
Where are you based?

Happy to have a chat -- I run VM for a large tech company and have a lot of openings


>>I’ll tell you a story of when we were developing a product here States-side. We worked with one very gifted development team and we put all of our eggs into that basket.

They were doing great work for us but eventually, there was a business event where they left.

-------

"Business event" aka budget cuts? Benefit cuts? Change in leadership? Bad leadership?

People in the US often do not leave if things stay the status quo, are managed well, and they are given appropriate accolades for their performance. Absurd way to deflect blame and justify cutting fair wages


I imagine the "business event" to be:

Company: "We've been checking offshore software development rates and will be cutting your compensation to $25/hour to be competitive".

Developers: "Nope".


The fact they even start with such a vague statement as a "business event" after which everyone left says a lot.

If it's something so significant that most of your staff leave, then don't try to imply the blame is with the staff.


The level of double-speak is off the charts. Also "It is very expensive to spread intellectual property and know-how amongst the number of US-based resources."


It gets even better than that: "unfortunately, the economic benefits [of outsourcing to Argentina] started to fail when the Argentine economy started to improve."


If only those pesky third-worlders would stay poor for longer...


> We are in Ukraine now, where the talent pool is abundant and economic conditions are favorable.

They are probably rooting for the Russo-Ukrainian War to continue as long as possible. Makes for more "favorable" conditions too. The worst event for them would be if Ukraine joined the EU, with all those pesky labor protection laws.


It’s a little mind blowing to see an atomic version of how business interests end up favoring outcomes that are negative for an entire country. If many of these small businesses end up dependent on low-wages, political instability, etc., it doesn’t seem far fetched to imagine that in aggregate they start institutionalizing lobbying efforts to maintain these circumstances.

This introduces possible outcomes like failed states, and counter measures like authoritarian strongmen to maintain modicums of stability. This can then lead to greater, unintended geopolitical consequences. And it all stems from a bunch of businesses trying to shave a few dollars off of wages...


Don't worry, the economy in Argentina has been back to being shit for over 10 years. Argentina never changes.


Not getting any richer. It's just that there is inflation, but the exchange rate for exporting services is fixed by the gov at a low valuation (90) vs the actual dollar on the street (160)


They really do seem like the kind of people who would be opening champagne when civilians in Ukraine are getting killed by totally-not-Russia.


Two points: The war is happening in the Russian speaking part of Ukraine. To that point I'll put everything I have and double down with debt that a westerner would not be able to tell which folks are "Russian" and which are "Ukrainian" in this conflict.

Civilians are getting the brunt of it on both sides. Don't think for a second that Ukrainian forces avoid hitting civilian targets in some display of gallantry. It's a brotherly war and nobody wants it.


Not sure what you mean by this. It is very easy for one side to pack their bags and leave, if they "don't want it".


This reminds me of someone I was talking with about their growing, modestly successful startup. They were bragging to me about how they didn't even have to worry about paying benefits, healthcare, retirement, etc. to their contractors in Mexico.

I said something like "Yuck, who needs healthcare and basic life standards" and he sincerely replied "Exactly!"

Business is full of people like this. If it's not full blown sociopathy then it's definitely a grievous lack of awareness, turning humans into an inhumane abstraction.


The entire article reads like it was generated by GPT-3 after being fed a bunch of early 2000's MBA material.


I don’t know why people are taking this at all seriously. It’s a poorly-disguised advert and SEO bait. “Look at how awful and scary outsourcing can be. See all the years of effort we have put into overcoming these obstacles to become the experts you need to outsource successfully.” Complete with a call to action that feeds into their sales pipeline at the bottom. It was likely written for pennies by somebody who had a list of keywords to repeat for SEO.


Are you saying it was outsourced to the lowest bidder?


The unstated information behind this bit is probably more important to understanding than all the rest. It might be wages or budgets or leadership or something else, but if it was innocuous they likely would have not been so vague.


I'm sure the "business event" was a renewal/renegotiation of the contract


I often right click where I want to click then left click out of the right click menu. It solves my subconscious desire to click, and lets my mind accept waiting. Plus, no negative effects, like going to the wrong link :). Perhaps it might help!


I know a few folks who do full time between things like Synack and Bugcrowd. Synack is the ideal model in my opinion for pivoting to full time vs part time as a professional bug bounty individual, although it takes a ton of skill and hard work. I'd say it's the exception more so than the norm.

If you are interested in learning more about Synack and its model shoot me an email: i@willcode.it I can try and set up some contacts from their side that are working full time on platforms like it


Do the folks you know that are doing this full time actually depend on that income for their livelihood? I was on the receiving end of a large program for a short stint and have been watching it casually over the past few years. It's very much a feast and famine way to live, and you need to not only be very skilled, you also need to be dedicated to the effort and be very disciplined with your money. A $20K chained RCE looks great on paper until you're trying to live on a constant diet of clickjacking and IDOR bugs for two months straight.

I would caution anyone thinking about this to do it as a side hustle for at least six months if not a year to test the waters, understand the subculture a bit, and take a few rounds on the roller coaster.


Yes the ones I know do it full time as their only income AFAIK. Most do live in low cost of living areas, none of them that I know are living in places like San Fran :)


Ah, indeed low CoL helps a ton.

I would say only 10-15% of our reports were from folks in the USA and I don't recall any being full time. The dedicated folks were mostly from Eastern Europe and the Middle East... I'm guessing that has changed a bit over the past few years.


Precisely :) definitely nailed the locations of the people I know


Hmm, you've got a fancy email there.


>>Nobody is doing anything to try reduce or manage complexity so it's only getting worse.

I disagree, I see a number of large corporations starting to standardize either 1) their entire development stack from the IDE all the way to how the code is deployed, 2) re-engineering entire languages so that one language is used, e.g. Quartz at BofA, or 3) at the very least, standardizing their middleware stacks, to avoid the configuration-related issues of having a development team manage that.

While I do agree that the complexity of third party libraries has exploded and is increasingly difficult to manage, I'd say companies are well on their way to standardizing that, with tools like Nexus, Sonatype, Black Duck, etc.

We're obviously a long ways away from being even 75% effective across the board, but to say nobody is managing the complexity is a bit short sighted :)


> I see a number of large corporations starting to standardize

My current job in a nutshell.

It's like handling children (No, you can't add a new technology because you want something fancy on your resume)


OPSEC comrade :)


The biggest areas for growth for Cyber at the moment are of the not-so-sexy jobs. The asset inventory, patch management, vulnerability management, third party management, risk management, etc. If you are good at any of those and are innovating in any of those areas, you are as close to naming your own price as you can get in Cyber.

As for the most "needed" areas of Cyber, it comes down to education. Not your bachelors degree, but educating and raising awareness to your business, your IT staff, and even your development teams. It's extremely tricky to measure your return on investment, but almost always it comes down to a lack of knowledge causing one massive hole in the fence, leading to a breach.

No amount of controls will stop someone truly motivated and skilled, so you're better off raising the fence a bit higher and hoping that it deters the truly malicious.

Disclosure: I run Vulnerability Management and Assessments globally for one of the largest companies in the world, so my answer may be a bit biased :)


I keep telling to people who want to get into infosec one thing over and over: most of the infosec work is not about breaking [into] things, it's about incredibly boring reporting.

The truly interesting bits are on what to investigate/automate, what to report from it - and how.

If you're really good, I recommend to focus your long-term efforts into usability. Security gets a bad rap because far, far, FAR too often increasing security of <something> means reducing that thing's usability. But if you can find a way to improve <something> in a way which makes it more secure and more usable, you can't keep people away.

Fact of life: people gravitate towards convenience.


I keep telling people that the person who applies the patches needs to be qualified, paid, AND TRAINED just as much as the guy who wrote the fancy paper on maintaining security, and that development and infrastructure need to be more simplified, otherwise security will likely not be implemented properly... companies rarely heed the warning. And that leads to breaches that PR teams, who get paid a LOT within companies, fight furiously to squash.


This is a huge component of my work, and in my industry truly underappreciated. I'm the only programmer in a manufacturing environment and as our business grows so does our exposure, attack surface, and potential bounty. Some days I feel like my co-workers think I'm goofing off or ignoring my other hats by messing with obscure systems. Sometimes I feel guilty. It's one of those professions where nobody notices you when you're doing things right, and the only way you know for sure it's right is after it's gone horribly wrong.

> No amount of controls will stop someone truly motivated and skilled, so you're better off raising the fence a bit higher and hoping that it deters the truly malicious.

I also want to second this. As angering as this statement is, it's entirely true. You cannot stop someone forever. You can just increase the difficulty of their tasks to beyond a reasonable or obtainable threshold. A "secure" network with ineffective monitoring can quickly become worse than a terribly insecure network that is tirelessly monitored. Complacency is a killer.


I didn't realize people actually use the term "Cyber".


The word cyber is almost exclusively used when discussing security of computer systems. It's used very heavily by government and academic circles and it propagates to other industries from there.

In the 90s I used the word to describe an instant messenger version of "phone sex" and I haven't been able to take anyone that uses the term seriously after that, but I never really took the government or academia seriously to begin with.


Even in academia, at least in my corner of it, "Cyber" as a term has a very government/military/suit connotation. Academics will sometimes use it when writing grant proposals or presenting in a DARPA-ish context, but most researchers prefer to call what they do "cybersecurity" (or even just "security", if a CS context is clear).


Thankfully, the field of study listed on my degree is Information Security. I would almost be embarrassed to tell anyone it was in "cyber" security.


Yeah, not only is "Cybersecurity" a "Thing" (I work in s/w security and hear it all the time) but people still talk about "Artificial Intelligence" when they mean image filters and classifiers, and have been doing so since the 1980's.

Language fires the imagination. This is mostly a good thing. Sometimes it's also stupid, but not necessarily bad for it.


It’s usually used by either people working with the government, or by people who are tech-illiterate (marketing etc). The rest of the security industry is likely to snicker if they hear that word.


It's a term that's been adopted out of necessity.


Why isn't "computer security" or "infosec" good enough?


“Computer security” is too narrow; you want to secure more than just computers (phones, for example, which are technically just little computers but no one calls them that).

“Information security” is too broad as it covers more than technological systems—sensitive information often exists on paper, for example.

A close plain English name would probably be something like “information systems security” and I have heard some people use that, but it’s kind of a mouthful.

I guess I wonder why people get so upset and offended by the word cyber. Sure it’s a made up word, but all words are made up. IMO a lot of the resistance to using it comes down to weird cultural signaling like “I’m too smart or informed to use this dumb word.” It’s just a word, and even people who complain about it know what it means.


For me that cultural signal goes the other way around. When faced with people using "cyber" unironically I'm attributing that to government proximity, weird processes and TED talks for managerial types instead of actual technical content. Which is fine in context I guess, that doesn't make the term any less stupid, for me it signifies a certain cultural distance from the subject matter of a generation that has been left behind. I always assumed the term stemmed from the old use of cyberspace or cyber information highway in the 70s/80s(?), we've moved on from that era of the internet being a sci-fi construct. Even school children get at least some technical understanding these days and are made aware of larger implications like privacy.

While I absolutely agree that it's a pointless discussion, I don't believe it's completely insignificant.


You're not the only one. Brussels, the self-proclaimed capital of the European Union and seat of many lobbies, is full of those "cyber-security" types. They proudly declare themselves experts in the field but are hard pressed to discuss any product other than what they've been told to sell.


https://en.wikipedia.org/wiki/Cybernetics

This is where 'cyber' comes from. It's not "stupid".


Ah, cheers, forgot about that one. I'm not saying the word "cyber" is generally stupid but the use as a pop culture prefix is... problematic and misleading in my view if you'd prefer other terms. It's just used as theatrics from the type of people that classify getting hit by ransomware due to unpatched systems as some APT, at least everywhere I see it.


I agree with you -- I think there's a lot of cultural signalling, perhaps some unintentional by those who use the word 'cyber'. Generally speaking, I'm off-put when someone uses the word "cyber" because I generally interpret that as a signal that someone doesn't really know that much about infosec/cyber-security. For example, let's suppose that I'm meeting with a rep from Company X's cybersecurity team and we're reviewing my threat model, counter-measures, the specifics of the encryption, etc... and I'm asked "this all looks good, but is it cyber?" -- it's just plain off-putting. That said, I'll still do my best to smile and be helpful because, at the end of the day, we're trying to improve the world, not cut people down.


Government wants to use cyber so we use cyber.


They needed a fancy word to attract and anchor the ridiculous investments made. This area has attracted so much attention, it has become an overlay IT organization that demands a lot of care and feeding. Nothing escapes the cyber-amoeba... even sleepy areas like asset management need expensive cyber tools and expensive cyber people.

Think of it like front end web development in the 90s. Webmasters ended up with a lot of independence and cash, because the company had to get on the information superhighway.


This is way off, the security community at large rejected the term cyber for years, but it was necessary to play ball with govt. That's it. The fact that vendors now leverage the word is irrelevant, that happened way later.


Sometimes I wonder how much money is out there waiting for the Magical HN Unicorn that is anti-cloud, anti-network, pro-RDBMS, pro-POSIX, old-school Dirty-Grandpa-Fighter[0] ultraconservative about computer security. My gut tells me $LOTS.

[0]: https://youtu.be/Civy151wAH4

(sorry, youtube and B-movie but hey... analogy!)


Could you say more? Describe a possible company.


I'm just riffing of course, but let's say:

StatiDyn - Stability in Motion

Marshaling the latest innovations in AI, ML and self-driving infrastructure, we protect your company with time-tested compromise-free MIL-SPEC IT solutions!

60000% more secure than Palantir, 134% more secure than AWS Government Cloud, according to "Fair and Balanced" independent testing.

Free yourself from the Cloud! Guaranteed physical isolation of mission-critical assets; armed guards 24/7 in front of your dedicated StatiDyn Security Cell; biometric six-factor authentication using the Gillette's Razor™ protocol.

...one could go on but angel round first. :-)


We need to go back to the client Server Days! It's much more secure to run IIS on WinNT! -Grandpa


I thought Asset Management was the next sexy thing in security - heard about a lot of security startups that facilitate in Asset and inventory management - BitDiscovery, Senrio etc.


Everyone is trying to get a piece of the pie :) trickiest thing right now is defining what an "asset" truly is.

An asset could be ephemeral cloud infrastructure, an uncompiled piece of code, an API endpoint, a server, a compiled application, a third party vendor, a group of microservices, a fax machine, an employee, a filing cabinet with sensitive information, a virtually defined CI/CD pipeline, and a million other things. At what point do you cross the line from paranoia to proper asset inventory, tracking, triaging, remediation, etc.? How do you find commonality between all of these devices, critical infrastructure, and data?

Bonus points of trickiness, how do you manage inventory when it changes constantly like cloud, like a third party, a web app, etc. Things like certificate management get extremely dicey. Where do you cross the line between data management, asset management, etc. It's currently the most open area of IT and Cyber that there is, and no one, in my opinion, has a grip on it.


I've never even seen a company that properly tracks assets when they're only defined as "servers" and "software packages". The closest I saw with hardware, before virtualization really took over, was when the datacenter wasn't allowed to hand out IP addresses to new servers without them being in the master inventory list. Then virtualization happened and things got bad again. Any company with Devops is going to run into challenges too.


I've never understood people who say: "No amount of controls will stop someone truly motivated and skilled". I don't think that's true.

Correct me if I'm wrong, but if there are no holes in the application/web stack to be exploited, then there's no getting in. Right? It's not about hacker/pirate skill. It's about whether or not the target has plugged all their holes or not.


How secure is the source integrity of all your dependencies?

All your software vendors?

How likely are you to get malware on an employee laptop?

Phish employee credentials?

Have somebody sneak into your office late at night and install keyloggers on everyone's keyboards?

Kidnap an employee's family and blackmail them into giving you access?

Go through your recruiting pipeline and join as an employee with the motive to steal your data?

Get two people to do the same and bypass peer review controls?

Of course those are getting outlandish and unlikely, but that depends how "motivated and skilled" your attacker is.


If you’re going against a three letter agency, Israeli or Chinese intelligence, you also have to consider all of your hardware sourcing. They don’t even need to compromise vendors, they just need to intercept a package en route.

Not sure where OP was coming from. It’s virtually impossible to protect yourself against a dedicated advanced persistent threat group.


In the purest, most academic sense of the conversation; yes, it is impossible to comprehensively defend against 0-days, APTs and nation states.

If we want to be pragmatic about the discussion, then it’s all about your threat model. In that sense, OP is right. If you’re a mom and pop shop selling a catalog of hardware, your LAMP stack isn’t going to face the same scrutiny as a “GooFacePayZon”. According to how he defines his threat model, he can call himself ‘secure’.


Software is only one part. Do you trust your hardware, your people, your supply chain, your physical security. "Truly motivated" can mean extreme resources and willingness to cross all boundaries.

Are you secure if your admin's child is kidnapped and the ransom demand is for network access? Are you secure from the Secret Police wanting to hijack your service for their purposes?

Once you accept you CAN'T stop truly all attacks you can be comfortable with acceptable risk and work to mitigate realistic risks.


Yep - this is why you might try to limit pivoting based on an assumption that everything is compromised, you can require coordination from multiple geographies to unlock access to certain highly sensitive resources, you ensure that these protocols aren't published, and above all you follow the New York Times Test: don't type anything that you wouldn't want to see on the front page of the NYT. This requires pride in security at all levels of your organization, and it's something that few organizations outside of the military get right.
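One way to implement the "coordination from multiple geographies to unlock access" control mentioned above, as an added example that is not code from the thread: a Shamir secret-sharing split of a key over GF(p), where any k of n regional custodians can reconstruct it and fewer cannot. The prime, the region names, the threshold and the secret are assumptions chosen for illustration.

```python
"""k-of-n unlock of a sensitive secret via Shamir secret sharing over GF(p).
Added example of a multi-geography unlock control; not code from the thread.
Region names, the threshold and the secret are assumptions for illustration."""
import secrets
from typing import Dict, List, Tuple

P = 2**127 - 1  # Mersenne prime; shares live in GF(P), so the secret must be < P

Share = Tuple[int, int]  # (x, y): x is the share index, y the share value


def _eval_poly(coeffs: List[int], x: int) -> int:
    """Horner evaluation of sum(coeffs[i] * x**i) mod P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split(secret: int, k: int, n: int) -> List[Share]:
    """Split secret into n shares so that any k of them recover it.
    The constant term is the secret; k-1 random coefficients hide it."""
    if not 0 <= secret < P:
        raise ValueError("secret must fit in GF(P)")
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover(shares: List[Share]) -> int:
    """Lagrange interpolation at x = 0. With fewer than k shares this returns
    garbage rather than an error, which is why unlock() enforces the count."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def unlock(presented: Dict[str, Share], k: int) -> int:
    """Reconstruct only when at least k distinct regions present a share.
    Region names are assumed labels for the custodians of each share."""
    if len(presented) < k:
        raise PermissionError(f"{len(presented)} region(s) present, {k} required")
    return recover(list(presented.values()))


if __name__ == "__main__":
    # Constructed scenario: a 126-bit key-encryption key split 2-of-3 across
    # three regions; any two regions acting together can unlock it.
    kek = secrets.randbelow(2**126)
    shares = split(kek, k=2, n=3)
    custody = dict(zip(["us-east", "eu-west", "ap-south"], shares))
    assert unlock({"us-east": custody["us-east"], "ap-south": custody["ap-south"]}, k=2) == kek
    try:
        unlock({"eu-west": custody["eu-west"]}, k=2)
    except PermissionError as e:
        print("single region refused:", e)
    print("two regions unlocked the key:", hex(kek))
```

The field arithmetic is the whole control: a single share is statistically independent of the secret, so compromising one region's custodian (or one region's HSM) yields nothing, and the check in unlock() is what turns "k shares" into "k separate people in k separate places".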


It boils down to this: if you can access secured data, then someone following the same steps can also access it.

So unless you advocate for no secured data, you are vulnerable to a sufficiently sophisticated attack (I.e. hypnodrones hijack your mind)


I’ve bypassed the man trap for a DC by accident before so I guess I’m good? :)

Can’t remember how I did it but my former coworkers still tell stories about it. Lol.


I am referring to a CIA (confidentiality, integrity, availability) related incident. Less so the availability. If an attacker were truly motivated, the web stack / application stack is not how you compromise the system. The user is how you compromise the system. Do you have proper physical security to prevent unauthorized access? Do you have proper password and 2 factor auth configured? Do you educate your employees on how to identify phishing? There are numerous other ways to compromise a system than remotely via the web or application stack :)


Read up on Microsoft's Assume Breach strategy. A mature organization has to embrace thinking beyond prevention.

https://gallery.technet.microsoft.com/Cloud-Red-Teaming-b837...


>Correct me if I'm wrong, but If there's no holes in the application/web stack to be exploited, then there's no getting in. Right? It's not about hacker/pirate skill. It's about whether or not the target has plugged all their holes or not.

Similarly if a ship is unsinkable the passengers will never drown. Easier said than done.


I think you may be imagining a comprehensive numbered list of exploits. Some products are sold that indicate things like this.

It may be possible to write a software component that is not vulnerable to exploits, but any non-trivial system built of many components will almost certainly be exploitable.

As much as people say they value security, they also value delivery of working software.

Additionally, as others have said, no system is invulnerable from the CIA, NSA, KGB, etc. Someone knows the passwords (or where the passwords are stored) for your system. They may be vulnerable to bribery, blackmail, torture, etc.


Unfortunately it is never that simple. Even if you have thing well plugged on your end, other software /services that interact may provide a path. I recall one instance a few years ago where a hacker chained password recovery services together to breach an apple account, by bouncing through Amazon. One of the password recovery methods for Apple at the time was providing the billing address, and at Amazon you could recover a password by providing the full CC# of a card on file. But Amazon also let you add a CC# for an account you weren't logged into, so the hacker got a Visa giftcard, added it to the Amazon account of the victim, reset the Amazon password with that CC#, and then used the shipping address in Amazon to recover the Apple account password.

Then there are the security holes that exist and are known about by select groups which they sit on and use for big plays...


The computing stacks for a typical modern corporation are too complex to be able to say with certainty that all the holes are plugged.


> Correct me if I'm wrong, but If there's no holes in the application/web stack to be exploited, then there's no getting in. Right?

Right. But there's a saying: "Nothing is unhackable". Therein lies the problem. If you can build an unhackable system you literally can get whatever salary you want. If you can convince someone that such a thing is possible. But I'm pretty sure that'd count as fraud.


An unhackable system is like saying an invincible building.

They both will never exist with the proper 'adversary'.


I'm confused at your reply. Did you think I suggested something might be unhackable? Because I suggested that nothing is unhackable.


> If you can build an unhackable system you literally can get whatever salary you want.

Does it have to be useful?

On a more serious note, similarly to being able to break RSA in ‘little’ time, having that kind of skill would not result in financial wealth but a huge risk to your physical and mental/emotional well-being. Imagine who would come knocking on your door (assuming they won’t straight out abduct you), and trying to tell them no.


> It's about whether or not the target has plugged all their holes or not.

You're not exactly wrong, but you're assuming something that's impossible. How do you know where all the holes are? You (I'm using the generic you here, as though speaking to a CIO) cannot even inventory all the net-connected software and hardware you own, and even if you could the list would be out of date in 24 hours. But let's say you had that fictional inventory. How do you find its vulnerabilities? You might be able to design an automated process to look at your source code and match against the CVE database. Whoops! You don't have source code for most of your resources because they're proprietary and came from outside vendors. So maybe you look at object code. There are tools that do that. Whoops! A lot of the code is in ROM and you cannot extract it. Even if you could extract all your object code and analyze it against CVEs (which you can't), that's only going to catch known vulnerabilities. What about the unknown ones?

Oh and now we have to talk about all the stuff that's not net-connected which is vulnerable to employees plugging in USB drives...

So no, you can't know where all the holes are so there's no way to patch them all. This doesn't mean security is impossible. It just means there's no such thing as perfect security and there are no magic bullets. Security is a necessary, expensive, and mostly boring part of any company's day-to-day business operations, like, say, accounting and the legal department. But that's not quite right, because most of your employees probably don't need to know much about accounting or the law. But they do need to understand the basics of safe computer use, so ongoing training should be a fat budget line item.

Anyway security is a process, not a thing you can just buy a little of from a vendor. You ignore the security process at your peril.


Good luck patching all the humans that work at, or with, your organization.


There is no plugging all of the holes. Not in a general case. It's like the halting problem (it's technically equivalent) - maybe you can say for one program there are no holes, but not for arbitrary programs, for arbitrary definitions of holes.

This is Rice's theorem.

More practically, you can simply assume that for an arbitrary program of 'reasonable size' with a moving codebase there are effectively infinite exploitable vulnerabilities.
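The reduction behind the Rice's theorem claim, as an added sketch that is not part of the original comment (the property "has a hole" and the program names are illustrative):

Let $\mathcal{P}$ be a property of the behaviour (the partial function computed) of programs, and suppose it is non-trivial: some computable function $f \in \mathcal{P}$ and some computable $g \notin \mathcal{P}$. Without loss of generality the nowhere-defined function $\bot \notin \mathcal{P}$ (otherwise argue about the complement). Fix a program $A$ computing some $f \in \mathcal{P}$. Given a halting instance $(M, w)$, build

$$M'_{M,w}(x): \ \text{run } M \text{ on } w;\ \text{if it halts, output } A(x).$$

Then

$$\varphi_{M'_{M,w}} = \begin{cases} f \in \mathcal{P} & \text{if } M \text{ halts on } w,\\ \bot \notin \mathcal{P} & \text{otherwise,}\end{cases}$$

so a decider for "$\varphi_{M'} \in \mathcal{P}$" decides the halting problem. Taking $\mathcal{P}$ = "on some input, returns data to an unauthenticated caller" (or any other behavioural definition of a hole that some programs have and some do not) gives the undecidability of "has no holes" for arbitrary programs, while a specific program with a specific definition of hole may still be proven clean.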


They'll just rubber-hose your teenage son until you give it up. I'd certainly give up a database password before I'd let my son get beaten by Bin Laden.

Or if they're not SuperMicro, then you'll buy hardware with a https://en.wikipedia.org/wiki/The_Thing_(listening_device) in it


Two problems with that - knowing about all of your holes, and whether or not they are plugged, is impossible. Second, many breaches don’t even involve holes in your web app stack. Low tech attacks like phishing and malicious attachments are remarkably effective to get a foothold into a network.


I guess the stack itself is probably so deep and wide generally that the attack surface goes on and on. More than anything though, humans. Staff can be exploited easier than anything else in a lot of cases (I'd wager, not my area of expertise).


Not right. There are ALWAYS holes - it's the nature of software, hardware, and humans.


Please, share with us your application stack that has no holes.


How about: “No amount of controls will stop someone truly motivated, skilled, and lucky.”


Yes, "someone truly motivated and skilled" is a useless statement.

The bar can be raised quite high.


A hacker needs only one hole. The security pro has to plug all of them. It's a rigged game that inevitably costs disproportionately.


Hereabouts, banks adopted new procedures after some incidents involving staff's families being kidnapped.


Do you still use excel sheets for security assessment or some platform?


A combo of in-house tools for creating findings from "non-standard" tools (standard tools being Nessus, AppScan, etc.), such as pen tests, responsible disclosure, red teamings, etc. We partner with Kenna Security pretty heavily in terms of tracking and consolidating our vulnerabilities, along with remediation prioritization and strategy.


Completely agree. We're working on an idea to handle the boring stuff as part of YC's Startup School 2019. GDPR, HIPAA, CCPA, PCI, etc. compliance + penetration testing and risk assessments.

We'll be building it at: https://secquity.com or if anyone has any specific questions, feel free to reach out at info@secquity.com


from your website: HIPPA should be HIPAA


Might want to fix the Lorem Ipsum on the homepage for mobile towards the bottom :) for example

HIPPA Compliance Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nunc quam urna, dignissim nec auctor in, mattis vitae leo.

GDPR Compliance Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nunc quam urna, dignissim nec auctor in, mattis vitae leo.

PCI Compliance Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nunc quam urna, dignissim nec auctor in, mattis vitae leo.


I think this is a bit short sighted and shows a lack of knowledge of the industry and the subject.

I know for a fact that almost every large institution of even the slightest quality is currently in full panic mode regarding their cyber posture. Look at JPMC, spending nearly 1 billion dollars a year on cyber. I know most of the other big financials are right there as well in terms of % of revenue.

In the financial industry alone, there's a huge uptick in regulatory responsibility globally for asset, vulnerability, and threat management. The SWIFT (messaging system that all major banks communicate and send money on) auditors and regulators are requiring that almost all of these issues be "solved" for or have a meaningful workflow within your respective organization. Guess what happens if you don't meet it? You have a serious finding against your institution and you will struggle to do business with any of the other more mature cyber organizations that rely on SWIFT. Worse yet, when large customers request the output of these audits and findings -- if you do not comply, they will move their money. I know several of the largest financials lost massive clients and revenue due to not complying with the cyber standards set forth by SWIFT.

I know for a fact within the US the OCC (governing body for financial institutions regarding cyber) is coming down very hard on the cyber posture of a lot of the banks and is making them move faster, otherwise they face a long uphill battle to expand or make significant changes within the US.


>>1. Aside from: linux cmds, nmap, metasploit, sqlmap, mimikatz, kali's well known tools - what other tools are often used by pen testers ?

I think those + your typical scanners (Nessus, Nexpose, etc). One gap I know of is proper organizational tooling, i.e. how you store your results / reports / findings in an effective manner to be consumed downstream via other tooling. For us, it was a big uplift to standardize how our pen testers store and score results. We ultimately ended up settling on a numeric score rather than "High", "Medium", "Low", etc. and mapping back to CWE.

>>2. How is MFA beaten in today's enterprises ?

I think there are a variety of ways -- the biggest gap I've seen is improper configuration, i.e. not properly enforcing MFA on all aspects of your application. What if I steal your session and call the API to disable MFA on your account? Are all of your forms / pages / etc. accounted for? Or just your home page?

>>3. Do most engagements assume one is already in the network ? If not, how does one scan (basic OSINT towards their externally facing website, but let's assume that is very secure)

There are definitely multiple levels of how tests happen in larger enterprises; we have some that pivot from external to internal (both virtually external, and physically external, e.g. getting past physical security). So it really depends on how much your budget is and your paranoia level :)

>>4. How well do pen testers know the defense side and amalgamation of so many defensive tools - how do they learn what to beat ? Is it really as simple as try to fingerprint and then look for known vulnerabilities on msf ? Or do pen testers not care if xyz enterprise is using this version of Palo Alto or a carbon black EDR etc.

Some testers come from engineering backgrounds and have deployed the tooling in the past and know a bit about it. We've even found vulnerabilities in some of the defensive tooling and products themselves. But, I've enforced the policy of not caring for my organization. Controls fail, new techniques come out, tooling becomes outdated.

We do factor defensive controls into the localized "prioritization" score for how we make developers and engineers prioritize what to fix, but ultimately, our pen testers do not care. Not to say that's the same for everyone else.

>>5. How do you keep up ? aside from Reddit

The "massive" banks have a lot of great user groups and information sharing -- personally, I keep up by constantly developing in my free time. If I'm not a great developer, then I'm not going to be great at what I do now.

>>6. any advice to future job seekers working their way into learning more infosec ?

Don't focus too much on being the most skilled hacker. Focus on the field you want to work in, and target the types of attacks and vectors that would be relevant to that area. Too many testers I interview are only focused on "look at how quickly I can place a shell on this box!" vs. talking to me about how "as a bank, you are more likely to be susceptible to physical attacks on ATMs and tunneling through some approved firewall rules to the core infrastructure, here's how I'd scope out some of the issues and pivot from there".

Granted my view is from more of an executive level than an actual tester these days, but I still have my share of fun finding things broken across the environment and discovering vulnerabilities and flaws :)
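The gap described in answer 2 above (a stolen session cookie calling the API that turns MFA off), as an added example in Python that is not part of the comment or of any real product. The users, passwords, session ids and the fixed "valid" OTP are all constructed so it runs offline; the OTP check stands in for a real TOTP implementation, and the 300-second step-up window is an assumption.

```python
"""Added example, not from the comment above: a toy model of the MFA gap
"steal the session, call the API to disable MFA". All users, secrets and
session ids are constructed; verify_totp is a stand-in for RFC 6238."""
import hmac
import time
from dataclasses import dataclass
from typing import Optional

STEP_UP_MAX_AGE = 300.0  # assumption: a re-auth older than this does not count


@dataclass
class User:
    name: str
    password: str            # plaintext only because this is a toy model
    mfa_enabled: bool = True


@dataclass
class Session:
    user: str
    step_up_at: Optional[float] = None  # when password + OTP were last re-verified


def make_state():
    """Fresh users and sessions. 'cookie-abc123' is the session the attacker stole."""
    return {
        "users": {"alice": User("alice", "hunter2")},
        "sessions": {"cookie-abc123": Session("alice")},
    }


def verify_totp(user: User, code: str) -> bool:
    # Stand-in for a real TOTP check so the example runs offline (constructed code).
    return hmac.compare_digest(code, "123456")


def disable_mfa_vulnerable(state, session_id: str) -> int:
    """Weak: a valid session cookie alone is enough to turn MFA off, so a
    stolen cookie removes the second factor from the account."""
    sess = state["sessions"].get(session_id)
    if sess is None:
        return 401
    state["users"][sess.user].mfa_enabled = False
    return 200


def step_up(state, session_id: str, password: str, totp_code: str,
            now: Optional[float] = None) -> int:
    """Re-authenticate the session holder with what the cookie thief does not
    have: the password and a fresh OTP. Records the time of success."""
    sess = state["sessions"].get(session_id)
    if sess is None:
        return 401
    user = state["users"][sess.user]
    if not (hmac.compare_digest(password, user.password) and verify_totp(user, totp_code)):
        return 403
    sess.step_up_at = time.time() if now is None else now
    return 200


def disable_mfa_hardened(state, session_id: str, now: Optional[float] = None) -> int:
    """Hardened: the sensitive change needs a recent step-up, and consumes it,
    so every further sensitive change must be proven again."""
    sess = state["sessions"].get(session_id)
    if sess is None:
        return 401
    now = time.time() if now is None else now
    if sess.step_up_at is None or now - sess.step_up_at > STEP_UP_MAX_AGE:
        return 403
    state["users"][sess.user].mfa_enabled = False
    sess.step_up_at = None
    return 200
```

The point of the hardened path is that "MFA enforced at login" is not the same as "MFA enforced on every security-relevant action": the disable endpoint, recovery-code reset, e-mail change and similar endpoints all need the same step-up, or the stolen session simply walks around the control.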


This is an amazing reply I am going to read a few times! Will hit you up on your e-mail!


YMMV, but, in my experience the biggest difference between these platforms and "real world" is the amount of data available (generally). At big companies, if you were to run a red team exercise or pen test, most of the probing and data gathering you do is on confluence, open git repos, and other places of documentation. Not running nmap or sitting in the middle of two services and inspecting packets. That's not to say that more advanced testers don't employ those methods, but the reality is, the most effective way is to expose yourself to the data available in front of you.

Disclosure: I run Vulnerability Management and Assessments globally for one of the largest companies in the world
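The kind of "data in front of you" sweep the comment above describes (wiki pages and open repos rather than packet captures), as an added example in Python that is not part of the comment. The three documents are constructed for this example; the AWS key is Amazon's documented example key and the GitHub token is a made-up string of the right shape. The patterns are a small illustrative set, not a complete secret scanner.

```python
"""Added example, not from the comment above: a minimal pass over the text an
internal wiki or repo search returns, pulling out the things a tester would
chase first. All sample pages are constructed."""
import re
from typing import Dict, List, Tuple

# Constructed sample input: what a Confluence search and a repo grep might return.
SAMPLE_PAGES: Dict[str, str] = {
    "wiki/Payments Runbook": """
To restart the batch job, ssh to batch01.corp.example.internal as svc_batch.
Password for the staging DB is in the team vault, but for a quick test use
db_user=payments_rw db_pass=Summer2019!
""",
    "repo/payments/config/settings.yaml": """
aws_access_key_id: AKIAIOSFODNN7EXAMPLE
aws_secret_access_key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
db_url: postgres://payments_rw:Summer2019!@db-staging.corp.example.internal:5432/payments
""",
    "repo/tools/deploy.sh": """
#!/bin/sh
# TODO remove before merge
curl -H "Authorization: Bearer ghp_abcdefghijklmnopqrstuvwxyz0123456789" https://api.github.com/user
""",
}

# Illustrative patterns (assumption: a real scanner carries hundreds of these).
PATTERNS: List[Tuple[str, "re.Pattern[str]"]] = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github_token", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("url_with_credentials",
     re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s/:@]+:[^\s/@]+@[^\s/]+", re.I)),
    ("password_assignment",
     re.compile(r"\b\w*(?:pass(?:word)?|pwd|secret)\w*\s*[:=]\s*(\S+)", re.I)),
    ("internal_hostname", re.compile(r"\b[a-z0-9.-]+\.internal\b")),
]

Finding = Tuple[str, int, str, str]  # (source, line number, kind, redacted match)


def redact(value: str, keep: int = 4) -> str:
    """Keep a prefix so the finding is recognisable without re-leaking it."""
    return value if len(value) <= keep else value[:keep] + "*" * (len(value) - keep)


def scan(pages: Dict[str, str]) -> List[Finding]:
    """Run every pattern over every line of every page and collect hits."""
    findings: List[Finding] = []
    for source, text in pages.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for kind, pattern in PATTERNS:
                for match in pattern.finditer(line):
                    # Hostnames are leads, not secrets, so leave them readable.
                    hit = match.group(0) if kind == "internal_hostname" else redact(match.group(0))
                    findings.append((source, lineno, kind, hit))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count hits per kind; useful as the first triage view of a large sweep."""
    counts: Dict[str, int] = {}
    for _, _, kind, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for source, lineno, kind, hit in scan(SAMPLE_PAGES):
        print(f"{source}:{lineno}: {kind}: {hit}")
    print(summarize(scan(SAMPLE_PAGES)))
```

Two things worth noticing in the constructed data: the same staging password appears in a runbook and in a config file, and the hostnames tell you where to go next without any port scan. That cross-referencing, not the regexes, is what makes the documentation sweep productive on a real engagement.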


I've been trying to learn infosec for a few years now with the eventual goal of either an offense/defense role. Plan to work on my OSCP next.

I have a few basic questions please:

1. Aside from: linux cmds, nmap, metasploit, sqlmap, mimikatz, kali's well known tools - what other tools are often used by pen testers ?

2. How is MFA beaten in today's enterprises ?

3. Do most engagements assume one is already in the network ? If not, how does one scan (basic OSINT towards their externally facing website, but let's assume that is very secure)

4. How well do pen testers know the defense side and amalgamation of so many defensive tools - how do they learn what to beat ? Is it really as simple as try to fingerprint and then look for known vulnerabilities on msf ? Or do pen testers not care if xyz enterprise is using this version of Palo Alto or a carbon black EDR etc.

e.g. Alphabet soup of products in a large enterprise for defensive solutions - NGAV, EDR, SIEM, honeypots etc. etc.

5. How do you keep up ? aside from Reddit

6. any advice to future job seekers working their way into learning more infosec ?


I've replied to your thread level comment, but please do feel free to reach out to me if you want any advice or discussion: i@willcode.it


Foremost, I'd also like to say thank you for providing such a detailed reply to the top level comment

But I also wanted to extend my admiration of that very crafty email address. I'm sorry I didn't think of it first

