Bill Murphy's RedZone Podcast | World Class IT Security

World Class IT Security – Strategic and Tactical Thought Leadership, Advanced Topics for Top IT Leaders: Innovation, Ideas, Creativity, Neuroscience of Optimal Performance – Fearlessness Living Principles.






Now displaying: Category: Security
Aug 15, 2019

Today, my guest is Shannon Emmons, Senior Product Manager at SonicWall.

It was great having Shannon talk with our CIO and Lieutenant community. She is the top person for managing the product development of the Cloud App Security line with SonicWall.

From a security strategy perspective, a platform for security threat management, blocking, detection and response as it relates to SaaS apps and your data has never been more important: more and more of your business applications are moving to the cloud, and securing Office 365, OneDrive, G Suite, Box, Dropbox, and other SaaS apps takes on a higher and higher priority.

I was eager to talk with Shannon and I was lucky to catch up with her after our Cloud and Email Kill Chain Defense Innovation lunch event. Here are some of the key questions we discussed:

  • Why should you care about multiple log-ins?
  • What is your strategy when you have multiple users who are not based at headquarters?
  • What about Machine Learning?
  • If we want a single-pane-of-glass, should we disable Microsoft?

        - Why is layered security key?

  • Can you guarantee that files are only scanned in the USA? (for export control)
  • Can you pick your databases?
  • Does CASB track successful and unsuccessful logins?
  • Do you need to have other SonicWall products to use SWCAS?
  • If you use Azure AD for permission, can you apply PIM for elevated access?
  • For data compliance, what protection do you use for secured data?

Cloud App Security 

  • Data stored in the cloud is the customer’s responsibility and not the cloud vendor’s.
  • Why are default SaaS app security controls not enough?
  • What's in your cloud?

        -  How to regain visibility and control of your SaaS email, apps and data with a holistic approach. 

  • How does the security actually work with Office365, Box, Dropbox and G Suite? 
  • How to protect against account takeovers (ATO), insider threats, and compromised credentials theft. 
  • The importance of API based security. 
  • The difference between a CASB and CAS. 

For CIOs, I believe that choosing the correct security platform vendor has never been more important.

Shannon Emmons is a Senior Product Manager at SonicWall, the global, network security leader delivering automated real-time breach detection and prevention that keeps small and medium-sized businesses, enterprises and governments safe from cyber threats.

Shannon focuses on protecting SaaS email with data compiled from more than one million sensors around the globe to defend against today’s most sophisticated cyber threats. She is a customer-focused product leader who previously spent 14 years at McAfee, where she concentrated on cyber threat visibility and remediation through management platforms. Emmons is a 16-year cybersecurity veteran and 13-year CISSP.

Jan 11, 2019

Dmitriy Ayrapetov has been with SonicWall for over 13 years. He is currently the Executive Director of Product Management at SonicWall, in charge of product security. Prior to this position, Dmitriy held product management and engineering roles at SonicWall and at enKoo Inc., an SSL VPN startup acquired by SonicWall in 2005.

As a cybersecurity expert, he speaks at industry conferences including RSA, Gartner Security Summit, and Dell World, and is a regular presence at SonicWall's annual partner conference, Peak Performance. Dmitriy holds an MBA from the Haas School of Business at U.C. Berkeley and a BA in Cognitive Science at UC Berkeley.

My conversation with Dmitriy ranges from philosophical to tactical and technical, especially with his positions on Machine Learning and AI with security.

Jan 27, 2016

In this episode, I interview Rahul Kashyap, Chief Security Architect and Head of Security Research at Bromium, a company that focuses on stopping cyber-attacks where users are most vulnerable—the endpoint—through virtualization isolation. One of Silicon Valley’s 40 Under 40, Rahul has built a career around developing cyber defense technologies that focus on exploit prevention. At Bromium, Rahul manages R&D and product security, while simultaneously conducting robust industry outreach, speaking at leading security conferences including BlackHat, BlueHat, Hack-In-The-Box, RSA, DerbyCon, BSides, ISSA International, OWASP, InfoSec UK and others. 

Sponsored By:

  • CIO Security Scoreboard – Go to to learn more about how to communicate the status of your IT Security program visually and in minutes.

Time Stamped Show Notes:

  • 02:00 – Rahul joins the show
  • 02:41 – Talking about the 40 Under 40
  • 03:30 – The importance of being “unstoppable”—no one believes in you at the front-end—you need to be relentless in your confidence and determination
    • 04:47 – The genesis of being “unstoppable”
  • 06:05 – The importance of taking on big challenges versus small challenges—Rahul’s Gandhi example
  • 06:43 – We are a function of the problems we choose
  • 07:25 – Even if you don’t hit the target when you take on a “big challenge,” when you fall, you’ll fall somewhere along the path, and that’s a great place to be
  • 07:55 – The problems Bromium tackles
    • 08:34 – Attackers have found a soft-spot—the end users—and all it takes is one bad click
    • 09:12 – Attackers have nothing to lose, and end-users will continue to make mistakes
    • 09:44 – No one can build the perfect security engine—it’s impossible
  • 10:15 – The key is not worrying about users making mistakes, or attackers attacking—the key is isolating the attack at the end-point and confining it there
  • 13:25 – Bromium focuses primarily on desktops, laptops, and tablets
  • 14:00 – Micro-virtualization is at the executable side
  • 14:46 – Rahul defines Bromium Labs
  • 16:09 – Defensive security versus offensive security
    • 16:52 – Every security company should invest in offensive security because it most accurately resembles how hackers think
    • 18:23 – Offensive security gives you the Why
    • 18:44 – Defensive security gives you the How
  • 20:04 – Anti-Virus is approximately 5% effective
    • 20:30 – It has lost its efficacy because the technology—in principle—hasn’t evolved
  • 22:45 – Bromium Labs’ first focus is to keep your network from getting infected in the first place
  • 25:35 – Does Bromium need to be run in isolation or can it be bundled into the software stack at the end-point?
  • 26:49 – The security architecture behind managing disparate end-points
  • 28:02 – Bromium’s pre-deployment analysis tool is under development but will launch soon
  • 28:28 – Bromium’s partnership with Microsoft for Windows 10
  • 30:33 – The frequency of patching has become SUCH a burden for small business, which is why Bromium developed a unique position towards patching
  • 32:15 – Patching is often human error related
  • 33:48 – It’s a new way of doing security—isolation versus prevention
  • 34:16 – Sandboxing, Hardware enforced isolation, micro virtualization
  • 35:18 – Most of your browsers already have a sandbox
  • 36:55 – Companies are tired of investing in so many security products…the industry is too fragmented—Bromium is looking to change that
  • 38:08 – It’s vital to understand the architectural limitations of each technology
  • 38:55 – Rahul’s favorite new technology?—Hive which is exploring the intersection between big data and security
  • 40:48 – Rahul shares his thoughts on machine learning and A.I.
  • 42:33 – Rahul has taken up kayaking to manage stress and stay focused…and Call of Duty on X-Box One

4 Key Points:

  1. We are a function of the problems we choose—an important concept to live by.
  2. The true soft-spot in today’s cyber-security market is the end-user—end-users always have, and always will make mistakes that result in compromised systems and networks.
  3. It is impossible to engineer a perfect security system—the threats change too rapidly—instead of trying to focus on prevention, let’s focus on technologies that accept attacks as the inevitability they are…technologies that let an attack happen, but isolate it immediately at the end-point.
  4. The cyber-security business (like most businesses) can be extremely taxing—find an outlet for healthy stress management.

Key Resources:

  • Rahul Kashyap – Today’s guest—Chief Security Architect and Head of Security Research at Bromium
  • Sandboxing – Default security mechanism that operates through isolation of threats, now available on most browsers
  • Bromium Labs – Dedicated to advancing the “state of the art” of information security by performing advanced research into current and future security threats.
  • The Hive – An incubator that uses deep learning (a new discipline in AI) and neural network models to automate the learning of data representations and features.
  • Micro Virtualization – A proprietary technology that abstracts applications and sub-processes from hardware and runs them in isolated environments.


Show Notes provided by Mallard Creatives

Oct 28, 2015

In this podcast episode I interview Bill Brenner, who is an expert at digesting threat intelligence information and making this information available to a wide pool of people from C-Suite Executives to coders and developers. Bill is a Senior Technical writer for Akamai and has been a writer for CSO Online, and Liquid Matrix Security Digest. Additionally, he created and writes in a blog called the OCD Diaries where he discusses mental health issues with IT Executives and staff within the technology industry.

Top 3 items for an IT Security Decision Maker to be concerned about moving forward:

  1. Super-vulnerabilities like Heartbleed, Shellshock, Poodle and OpenSSL - Identify the risks these pose to your assets within your company and remediate them.
  2. Incident Response – Remember to develop a BCP/DR plan for IT Security Incidents.
  3. Protect Your Brand – Which hacking groups don’t like your company or brand, leaving you vulnerable to DDoS, cyber espionage, and ransomware-style attacks?

You will also learn some of the best sources for IT Security threat information:


  1. Mike Rothman - Securosis
  2. Rich Mogull - Securosis
  3. Adrian Lane - Securosis

Blogs and Podcasts:

  1. Jack Daniel - Tenable
  2. Security BSides movement
  3. NAISG – National Information Security Group
  4. CSO Online
  5. State of the Internet Security podcasts
  6. Security Kahuna podcasts

Vulnerability Information Sources:

  1. Threat Post
  2. CSO Online
  3. Security Ledger – Paul Roberts
  4. CSI Group
  5. SANS Institute - Internet Storm Center

Humanity in Security - Mental Health

The importance of good mental health in the IT Security profession as it relates to depression, anxiety, coping with stress, OCD, Asperger’s, Autism.

The OCD Diaries – An opportunity to destigmatize mental illness and to give people in our industry a life raft and share tools that can help them. Taking your mental disorders and turning them into super powers!

Additional Show Notes

  • Communicating what threat intelligence researchers are seeing directly to a more complex audience and hitting it at all levels - geared towards the larger security industry or community.
  • What does alignment between product managers and the threat intelligence team mean? The data [Akamai] receives is coming from the deployment of their products in the field. “Taking what we are seeing from our technology deployments and sizing it up against what other companies see and you know at the end of it giving people a bigger picture so that they can take actions that they need to take.”
  • Sharing of research is crucial – the benefits of information sharing between companies and how it helps keep out the bad guys. You can't take the information that you receive internally and make proper sense of it without comparing it with what's going on elsewhere.
  • How can we get to the point where it’s actually actionable sharing?
  • What does it mean to have a third-party attack? A common platform like WordPress can have third-party widgets and plugins that they didn’t create and essentially those can be malware or exploit kits of some sort so we need to be aware that they can be leveraged. Be aware of where the vulnerabilities are.
  • The next step with SSL and moving towards TLS – pros and cons.

How to reach Bill Brenner:
Akamai Blog
The OCD Diaries

Former Publications:
Liquid Matrix Security Digest
CSO Online

What is Your Plan for: Super-Vulnerabilities | Brand Take-down | & Incident Response | Humanity in Security - RedZone

This episode is sponsored by the CIO Scoreboard, reducing the complexity of your IT Security initiatives. Sign up for a demo here.

Bill Murphy is a world renowned IT Security Expert dedicated to your success as an IT Business Leader.



Oct 17, 2015

If you have questions about Microsoft Azure Security you will love this interview with David Cross.

David Cross is the General Manager in charge of Security with Microsoft Azure. He has been the primary inventor of over 25 security patents and is the author of numerous publications and white papers. Prior to Microsoft, he served 5 years with the aviation electronic warfare community with the US Navy. He has a BS in CIS and an MBA.

One of the really fun parts of this interview is actually learning about his invention process as I was very curious about it since he has so many patents!

Oct 2, 2015

Ron is an expert in what it takes to develop the next generation of cyber security leaders.

• He is the Air Force Association US CyberPatriot 2013-2014 Mentor of the Year for his work with high school cybersecurity competitions.

• Ron Woerner is the Director of Cybersecurity Studies at Bellevue University. He has over 25 years of corporate and military experience in IT and Security.

Resources for Cyber Security Team Competitions

1) Cyber Patriot Youth cyber security team competitions and explanations of the various levels of competition

2) ISC2/MITRE Cyber Challenge Academy Competitions – Capture the Flag

3) National Collegiate Cyber Defense Competition (CCDC)

4) Dr. Dan Manson of Cal State Pomona, who created a single site, called Cyber Security Federation, to coordinate all cyber security competitions - a single site for information - creating a sport out of cyber security competitions

Sep 16, 2015

Uris is a leader in the world of research as it relates to IoT Security. This interview is a great learning tool to educate business leaders and your peers about where IoT is going and what it means to you and your business.

Sep 2, 2015

The CISO Should Not Report to the CIO | Assume You Have Been Hacked | 6 Kill Chain Fundamentals You Must Know | How Can You Deny Command and Control Attacks | The Best Cyber Security Books - Hall of Fame | Alan Turing Should be a Hero | 7 x ‘Must Ask and Prove’ Questions a CIO/CISO Must Ask About Their Next Gen Firewall | Scaling Security with Real Cooperation | AI’s Role in Info Sec | The Beginnings of AI and Security

Aug 19, 2015

Hacking-Back vs Attribution | APT Attack vs Targeted Attacks | Mobility and Virtualization | Leadership and Team Innovation | Ethics and the Selling of Vulnerabilities | The Best Zero Day Definition Ever | Options of How to Avoid Poisoning Your Phone | Geo fencing | The One Question that You Need to Ask to Prevent Losing Your Job after a Breach Incident | Who Has the Worse Cyber Criminals, China or Russia? | Pinball Machines and Teaching Kids How Things Work Versus Consuming Things

Aug 6, 2015

Kayvan is an authentication expert. He gives a fascinating review of the old and the future of User Authentication Trends and Methods for Native Mobile Applications. Do you want to know the pros and cons of various authentication methods of the future like IRIS, Selfie Based Authentication, Voice, Fingerprint, Face Recognition, Gesture and other Trends in Mobile Security?


Jul 29, 2015

In the following interview, Hadi and I discuss Big Data Security topics like the Mosaic Effect, Mobile Security, The Demise of Passwords, IoT TOCTOU Attacks, Driverless Cars, Atomic Views of IoT, Orchestration Layers Limitations with Big Data Security, and what he describes as ‘Loose Membranes’ with IoT security.

May 27, 2015

Alex Hutton, major bank CISO, thought leader, influencer, presenter, and award-winning speaker, discusses with me the inspiration he gets from the best sushi in the world and having a vision of craftsmanship in his profession.

I have written about craftsmanship in the past, and after talking with CISO Alex Hutton this was emphasized even more. Jiro Ono owns the most famous sushi restaurant in the world. Similar to Jiro, you can approach your profession as a master would.

Running IT Ops and Security as a craft is important because most CIOs and CISOs feel that their biggest value, unfortunately, is when there is a problem (data breach, failure of a system, etc.).

Alex Hutton has served as CEO for Risk Management Insight. He served as a principal in the Risk Intelligence group for Verizon, involved in the development of the VDBIR. He is an avid security blogger, speaker and conference organizer. He brings a wealth of knowledge and experience on risk management and metrics to any discussion. He is a passionate and experienced public speaker.

May 20, 2015

Jack Jones is widely considered a thought leader in risk management and information security. Jack has been employed in technology for the past thirty years, specializing in information security and risk management for twenty-four of those years. During this time he has garnered a decade of experience as a CISO, including five years for a Fortune 100 financial services company. His work has also been recognized by his peers and the industry, earning him the 2006 ISSA Excellence in the Field of Security Practices award, and the 2012 CSO Compass Award for Leadership in Risk Management.

Jack is the originator of the now industry standard risk management framework known as Factor Analysis of Information Risk (FAIR). FAIR has seen adoption globally, within organizations of all sizes, and is now regularly included in graduate-level university courses on information security and referenced by other industry standards. He also recently co-authored a book on FAIR entitled "Measuring and Managing Information Risk - A FAIR Approach".


Apr 29, 2015

You are really going to enjoy my interview with Mark Robnett, CIO of Justice Federal Credit Union. Mark is a rising star in the Credit Union industry, and I asked him to detail for you in this episode how he put together his presentation to his board regarding his IT security strategy and tactics. I have found that Justice FCU is about 1-2 years ahead of Credit Unions of its size. I would put them on par with firms many times their size. Mark also has the added pressure of having a very smart and technically savvy board. There is no hiding behind jargon and complexity with them because the board is comprised of individuals with backgrounds in the FBI and Justice Department. What a challenge!

Feb 11, 2015

A great podcast with Kelly Dempsey of NIST covering printers, printer security, risks of embedded Windows 2000 and embedded XP, printer service contracts, network takedown risk, DDoS, patching risk, monitoring risk, printer capability, overwriting, encryption, segmentation, non-volatile storage, port management, non-volatile storage confidentiality, risk management, and printer lease agreements.

Jan 20, 2015

In this episode I talk with John Milano, Sr. VP of RCMD. I ask him questions on his cyber security insurance business and what an IT Leader needs to be asking from their insurance carrier. We cover every conceivable topic and situation. In addition, he has suggested questions that all CIOs and IT and business leaders need to be asking. We discuss limits of coverage and how to buy the most appropriate policy for your business.

The topics covered include: Security & Privacy Liability, Media Content, Regulatory Acts Coverage, Breach Response Fund, Legal & Forensic Expenses, Cyber Extortion, DDoS and Business Interruption, and Crisis Fund.