The Next Era of Data Security: AI, Cloud, & Compliance – Jeff Smith, Dimitri Sirota, Kiran Chinnagangannagari – ESW #390
1. The Next Era of Data Security: AI, Cloud, & Compliance – Dimitri Sirota – ESW #390
Today's data landscape is undergoing a seismic shift with increasing regulatory pressures, rapid acceleration to the cloud, and AI adoption. Join BigID's CEO and Co-Founder, Dimitri Sirota, to learn how organizations can adopt a holistic approach to their data security and compliance strategy to keep up with the revolution in data, transforming their data into a competitive advantage.
This segment is sponsored by BigID! Start protecting your sensitive data wherever your data lives at https://securityweekly.com/bigid.
Guest
Dimitri Sirota is the CEO and co-founder of BigID – the leader in data security, privacy, compliance, and AI data management – and a security expert. He is an established serial entrepreneur, investor, mentor and strategist, and previously founded two enterprise software companies focused on security (eTunnels) and API management (Layer 7 Technologies), which was sold to CA Technologies in 2013.
2. 50,000 critical exposures + one of the most vulnerable IT environments: our schools – Kiran Chinnagangannagari, Jeff Smith – ESW #390
I've been so excited to see the external attack surface management (EASM) market take off in the past few years. This market category focuses exclusively on security issues exposed to the public Internet - issues ANYONE can see.
All organizations have exposure management problems, but industries that are traditionally underfunded when it comes to cybersecurity and IT are particularly worse off. We see breaches in these industries every day - industries like manufacturing, healthcare, and education. Of course, exposure issues don't stop at the network boundary - all organizations have internal exposures to worry about as well.
With all the breaches we see every week, we've become somewhat desensitized to them. Is it possible to address even just the most critical exposures (a fraction of 1% of all vulnerabilities) in one of the most underfunded industries? In this episode, we dive into how a small school system in New Mexico took on this challenge.
Guests
Kiran Chinnagangannagari is the Chief Product and Technology Officer at Securin. He is a highly accomplished and experienced executive with extensive experience in key leadership roles at major multinational companies. Kiran was the Co-Founder, President, and Chief Technology Officer at Zuggand, an Amazon Web Services Advanced Consulting Partner. Before Zuggand, Kiran was the Chief Technology Officer of the state of Arizona, where he was instrumental in advancing IT strategy and enabling efficient, innovative, and sustainable services. Passionate about helping people find solutions that make their lives easier, Kiran brings a deep understanding of leveraging technology to solve business challenges.
Jeff Smith is the Assistant Director of Technology for the Farmington Municipal Schools in Farmington, New Mexico with 21 years of experience in the K-12 education technology space. Jeff specializes in server, client, and user management within the district.
3. Enterprise News – ESW #390
This week in the enterprise news - Cymulate acquires CYNC Secure, Tidal Cyber acquires Zero-Shot, Amazon ransomware attack, and more!
- 1. ACQUISITIONS: Darktrace announces proposed acquisition of Cado Security, a cloud investigation and response specialist
- 2. ACQUISITIONS: Cymulate acquires CYNC Secure to enhance exposure management solutions
- 3. ACQUISITIONS: Tidal Cyber Acquires Zero-Shot Security to Enhance Threat Intelligence Mapping Capabilities
- 4. NEW COMPANIES: Orchid Security
Identity-first orchestration. Very exciting! I think it's clear we need more automation tools in security. We need better automation tools that we can build orchestration flows with more quickly. We need more products like Tines and Torq.
- 5. NEW AI FEATURES: Voice Preservation and Voice Profiles mode – Indian English – female agent
I don't think "creepy" is the right way to describe this. It's a bit disconcerting to see this level of voice change made this easy and instantaneous. Thinking about how this could be abused in subtle ways had my head spinning a bit.
- 6. TTPS: New Amazon Ransomware Attack—‘Recovery Impossible’ Without Payment
I've been saying for a while now that "resilience" will be one of the big buzzwords that we see in 2025, and this is a perfect example. I wonder how many orgs have a playbook for recovery in a case like this.
Another thing that bugs me is the quote about "this is why MFA is important" in the article. Dude - what part of AWS API key did you miss? How are you going to implement 2FA on an API key? I mean, theoretically, there are ways to restrict the use of API keys (request can only come from certain IP addresses for example), but generally, a machine identity/script can't use MFA.
Am I missing something here?
- 7. HOWTOS: Latest rsync vulnerabilities and how to find impacted systems
I love this "how to find X in your environment" series from runZero. On one hand, it seems SO basic. On the other, it's a perfect example of the kind of security basics defenders should be practicing.
If you don't know if/where rsync exists in your environment, you can be sure an attacker will know it within 10 minutes of pivoting onto a host with access to the internal network! I always found it strange, as a pentester, that I seemed to know the customer's network better than they did after poking at it for 2 business days. This is a problem.
- 8. INTERVIEWS: Rising Tides: Wendy Nather on Resilience, Leadership, and Building a Stronger Cybersecurity Community
- 9. DUMPSTER FIRES: Matt Mullenweg deactivates WordPress accounts of contributors planning a fork
What is HAPPENING over there??? This row is getting ridiculous.
- 10. POLL: Security, Funded #176 – What’s the biggest driver for your company’s investment in “AI for Security” or “Security for AI”?
Mike Privette does a poll in every issue of his newsletter, and shares the results in the next issue. I found this one really interesting.
What’s the biggest driver for your company’s investment in “AI for Security” or “Security for AI”?
- Addressing talent shortages (8 votes)
- Automating manual security processes (24 votes)
- Enhancing threat detection and response (6 votes)
- Staying competitive in the market vs. peers (6 votes)
So, the reason I find this interesting is that generative AI doesn't really help you automate manual security processes. It helps distill information and maybe make some of those processes take less manual time, but GenAI isn't really good for automating anything, as it's non-deterministic (and therefore can't be trusted without a human babysitter).
A lot of the "AI for your SOC" startups are doing both, however, and I think that's where the confusion might be coming from. They're conflating the messaging, so naturally, folks think AI is doing the automation, when that bit is probably just good old python and other typical SOAR components.
- 11. ESSAYS: Passing the buck with ‘hacklore’
Always NordVPN when you Public WiFi?
- 12. REGULATION: UK floats ransomware payout ban for public sector
So problematic. Typical legislation that doesn't really understand the realities of ransomware and potential outcomes.
Sure, you prevent the organization that's directly targeted by the ransomware crew, but what about other organizations and individuals impacted? There's no reason the ransomware crew can't just go extort them instead.
For example, say the NHS gets hit with ransomware. If this passes, they won't be able to pay a ransom, but the ransomware crew could still come after their private market partners, their contractors, individual employees, and patients.
- 13. SQUIRREL: Linus Torvalds offers to build free guitar effects pedal
Linus Torvalds would like to solder a distortion pedal for you
- 14. SQUIRREL: ENRON
Enron is back, baby!