lot of the threats and thefts that’s happening right now, for the most part, at least once we’re getting media coverage is around theft of personal information, ransomware, and then the corresponding.

legal implications and the cost of those breaches to companies. But that’s all related to essentially theft or procurement and holding of personal information, which only goes so far on a global scale in terms of impact. But you start taking down power plants, water supplies, things like that. This is where the threats to…

or the cyber threats really start to impact global economic and just general human existence. Where are you on this? So I’ll get to my point. Where are you on the doomsday scenario of cybersecurity having done this for 20 years? You see it getting closer and closer. Are you more scared every day you wake up? Are you more hopeful? Where’s your head at on this?

Huxley Barbee (12:59.07)

I am not yet more hopeful. Actually, let’s just say, I’m not hopeful for the immediate term. I’m hopeful for the longer term. Because at some point, at some point the business side of these organizations aren’t gonna come around and put in the investment that is required and take heed of the advice of their security teams that’s necessary. I remember recently I was at a conference and

Tim Freestone (13:01.898)

You can wait about it.

Huxley Barbee (13:28.634)

this lady was speaking to me about some of the challenges that she’s having at her organization. And I was in Calgary, right? So you got to imagine lots of oil, gas, energy. And she worked at one of these companies and she was having such a challenge to get the business to understand that she needs to patch devices, right? And I don’t think she was insisting that you patch everything, right? Because if you look at the larger risk management matrix, sometimes you accept risk, sometimes you avoid risk, sometimes you transfer risk, right? So I don’t think she was

Tim Freestone (13:37.614)

Mm-hmm.

Huxley Barbee (13:57.938)

saying like, we have to go patch absolutely 100% everything and eliminate 100% of all risks, which we all know is not practicable. But she was having challenges just getting them to allow her to patch anything. And so at some point, I hope over the longer term, these organizations come to grips with this idea that you need to include security as part of your business model.

Tim Freestone (14:26.686)

And she was having challenges probably just because of budget, I’d imagine. Like they just didn’t want to spend the money on that.

Patrick Spencer (14:33.513)

Maybe not enough resources.

Huxley Barbee (14:34.262)

No, I mean these are these are very well funded organizations, right?

Tim Freestone (14:39.054)

But then what would be the outside of that? Just ignorance and not caring or?

Huxley Barbee (14:44.562)

It’s downtime. Right? These organizations, they lose money when they have downtime and many of them are critical infrastructure. And so they’re highly regulated and downtime, unplanned downtime is cause for fines and penalties. Right? If you’re an electrical utility and then you have unplanned outage, you will be investigated.

Tim Freestone (14:46.318)

Oh, please miss that one.

Huxley Barbee (15:13.89)

by your respective government and potentially will be fined. And so they want to avoid outages at all cost.

Tim Freestone (15:21.802)

And any type of outage, even if it’s internal for the.

Huxley Barbee (15:29.698)

So there’s the issue of having an outage because you’re losing money, right? It’s also that there’s this concern that, hey, if we do an update or a patch, what happens to that device? They’re highly allergic to any sort of outage. And so if you have a bad update or a bad patch

causes extended downtime, that is cause for concern for them to just avoid doing anything that you’re suggesting.

Patrick Spencer (16:10.073)

No, that makes a lot of sense. Tim’s going to be back. His microphone decided to do an update and restarted his computer. How much for needing to patch, I think, right? An unexpected patch. You brought up an interesting point about, you know, fines and penalties. When it comes to asset management and managing all those patches and so forth. Where, you know, Tim and I talk a lot about.

Huxley Barbee (16:16.118)

There you go, and he’s having an outage right here. Yeah.

Patrick Spencer (16:37.185)

data security and compliance, with all the regulations that are out there, whether it’s HIPAA, particularly in the data privacy space or GDPR, CCPA and so forth. But then you have others that are focused on the security space like NIST and other frameworks that are used to measure your security. Do you see us headed in the direction of…

of compliance being used when it comes to managing your assets, where you need to demonstrate certain things to comply with different, and we’re probably already there with certain regulations today, but where do you think we’re at and where do you think we’re headed on that front?

Huxley Barbee (17:16.238)

So definitely compliance is a, I hate to say this, but it’s actually a great thing for security, right? Because let’s say you’re a CISO, right? How do you get budget? One way is through charisma, right? You’re just like, you’re that person and you can rub elbows with all the execs and then you’re able to get the funding that you need. The second way, which I’m sure you’ve all heard this, like never let a good breach go to waste, right? Every…

Tim Freestone (17:29.765)

Hehehe

Patrick Spencer (17:30.859)

Hehehe

Patrick Spencer (17:34.889)

I’m in trouble then.

Tim Freestone (17:36.265)

system.

Huxley Barbee (17:45.282)

Good CISO knows how to leverage that breach. I’ve heard some CISOs talk about how they are, they typically already have a plan set out for the things that they’re going to ask for. They sort of like, they can model in their minds like where the next breach might come from. And then they create a list of things they wanna buy or invest in based on that threat model. And so, when it does happen, they just pull it out of their drawer or file folder and just.

Tim Freestone (18:06.868)

Sure.

Huxley Barbee (18:14.538)

Add in a few details that are necessary to make it relevant to this particular breach and then boom, there it is. And they want to get this done within about 72 hours of the breach. So that’s methodology number two. The third one is compliance, right? In which case the CISO doesn’t really have to say anything, just say like, yo, government says so, or our insurance company says so, or let’s say we’re subsidiary and the parent company says so. There it is. It’s not me.

I’m not being the bad person here. We’re just gonna have to do this and we need this amount of investment. So compliance is great. It’s a boon. It’s a boon for security. And certainly the universe is helping security teams by creating more and more regulations and reasons for compliance, right? So on the federal side, CISA last year released BOD2301, which requires compliance in terms of asset inventory and things like this. The New York,

Department of Financial Services has an updated version of their regulation for financial institutions where there’s certain new requirements that are taking effect in the middle of 2024. Things to look forward to next year. So yeah, there’s just more and more compliance. It’s definitely a forcing function for security teams in the work that they do, for better or for worse.

Patrick Spencer (19:41.533)

You mentioned 2024, we publish an annual forecast report with some predictions about what sort of it’s nostalgic look back on what happened the prior year. Those are obviously in some instances anyway, going to continue in the coming year, but it’s also, you know, things that we see trending solutions that are going to help address some of the problems that we’re seeing take place in the marketplace. And what are a couple of things that you see coming up in 2024 that organizations, cybersecurity or compliance should be

watching.

Huxley Barbee (20:14.542)

So we are going to continue to see new vulnerabilities in the wild that just boggle the mind, right? 2023 we had Move It, which seems to have affected just about every government organization, every university and their ramifications in terms of HIPAA and other regulations that are just going to continue for the months to come. It is.

Huxley Barbee (20:46.344)

It is not beyond the stretch of imagination to say that there’s going to be another big vulnerability coming in 2024. Right? So we didn’t move it. The year prior we had a lot for Jay. Like there’s going to be another one. Right? This it’s going to happen and the impact is going to be big and we’re all going to be scrambling around. And not because we didn’t see it coming. Right? Because Klopp, who exploited Moveit,

had exploited Exelion and was it Go Anywhere MFT? Just like, you know, some months before they did the same thing with Move It. So it’s like, it’s not as if we don’t know that it’s coming. It’s actually coming. But it’s gonna happen and we’re just, security teams are just overwhelmed with everything else that this sort of proactive approach to securing an environment. It’s just difficult. It’s difficult to do.

So that’s definitely one. And then the other one I would say is definitely more supply chain shenanigans for sure. And I’m not talking about like new supply chain infiltrations, like injection of code into CI-CD pipelines. I’m talking about the malware that was injected into CI-CD pipelines this year or the prior year coming to light, right?

Patrick Spencer (22:07.549)

Interesting.

Huxley Barbee (22:08.533)

in 2024.

Tim Freestone (22:09.584)

Yeah, they do tend to hang out for, keep a low profile for six months to a year, just making sure they’ve got all the trip wires known before they start the, the event, right?

Huxley Barbee (22:12.67)

Yeah, yeah, there’s like a.

Huxley Barbee (22:22.91)

Yeah, there’s a certain latency to it, right? In terms of supply chain attacks. I mean, just 2023, there was a new vulnerability in Team Cities, which is a CI-CD software that came from JetBrains, which is a very popular IDE. And they had 30,000 customers, and I think 80% of the Fortune 100s use JetBrains, and potentially Team Cities as well. And…

The moment the vulnerability was published, not everybody was patching. And it was disclosed later that Lazarus Group and some other folks from North Korea were already leveraging that vulnerability to infiltrate Team City’s instances that were boggles of mind that were exposed to the internet. And which like, why is an internal development server exposed to the internet, but like that’s a question for another time. So we don’t know.

Tim Freestone (23:14.257)

Mm-hmm.

Huxley Barbee (23:22.678)

what these groups have done with that team city’s vulnerability, how they’ve leveraged it and what exploits they might have injected into the software of these various organizations. And so maybe 2024, maybe 2025, we’re going to find out. It’s just, you know, that’s sort of gift that keeps on giving.

Tim Freestone (23:40.593)

Yeah.

Patrick Spencer (23:40.945)

Is part of the answer understanding the vulnerabilities that are out there as they’re being published, right? In the CVE database from CISA, but also understanding your assets and which ones are patched, which ones aren’t, which ones pose the greatest risk. And is there a way to build a risk scoring model based on those two factors?

Huxley Barbee (24:03.146)

Yeah, yeah, absolutely. I mean, you gotta first start with a comprehensive asset inventory of all of your assets, as I mentioned before, but then you layer on top of that information about vulnerabilities, as well as insecure configurations that exist on those devices. And then if you then coalesce that information into the context of your attack surface, now you have something measurable that you can work towards.

to reduce your exposure, right? So know what you have, figure out what’s bad, and then understand how that looks in terms of a big picture, and then you add a metric to it, and then you can measure this goal of trying to reduce your vulnerabilities and your insecure configurations on that attack surface. And I’ll add, insecure configurations is often, very often overlooked, and this is like the easy thing.

And there’s not like a CVE associated with them. I’m talking about like, you got Telnet left open. You have a web service that has an expired certificate. You have a remote desktop protocol exposed to the internet. There’s no CVE for this. It’s not as if somebody at a vendor company like wrote bad code, insecure code, and now you’re running it. That’s just you. Or somebody in your company like misconfigured this device or that software.

Tim Freestone (25:04.837)

Right.

Huxley Barbee (25:31.414)

to allow that insecurity, right? So this is very important too. And oftentimes I feel like, you know, the media that we all watch are always heavily focused on the new O-Day or like what this APT is doing and not really focusing like the really simple things that make the adversaries life really, really easy, but is also really easy for you to mitigate. And that doesn’t get enough attention in my mind.

Tim Freestone (26:00.44)

Yeah, I’d agree with that. And oftentimes it comes down to just people being the weakest link in these systems. And so, you know, it’s like, when you look at what you, what you do at your company with cyber asset, attack surface management, what other layers do you talk about in, in your conversation with CISO on top of what you do? Like, is there a stack? It’s like, this stack will, with us included, we’ll get you about as lower risk as you could possibly imagine. Or.

Huxley Barbee (26:06.86)

100% yes

Tim Freestone (26:30.052)

Is it just different every time?

Huxley Barbee (26:33.15)

Well, every company needs good asset inventory and every week, every company needs exposure management. Like every company needs to understand their vulnerabilities and their insecure configurations. So there’s always going to be variations in the conversation because every organization is different, right? Some have OT environments. Some do not have an OT environments. So the nuance of these things that I just said is going to vary, right?

Tim Freestone (26:57.532)

No, I guess what I’m asking is like, you know, asset management, attack surface management with cyber assets is one, then you layer on identity access management. Oh, and you also need to layer on, uh, IAS and SAS tools. And you also need to layer. Like what are the, is there a pre is there a, um, a layering of architecture that you kind of go in as a best practice with you included?

Huxley Barbee (27:07.627)

Mm-hmm.

Huxley Barbee (27:25.506)

Not necessarily because good comprehensive security visibility is basically the bedrock of any security program. And so no matter what that security stack looks like, we’re going to be at the bottom of it. You’re going to need us in order to support everything else that you’re doing.

Tim Freestone (27:34.781)

Mm-hmm.

Tim Freestone (27:46.396)

Hmm. I see. Makes sense.

Patrick Spencer (27:47.341)

Hmm. Interesting. We haven’t talked about content, Tim. We want to turn a little bit in that direction.

Tim Freestone (27:54.116)

Yeah, I mean, the one piece, yeah, the one piece I was thinking about with the supply chain, so it’s often spoken about in context of code and, um, when you get down to it, code is just a file that moves and it’s content and, you know, they’ve embedded malicious code and malware into that file and the content. But there’s a ton more content moving down the digital supply chain between.

Government and you know you think about like CMMC and the defense industrial base They’re not just exchanging codes, but I reckon probably not exchanging very much code. They’re actually exchanging Information and content in other formats and malware can get injected into just about any sort of content that moves Do you do you have conversations with other parts of the supply chain? Are there other conversations related to the supply chain beyond just?

Code and security do come companies realize that all content moving is a vector of entry

Huxley Barbee (29:00.462)

I don’t know if everybody thinks down to that level of granularity because I want to say a very high majority of organizations are still working on the basics. Like basics like, let me make sure I have EDR on all of my devices. Let me make sure I’m vuln scanning everything I should be vuln scanning. That type of thing. That type of treatment of…

Tim Freestone (29:05.468)

Mm-hmm.

Tim Freestone (29:12.57)

Yeah.

Tim Freestone (29:17.368)

Yeah. I got that one. That was cool.

Huxley Barbee (29:29.058)

how the data flows and whether that data is flowing to the right folks in a secure manner, I think is a type of sophistication that you would find on the higher end of the CMMC. And most organizations are nowhere close to that. Like maybe NASA, but like, you know, most organizations are not anywhere near that.

Tim Freestone (29:42.983)

Yeah.

Tim Freestone (29:52.988)

We can confidently say NASA is their client horse. Yeah. I it’s, it’s just a matter of time. It’s, but I hear you that, um, oftentimes the conversations are exactly what you just said, which is, do you have detection or response?

Huxley Barbee (29:56.262)

Okay, there you go. Yeah, plug for y’all right here.

Huxley Barbee (30:12.927)

Yeah, in this.

Patrick Spencer (30:13.185)

They think about their assets, they think about their vulnerabilities, what’s past what is, I think, the biggest threat. And they forget about their content.

Tim Freestone (30:16.572)

the network, the applications, all that stuff.

Huxley Barbee (30:20.026)

Yeah. And the smaller the organization, the worse it gets. Like I have a buddy who is, uh, has a consulting organization that focuses on SMBs and they’re, they’re right at the bottom there where they’re just trying to get backups working, right? Cause they’re afraid of the next ransomware.

Tim Freestone (30:34.738)

Yeah.

Tim Freestone (30:38.236)

Yeah. I mean, we were, we had a conversation with a CISO of a large municipality to go unnamed and they were still figuring out how to put a sim in, you know, like alerts and notifications and things like that. And I was just like, holy.

Huxley Barbee (30:53.382)

I would say that’s medium level sophistication already. There’s still mom and pop shops that have just nothing. Where they don’t even have a security team, they might have a part time IT person, and they don’t necessarily even realize that the adversary is already on their network. They just think that the network is slow.

You know what I mean? Actually, you’re part of a botnet, but the ramification to you is, oh, my network is really slow, I don’t understand.

Tim Freestone (31:24.846)

Yeah.

Tim Freestone (31:33.424)

Yeah.

Patrick Spencer (31:35.585)

So you’ve been involved over at B-Sides for a few years now. One, our audience, not everyone may be familiar with them. There’s a bunch of events that take place in various locations every year. So tell us a little bit about B-Sides to begin with, and then speak to how you got involved.

Huxley Barbee (31:55.278)

Sure. So I think everybody’s familiar with the big ticket business side conferences like RSA and Black Hat. But I think most folks are also aware that there are community based conferences, right? DEF CON being the most famous one, very community driven, a little bit detached from the corporate side of the cybersecurity industry. And

B-Sides is a framework for these types of community-based security conferences. There are others that are outside of B-Sides, right? There’s Blue Team Con, there’s GRRCon, and so on and so forth. They’ve been here, been around for a long time. SummerCon is another one. They’ve been around for a long time, very community-driven. But B-Sides was built as a framework for these types of community-based conferences.

And it started with B-Sides Las Vegas, and it has now expanded to hundreds of security conferences throughout the world. You will find a B-Sides conference, and I think, you know, let’s say 75% of countries, I’m guessing on that one. And B-Sides New York City happens to be the New York chapter, if you will, for B-Sides. And these types of conferences, like I said,

very community driven, so it’s more about the practitioners showing up to share information with each other and they tend to be very technical as well. So like technical community driven conferences.

Patrick Spencer (33:38.061)

interesting. Now you.

Tim Freestone (33:38.852)

And technical on the cybersecurity side, so like IT or security architects, things like that, or is it, does it bleed into developers, both?

Huxley Barbee (33:49.062)

There can be some AppSec talks as well, but they’re gonna be technical as well. Like you’re gonna see a lot of code being shown in these presentations or live demonstrations of something that somebody wrote and put up on GitHub and that type of thing. What you’re not gonna find is product pitches, right? Which you have at Black Hat and RSA and things like this. It’s gonna be like some tool that somebody wrote.

Tim Freestone (33:56.475)

Mm-hmm.

Tim Freestone (34:06.717)

I think.

Tim Freestone (34:13.426)

Right.

Huxley Barbee (34:18.854)

or some methodology that somebody came up with, or some insights that somebody found about this particular system that they’re trying to compromise things along those lines, like, Oh, here’s a new exploit for like Google workspace or something like that. And, but, you know, not no product pitches because that’s just not the type of conference that, um, besides our, or any, any other community driven conference for that matter.

Tim Freestone (34:45.236)

Sure.

Patrick Spencer (34:46.805)

In your role, you help organize the local New York City chapter. What’s your involvement there?

Huxley Barbee (34:54.803)

I am the lead organizer at B-Size New York City, yes.

Patrick Spencer (34:58.689)

I see. Now you have a lot of experience. You know, we have some folks listening to this who want to present, maybe they presented at conferences in the past. You’ve presented at a bunch and I think you’ve done a little bit of commentary on your social channels about how do you put together a winning proposal for one of these events so your proposal is accepted as a presentation. You know, what recommendations do you have on that front?

Huxley Barbee (35:15.13)

Mm.

Huxley Barbee (35:24.926)

Yeah, so, and for those of us who are like, you know, very geeky and very much behind the screen, it’s actually, could potentially be a big challenge. But you really want to think about what the CFP selection committee is seeing in what you’re submitting, right? You’re going to be submitting a title. You’re going to be submitting the abstract. Most conferences don’t

ask you for like slides ahead of time necessarily. But you wanna make sure that the abstract in the title is one, understood, and two, like has relevance. It could be interesting to somebody, right? Doesn’t have to be interesting to everybody, but it should be somebody. And I see from the submissions to our conference, a lot of folks don’t take the time.

to put themselves in somebody else’s shoes. Right, it’s not in the shoes of somebody like out on the street, it’s in the shoes of somebody who potentially understands what you’re doing because they’re also a security practitioner, right? So one thing about these community-driven conferences is it’s all volunteer. We do not get paid for any of the work that we do. So this is on our own free time that we’re reviewing your submission, your abstract. And so you wanna make it easy for us. You wanna make it easy for us, we need to be able to understand what you just wrote.

Like I was reading this one abstract and…

And I spent time deciphering what they said. And all I could tell was something like botnets are bad. Um, botnets rely on the operating system that they run on. And then I forgot what the third point was, but it was, it was equally like. Unimpressive in terms of like me understanding the point. And I just had no idea what they were doing. Like, what, what are you trying to convey here with this point? I have no idea. Um, and, and the title was, was just as cryptic. And so.

Huxley Barbee (37:26.198)

Like we never really considered it because what are we considering? Like I had no idea. So just, you know, because, because the submission requirements are so small, right, you’re not submitting your bio, like, you know, extended, like documentation of what you’re presenting. It’s really just the title and the abstract. Take, take the five, 10, 15 minutes to, you know, make sure that it’s going to be understood and it has some relevance to, or interest to the person, to the people, you know, to your peers.

Maybe ask a friend to read it and say, hey, what do you think about this? You know, a little bit of QA on that, on the two paragraphs that you wrote. And already you’re good, yeah. Well, yeah, I mean, it is to a certain extent, some sort of marketing, but you know, as is important in marketing, understand who your audience is and make sure that you’re understood by them, right? So that’s the number one advice I have.

Patrick Spencer (38:03.669)

Sounds like Mark.

Tim Freestone (38:05.104)

Yeah, it does sound like one.

Huxley Barbee (38:24.542)

other things that I can say, but that’s probably number one.

Tim Freestone (38:27.688)

So that’s advice on that topic. I have a more philosophical question around what advice you would give. The next generation of cybersecurity professionals. If you could give one piece of advice, what would it be to them? What are we at? Gen, what’s after Z? So Gen Z and after.

Patrick Spencer (38:27.971)

I’m sure I’m able.

Huxley Barbee (38:35.246)

Mm-hmm.

Huxley Barbee (38:54.559)

I don’t know.

Tim Freestone (38:54.564)

that are thinking a career path here. What advice would you give?

Huxley Barbee (38:59.32)

Hmm

Tim Freestone (39:00.532)

It’s a tough one, right? Find another provider here. It’s a tough one.

Huxley Barbee (39:02.27)

Yeah, you know, and the thing is, you know, when we all got started, it was a different world, right? There were no, there was no term blue team, red team. It was just like you were a hacker, right? Even if you’re doing defense, you were a hacker. And there weren’t like all these certifications either, right? Like those all came later. And so it was just like you, you know, tinkering in your craft and getting better at it and getting to know other folks. And

Tim Freestone (39:08.692)

Mm-hmm.

Huxley Barbee (39:31.818)

and sort of growing in that way. And nowadays it’s like there’s like boot camps and certifications and all this stuff. So I don’t know if my advice here is relevant in the current world. Like maybe I’m too old for this, but I have done a number of career coaching calls in the last like.

Tim Freestone (39:48.508)

Hahaha.

Huxley Barbee (39:58.61)

year or two, like people reach out to me on LinkedIn and say, like, can I talk to you and about, about getting into cybersecurity or like, what should my next steps be? And I feel these calls. One thing I’ve noticed from these folks is the lack of attention or care for the networking part of it. Like they’re all, they’re all on try hack me. They’re trying to get to 1% and try hack me, or they’re on hack the box.

Tim Freestone (40:19.89)

Why not?

Tim Freestone (40:23.944)

I see.

Huxley Barbee (40:24.854)

So they’re working on that and they’re studying for the certification, that certification and.

Tim Freestone (40:29.148)

It’s not interesting enough, the network. It’s not fun enough, right?

Huxley Barbee (40:33.05)

I don’t know what it is or maybe it’s just like everybody’s shy. Like, you know, think about the people who gravitate towards like sitting behind the screen looking at logs all day, right? Like we’re not the folks that like, uh, go out there and, and really showcase our charisma, like I guess those folks become CSAs maybe, but, um, so that I’ve noticed is, is the, the lack of networking and the

Tim Freestone (40:57.528)

Oh, that type of networking. Gotcha. Yeah. The, I’m sorry. I’ve mixed it up with like the network of your.

Patrick Spencer (41:01.885)

and was remembering his days at Fort Worth.

Huxley Barbee (41:03.022)

Oh, oh, yeah. Yeah, you know what? I have something to say about that too, because I find that other folks who are like, focus on the skills and the knowledge on the security overlay to basic networking, not necessarily having the basics of networking. Like, I meet people who don’t know how to subnet, but are trying to do security work. And it’s like, ugh, I don’t know. Maybe the world’s changed, but I feel like.

Tim Freestone (41:29.278)

Mm-hmm. Mm.

Huxley Barbee (41:32.842)

Knowing how to subnet is that like a really basic skill that you should probably master before you do anything else. But yes, people networking is something that I find that a lot of early in career seem to not focus on and they should probably focus on it more because you could try as hard as you want on that resume. Sometimes it’s just will not get past the recruiter because you don’t have the right acronyms to raise the alarm that you’re a good candidate.

Ultimately, your ability to network will pay dividends, maybe not tomorrow, but in five to 10 years, absolutely. But yes, also learn networking. That’s also very important.

Tim Freestone (42:06.673)

Yeah, sure.

Tim Freestone (42:14.34)

Yeah. Capital in, yeah.

Patrick Spencer (42:16.781)

That your background is quite fascinating. You, you know, speaking to your advice that you have from a career standpoint, you have two master’s degrees, one in risk management, which makes sense, you know, that’s the other one makes sense, but is an interesting combination of mathematics. And you did some studies at University of Illinois, I think some studies at Berkeley, and then you finished it up at UW, you know.

Tim Freestone (42:18.096)

Yeah, I think that’s good.

Huxley Barbee (42:39.926)

Mm-hmm.

Patrick Spencer (42:43.413)

The combination of those two components is unique in the realm of cybersecurity. I suspect maybe not as much in, for example, data analytics. If you’re a chief analytics officer or something along those lines, but you know, what prompted you to do the mathematics piece along with risk management and how does that benefit you as a cybersecurity professional?

Huxley Barbee (43:04.83)

Yeah, so the mathematics piece, a lot of it was personal interest. So I, um, maybe, maybe TMI, but when, when I was an undergrad, I was very much focused on becoming a physicist. And the reason why I didn’t was because I didn’t do so well in multivariate calculus. And so that was just like something that really bugged me, you know, throughout the years and I wanted to re-challenge myself and

to sort of find closure. And so I got that degree in applied mathematics. The great thing about.

and education applied mathematics is not only do you end up learning about, you know, really cool things like, uh, chaos theory and, and so on and so forth, but you also, uh, end up having a lot of exposure to numerical analysis as well as, hate to use buzzwords, but like, w we actually did like work on supervised learning and things like this, you know, AI ML, yeah, neural networks and so on and so forth. So I had a pretty early exposure to that.

those types of technologies and not just like a superficial, like here’s like a 15 minute video on what is AI, but like actually wrote code and developed some quick applications that leverage that type of technology. So, you know, it’s one of those things like, it’s a fundamental body of knowledge that can help you in anything that you do in life, right? And as time has proven out,

it’s becoming more and more important to have some understanding of that type of technology. The risk management piece is just simply because I, earlier in my security career, I was very much focused on devices and protecting networks, right? Very much a lot of risk mitigation. And at some point, I don’t remember when, I started to realize

Huxley Barbee (45:13.618)

Actually, maybe it was when I got my CISSP, I started to realize that there’s like a bigger picture here and that cybersecurity is really part of a larger risk management strategy for any sort of organization. And so I wanted to expand my scope. And so therefore I followed that path to help me have a broader view of how organizations deal with risk. And…

to this day, I will continue to speak about cybersecurity in the context of greater risk management. I think, in fact, I just, earlier in this conversation, we were just talking about risk avoidance and risk transfer. And one thing that I find with many security practitioners who’ve grown up in the tech world as I have, is very often you immediately, your mind goes to some sort of risk management, so at risk mitigation treatment.

Tim Freestone (45:51.996)

Thank you.

Huxley Barbee (46:09.254)

as opposed to understanding larger picture. So I mentioned earlier this lady I met in Calgary, who was like, I need to patch, I need to patch. And I said, I don’t think she was trying to patch everything, right? Because there’s other things that you can do in risk management to help an organization be resilient to various risks. And until I challenged myself to broaden my view, I was very much risk mitigation, risk mitigation, risk mitigation.

Patrick Spencer (46:38.677)

That’s interesting. That’s an interesting combination. And it gives you insights that you wouldn’t have if you hadn’t pursued both degrees I constantly find in marketing, man, I wish I had paid closer attention in those mathematic classes that I took. So, well, I think we’re about out of time. Uh, this has been a fascinating conversation, uh, Huxley, uh, you know, your background is fascinating. What you guys are doing over at the run zero is very interesting.

For someone in our audience who wants to get in touch with RunZero yourself, what’s the best way to do so?

Huxley Barbee (47:11.222)

So with RunZero, just go to www.runzero.com. That’s R-U-N-Z-E-R-O. There is actually a free trial that you can download and just run in your home and just to see what are the various devices that you might have. You might be surprised. I was surprised to find my washing machine on the network. It was, it was right there, like, you know, LG washing machine, like, oh, when did that happen? So.

Patrick Spencer (47:31.137)

What?

Tim Freestone (47:31.781)

Ha!

Huxley Barbee (47:38.21)

There’s that and there’s a free community edition as well. That’s sort of free forever. You download it, you can use it for yourself with no charge. And to sign up for the free edition of free trial, you don’t even need to provide your credit card and just go ahead and download it. And if anybody wants to reach me, I am active on LinkedIn. I’m also active on the infosec.exchange Mastodon instance. You just search for Huxley Barbie.

H-U-X-L-E-Y B-A-R-B-E-E. I am the only Huxley Barbie you’re ever going to meet. So I should be the first hit of any search results.

Tim Freestone (48:14.108)

I’m sorry.

Tim Freestone (48:18.046)

Good.

Patrick Spencer (48:19.021)

That’s great. Well, thanks for your time. For our audience, we appreciate you guys tuning in. For other Kitecast episodes, you can check us out at www.KiteWorks.com Kitecast

Tim Freestone (48:30.332)

Thanks.