Redefining CyberSecurity

It’s Difficult to Secure the Invisible: Reinventing Asset Management for Modern Challenges in IT, IoT, and OT | A RunZero Brand Story with Huxley Barbee

Episode Summary

In this Their Story podcast on ITSPmagazine, Huxley Barbee emphasizes the importance of comprehensive asset inventory in prioritizing security efforts. The discussion covers RunZero's approach to asset management, highlighting the role of visibility in addressing security challenges and improving business decision-making.

Episode Notes

In this Their Story podcast on ITSPmagazine, Huxley Barbee delves into the world of InfoSec and asset management, discussing the importance of having a full asset inventory and how his company, RunZero, addresses this challenge with a cyber asset management solution.

Founders HD Moore and Chris Kirsch identified the need for better tooling as security teams' scopes expanded beyond managing traditional IT devices to securing IoT and OT devices across various environments. RunZero helps organizations understand gaps in security controls coverage, identify potentially vulnerable devices in the face of zero-day threats, and more.

Huxley Barbee explains that a full asset inventory, including asset details like location within the network, device function, and business context, can assist in determining which vulnerabilities or misconfigurations need immediate attention. Huxley highlights the delicate process of gathering information on devices and the importance of incremental fingerprinting, particularly in OT environments and those with often-unmanaged IoT devices.

The trio also cover the business side, discussing the typical clients for RunZero and the mindset shift required to realize that existing asset discovery tools may not be sufficient. They discuss the collaboration between IT, OT, and security teams, emphasizing that having a full cyber asset inventory beyond the traditional IT asset inventory can help reduce remediation time and improve overall business decision-making.

Tune in to this episode to learn more about RunZero's modern approach to asset management, the crucial role of visibility in addressing security challenges, and how a robust asset inventory by RunZero can help business leaders and security practitioners make better decisions.

Note: This story contains promotional content. Learn more: https://www.itspmagazine.com/their-infosec-story

Guest: Huxley Barbee, Security Evangelist at RunZero [@runZeroInc] and lead organizer for BSides NYC [@bsidesnyc]

On LinkedIn | https://www.linkedin.com/in/jhbarbee/

On Twitter | https://twitter.com/huxley_barbee

On Mastodon | https://infosec.exchange/@huxley

Resources
Learn more about RunZero and their offering: https://itspm.ag/runzervvyh

Catch the video and podcast version of this conversation: https://itspmagazine.com/their-stories/its-difficult-to-secure-the-invisible-reinventing-asset-management-for-modern-challenges-in-it-iot-and-ot-a-runzero-story-with-huxley-barbee

BSides NYC Podcast: https://itsprad.io/event-coverage-1388


Episode Transcription

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording as errors may exist. At this time we provide it “as it is” and we hope it can be useful for our audience.

_________________________________________

SPEAKERS

Voiceover, Marco Ciappelli, Sean Martin, Huxley Barbee

 

Voiceover 00:10

Welcome to the intersection of technology, cybersecurity, and society. Welcome to ITSPmagazine. Thank you for joining us for this conversation.

 

Marco Ciappelli 00:37

Sean,

 

Sean Martin 00:39

I'd like to go fast. And

 

Marco Ciappelli 00:46

that's been limited zero. Try to

 

Sean Martin 00:49

RunZero. No, I'm joking. I think there's a lot of zero marketing messaging out there in the context of trust. And I think what we're going to talk about today is, how do you know who you can trust and how to trust them? And then why trust them and where to trust them? And how to enable the business with trust if you can't see what's going on in the first place. And I don't know anything about this topic, thankfully. But we do have somebody who does know that: Huxley Barbee from RunZero. Huxley, thanks for joining us today.

 

Huxley Barbee 01:36

Thank you for having me, both. Looking forward to this conversation here.

 

Marco Ciappelli 01:42

Absolutely cool. And just a heads up for people watching the video that you can see, we're all black and white. For those listening, you just kind of have to trust us. We're all in black and white. We're from the past. But we talk about the future. That's the funny part.

 

Huxley Barbee 02:00

Yeah, very monochromatic.

 

Marco Ciappelli 02:04

Monochromatic future, you want to start with that you see the future being monochromatic?

 

Huxley Barbee 02:10

Well, everybody's homogenizing in some ways, I feel like it's

 

Marco Ciappelli 02:18

Very, very profound, very profound.

 

Sean Martin 02:21

All right. So before we get into the core of the conversation, hopefully, a few words about who you are. Maybe your journey into the world of InfoSec. And your role at RunZero.

 

Huxley Barbee 02:38

Journey into the world of InfoSec. Well, when I majored in undergrad, I majored in Asian languages. And so I came out of college with no marketable skills. Aside from technology, which was a hobby, so that was my entry into technology, because there was nothing else I could really do. And lo and behold, I'm still here, after decades of working in IT and security. But at RunZero, my company, I am the security evangelist.

 

Sean Martin 03:20

Exactly. And while maybe national languages, Li do have a role in technology and security, for sure, but language in general, and the ability to communicate and translate things from one thing to another is super important in this industry. So I suspect you lean on that skill set in some way as you help tell the RunZero story to prospects and customers and partners and the like.

 

Huxley Barbee 03:52

More so now than before. There was a time when I was a software engineer, hands on keyboard all day long. Yes. But now, more so, given I'm having these conversations with industry at large, that is more important.

 

Marco Ciappelli 04:05

As a matter of fact, I think it just made a case for anybody from any background is actually needed in this industry. You never know where you start. But you know, you may end up in cybersecurity for one reason or another. So I think that's a pretty big topic right there, too. Although I know we're not here to talk about that. But I guess as an ambassador, as somebody that represents a company, you know, the touch of what the industry has become nowadays. I think it's quite important. For sure.

 

Sean Martin 04:36

Yes, let's go back to black and white times. Probably not that far back. But RunZero, give us a little background on the forming of the company. What the initial objective was. Any initial goals or milestones that the founders wanted to achieve with a company, and we'll kind of go from there.

 

Huxley Barbee 05:01

Yes. So the founders of the company are HD Moore and Chris Kirsch. And they are both folks who have been steeped in offensive security for quite some time. HD Moore, obviously, author of Metasploit. Chris Kirsch is the black badge winner, DEF CON black badge winner of the social engineering contest from years back. And so they have, both in their hobby of cybersecurity as well as in their jobs, met with a lot of customers, understood the challenges for a lot of customers. And one of the things that they saw again and again was that most customers didn't know what they had on the network. So that's one really key important thing. The other thing that they realized is that more and more security teams were no longer being asked to just protect the managed IT devices in the corporate environment, in the office, essentially, that over the last 20 years, the security teams have been asked to start protecting IoT devices, OT devices, in a multitude of environments, not just the office, but also in the cloud and remote employees' homes, and targets of mergers and acquisitions, in the factory, and so on, so forth. So that scope for security teams has drastically expanded. But at the same time, the tools that security teams had for going out there and figuring out what is on the network, which were sort of okay 20 years ago, when you're just dealing with the office, were entirely unsuitable for this day and age. And related to this whole divergence of environments and diaspora of devices, they also noticed this decentralization in control. So for example, in the cloud, developers are spinning up machines left and right, without any sort of proper governance, right. And oftentimes, these EC2 instances or Lambdas, they're sort of instantiated, but then never decommissioned, leaving this open hole for attackers.
So HD and Chris looked at this situation and said, well, there has to be a better way, there needs to be new tooling to deal with the new reality. And that's how they came up with RunZero, which is a cyber asset management solution.

 

Sean Martin 07:39

And when we talk about discovering assets, and I mean, I can look back to days when I was managing a NASM, product, GRC product for a big company. And a big part of it was asset identification. And it collected a ton of stuff. And it can be used for a ton of things. And then one of the ways that we were able to kind of connect it with the users was to find those use cases where this information can be used to make decisions, drive actions, reduce workflow overhead, reduce team burnout, whatever the case may be. So I'm wondering how some of the initial use cases looked, especially as you talk about IoT and OT. Those devices shed different types of information that maybe some teams understand, other teams don't. I don't know, I'm kind of all over the place here. But the connection of IT and OT, where those things cross over, so maybe a few scenarios where the information helps to provide some insight into the team or teams that need to do something with it.

 

Huxley Barbee 09:00

Yeah, and you know, oftentimes for customers, the ones that are a little bit more mature, having a full asset inventory is an end in and of itself, right? And having that full asset inventory is actually far more difficult than the folks who have never even tried to, or never even attempted to get that full asset inventory. It's easy to figure out what are all the managed IT devices on your network. It's the unknowns that really are problematic. These are the ones that probably have been orphaned. They have not been patched. They have no governance whatsoever, and they've been forgotten about. And it just so happens, these are also the same ones that have an outsized implication for your security posture, right, because attackers are not going to go for the managed IT device that's up to date on its patches and has EDR on it. No, they're gonna go for the one that's been sitting there for like the last five years, people forgot about it, or people know it's there, but they're afraid to breathe on it because nobody knows what it's for. And they're afraid of it restarting, causing some sort of outage. So that in and of itself is important for more mature organizations. But as you've alluded to, for many organizations, it's about what else you can do with asset inventory. That's important. One particular use case that we see quite a bit is understanding the gaps in your security controls coverage. So for example, what are my devices that are missing EDR? And you can't really answer that question unless you have an approach that brings together a full asset inventory plus information from your EDR of choice, right. So find endpoints missing CrowdStrike, find endpoints missing SentinelOne, find endpoints missing AVG, for example. That is a major, major use case that is popular with RunZero's customers. Another one would be trying to be better about zero days. Right?
Obviously, there are vuln scanners out there, and they play a very important role in helping a company mitigate any sort of potential problem. But the fact of the matter is, usually, when there's a zero day, it takes time for the information to be released through the NVD. And it takes time for vuln scanners to release a vuln check. And even if a vuln check exists, the customer then has to rescan the entire network. And oftentimes, they're not even rescanning the whole network, they're just rescanning part of the network that they're allowed to, because vuln scanning has troubles of its own. One really unique and novel way that customers use this full asset inventory is to identify devices that are potentially vulnerable to a new zero day. Right. So rather than doing a full-blown check, you're able to use certain heuristics or other sort of attributes that are like telltale signs that this particular device may probably has this vulnerability, and use that to help you scope out a punch list of what to go after in order to deal with the zero day, like right on day one.

 

Sean Martin 12:28

And talk to me about the process of gathering this information, because you mentioned bad actors having access to SCADA systems, IoT devices, default passwords for those things, ports and API calls that can be used against, and a lot of that stuff is open source intelligence, so sent on Shodan and other places. So there's that kind of data. And then there's deeper, like you said, inside, perhaps, is it running an EDR or not? How deep and wide can you get without, like, destroying the network? Because you're kind of going after the device to say, give me all that you can give me? Yes. But sometimes that actually triggers a response from the device that's not acceptable, like shutting it down, or blocking ports, or whatever the case may be. So how do you know what's important? How do you know about how to get it in a safe manner?

 

Huxley Barbee 13:37

Yes. So what you're talking about is 100% a concern. And this is one of the reasons why security teams have to pick a time of the night in order to run a vuln scan, or, you know, manage these really large exclusion lists of IP blocks they're just not looking at at all. And you'll find that this is more necessary in OT environments, as well as with IoT devices. It's less of an issue with managed IT, but still an issue, of course. But with OT devices, some of which have been sitting there for like 20, 30, 50 years, you really have to be very careful in terms of what you're doing with scanning. So there's a lot going on here. And one of the reasons why, historically, scanners have not done well with these devices that are prone to disruption is because they intentionally send non-standard packets. And it's a tactic that's used by these older legacy scanners to elicit a certain type of response from the operating system of that target device in order to make a determination as to what it is, right. It's a fingerprinting technique of sending a non-standard packet just to see how the response is, right, the behavior of that device, and then say, ah, it must be this type of device because of the response. That's something you absolutely should not do if you want to have that breadth of coverage with devices. Another thing to do is to make sure that you're fingerprinting incrementally. So a lot of legacy scanners, and I'm thinking Nmap, Nessus, as well as the major vuln scanners, what they'll do is they will query a device and grab all the information at once. This, of course, also can cause a disruption on a device because it might have an older TCP/IP stack, or it might have custom software, or it might just be, like, under-resourced, which causes it to freeze up or restart, based on that sort of, like, in-depth query all at once.
Really, what you want to do is what we call incremental fingerprinting, where you send at first a super benign query, just to get some sense of what this might be, like, you know, around the edges. And then based on the responses, you iteratively go deeper and deeper with the queries to gather more information about it. And so in so doing, you know, hey, I can send this type of packet but not that type of packet, I can make this type of query, and not that type of query, in order to avoid some sort of major outage with that device that you're trying to scan. But you're right, it is a touchy thing, you have to be very careful when you're doing extra scanning, especially in OT environments, and with IoT devices.

 

Marco Ciappelli 16:37

And as you're talking about this, I want to start looking at things a little bit from the business side, right? I mean, for me, if I were the business in charge, and you're telling me this thing, like, you know, we come in, we don't break stuff. Okay, that's cool. That could be my main fear, like, you know, not only you want to do it at night, but also, I really don't want to deal with that disruption. Then you can start thinking like, well, why do you have the 25-year-old device or whatever it is, but the point is, it's there. So tell me about either some case study, or what is your typical kind of client for RunZero? And how does it go, the first conversation with them? Well, you know, are they already looking for what you're offering, or is it something that is, oh, I didn't know we could do this the way you do it. That sounds good to me.

 

Huxley Barbee 17:33

I would say most people agree on the importance of asset inventory. Everybody knows that you cannot protect what you don't know about, like that's sort of a truism, sort of accepted. I think the biggest shift in mindset is realizing that existing asset discovery tools don't quite cut it. Either they're optimized for managed IT devices, or they do asset discovery in such a way that they only gather a minimal amount of information, which leads to misidentification, like bad fingerprinting, essentially. So at the end of the day, you end up in a situation where your asset inventory just isn't really covering everything that you need. And it is exactly the stuff that it is not covering which is where you are most vulnerable. It is those unknowns on the network that you're not going to be inventorying, that you're not gonna be able to discover. And it just so happens, those are the same ones that are going to be most susceptible to attack and get you into the most trouble. Right? A lot of this comes back to this idea that when you do asset discovery, you should be taking an approach through the lens of the attacker. In fact, very important point here: asset discovery and recon are two sides of the same coin. It's really the exact same thing. It just depends on what your perspective is. If you're an attacker, yeah, you call it recon; if you're a defender, you call it asset inventory. But it's all really the same thing. And what you're trying to do is figure out where you have problems. You start with visibility, you start with figuring out what everything is. And then the next step is figuring out what are all the bad things. Where do I have to prioritize?

 

Sean Martin 19:21

How important is it to know I'm thinking from the business perspective here as well, because if you have the information, you're hopefully going to use it to make some decisions and drive drive some actions. And as we all know, there's no lack of security data in one form or another come in at the team from all angles all times of the day. And it's all marked red high, right. You got to take care of this. So how, how does what you provide help teams perhaps prioritize where to focus Sure important to the business?

 

Huxley Barbee 20:02

Sure, absolutely. So there's a variety of ways that good asset inventory, full asset inventory, can help you prioritize where the security team should focus. So let's imagine there's either a vulnerability or a misconfiguration on a device. Okay? Yes, there are tools these days that can tell you, oh, the CVSS score is such and such, right, but the thing is, nearly or severity. But the thing is, you know, with more than half of vulnerabilities being marked as high or critical, like, it doesn't really help with prioritization. So, you want to start looking at other things around that asset to help you make a determination as to whether or not that weakness, that misconfiguration, vulnerability is something you should really look into right away. One thing to look at is, hey, is this device externally facing? If this has a public IP, then clearly, that's something that is more likely going to get you in trouble than something else. Like, if I have RDP running on a device that's completely isolated internally, okay, you know, might be something you want to look at, but it might be okay. But if it's RDP running on a device that has a public IP address, you should really take a look at that as quickly as you can, and understand why that's there, and whether that actually has to be there. So location within the network, very important. Another detail that comes from asset inventory that can really help is what is the function of this device. Right? If this device is a printer, then okay, as the vulnerability or misconfiguration, good to know, but probably very little damage that an attacker can do. But if this were an IP camera, where they can start looking at the facilities, then that might be something that's worth looking at.
So understanding these asset details, whether that be what is the hardware, or who is the owner of this, who's the business owner of this, understanding the business context of that device, could potentially be very, very helpful, along with our location, very helpful in helping security teams determine where they should prioritize.

 

Marco Ciappelli 22:29

You know, I'm gonna go back to the business, because you're another tech guy, so I'm always gonna bring you back to the business. So tell me, who is your typical client? I mean, I know you have many, many. Do you work more with one industry than another? What kind of maturity company do you normally work for? And somebody's listening now, I was gonna tell, like, I'm gonna go and talk to RunZero, because I know I'm gonna go and work well with them.

 

Huxley Barbee 22:57

Yeah, I would say, well, the fact is, we have customers in every single industry. Like, there is not one that can't use asset inventory. It is such a foundational component to a security program that you couldn't really mount a credible defense without having it. Now, with that being said, of course, some customers have an easier time coming up with a full asset inventory, right. So if you are a company that is just born in the cloud, and you're just using a single cloud, right, you're just AWS, you have a handful of AWS accounts or less, then you probably don't need a scanning solution, you could probably just get away with using the AWS console or using some sort of cloud solution for something like that. But if you are the type of organization that has multiple clouds, where you need consolidation across all of your cloud environments, or you have lots of on-prem, on-premise environments, there's definitely room for you to take a look at different asset discovery solutions to understand what might be best for you. We see a lot of interest, obviously, in manufacturing and retail and education. Right? Education being like, for example, really federated environments, but we also see interest in health care, and oil and gas and things like this, as well as finance. So lots of different industries need asset inventory. About the only one where they don't need a full-on scanning plus API integration solution would probably be some sort of single-cloud, born-in-the-cloud type of company.

 

Sean Martin 24:48

So talk to me a little bit more about the environment, because you mentioned multiple, multi-cloud. I don't know if cloud sovereignty, data sovereignty, or the clouds are in different countries, if that plays a role, containers plays a role, if there are VMs, obviously, within there. I don't know if you get into some of the what's running on it in terms of apps? What are some of the nuances that maybe some organizations might think they have asset inventory covered, where in fact, they're missing key elements because of these changes in networking infrastructure and device composition, I guess, if I can call it that, that changed the way they should be looking at things? Where are they kind of missing the mark, do you think?

 

Huxley Barbee 25:45

Yeah, so you know, there are multiple dimensions to measure whether or not your asset inventory is full. One is by device type, right? So are you getting all of it out to you know, team? One is environments. Are you getting devices that are disconnected from the network because they're in your remote employees' homes? Or are they in cloud, right? So that's another dimension. Another dimension is sort of like the depth of detail. So when we talk about cyber assets, which is distinct from IT assets, I'll explain that in a moment. But a cyber asset is a compute device, plus all the related information that security teams care about. So this means not just hardware, but also software that's on that device. And the services that are listening on that device, what are all the misconfigurations and vulnerabilities that are on the device, who are the users associated with that device, and things like this. And this is very different from an IT asset because, to analogize over, right, it is a compute device, plus all the information that IT teams care about. IT teams would care about replacement cost or licensing. This could be important to security teams, but it's not as important. So we don't consider that to be part of a cyber asset. But nevertheless, we see a lot of security teams taking IT assets from an IT asset management solution and then trying to use them for security purposes, where they have replacement costs, which is useless to them, but it's missing vulnerabilities, or missing, like, these are the listening services on that machine, which they would care about, but it doesn't have it. And so they're hampered by having a lack of depth in their asset inventory. And this goes back to saying earlier, the tools that were okay 20 years ago for just the office are not really suited for the realities of today. And what you really need is a cyber asset management solution to help you along. Yep.

 

Sean Martin 27:41

And let me ask this question first. Do you also collect the IT asset information? So or do you purposefully stick to security stuff?

 

Huxley Barbee 27:53

Well, I mean, the replacement cost, that's something that comes outside of scanning, you can't scan for that information, as far as I know. But there's definitely some interplay between a cyber asset and IT asset. Of course, you can use one to sort of feed into the other one.

 

Sean Martin 28:10

Great reason. Yeah, because it goes back to my scenario. This is going to date me, Y2K, where security company trying to help organizations kind of cross that mark over the new year, March timeframe. And I talk about this on my show Redefining CyberSecurity all the time, where security information and IT information can actually drive better business decisions. So we're not back on our heels all the time trying to patch stuff, where in fact, if a machine is full on hard disk space, and has a bad network card that keeps failing and other things that are IT related, and also is constantly in patch mode, because the OS sucks. So the applications on it have issues, that's a problem machine, right, that maybe the business might want to look at changing out. So I guess the question is, maybe that doesn't directly apply, but is there a role for RunZero to help the broader business? Me? Yeah, really strong decisions?

 

Huxley Barbee 29:27

Yeah, so two comments here. First one on Y2K. Y2K was one of my earlier projects, when I was a consultant back in the day. So yeah, I was right there with you. And so yeah, absolutely. We definitely do have customers who take this cyber asset inventory, and then use that to feed into their CMDB in order to make sure that those IT workflows are operating on all the devices. We haven't even talked about this, but many of the IT asset discovery tools also are not fit for purpose for the realities of today. And they also are missing those IoT devices and OT devices, those unmanaged IoT devices that they need to know about for other reasons, right, for operational efficiency. And, you know, one of the side use cases for having a really good asset inventory, even though it's a cyber asset inventory, is to then feed into the IT asset inventory, into the CMDB of some sort, with this wealth of detail. And, of course, then IT could use that to go do something else with it. And of course, that certainly does help the business make decisions in terms of performance, and efficiency, and so on, and so forth. I think a second thing that's worth noting about this sort of interplay between IT and security and how it's better to collaborate. Fact of the matter is, security teams do not own those devices. There was one survey recently where it said something like more than 60% of security teams need to work with other groups in order to actually remediate any security problems. Or to put it another way, security teams are often begging and pleading and cajoling all these other groups within the organization to please, please, please patch the damn thing or take it down or whatever. Right? So it's always better when the two are playing well together. Security is necessarily a collaborative discipline.
And if there can be an agreement on authoritative data, right, source of truth, if you will, things just go better. And having a full cyber asset inventory, where the asset ownership of as many devices as possible is known, also reduces remediation time, right? So rather than security teams having to go figure out who owns this damn thing, because the person that we see over here, listed for this asset, left the company 10 years ago. So now who owns it? Who can I talk to about what this is? What the hell does it do? Does anybody seem to know? And having to track down who the owner is. Reducing that time really helps with reducing your mean time to respond. So it really helps the company in multiple ways to have a full asset inventory that is also potentially feeding into the IT asset inventory. Wow.

 

Sean Martin 32:39

So truth, trust back to the trust.

 

Huxley Barbee 32:42

Trust, I want to challenge this. So early at the beginning, you said, you know, trust, trust, trust, and of course, the name of the company is RunZero. I want to say unequivocally, RunZero is not a zero trust company. When we say zero, we don't mean zero trust, right? When we say zero, we just mean there's zero unknowns on your network in terms of assets. We're not here to jump on the zero trust bandwagon for the VC money or anything like that. That is still very much

 

Sean Martin 33:14

playing. Playing on that a bit. Yeah, we

 

Huxley Barbee 33:16

are. We are not that. I will say that be very clear about that.

 

Marco Ciappelli 33:21

You should put down zeros doesn't stand for that. Zero. It's another zero.

 

Huxley Barbee 33:26

Like could you tagline Yeah, the other zero?

 

Marco Ciappelli 33:29

Yeah, there's zero. Yeah, the other, the other dimension. So I like to end this kind of conversation always looking into the future. And you guys dated yourself with Y2K, can say I was there during the French Revolution, but that really dates me, so we'll just move into the future instead of that. Where do you see things going here? Like I'm just gonna get, for example, a quote that I found here on the website is "RunZero's the bomb, for home and for work slash corporate." Not gonna read who said that, but it's a big company. And so there is an entire new dimension, but divorce is an entirely different set of tools and technology that we have nowadays. You know, you talked a lot and Sean mentioned, you know, 20 years ago, you probably couldn't even do what you guys are doing now. So kind of curious to put your futuristic hat on and see where do you see this industry moving, especially for what you do, like how technology is coming in? I mean, feel free to drop a few technology there. You know, just curious, I mean, on this question, what do you see,

 

Huxley Barbee 34:45

Every conversation I have, somehow ChatGPT comes up.

 

Marco Ciappelli 34:50

Just stay I don't know. It might Yeah. All right. Well,

 

Huxley Barbee 34:53

I think the important thing, and this I think I have very high confidence in: this problem is not going to get any better on its own. The surface that you present to attackers, which they may take advantage of in order to infiltrate into your company and move laterally through your company, that's not going to get any better. There are going to be more and more assets that you have to deal with, especially the ones where they're being instantiated without proper governance. So that is something that you can take to the bank, I feel like. That's not going to change, that is coming, it's just gonna get worse. And you have to find a way to deal with it. Otherwise, you're always going to be on the back foot, your security program is always going to be reactive, because you just don't know what you have. And so every day is a new, unhappy surprise for your security team.

 

Marco Ciappelli 35:52

So it's cleaning up kind of like it rule of thumb, instead of having so much, maybe in the future be a little bit more minimalist in the assets that you have, or is just like, not that, yeah, it's not the way business gonna,

 

Huxley Barbee 36:08

No, that's not gonna happen. There's always going to be new ideas, new offering, more companies, you know, and the number of software engineers is always increasing. I don't care if there's AI writing code these days, there's always going to be more software engineers, building more applications and more services. And they're going to be pushing the envelope of what the security team has to deal with. So you got to deal with it. Because otherwise, it's just gonna get away from you.

 

Sean Martin 36:42

I can, the nerd me wants to talk for hours, and I can, I'm just thinking of all these use cases. Like you talked about, old stuff's not gonna go away and new stuff's gonna come. And then in the middle there, migrations from old to new, like from on premises to the cloud, and renting devices or leasing tractors, or network, all this stuff where we can control some things, but we still need to know what's going on and help guide others that have the control and the ownership. And I think you nailed it for me in the single source of truth. So giving, having visibility into that, being able to act your language through being able to translate that and communicate that back to the business and the players in the business, whether it be directly or through partnerships, to say, this is where we stand from a cyber perspective. Here's how it plays in from an IT and OT and IoT perspective. And hopefully, we can make some better decisions as a business, because we have this visibility from a single source of truth. So I love it. I always say one more question, but Marco will bash me over the head if I do that. So maybe we can have another chat and get into, I'd like to talk operations and team structure and workflows and all this stuff. So who knows, maybe there's another chat down the road for some of those things. But we'd love to come back. Absolutely. Yes. And maybe there's a place all see you in New York. Coming? Yes,

 

Huxley Barbee 38:18

Absolutely. So aside from being the security evangelist at RunZero, I'm also the lead organizer for BSides NYC, and BSides NYC is on after a five year hiatus. We are on April 22, 2023. Tickets are on sale now. It's only $15. So only $15 for the conference. And if you are a student, you automatically get a refund after the conference.

 

Sean Martin 38:48

Look at that. I'm going to become a student for the day. I'm always learning something. I learned a ton today. I am a student. Well, we'll put a link in to BSides NYC so folks can check out the events and hopefully meet you there, Huxley, and thanks for helping to put that on after five year hiatus. I actually will be in California, heading to RSA before that. So I won't be able to visit you live in person in New York sadly, but hopefully many who are on the East Coast can do that. And others as well. Any theme or any highlights that are important for folks for that?

 

Huxley Barbee 39:35

Oh, at BSides, no. It runs the gamut. We have red team talks, blue team talks, other colors of the InfoSec wheel talks, we got workshops, villages, it's full security conference, full

 

Sean Martin 39:48

on, full-on BSides, love it. It's right in the spirit that it was created. Alright. Well, Huxley, thanks so much for bringing the story to us. Great to learn more about RunZero, and great to meet us the evangelist and spokesperson for this. I think we have some good tips in here for folks looking at their inventory, and their assets of inventory assets. So we'll include links to your sites and other information you think folks would want to access to help them learn more. And thanks again. Thanks, everybody, for listening to the story here on ITSPmagazine.

 

Voiceover 40:38

If you enjoyed this podcast, share ITSPmagazine with your friends, family and colleagues. Thank you for listening.