Resilient Cyber Newsletter #32
Jen Easterly CISA Exit Interview, Startups Look to Federal/Defense, GenAI Red Teaming Guide, U.S./EU At Odds on AI, & The State of AppSec Workflows
Welcome!
Welcome to #32 of the Resilient Cyber Newsletter.
2025 continues to be off rapidly, from major changes among U.S. Federal and Defense leadership, startups increasingly looking to the public sector, a growing divide between how the U.S. and EU look to govern AI, and the continued evolution of Application Security (AppSec).
We will touch on that and more, so here we go!
Interested in sponsoring an issue of Resilient Cyber?
This includes reaching over 16,000 subscribers, ranging from Developers, Engineers, Architects, CISO’s/Security Leaders and Business Executives
Reach out below!
SecOps teams face a constant stream of alerts, many of which turn out to be false positives or benign. Investigating them is a time-consuming process, requiring analysts to juggle multiple tools and data sources, which hinders timely response and increases burnout and security risks.
Prophet Security leverages LLMs and machine learning to tackle these challenges head-on. Prophet AI augments SecOps teams by investigating alerts in minutes, filtering out false positives and prioritizing true positives for remediation. By harnessing AI-powered triage and investigation, organizations can eliminate manual tasks, free up valuable resources for strategic priorities, accelerate response times, and improve their overall security posture.
Curious to see how it works? Request a demo of Prophet AI today.
Cyber Leadership & Market Dynamics
Federal Cyber Ecosystem - 2024 Recap and 2025 Look Ahead
I had a chance to sit down with the team at OrangeSlices AI to chat about the trends we saw in the 2024 Federal Cyber Ecosystem and what lies ahead for 2025.
For those unaware, I’m the CEO and Co-Founder of Aquia, a digital services firm specializing in Cyber, Cloud, and Automation that focuses on the Public Sector. We currently work with the VA, DoD, CMS, HHS, USPTO, and other Federal agencies as well as states such as NJ.
You can find out more about my team at Aquia here.
We touched on:
Key attacks, efforts such as Secure-by-Design, and the vulnerabilities impacting critical infrastructure
The Presidential administration change, implications for Cybersecurity and agencies’ security posture
Modernization efforts for FedRAMP, the software supply chain and ongoing push for Zero Trust maturity
CISA Former Director Jen Easterly’s Exit Interview
If you’ve followed me, you know I’m a big fan of some of the great work and security evangelism Jen Easterly and CISA, more broadly, have been doing over the last several years. With the presidential administration change, she is moving on. She did her exit interview with Wired, which was great.
It discusses some of the attacks the U.S. has recently dealt with, such as Salt Typhoon, which targeted U.S. telecommunications providers. It also discusses attacks against critical infrastructure, largely by China, and past attacks, such as SolarWinds.
It also covers the current state of the cyber landscape, threats to U.S. critical infrastructure and national security, and much more. It also dives into some of CISA's challenges, such as budgetary constraints and a lack of enforcement authority, and its role in providing guidance and free services to enable a more resilient digital ecosystem.
During the interview, Jen admitted that defense is hard. She emphasized that we must defend US systems and infrastructure and hold actors accountable, which is possible via sanctions and indictments. She also mentioned offensive cyber capabilities, which I was surprised to hear. On one hand, it is easy to argue that offensive cyber actions could escalate tensions, but on the other hand, one way to get a bully to back off is to stand up to them.
This is where there may be more alignment between Jen’s comments and the incoming administration than some may think, such as this recent story that broke titled “Trump and others want to rap up the cyber offense, but there’s plenty of doubt about the idea.” The article discusses the new administration's desire to ramp up the cyber offense in response to some of China’s activities towards the US but also discusses some of the nuances and challenges of doing so.
I strongly recommend checking out Jen’s interview. I am excited to see what Jen does next. Undoubtedly, she will continue to be an incredible leader in the U.S. cybersecurity ecosystem!
EO Survivor Game: Biden’s Cyber, CHIPS Orders Remain Standing - For Now
The first week of the new U.S. presidential administration has been a blitz, to put it lightly. Tens of Executive Orders (EOs) were rescinded. However, to some people's surprise, the Cyber EOs issued under Biden and the CHIPS Act remain standing, at least for now.
This aligns with projects I have made in recent interviews because cyber is a largely bipartisan issue, especially in areas such as protecting critical infrastructure and national security. That said, this doesn’t mean they won’t be impacted soon either by overriding them or issuing new Cyber/AI-focused EOs by Trump.
Cyber Safety Review Board (CSRB) Future in Peril
Speaking of major changes with the administration change, news broke that the Cyber Safety Review Board (CSRB)’s future is in question. All non-government members were removed and the future of the CSRB remains unclear.
For those unfamiliar, the CSRB was formed to investigate and report on major incidents impacting the ecosystem such as SolarWinds, the Microsoft Exchange incidents and at the time of this writing was investigating Salt Typhoon and the impacts to U.S. critical infrastructure and telecommunication systems and providers.
I personally am not crazy about this announcement, and do hope the CSRB continues to function, even if it means with new faces. This group has produced excellent reports and analysis about major events impacting many organizations around the world, as well as the U.S. government and in my opinion should receive bipartisan support.
Startup Founders Flooded Inauguration Parties, Hoping for Dealmaking
There’s no denying there’s a sense that we’re headed for a more business friendly environment, especially when it comes to technology. This piece from TechCrunch discusses how startup founders swarmed the inauguration events, with excitement that longstanding difficulties of working with the Federal government may finally be alleviated to some extent and the opacity of navigating the complex bureaucracy of the government may become clearer.
I would argue it isn’t just startups either, as we see big tech leaders from Google, Facebook, Apple and of course Tesla and SpaceX present in and around the presidential inauguration as well as those from the venture capital (VC) community.
Anecdotally I also have noticed trends favoring innovators continuing to disrupt the legacy prime contracting environment in the Government as well. For example, it was just announced that there is a new Federal CIO at OMB, who previously spent a decade at Palantir. Scott Kupor, a managing partner at VC firm Andreessen Horowitz was selected as the next OPM Director, Steven Feinberg, who is the co-founder and CEO of Cerebus Capital Management has been selected as the Deputy Defense Secretary and the list goes on.
This should come as no surprise, as we saw tech and venture have close ties with incoming President Trump, including David Sacks, who now will function as the Crypto and AI Czar under Trump, and help implement the latest AI Executive Order (AI EO).
It’s safe to say that the ties between tech, both big and small, as well as VC and capital with the DoD is very strong with the incoming administration.
I personally hope this leads to drastic overhauls of the way the Government currently procures and implements innovative technologies, streamlining collaboration and removing barriers for small businesses looking to do business with the government, and also makes a more small business friendly environment for services firms as well, disrupting some of the legacy primes who have dominated the ecosystem for decades, often with poor track records of projects being over budget and behind schedule.
The government has massive problems with the way it acquires technology, with countless examples of policy and compliance burdens on small businesses, while impeding access for Federal/Defense mission owners to innovative technologies. This hurts both citizen civic services as well as national security.
Many are excited based on several recent events, one of which is the new DoD’s Secretary of Defense, Pete Hegseth first message to the force, which includes a bullet stating the below:
Security Needs to Start Saying “No” Again
I previously shared a piece from Rami McCarthy that discussed how security has over-corrected to try and shake the stigma of being the “office of no” to the extent that it is starting to hurt our credibility and potentially even introduce organizational risks.
This is a great follow-up piece on DarkReading that includes commentary from Jessica Barker, who is a cyber practitioner with a background in behavioral scientist that discusses the cascading effects of saying no, for good and bad.
To me, saying no in cybersecurity is like shooting a bullet or spending scarce political capital. It needs to be well-timed, context rich, informed, and enforceable. If we do it too often, we risk further bolstering silos between us and our peers. If we don’t say it when it is truly necessary then we are exposing the organization to risk, versus effectively managing it, which is the entire purpose of cybersecurity.
The article closes with a solid framework for better “no’s”
Over Half of the U.S. Had Private Data Stolen in UnitedHealth Hack
News broke recently that about 190 million people had their private data stolen as part of the 2024 cyberattack on the insurance giant UnitedHealth’s Change Healthcare.
The attack impacted Change Healthcare for weeks and impacted insurance payments to providers. Original estimates we’re about one-third of Americans, which proved to be significantly under-estimated now based on the latest announcement. The types of data involved included general health information, diagnoses, test results, billing information, account balances and even SSN’s and financial and banking information in some cases.
For those interested in a detailed write up of the ransomware attack, you can find that here.
AI
Transforming SecOps with AI SOC Analysts
SecOps continues to be one of the most challenging areas of cybersecurity. It involves addressing alert fatigue, minimizing dwell time and meantime-to-respond (MTTR), automating repetitive tasks, integrating with existing tools, and leading to ROI.
In this episode, we sit with Grant Oviatt, Head of SecOps at Prophet Security and an experienced SecOps leader, to discuss how AI SOC Analysts are reshaping SecOps by addressing systemic security operations challenges and driving down organizational risks.
Grant and I dug into a lot of great topics, such as:
Systemic issues impacting the SecOps space, such as alert fatigue, triage, burnout, staffing shortages and inability to keep up with threats.
What makes SecOps such a compelling niche for Agentic AI and key ways AI can help with these systemic challenges.
How Agentic AI and platforms such as Prophet Security can aid with key metrics such as SLO’s or meantime-to-remediation (MTTR) to drive down organizational risks.
Addressing the skepticism around AI, including its use in production operational environments and how the human-in-the-loop still plays a critical role for many organizations.
Many organizations are using Managed Detection and Response (MDR) providers as well, and how Agentic AI may augment or replace these existing offerings depending on the organization maturity, complexity and risk tolerance.
How Prophet Security differs from vendor-native offerings such as Microsoft Co-Pilot and the role of cloud-agnostic offerings for Agentic AI.
New AI EO - Removing Barriers to American Leadership in AI
Speaking of AI and EOs, the Trump administration released a new AI EO titled “Removing Barriers to American Leadership in AI.” It is entirely focused on empowering the U.S. to continue its lead and advantages around AI and removing any barriers that would impede that, including the previous AI EO, which the Trump team just revoked.
It calls for various individuals and groups in Government to develop and submit a plan to the President within 180 days that lays out how to sustain and enhance America’s global AI dominance and promote human flourishing, economic competitiveness, and national security. This is a significant shift from the previous AI EO, which emphasized areas such as Safety, Security, Privacy, and Bias.
Speaking of what will survive or not in terms of cybersecurity policies and requirements, Jason Healey, who I consider one of the sharpest folks on cyber policy and regulation recently published this great image below.
It quickly captures what is likely to survive, be modified, or even outright cut. I agree with his assessment, and I think we will see a loosening of regulation and policies for commercial industry but stay the path of raising the bar and requirements for securing Federal/Defense IT systems, looking to defend “forward” (e.g. more cyber offensive activity, versus always playing defense) and look to continue improving in areas such as Zero Trust and Supply Chain Risk Management (SCRM).
GenAI Red Teaming Guide
Red Teaming continues to be a hot topic around GenAI and AI more broadly. I recently shared Microsoft’s report on lessons learned from Red Teaming 100 GenAI systems. OWASP has now published the most vendor agnostic comprehensive red teaming guide I’ve seen yet.
It outlines actionable insights for cyber practitioners and others looking to take a holistic approach to securing GenAI with Red Teaming, including:
Model Evaluation
Implementation Testing
Infrastructure Assessment
Runtime Behavior Analysis
This is definitely a great resource to check out and I continue to be impressed with the pace and quality of resources coming out of OWASP related to AI!
OWASP AI Maturity Model Assessment
Many who have been around AppSec for some time may be familiar with OWASP maturity model assessments, such as OWASP Software Assurance Maturity Model (SAMM).
OWASP recently announced their AI Maturity Assessment Model, and it is currently in draft. This will help empower organizations to navigate the complexities of AI by providing a structured framework for making informed decisions about acquiring or developing AI systems.
This will definitely be one to keep an eye on and a good vendor-agnostic way to measure an organizations AI readiness and maturity.
The Price of Intelligence
Three risks inherent in LLMs. This is an excellent paper from Mark Russinovich, Ahmed Salem, Santiago Zanella-Béguelin and Yonatan Zunger
They discuss:
The characteristics of LLMs that give rise to three behaviors
This includes Hallucination, Indirect Prompt Injection and Jailbreaks
The risks of each behavior, as well as mitigating measures that can be taken to address these risks
As they mention, these vulnerabilities present challenges but can be addressed to enable secure adoption and responsible use of these powerful technologies.
The key is security being involved in the adoption and implementation process to help drive those mitigating measures versus playing the age-old bolt-on, not a built-in model of security.
One of the Authors, Mark R. from Microsoft was recently on a podcast where he broke down the new paper titled “To Use AI and Know AI Limitations”.
EU, U.S. at Odds on AI Safety Regulations
We continue to watch the EU and US take significantly different approaches to AI regulation and governance. As I discussed above, the EU is taking a very rigorous approach with efforts such as the EU AI Act, while the US is taking a different approach focusing heavily on innovation, empowering the US to sustain its lead with AI on the world stage (primarily contrasted with China).
Each path has its own pros and cons and considerations. I had a chance to chat with TechTarget about some of the key differences and potential implications as well as others who provided commentary.
Current State of Autonomy
We continue to see a lot of excite around AI and its potential in various areas of cyber, arguably most emphasized in SecOps. Filip Stojkovski, who I have interviewed previously on Resilient Cyber, took to LinkedIn to discuss the current state of autonomy and provided a great visualization.
As he sees it and explains, right now we’re seeing high autonomy in Tier 1 type activities (e.g. enrichment and identification) and a decreasing scale towards containment and ultimately eradication and recovery. That said, that isn’t to say this won’t change in time, as tools continue to improve and organizations adoption with AI grows, as well as their comfort levels with its effectiveness and trustworthiness.
Securing AI Systems Against Adversarial Attack
Sid Trivedi recently sat down with HiddenLayer CEO and Co-Founder Chris Sestito and had a great conversation around AI security. Chris walks through a number of AI security issues, from shadow usage, data exposure, model compromise, supply chain concerns and much more.
Safeguard Your Generative AI Workloads From Prompt Injections
Prompt injections, both direct and indirect continue to be some of the most problematic types of attacks against GenAI systems. This is an excellent blog from Anna McAbee at AWS discussing how to implement safeguards AI workloads on AWS, specifically in the context of prompt injections.
It also provides a good overview of key aspects and differences between direct and indirect prompt injections.
The article uses a hypothetical chatbot architecture to demonstrating defending against prompt injections, and the examples use AWS as the hosting environment of choice.
AWS’s native services have built in security features and capabilities, such as Amazon Bedrock Guardrails, which is used to apply safeguards for running models on AWS.
Above you can see Amazon Bedrock’s native capability to implement guardrails on both input, output and interactions with LLM’s running on AWS. These native services are user-friendly and help organizations implement LLM security without specialized AI security expertise.
The blog goes on in much more depth with various scenarios and architectural recommendations and I recommend giving the full article a read.
AppSec, Vulnerability Management, and Software Supply Chain
LeanAppSec Live - Winter 2025
Endor Labs is hosting their next “LeanAppSec” live February 19th from 8-10AM PT. It is a free virtual conference featuring industry leaders from Peloton, OWASP and Relativity among others. I have spoken at this event in the past and it is always a great chance to discuss the latest AppSec trends and topics.
This winter edition will feature topics such as:
Showing your CISO that AppSec Matters
Your Devs are Using LLMs…Now What?
Helping Devs Make Good Security Decisions
Be sure to tune in and catch these discussions and takeaways.
The State of Application Security Workflows
So much of the work we do in AppSec is tied to the workflows of the individuals involved, including both Developers and Security. Kodem produced a concise and insightful report on the state of AppSec Workflows.
The paper starts by addressing systemic challenges such as security’s inability to keep pace with modern development cycles and the expanding attack surface which has created a mismatch between security and modern development driven by cloud, API’s and microservices.
Some of their key findings are below:
The paper goes on to discuss some of the challenges driving these trends, such as alert fatigue, inefficiencies in triage and remediation, and more. It also emphasizes the rise of runtime security tooling, as many realize shift left is valuable but runtime visibility and protection is absolutely critical and adds context of production environments that is often missing with tools that focus on earlier aspects of the SDLC.
One topic touched on that I found doesn’t get enough attention is the need to shift from a reactive to proactive approach to security and driving that change by making security a core development KPI, similar to code quality and performance. The challenge here, as I have discussed many times will be organizations first determining what those security KPI’s should be, and getting them to be prioritized on par with quality and performance, given organizations have competing interests as well, such as speed to market, feature velocity, outpacing competitors and more - all of which may or may not conflict with security KPI’s.
Interestingly, respondents predicted real-world exploitability scores will replace CVSS metrics by 2025, but I think that is optimistic, to put it lightly, given many organizations still rely on legacy prioritization metrics such as CVSS to drive their activities.
They close the report with predictions on industry trends and best practices:
The first two I agree with (aside from potentially SBOM which has struggled), but the third I do not think is correct. In fact, as I discussed above in the AI section of the newsletter this week, we’re seeing a growing divide between the US and EU with regulation, and I suspect it will grow wide with the Trump administration taking a much less regulatory-driven approach, especially when contrasted with the EU.
This will create challenges, as organizations navigate vastly different regulatory landscapes between the two entities.
Wireshark for the Cloud - Stratoshark
Everyone in cyber knows the tried and true Wireshark, which is used to analyze network traffic. Stratoshark is a new tool that lets you use a tool that looks familiar to Wireshark but focuses on application-level behaviors of systems in the cloud by capturing system call and log activity.
It was created for the community by security vendor Sysdig.