Enterprise News – ESW #390
This week in the enterprise news - Cymulate acquires CYNC Secure, Tidal Cyber acquires Zero-Shot, Amazon ransomware attack, and more!
- 1. ACQUISITIONS: Darktrace announces proposed acquisition of Cado Security, a cloud investigation and response specialist
- 2. ACQUISITIONS: Cymulate acquires CYNC Secure to enhance exposure management solutions
- 3. ACQUISITIONS: Tidal Cyber Acquires Zero-Shot Security to Enhance Threat Intelligence Mapping Capabilities
- 4. NEW COMPANIES: Orchid Security
Identity-first orchestration. Very exciting! I think it's clear we need more automation tools in security. We need better automation tools that let us build orchestration flows more quickly. We need more products like Tines and Torq.
- 5. NEW AI FEATURES: Voice Preservation and Voice Profiles mode – Indian English – female agent
I don't think "creepy" is the right way to describe this. It's a bit disconcerting to see this level of voice change made this easy and instantaneous. Thinking about how this could be abused in subtle ways had my head spinning a bit.
- 6. TTPS: New Amazon Ransomware Attack—‘Recovery Impossible’ Without Payment
I've been saying for a while now that "resilience" will be one of the big buzzwords that we see in 2025, and this is a perfect example. I wonder how many orgs have a playbook for recovery in a case like this.
Another thing that bugs me is the quote about "this is why MFA is important" in the article. Dude - what part of "AWS API key" did you miss? How are you going to implement 2FA on an API key? I mean, theoretically, there are ways to restrict the use of API keys (for example, requests can only come from certain IP addresses), but generally, a machine identity/script can't use MFA.
Am I missing something here?
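As an added example (not part of the show notes), here are the two controls that commentary alludes to for a machine identity's access key: an IAM policy that denies API calls from outside a source-IP allowlist, and a check over CloudTrail-style records that flags any use of the key from elsewhere. The networks, the access key id and the event records are constructed for the example.

```python
import ipaddress
import json
from typing import Optional

# Constructed allowlist: the only networks this script's access key should
# ever be used from (a hypothetical CI runner range and one NAT egress address).
ALLOWED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24"),
                    ipaddress.ip_network("198.51.100.7/32")]

# Preventive control as an IAM policy: deny every call whose source IP is not
# in the allowlist. aws:SourceIp is the caller's public IP; calls that arrive
# through a VPC endpoint present aws:VpcSourceIp instead and need their own rule.
DENY_OUTSIDE_ALLOWLIST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny", "Action": "*", "Resource": "*",
        "Condition": {"NotIpAddress": {"aws:SourceIp": [str(n) for n in ALLOWED_NETWORKS]}},
    }],
}

# Constructed CloudTrail-style records, trimmed to the fields the check reads.
SAMPLE_EVENTS = json.loads("""[
 {"eventName": "PutObject", "sourceIPAddress": "203.0.113.41",
  "userIdentity": {"accessKeyId": "AKIAEXAMPLE000000001"}},
 {"eventName": "ListBuckets", "sourceIPAddress": "192.0.2.77",
  "userIdentity": {"accessKeyId": "AKIAEXAMPLE000000001"}},
 {"eventName": "GetObject", "sourceIPAddress": "192.0.2.77",
  "userIdentity": {"accessKeyId": "AKIAEXAMPLE000000001"}},
 {"eventName": "CopyObject", "sourceIPAddress": "s3.amazonaws.com",
  "userIdentity": {"accessKeyId": "AKIAEXAMPLE000000001"}}
]""")

def is_allowed_source(source: str) -> Optional[bool]:
    """True/False for an IP address; None when the source is an AWS service
    name (CloudTrail records service-initiated calls that way), which an
    IP allowlist cannot judge either way."""
    try:
        ip = ipaddress.ip_address(source)
    except ValueError:
        return None
    return any(ip in net for net in ALLOWED_NETWORKS)

def flag_key_use_outside_allowlist(events):
    """Return (accessKeyId, sourceIPAddress, eventName) for each API call made
    with an access key from an address outside ALLOWED_NETWORKS."""
    return [(ev["userIdentity"].get("accessKeyId"), ev["sourceIPAddress"], ev["eventName"])
            for ev in events if is_allowed_source(ev["sourceIPAddress"]) is False]

if __name__ == "__main__":
    for key, ip, action in flag_key_use_outside_allowlist(SAMPLE_EVENTS):
        print(f"key {key} used from {ip} outside allowlist: {action}")
```

The detection half is the safety net for the case the policy does not cover (a key used through a VPC endpoint, or before the policy was attached); the two hits above are the same key being used from an address that is not on the allowlist.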
- 7. HOWTOS: Latest rsync vulnerabilities and how to find impacted systems
I love this "how to find X in your environment" series from runZero. On one hand, it seems SO basic. On the other, it's a perfect example of the kind of security basics defenders should be practicing.
If you don't know if/where rsync exists in your environment, you can be sure an attacker will know it within 10 minutes of pivoting onto a host with access to the internal network! I always found it strange, as a pentester, that I seemed to know the customer's network better than they did after poking at it for 2 business days. This is a problem.
- 8. INTERVIEWS: Rising Tides: Wendy Nather on Resilience, Leadership, and Building a Stronger Cybersecurity Community
- 9. DUMPSTER FIRES: Matt Mullenweg deactivates WordPress accounts of contributors planning a fork
What is HAPPENING over there??? This row is getting ridiculous.
- 10. POLL: Security, Funded #176 – What’s the biggest driver for your company’s investment in “AI for Security” or “Security for AI”?
Mike Privette does a poll in every issue of his newsletter, and shares the results in the next issue. I found this one really interesting.
What’s the biggest driver for your company’s investment in “AI for Security” or “Security for AI”?
  - Addressing talent shortages (8 votes)
  - Automating manual security processes (24 votes)
  - Enhancing threat detection and response (6 votes)
  - Staying competitive in the market vs. peers (6 votes)
So, the reason I find this interesting is that generative AI doesn't really help you automate manual security processes. It helps distill information and maybe make some of those processes take less manual time, but GenAI isn't really good for automating anything, as it's non-deterministic (and therefore can't be trusted without a human babysitter).
A lot of the "AI for your SOC" startups are doing both, however, and I think that's where the confusion might be coming from. They're conflating the messaging, so naturally, folks think AI is doing the automation, when that bit is probably just good old Python and other typical SOAR components.
- 11. ESSAYS: Passing the buck with ‘hacklore’
Always NordVPN when you Public WiFi?
- 12. REGULATION: UK floats ransomware payout ban for public sector
So problematic. Typical legislation that doesn't really understand the realities of ransomware and potential outcomes.
Sure, you prevent the organization that's directly targeted by the ransomware crew, but what about other organizations and individuals impacted? There's no reason the ransomware crew can't just go extort them instead.
For example, say the NHS gets hit with ransomware. If this passes, they won't be able to pay a ransom, but the ransomware crew could still come after their private market partners, their contractors, individual employees, and patients.
- 13. SQUIRREL: Linus Torvalds offers to build free guitar effects pedal
Linus Torvalds would like to solder a distortion pedal for you
- 14. SQUIRREL: ENRON
Enron is back, baby!