Plan-B Security
Author: Mike Mackintosh
© Mike Mackintosh
Description
Things don't always go according to plan, but they also don't have to go perfectly. Having a Plan B is all about being prepared for the unexpected and knowing how to stay cool under pressure. The Plan B Security Podcast is here to keep you thinking about the unexpected things in security, giving you perspective from the technology side, the business side and the backside.
DISCLAIMER: Views are my own and not that of my employer.
Plan-B Security is a registered trademark.
37 Episodes
Great Scott, we've seen this before. If you could climb into a DeLorean and travel back through your organization's identity management history, you'd find the same pattern repeating at every stop. 2014: overprivileged Active Directory service accounts. 2017: Hadoop credentials nobody remembers creating. 2021: Tray.io integrations that are "too risky to rotate." Different year. Same mistake. And if my calculations are correct, your AI agents are about to become the next entry in this timeline. In this episode, we'll fire up the flux capacitor and take you on a tour through twenty-five years of IAM failures. From Operation Aurora through SolarWinds to the no-code revolution. The lesson? We keep traveling back to the same problems because we never actually fix them. We just give them new technology to hide behind.
MCP promised to be the USB-C of AI agents, a universal bridge to your tools, APIs, and data. But when the setup docs tell you to copy cookies out of Chrome DevTools and paste them into plaintext config files, something has gone very wrong. This episode traces a year of MCP security breaches from tool poisoning to full supply chain compromise, unpacks the IDE vulnerabilities turning developer laptops into open doors, and makes the case that credential brokers, not user discipline, are the architectural answer. If your AI agents hold raw OAuth tokens, this one's for you.
In 1983, Ken Thompson warned us: you can't trust code you didn't write yourself. Forty-two years later, a worm called Shai-Hulud proved him right after compromising thousands of packages in hours. Software supply chain attacks aren't just theoretical anymore; they're automated, self-replicating, and could be spreading through the packages your team installed this morning. We break down the s1ngularity and Shai-Hulud campaigns, explain why attackers target developers differently than customers, and give you seven things you can do this week to stop being an easy target.
AI systems are all the buzz - and for good reason! The productivity gains are real! But do the risks outweigh the gains? Every AI agent you deploy has three capabilities: what it can see, what it can access, and what it can do. Combine all three, and you've handed attackers a skeleton key. In this episode, we dig into Meta's Agents Rule of Two framework and show you exactly how to build customer service bots, fraud detection systems, and inbox assistants that can't be weaponized.
Join us as we explore the treacherous waters between perfect security planning and real-world implementation. Drawing surprising parallels between the Battle of Trafalgar's communication challenges and modern cybersecurity struggles, we dive into seven critical security initiatives that often fail even the most capable companies. From zero trust architecture to passwordless authentication, we examine why brilliant ideas sometimes sink faster than a lead anchor - and more importantly, how to keep them afloat. The perfect intersection of historical insight and modern security challenges, this episode reminds us that sometimes the best security strategy isn't the most elegant – it's the one your team can actually execute.
In this hoot of an episode, we've taken a nocturnal flight through the fascinating world of User Behavior Analytics, guided by the wisdom of our feathered friends, the owls. Just as these majestic birds use their UV-powered pick-up lines to find the perfect mate, we've explored how UBA can help you find the perfect balance between trusting your users and verifying their actions. You'll walk away with a toolkit full of insights on implementing UBA in Okta, turning your security system into a wise old owl that can spot a rat from a mile away. Whether you're dealing with midnight oil burners or potential security breaches, you'll be equipped to handle it all with the grace of an owl gliding through the digital forest.
Discover how to navigate the rich landscape of open source, from safely integrating external code to contributing your own digital harvest back to the community. Learn practical strategies for implementing a robust Software Bill of Materials (SBOM), managing dependencies, and governing your open source program effectively. Explore the parallels between autumn's vibrant farm stands and the diverse ecosystem of open source projects, and gain insights on balancing innovation with security. Whether you're a seasoned tech farmer or just starting to cultivate your digital fields, this episode offers a cornucopia of actionable advice to help your organization reap the benefits of open source while mitigating potential risks.
In this thrilling episode of Plan B Security, we're diving headfirst into the treacherous Legal Labyrinth of cybersecurity. Picture this: You're a valiant CISO, armed with firewalls and patched systems, suddenly faced with a dragon named "Negligence" breathing hot legal fire your way. We'll guide you through this maze of bits, breaches, and bureaucracy, showing you how to slay the beast of data negligence and rescue Princess Data from the clutches of cybercriminals and overzealous attorneys general. From the perils of leaving your claims file on the digital equivalent of a park bench (we're looking at you, Harleysville Insurance!) to the pitfalls of playing ostrich with your head in the sand, we'll equip you with the knowledge to navigate the murky waters of FTC actions, state AG smackdowns, and the ever-looming specter of privilege waiver. So grab your digital sword and shield, and join us on this quest to keep your data safe and your legal team off your back. Remember, in the realm of cybersecurity, there's always a Plan B!
Build vs Buy is a tale as old as time - something every business leader has been challenged with deciding. In this episode, we talk about five scenarios in which building or buying makes sense, not just from a security perspective but also from a procurement and data privacy perspective. From building your own SIEM to data sharing platforms, we talk about our own experiences and when constraints help you go faster or when they'll slow you down.
Whether you're a big or small company, or maybe even a solo entrepreneur, third-party risk management is a key part of your business staying secure. In this episode, we talk about a few ways to get ahead of all the international regulations that require compliance with third-party risk programs. As you listen, be sure to pause and apply some of the key concepts to your own business, whether it's data mapping or risk mapping to and from a vendor. So grab your favorite snack and your favorite beverage and let's get ready to have a party.
Security Controls can make or break a business - it could be the difference between going fast or screeching to a halt. Learn how we can use industry data from Marsh McLennan (link at the bottom) to help quantify and justify which controls we should invest in first, and how all the controls in the world may just end up backfiring. Be sure to take a few moments to think through the thought exercises to help bring some of these lessons to your organization whether you're an employee, in management or an executive.
https://www.marshmclennan.com/news-events/2023/april/groundbreaking-research-from-marsh-mclennan-reveals-direct-link-.html
Pace of Action is all about understanding how fast, or how slow, you should be moving. It is a concept that applies to everything from handling tickets and defining an SLA to incident response. Take a server offline to mitigate a malware-based attack and lose forensics information? That's a tough one. But, you can learn how to make a thoughtful and informed decision by defining your pace of action.
Sometimes it feels like there's a war happening between the Product/Eng and Security/Privacy teams. Speed vs Stability can make or break a business. Not getting a feature out fast enough? You could lose the market edge. The service constantly going down? The only thing you'll grow are detractors. Listen to this tale of how to apply security principles using things like tests and data presentation layers to build a compromise between these conflicting teams, and grow your impact at the business!
Join us in celebrating not just our first podcastiversary, but also a great perspective on growing a security mindset. Learn how to start good habits, just like waking up when your alarm goes off. Building strong security habits in yourself allows you to grow those around you. Like a plant, you must water and find your purpose first, before you can inspire. Sometimes, you can inspire yourself through trying to inspire others, using techniques like learning together. Lastly, learn how to apply a choice-driven discipline in your day-to-day personal and professional life as well. While there's a lot you can't control, the only true limitation is yourself.
Everyone has heard that a picture is worth a thousand words. In lieu of a picture, data visualizations tell the story for the author. Sometimes, it's what the data shows that's most important. Sometimes, it's what the data is missing that speaks louder. Come along for this quick lightning round on direct and indirect data and the dangers that hide within.
Everyone always asks for a piece of advice when it comes to getting started in infosec. The problem is, everyone is different. My story started when I was a young kid, because I wasn't into sports, comics, sci-fi or dragons. I just wanted to make computers do the cool things I always thought of. So, in this episode of PlanB Security, listen to a little bit of my story on how I got to where I am today and to the 3 things I attribute my success to!
This is a quick episode geared at showing the importance of making security usable. Using the GDPR and e-Privacy Directive cookie consent popup as an example, we can explore the difference the letter of the law vs the spirit of the law makes. Usable security follows the spirit of the law, whereas bad security experiences exist just to satisfy the letter of the law. So put on your most comfortable socks and join us for this great episode!
Authentication (Authn) and Authorization (Authz) are two of the most overloaded and incorrectly used words in the field of cybersecurity. It's with good reason - they are the two most fundamental principles behind building trust in the digital world. Authentication is when an identity is validated and verified to be who it says it is. Authorization is the enforcement of permissions for that verified identity. Join us in this episode to learn all about this space and where the future is bringing us!
Have you ever been in the middle of an important life event and the dreaded happens? A page for a security event comes in? And worse, you're not prepared or don't have everything you need to handle it. Let's take a scenario and break it down on how we can detect it, mitigate it, remediate it and recycle it through creating playbooks and replaying it at future table top exercises.
Your customers need access to your data - that is the service you provide that they're willing to pay you for. But what if you're on opposite sides of a river? You would build a bridge. How do you make sure it's safe? How do you make sure they can travel across the bridge with privacy in mind? What happens if there is an accident on the bridge? It's a simple metaphor you can use to explain the importance of information security to business partners who are just thinking about the business, and why information security matters so much.