Dave Bittner
You're listening to the CyberWire network, powered by N2K. Hey everybody, Dave here. I've talked about DeleteMe before and I'm still using it because it still works. It's been a few months now, and I'm just as impressed today as I was when I signed up. DeleteMe keeps finding and removing my personal information from data broker sites, and they keep me updated with detailed reports so I know exactly what's been taken down. I'm genuinely relieved knowing my privacy isn't something I have to worry about every day. The DeleteMe team handles everything. It's set-it-and-forget-it peace of mind. And it's not just for individuals. DeleteMe also offers solutions for businesses, helping companies protect their employees' personal information and reduce exposure to social engineering and phishing threats. And right now, our listeners get a special 20% off your DeleteMe plan. Just go to joindeleteme.com/n2k and use promo code N2K at checkout. That's joindeleteme.com/n2k, code N2K.

Google issues an emergency patch for a high-severity Chrome browser flaw. Researchers bypass BitLocker encryption in minutes. A massive Chinese-language black market has shut down. The CFPB cancels plans to curb the sale of personal information by data brokers. A cyber espionage campaign called Operation RoundPress targets vulnerable webmail servers. Google warns that Scattered Spider is now targeting US retail companies. The largest steelmaker in the US shuts down operations following a cybersecurity incident. Our guest is Devin Ertel, Chief Information Security Officer at Menlo Security, discussing redefining enterprise security. And the long and the short of layoffs.

It's Thursday, May 15, 2025. I'm Dave Bittner, and this is your CyberWire Intel Brief. Thanks for joining us here today. It's great, as always, to have you with us.

Google has issued an emergency patch for a high-severity Chrome browser flaw that could allow full account takeovers. Discovered by Solidlab researcher Vsevolod Kokorin, the bug stems from weak policy enforcement in Chrome's Loader component, letting attackers leak sensitive cross-origin data via malicious HTML. This can expose OAuth tokens through manipulated referrer policies, especially dangerous in authentication flows. Google confirmed a public exploit exists, implying possible active use. The fix is rolling out in the latest Chrome version across platforms. Users should update manually or let Chrome auto-update on restart. This follows a March patch for another critical Chrome zero-day, used in espionage attacks targeting Russian entities, which exploited Chrome sandbox bypasses to deliver malware.

A newly revealed flaw in Microsoft BitLocker allows attackers to bypass encryption in under five minutes using a software-only method called BitPixie. The exploit targets systems without pre-boot authentication and has a public proof of concept available. Unlike hardware-based hacks, BitPixie extracts BitLocker's volume master key entirely through software, or by exploiting a flaw in the Windows bootloader during PXE soft reboots. Two attack versions, for Linux and Windows PE, allow access using signed components, with no need for physical tampering or a full disk image. The attack is stealthy and effective on unattended or stolen devices. Experts strongly advise enabling pre-boot authentication to block access to the VMK and prevent such breaches.

A massive Chinese-language black market for crypto scams and money laundering, known as Haowang Guarantee, has shut down after Telegram banned thousands of related accounts. This underground marketplace operated openly on Telegram, facilitating over $27 billion in illicit transactions, mainly using Tether. Vendors offered services like money laundering, victim data and even tools used in forced labor at scam compounds in Southeast Asia. The takedown followed an investigation by crypto tracing firm Elliptic and media inquiries by Wired. Another market, Xinbi Guarantee, was also banned but may attempt to relaunch. Telegram's crackdown is seen as a major victory against online fraud, though experts warn these groups may shift to other platforms. The operation's ties to powerful Cambodian elites underscore the challenge of dismantling such networks elsewhere.

German police have seized the crypto platform eXch, also called Exchange, and over $30 million in digital assets linked to money laundering in the $1.46 billion Bybit hack. Authorities acted swiftly after eXch announced plans to shut down amid pressure from law enforcement. The platform had rejected Bybit's request to freeze stolen funds later traced by Elliptic to North Korea's Lazarus Group. Launched in 2014, eXch processed about $1.9 billion in crypto and operated on both the clearnet and the darknet.

The Consumer Financial Protection Bureau has withdrawn a proposed rule aimed at curbing data brokers from selling sensitive personal information without consent. Initially introduced to combat commercial surveillance and protect national security, the rule would have required brokers to obtain consent before sharing data like Social Security numbers and financial histories. Acting CFPB Director Russell Vought said the move aligns with revised policies and interpretations of the Fair Credit Reporting Act. Critics, including privacy advocates and veterans groups, argue the rollback protects corporate interests at the expense of public safety and national security. They warn that data brokers continue to endanger Americans, particularly military personnel, by enabling scams, surveillance and blackmail. The rule's cancellation follows a broader downsizing of the CFPB under President Trump's administration and pressure from fintech industry lobbyists.

Across the pond, the Belgian Court of Appeal has ruled the Transparency and Consent Framework used by Google, Amazon, Microsoft and others to justify online tracking is illegal under the GDPR. The court upheld a 2022 decision by the Belgian Data Protection Authority confirming multiple violations, including failures to secure data, properly obtain consent and ensure transparency. The Transparency and Consent Framework underpins the tracking-heavy real-time bidding advertising system and is active on 80% of the web. Critics, led by Dr. Johnny Ryan of the Irish Council for Civil Liberties, say tech firms use deceptive consent pop-ups to mask widespread data misuse. The ruling applies across Europe and pressures the ad industry to move away from surveillance-based models. The court also found IAB Europe, which created the TCF, violated GDPR, although not for actions within the RTB protocol itself.

A cyber espionage campaign called Operation RoundPress, likely run by the Sednit group, also known as APT28 or Fancy Bear, is targeting vulnerable webmail servers like Roundcube, Horde, MDaemon and Zimbra to steal sensitive email data. Researchers from WeLiveSecurity reveal attackers use spear phishing emails to exploit cross-site scripting flaws, including a zero-day in MDaemon. The payloads, dubbed SpyPress, steal credentials, emails and contact lists and can bypass two-factor authentication. Some even set up malicious mail forwarding rules for persistent access. Targets are primarily defense and government entities in Ukraine, Eastern Europe and globally. SpyPress variants are obfuscated and communicate with hard-coded C&C servers. The campaign underscores the continued targeting of outdated or unpatched webmail systems in cyber espionage, particularly during times of geopolitical tension like the war in Ukraine. Security experts urge regular patching and phishing awareness to mitigate these risks.

Google warns that hackers tied to the Scattered Spider group, known for crippling UK retailers like M&S, are now targeting US retail companies. These attackers are skilled at bypassing strong cybersecurity defenses and tend to focus on one industry at a time. Scattered Spider has also been linked to past breaches of MGM Resorts and Caesars Entertainment. US retail security groups are actively monitoring the threat, with Google helping coordinate briefings to prepare major companies like Costco, McDonald's and Lowe's.

The largest U.S. steelmaker, Nucor, temporarily shut down some operations following a cybersecurity incident involving unauthorized access to its IT systems. The company activated its incident response plan, took affected systems offline and is working to restore operations. While Nucor didn't specify which facilities were impacted, it emphasized the shutdown was precautionary. With 300 sites and 25,000 employees, Nucor is a major global player.

Coming up after the break, my conversation with Devin Ertel, Chief Information Security Officer at Menlo Security. We're discussing redefining enterprise security and the long and the short of layoffs. Stay with us.

And now a word from our sponsor, ThreatLocker. Keeping your system secure shouldn't mean constantly reacting to threats. ThreatLocker helps you take a different approach by giving you full control over what software can run in your environment. If it's not approved, it doesn't run. Simple as that. It's a way to stop ransomware and other attacks before they start, without adding extra complexity to your day. See how ThreatLocker can help you lock down your environment at www.threatlocker.com.
Dave Bittner
Let's be real. Navigating security compliance can feel like assembling IKEA furniture without the instructions. You know you need it, but it takes forever and you're never quite sure if you've done it right. That's where Vanta comes in. Vanta is a trust management platform that automates up to 90% of the work for frameworks like SOC 2, ISO 27001 and HIPAA, getting you audit-ready in weeks, not months. Whether you're a founder, an engineer or managing IT and security for the first time, Vanta helps you prove your security posture without taking over your life. More than 10,000 companies, including names like Atlassian and Quora, trust Vanta to monitor compliance, streamline risk and speed up security reviews by up to five times. And the ROI? A recent IDC report found Vanta saves businesses over half a million dollars a year and pays for itself in just three months. For a limited time, you can get $1,000 off Vanta at vanta.com/cyber. That's v-a-n-t-a dot com slash cyber.
Interviewer
It is my pleasure to be joined here at RSAC conference by Devin Ertel, who is the Chief Information Security Officer at Menlo Security. Devin, welcome.
Devin Ertel
Thank you. Thank you for having me.
Interviewer
My pleasure. So before we dig into our topics today, it's a busy RSA. Anything in particular you're looking forward to as you walk the show floor?
Devin Ertel
You know, I check out vendors, just, you know, like everyone else here doing that. I like hearing strategies. Usually you will find topics that are going to be, they're up and coming, and what people are thinking about, and you have like a mind share here. And I'll be interested to see how many times people say agentic while I'm here.
Interviewer
Yes, yes. It's funny. We were joking about how like we're sort of on the trailing edge of the hype cycle for AI, but now we've added the word agentic, so we're back up again.
Devin Ertel
I feel like I heard it like two months ago now. I've heard it a thousand times already. Absolutely.
Interviewer
Well, let's talk about enterprise security. I mean, for folks who are not familiar with the types of things you and your colleagues at Menlo do, can you give us just a brief overview?
Devin Ertel
Yeah. So Menlo started over 10 years ago in the remote browser isolation space, so securing the web. So when users are going out and browsing stuff, if there's a compromised website or something's going on, we actually have our own cloud browser where everything executes there. We re-render to make everything safe for the user. Since then we have added many more features, and you can almost say it's what we're calling now Workspace Security. But yeah, so they've been in the browser. There's a lot of browser experts that know way more about the browser than I do there. But it's kind of crazy to think about, like 10 years ago, I don't think we thought we'd be using the browser as much as we do now. Like I'm literally in a browser that's basically...
Interviewer
Yeah, I mean, I think it's central to most people's computing experience. Certainly on the desktop.
Devin Ertel
Yes.
Interviewer
Yeah.
Devin Ertel
You know, before we had thick clients and you know, all this stuff. But now, yeah, it's kind of crazy how that's changed so much.
Interviewer
So help me understand, for folks who aren't familiar with it, this kind of browser, how does it differ from the day to day browser that I'm using that comes with my computer?
Devin Ertel
Well, the beauty about Menlo is that no one would even know. You use your browser and we add the protections, so your user wouldn't even know that all these protections are there. There might be some things like, hey, you're downloading malware, we stopped it. Right. So they might see things like that. But in the day-to-day use, you wouldn't even know that it's even happening. Which, as a security practitioner myself, the beautiful solutions, your end user should never know. Right. You do not want to be a hindrance, you want to be able to let the business run. So that's a good thing, right? Yeah, yeah, yeah. So we, tech-wise, we integrate with Chrome, you can put us as a proxy and get those. And you can put us in front of applications, where we're kind of transparent to the user. This, this word...
Interviewer
I've heard of, I think to pre detonate things.
Devin Ertel
So yeah, so think sandbox when you know. Yeah, absolutely.
Interviewer
Well, what are some of the obstacles that you find some of your customers are facing here when they're, when they're coming to you and saying, hey, we think this might be a good fit for us. What problems are they trying to solve?
Devin Ertel
So yeah, so of all the feature sets, with the beginning one, I think everyone was trying to solve, like, users going and downloading malware. Right. Like that's like a very common thing. And that's what the remote browser isolation does. What's happening now is we kind of flip it on its head and we put the isolation in front of applications. I like to call it like a WAF on steroids. So we protect the application itself, and then we protect the end user. What if you have a contractor? Normally a six-month contractor comes in, you give them a whole laptop, and then you gotta go get the laptop back. Sending the laptop and getting the laptop is hard enough in itself. With this new solution, you basically can put all these controls in. Oh, you don't wanna let them download anything? You can't download anything when you go to this app. Oh, you don't wanna upload anything? You can't do that. You can watermark it to make sure they can't screenshot things. You can essentially lock in this application and ensure that nothing reaches the endpoint, because you can't really trust that endpoint, being that you don't have it.
Interviewer
And is this outside or inside of the browser?
Devin Ertel
All in the browser.
Interviewer
It's all in the browser, yes.
Devin Ertel
You can put all these protections in place without having to procure a whole laptop with EDR on it with all these security controls. And it's zero trust. Right. And you can manipulate, you can even manipulate the page. I don't want them to see the comments section of this. So I, you know, it's just, it's very, very tuning.
Interviewer
You can actually go into the pages they're visiting and restrict.
Devin Ertel
Yes.
Interviewer
Yeah. Oh, that's fascinating.
Devin Ertel
And since it's in the cloud, they have no, they can't change it. If it was on the endpoint, the user can fiddle if they're technical enough.
Interviewer
And I suppose, I mean, for, like, you mentioned a contractor. If someone wants to be in, like, a BYOD position, the person doesn't have to... The security professional doesn't have to be in charge of the device.
Devin Ertel
Yes.
Interviewer
Because they have control of the browser.
Devin Ertel
Yes. And it can be a pain. Shipping a laptop. Sure. Building it and getting it back, I.
Interviewer
Think is the part that, you know.
Devin Ertel
Right. It is getting it back. You're absolutely right.
Interviewer
We really need it back. Yeah, absolutely.
Dave Bittner
Yeah.
Interviewer
Well, let's touch on the hot topic, which is AI, of course. How does that play into any of the things that you all are doing?
Devin Ertel
So, yeah, so that's what we're using. We have a couple of things that we're using, like computer vision AI, and that would be protecting, like, credential compromise. So a phishing email comes in, they mimic your Okta page or whatever, your Microsoft O365 page, steal your credentials. Right. This would detect that, basically using computer vision, knowing, hey, this is not the O365 website, but it has your logo, it has this on there. This seems a little off. It would just immediately... I think we call it zero-hour detection. Like it would immediately detect it, even if categorization, you know, it wasn't labeled bad yet. And a lot of times what the actors do is they just bring up a site for a little bit and then, you know, and... Right. Or put it up, let it be under the radar, get a good categorization, and then... So then you can phish people onto it. That's one way. The other way, which we're really looking into, is with data. And that's where workspace security comes into play. I always say, like, back in the day, you know, I don't want to age myself here, but we had mainframes and databases.
Interviewer
Sure.
Devin Ertel
We could put our arms around it. All right.
Interviewer
That's right. I want to hug my server.
Devin Ertel
Yes. And we put all, we did, I think as a security industry, we did a great job with all the firewalls, with the detonation before things come in. But now I really feel like the COVID era kind of kicked that up. Like the digital transformation and all that. There's so many SaaS tools, there's so many, like, messaging apps. And data is just all over the place now. Right. So we're looking at AI to automatically detect data, whether or not you labeled it correctly. Like a lot of people, they try to go around and put the labels on. You know, someone can forget that label. There's a lot of things that can go wrong with that, where AI can come in, see, oh, there's a whole bunch of Social Security numbers on this document, are you sure you want to email it to this person? And detect it in real time, redact, and let it go through.
Interviewer
Right. So I mean, you have the opportunity to kind of save the users from themselves. The errors.
Devin Ertel
Yes.
Interviewer
Unintentional sharing of things.
Devin Ertel
And if they actually wanted a document back, they can, you know, if like this. So that's what we're looking at now. And that's what we're calling workspace security. It's like the modern thing where the browser is and there's all these like backend API calls. Like data is spread out a lot and a lot of people do not know where it is. It's. It's a hard thing to do. It's a challenge right now.
Interviewer
Yeah. Well, I think for a lot of people, ignorance is bliss. You know, how do you sleep at night?
Dave Bittner
I don't know what's going on behind the scenes.
Devin Ertel
Yeah.
Interviewer
I trust people like you to know what's going on behind the scenes.
Devin Ertel
So.
Interviewer
Well, let's touch on zero trust. Cause that's an important part of the equation as well. What do you all have? What's your relationship with zero trust?
Devin Ertel
Yeah. So with a couple of our products, I always like to say, with the browser, when people are browsing the web in general, you're not even trusting the web. Right. So that's not... It's a different take on zero trust. But I do like to say that the other one, when I said it, we flipped it on the other side, is so when you give that contractor that app, back in the day, we used to have to use VPNs. Right, right. And you are essentially tunneling them into your corporate underbelly, I call it, because the controls get weaker as you go in, usually on these big organizations. In fact, I used to be a pen tester for many years. And when I compromised something and I could go through a VPN, I was like, game is over now.
Interviewer
Because the assumption is there's enough protection with the VPN that if you've made it past the vpn now, you got.
Devin Ertel
To tunnel into it.
Interviewer
We trust you. Yeah.
Devin Ertel
We got to tunnel into the network. And then you just pivot on the other things.
Interviewer
Sure.
Devin Ertel
Where this, you're giving access to a single app, you're not going anywhere but that app. So, and then, like I said, you can put a ton of other protections around there to protect that app itself, so they can't go elsewhere. So that is, like, the zero trust in my mind. I mean, I've been in organizations where we are always trying to, like, micro-segment everything. And I know there's a lot of solutions for that, but that's really challenging, understanding where every server is talking to what and trying to zero trust it that way. This is always taking an approach of zero trust at the door, where you can't even get in anywhere. And then you basically are just zero trusting that user to that app. You know, provide the security controls, provide the visibility of what they're doing, provide the ability to quickly cut it off if needed. So that is our play, which we call SAA, Secure Application Access, essentially is what that is.
Interviewer
The folks who are experiencing success with this sort of, with this approach.
Devin Ertel
Yeah, right.
Interviewer
The thing that you are saying, we think this is the way to go at it. What does that look like for them? What are the things they're enjoying by embracing this approach?
Devin Ertel
Well, one like the use case I used earlier, you know, being a contractor, that or bring your own device, you brought that up. Like even your phones, you can do that. You can literally say, okay, so you're allowing people to have their own phone, but maybe you shouldn't access the code base or maybe you shouldn't access the cloud infrastructure, but I will allow you to access, I don't know, the lunch menu.
Interviewer
Right, right, okay, sure.
Devin Ertel
So you have that ability. You can really get granular with this stuff. And so with bring your own device and that. And I can tell you the one thing that a lot of people, I think, is overlooked is the actual security it's putting on the application itself. As a former pen tester: attacking the app, you get access, and then you attack the app, you get access to the host, the end user, then you attack the app. A WAF, a web application firewall, is really hard to manage. It's a lot of rules, a lot of false positives. This is plug and play. Like they cannot see or do or alter any of the requests that come into the application. So doing the SQL injection is next to impossible, unless you somehow figure a way to do it in the form and individually. So you're really protecting the app. What also you're doing, so what attackers are doing now is, so everyone's going on the FIDO two-factor authentication, because the attackers figured out how to push bomb on phones, they figured out how to phish the one-time codes. So now what they're doing, as people are using FIDO, which is a much more secure two-factor, they're just taking the cookie. So think, when you authenticate via FIDO, right, it's like, okay, well, I'll take this cookie now, and then I'll go and access it. With this solution, the cookie actually never also touches the endpoint. So if that endpoint was compromised, they're not going to be able to get that authentication cookie and bring it somewhere else and then gain access. So you really are zero trusting that device. I mean, you're locking it down quite a bit without having a whole bunch of agents and EDR and all that. You don't need all that stuff. I'm not saying you don't need EDR. I believe that's a foundational thing. But...
Interviewer
Yes, well, but when you all are designing and deploying this product, how do you balance for your users ease of use with powerful options?
Devin Ertel
Right, Absolutely. Well, internally, you know, I say we're customer zero and we literally everything that we build, we put out in our company. So sometimes I have made users unhappy. So. Okay. Which Jen gives feedback and we change things like that. So there are things you can do. So you could say you want Okta to be that factor and then there's a cloud browser login that happens after the fact that you can loosen those controls because you have the door in front of that. That is the Okta and the Fido and your, your password rotation and whatever you're doing. I see authentication security wise. And then that allows you into the gate to actually app access the cloud browser.
Dave Bittner
Okay.
Devin Ertel
So. So you can leave, you can, you know, depending on your use case. And, you know, if you're in a big government and very sensitive, you might not want to. It all depends on your company and its risk appetite, on that one, of how you want to turn and crank those levers.
Interviewer
Yeah. Where do you suppose this is all heading? I mean, we were talking about how the browser is central to most people's desktop computing experience. Is this the future, not having, you know, that soft underbelly on your machine available, do you think?
Devin Ertel
I would love for that. As a security professional, I would love everyone to have a Chromebook.
Interviewer
Yeah. Right.
Devin Ertel
But it's a cultural shift. In fact, I was just talking to another practitioner. There's a joke where it's like, to pay a bill, you know, the old school, we have to open up the laptop, we don't bring out the phone. And I'm still that way. Right. So that's right.
Dave Bittner
That's right.
Devin Ertel
So there's always a cultural shift. But for many people, besides an engineer that is, like, coding, that's going to take a bigger cultural shift. So, like, a salesperson or a marketing person, I think a Chromebook will be fine. The amount of stuff you can do in a web browser, which they already do, you know, if you see their laptops, it's just a Chrome page with a thousand tabs open.
Interviewer
I'm with you. You know, I'm sure our listeners have heard me talk about when it was time to outfit my elderly father with a computer, and he'd been a Mac user for many, many years. But there was a time when Chromebook, for my sake...
Devin Ertel
Yeah, it was like troubleshooting.
Interviewer
Yeah, yeah. It was just, you know, it's kind of. Kind of bulletproof for the simplicity, fit the user case, you know, in that particular case.
Devin Ertel
Yeah, I think, I think that's where it's going. Which. The interesting thing is Chrome Safari, you name the browser. Yeah, they're a user. They're not like a corporate application. Right. And we haven't put the protections in place. And that's where Menlo has come in and said, okay, use your browser. Let us put a little more security on.
Dave Bittner
And.
Devin Ertel
And Chrome is doing stuff where they're continually adding, but you have a little more control over it rather than just being some, 'cause we... It's basically an operating system now.
Interviewer
Yeah, absolutely. All right. Well, Devin, thank you so much for.
Devin Ertel
Today to get with you. Absolutely, absolutely.
Dave Bittner
What's the common denominator in security incidents? Escalations and lateral movement. When a privileged account is compromised, attackers can seize control of critical assets. With bad directory hygiene and years of technical debt, identity attack paths are easy targets for threat actors to exploit, but hard for defenders to detect. This poses risk in Active Directory, Entra ID and hybrid configurations. Identity leaders are reducing such risks with attack path management. You can learn how attack path management is connecting identity and security teams while reducing risk with BloodHound Enterprise, powered by SpecterOps. Head to specterops.io today to learn more. SpecterOps: see your attack paths the way adversaries do.

And finally, layoffs are hitting the cybersecurity sector hard this summer, with major players like Microsoft and CrowdStrike slimming down despite healthy profits. Microsoft recently let go of 6,000 employees, many in tech roles, as it shifts more investment into AI. CrowdStrike trimmed 500 positions while announcing record earnings. The message seems to be: automation is in, and human jobs are negotiable. But behind the financials are real people, skilled professionals who've spent years building defenses, now finding themselves out of work. And the ripple effects aren't just personal. Experts warn that sudden layoffs, especially in cyber teams, can carry serious security risks. Departing employees may, intentionally or not, walk out with sensitive data, and stretched-thin security teams may miss emerging threats. As SANS Institute's Rob T. Lee puts it, you're not just losing people, you're losing the people who know how to stop attacks. Companies might see cost savings now, but the long-term bill could come in the form of a breach headline. And nobody wants that.

And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.

Worried about cyber attacks? CyberCare from Storm Guidance is a comprehensive cyber incident response and resilience service that helps you stay prepared and protected. A unique onboarding process integrates your team with industry-leading experts, so if an incident occurs, your response is optimal. Get priority access to deeply experienced responders, digital investigators, legal and crisis PR experts, ransom negotiators, trauma counselors and much more. The best part? 100% of unused response time can be repurposed for a range of proactive resilience activities. Find out more at Cyber Care Cyberwire.
Podcast Summary: CyberWire Daily – Episode on Bypassing BitLocker Encryption
1. Introduction and News Highlights
In this episode of CyberWire Daily, host Dave Bittner delivers a comprehensive update on the latest cybersecurity news before delving into an in-depth interview with Devin Ertel, Chief Information Security Officer at Menlo Security. The initial segments cover critical vulnerabilities, market shutdowns, regulatory changes, and ongoing cyber espionage activities.
Google Chrome Vulnerability ([02:30]):
Google has issued an emergency patch for a high-severity flaw in the Chrome browser that could allow full account takeovers. Discovered by Solidlab researcher Vsevolod Kokorin, the vulnerability arises from weak policy enforcement in Chrome's Loader component, enabling attackers to leak sensitive cross-origin data via malicious HTML; in authentication flows, manipulated referrer policies can expose OAuth tokens. Google confirmed the existence of a public exploit, indicating potential active abuse. The fix is being rolled out in the latest Chrome version across all platforms, and users are advised to update immediately rather than wait for the next automatic restart.
Microsoft BitLocker Bypass ([05:15]):
A newly revealed vulnerability in Microsoft BitLocker allows attackers to bypass encryption in under five minutes using a software-only method dubbed BitPixie. The exploit targets systems lacking pre-boot authentication, and a public proof of concept is available. Unlike hardware-based attacks, BitPixie extracts BitLocker's volume master key (VMK) entirely through software, by exploiting a flaw in the Windows bootloader during PXE soft reboots. Experts strongly recommend enabling pre-boot authentication so that the VMK is not released without user input.
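The mitigation above is a configuration check a Windows administrator can script. The following is an added example, not code from the podcast, from Microsoft, or from the BitPixie researchers: it uses the built-in BitLocker PowerShell module to list every operating-system volume whose only key protector is the TPM (no PIN or startup key), which is exactly the configuration in which the VMK is released at boot without any user interaction. The function names Get-BitLockerPreBootStatus and Enable-BitLockerPreBootPin are this example's own; the script assumes an elevated session on a machine with the BitLocker module.

```powershell
# Added example (not from the podcast or any vendor): audit BitLocker OS volumes
# for missing pre-boot authentication and optionally add a TPM+PIN protector.
# Assumes: elevated PowerShell, BitLocker module present (Windows 8+/Server 2012+).

function Get-BitLockerPreBootStatus {
    [CmdletBinding()]
    param()

    # Protector types that stop the boot process until a user supplies something.
    # TpmPin / TpmStartupKey / TpmPinStartupKey are the TPM-backed forms;
    # Password / ExternalKey cover machines configured without a TPM.
    $preBootTypes = @('TpmPin', 'TpmStartupKey', 'TpmPinStartupKey', 'Password', 'ExternalKey')

    foreach ($vol in Get-BitLockerVolume) {
        # Only OS volumes matter here: data volumes are unlocked after the OS
        # (and its policy) is already running, so the bootloader is not involved.
        if ($vol.VolumeType -ne 'OperatingSystem') { continue }

        $types      = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $hasPreBoot = @($types | Where-Object { $preBootTypes -contains $_ }).Count -gt 0
        $tpmOnly    = ($types -contains 'Tpm') -and (-not $hasPreBoot)

        $finding = if ($vol.ProtectionStatus -ne 'On') {
            'Protection not enabled'
        } elseif ($tpmOnly) {
            'TPM-only: VMK released at boot without user input'
        } else {
            'OK'
        }

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            ProtectionStatus = $vol.ProtectionStatus
            Protectors       = ($types -join ', ')
            PreBootAuth      = $hasPreBoot
            Finding          = $finding
        }
    }
}

function Enable-BitLockerPreBootPin {
    # Adds a TPM+PIN protector to the OS volume; BitLocker replaces the existing
    # TPM-only protector, so the VMK is no longer unsealed without the PIN.
    param(
        [Parameter(Mandatory)][securestring]$Pin,
        [string]$MountPoint = $env:SystemDrive   # usually "C:"
    )
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin
}

# Usage: report first, then remediate only the volumes flagged as TPM-only.
$report = Get-BitLockerPreBootStatus
$report | Format-Table -AutoSize

# Example remediation (prompts for the PIN rather than embedding it in a script):
# $pin = Read-Host -AsSecureString 'New BitLocker startup PIN'
# $report | Where-Object { $_.Finding -like 'TPM-only*' } |
#     ForEach-Object { Enable-BitLockerPreBootPin -Pin $pin -MountPoint $_.MountPoint }
```

Two caveats a practitioner should expect: Add-BitLockerKeyProtector with -TpmAndPinProtector fails with a Group Policy error unless the "Require additional authentication at startup" policy permits a startup PIN, so that policy has to be set (locally or via GPO) before the remediation step; and a RecoveryPassword protector, which almost every volume has, is not counted as pre-boot authentication because it is an escrowed fallback rather than a check performed on every boot.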
Shutdown of Huawang Guarantee Black Market ([07:45]):
The Chinese-language black market known as Huawang Guarantee has been dismantled following Telegram's ban of thousands of related accounts. Facilitating over $27 billion in illicit transactions, primarily using Tether, the marketplace offered services such as money laundering and tools for forced labor in Southeast Asia. The operation's takedown was spearheaded by crypto tracing firm Elliptic and media investigations by Wired. Another market, Jinbe Guarantee, was also banned but may seek to relaunch.
CFPB Cancels Data Broker Regulations ([10:00]):
The Consumer Financial Protection Bureau (CFPB) has withdrawn a proposed rule aimed at restricting data brokers from selling sensitive personal information without consent. The rule was originally intended to combat commercial surveillance and protect national security. Its withdrawal has drawn criticism from privacy advocates and veterans' groups, who argue that the rollback endangers Americans by facilitating scams, surveillance, and blackmail.
Belgian Court Ruling on Privacy Frameworks ([12:00]):
The Belgian Court of Appeal has ruled that the transparency and consent frameworks used by major tech companies like Google, Amazon, and Microsoft to justify online tracking are illegal under the GDPR. The court upheld a 2022 decision by the Belgian Data Protection Authority, citing multiple violations, including inadequate data security and deceptive consent practices. This ruling has significant implications for the advertising industry across Europe.
2. Featured Interview: Devin Ertel, CISO at Menlo Security ([14:02] - [29:52])
Dave Bittner welcomes Devin Ertel to discuss redefining enterprise security, focusing on Menlo Security’s innovative approaches and the broader implications for the cybersecurity landscape.
a. Redefining Enterprise Security ([14:13] - [16:08])
Devin Ertel outlines Menlo Security's evolution from remote browser isolation to what they term "Workspace Security." Originally focusing on securing web browsing by executing all browser activities in the cloud, Menlo Security now offers comprehensive protections that extend to application access and data handling.
b. Remote Browser Isolation and Workspace Security ([16:19] - [19:04])
Ertel explains how Menlo Security's cloud-based browser ensures that users remain unaware of the underlying security processes, providing seamless protection without hindering user experience. By isolating the browser, the company prevents malware downloads and other threats from reaching the endpoint.
c. Addressing Contractor and BYOD Challenges ([17:23] - [19:22])
Ertel discusses the complexities of managing contractor access and Bring Your Own Device (BYOD) policies. Menlo Security offers granular controls within the browser to restrict actions such as downloading or uploading data, watermarking sensitive information, and ensuring that no data reaches potentially compromised endpoints.
d. Integration of AI in Security Solutions ([19:45] - [22:07])
The conversation shifts to the role of Artificial Intelligence in enhancing security measures. Menlo Security leverages AI for tasks like computer vision to detect phishing attempts and real-time data detection to prevent accidental data leaks. Ertel emphasizes the importance of AI in automatically identifying sensitive information and mitigating threats without relying solely on user-initiated labeling.
e. Zero Trust Architecture ([22:25] - [27:47])
Ertel elaborates on Menlo Security's Zero Trust approach, which focuses on securing application access rather than the entire network. By restricting access to individual applications and implementing stringent security controls, Menlo minimizes the attack surface and prevents lateral movement within the network.
f. Balancing Usability with Security ([26:47] - [28:25])
Ertel discusses the challenge of maintaining user-friendly interfaces while implementing robust security measures. Menlo Security adopts a customer-centric approach, continuously refining their solutions based on internal usage and feedback to ensure that security enhancements do not disrupt the user experience.
g. Future of Browser-Based Security and Cultural Shifts ([28:25] - [29:52])
Looking ahead, Ertel envisions a future where locked-down, browser-centric devices such as Chromebooks become the norm, simplifying security management by centralizing protections within the browser. He acknowledges the cultural shift required for broader adoption, especially beyond technical roles, but remains optimistic about the transition.
3. Closing Remarks and Industry Insights
After the interview, Dave Bittner provides additional insights into the cybersecurity landscape, highlighting the importance of attack path management and addressing the recent wave of layoffs in the sector.
Attack Path Management:
Bittner underscores the critical role of attack path management in identifying and mitigating risks associated with compromised privileged accounts. Tools like BloodHound Enterprise by SpecterOps are mentioned as essential for connecting identity and security teams to reduce vulnerabilities.
Impact of Layoffs on Cybersecurity ([29:38] - [29:52]):
The episode concludes with a discussion on the significant layoffs in major cybersecurity firms such as Microsoft and CrowdStrike. Despite strong financial performances, these companies are reducing their workforce to allocate more resources toward AI initiatives. Experts warn that such layoffs could weaken organizational defenses, as experienced professionals are lost, potentially leading to increased security risks.
4. Conclusion
This episode of CyberWire Daily effectively combines timely cybersecurity news with an insightful interview on enterprise security innovations. Devin Ertel's discussion on redefining security through Zero Trust and Workspace Security offers valuable perspectives for organizations looking to enhance their defenses in an evolving threat landscape. Additionally, the coverage of current industry challenges, such as vulnerability patching and workforce reductions, provides listeners with a comprehensive understanding of the multifaceted nature of cybersecurity today.
Notable Quotes with Timestamps
"The beauty about Menlo is that no one would even know you use your browser and we add the protections so your user wouldn't even know that all these protections there might be some things like, hey, you're downloading malware, we stopped it." – Devin Ertel ([16:38])
"With this new solution, you basically can put all these controls in. Oh, you don't wanna let them download anything. You can't download anything when you go to this app." – Devin Ertel ([18:24])
"We're looking at AI to automatically detect data whether or not you labeled it correctly. Like a lot of people, they try to go around and put the labels on." – Devin Ertel ([20:49])
"We're just zero trusting that user to that app. You know, provide the security controls, provide the visibility of what they're doing, provide the ability to quickly cut it off if needed." – Devin Ertel ([24:07])
"I would love for everyone to have a Chromebook." – Devin Ertel ([28:10])
"You're not just losing people, you're losing the people who know how to stop attacks." – Dave Bittner ([29:45])
Additional Information
For more details on the topics discussed in this episode, including the latest cybersecurity threats and defense strategies, visit The CyberWire. To stay updated, subscribe to the CyberWire Daily podcast on your favorite platform and join the conversation with industry experts shaping the future of cybersecurity.