How are we securing identity in the cloud? Unlike on-prem, the cloud requires you to cede control to a vendor. So what can we do to keep identities safe?
Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap). Joining us is our sponsored guest, Adam Bateman, CEO, Push Security.
The SaaS attacks matrix community resource mentioned by Adam in the episode can be found here.
Editorial note: Geoff Belknap is an advisor to Push Security.
Got feedback? Join the conversation on LinkedIn.
Huge thanks to our sponsor, Push Security
Block phishing attacks, detect session hijacking and stop SSO passwords being exposed. Find out what else the Push browser agent can do at pushsecurity.com.
Full Transcript
Intro
0:00.000
[David Spark] How are we securing identity in the cloud? Unlike on prem, the cloud requires you to cede control to a vendor. So, what can we do to keep identities safe? What control do we have?
[Voiceover] You’re listening to Defense in Depth.
[David Spark] Welcome to Defense in Depth. My name is David Spark. I am the producer of the CISO Series. And joining me for this very episode, I know you all love him. You get to hear him again right now. It’s Geoff Belknap. Geoff, say hello to the nice audience.
[Geoff Belknap] I love you, too. No, not you. You. That’s right.
[David Spark] Geoff expressing his love for certain audience members and not others.
[Geoff Belknap] That’s right. I want to see more support from the rest of you before I commit.
[David Spark] Okay, that’s a good point, so step up your game. Audience members, you know who he’s talking about. Our sponsor for today’s episode is Push Security – stop identity attacks. Push is a browser based agent that detects and prevents identity breaches specifically in the cloud. And guess what? They’re responsible for our guest today. But we’ll introduce him in just a moment. I do want to talk about our topic. So, Geoff, our audience knows that identity is a key security parameter because it’s a top target, if not the top target for threat actors. But securing identity in the cloud seems like an entirely ball game than on prem. There’s fundamentally less direct control in terms of creation and management. And as an industry, how have we historically been managing cloud identities, and how well is that working today, do you think?
[Geoff Belknap] It’s perfect, no notes. Nobody has any identity problems. And, frankly, Push Security has no reason for existing. Which is apparently what way too many people, and I think the reason why I think companies like our guests are so important is because this is in many ways the only way people are initially enduring attacks is through and against identity systems. And so just you cannot have a conversation now about security without it really centering on identity. Whether it be end user identity or system identity.
[David Spark] Yeah, and it’s part of sort of the Shadow IT discussion we’ve had for many, many years. So, we’re going to get into the discussion. I’m going to introduce our guest. I do want to disclose and let everyone know that Geoff is actually an advisor for our sponsor, Push Security, as well. So, let me introduce our guest right now. He is he cofounder and the CEO for Push Security. He gets paid twice as much, I believe, if you’re cofounder and CEO, isn’t it? Isn’t that how it works?
[Laughter]
[David Spark] I’m not sure about that.
[Geoff Belknap] Yeah, what’s two times zero, Adam?
[Laughter]
[David Spark] It is Adam Bateman, our sponsored guest from Push Security. Adam, thank you so much for joining us.
[Adam Bateman] Thanks, David. It’s great to be here. Thanks for having me.
What are they doing wrong?
2:58.092
[David Spark] Christina Morillo of the New York Football Giants said, “I can tell you what many organizations are not doing but should be doing.” She’s got a great list, and I’m going to go through them. One, regular user accounts are members of the global administrator role or other highly privileged roles. So, that’s regular users. So, making it easier for attackers to move laterally from on premises to a cloud tenant. Two, unrestricted external sharing access for SharePoint or OneDrive. Three, multifactor authentication is not enforced for user accounts and admins. And four, legacy basic authentication is still enabled with no plans to be disabled due to business constraints. And lastly, no configured emergency break the glass accounts, or they are not implemented according to best practices. And lastly, Christina says, “Another one I’ve seen as of late is synchronizing local admin accounts to the cloud.” Is this a pretty good list, Geoff?
[Geoff Belknap] This is a phenomenal list. In fact, the only thing I would add here is building an understanding of we call it shadow IT but at least an understanding of what other identities are being used in the environment other than the ones you already know about. Because, surprise, there’s a bunch.
[David Spark] Yeah, and that goes to just it’s a classic case of how many applications you know are running in your environment. Every time we talk to vendors who often do scans of these kinds of things, the customer or the potential customer always underestimates. It’s always the case. You always have way more than you can guess. You’ve seen this. Yes, Geoff?
[Geoff Belknap] I’ve seen it a whole bunch in several of the roles that I’ve held. You’re working around as a security leader, and you’re thinking, “You know, maybe there’s a dozen or two systems I don’t know about, or someone has bought something on a credit card that they didn’t go through the purchasing system.” And the reality is when you really dig into it, it’s probably 100+ that you don’t know about. And now, I know, dear listener, that you are sitting here going, “Well, that’s Geoff’s environment that’s very, very large.” No, no, that is… A small organization could easily be using 100+ cloud apps, for example, that don’t have SSO, that nobody really knows is being used. And that is a very reasonable number when you come down to it.
[David Spark] All right. I’m going to get the person who can probably answer this far more clearly than either one of us, and that is our guest, Adam Bateman. Adam, what has been your experiences in terms of what people see and not realize how exposed they are in their environment? I got to assume you ask them, “What do you think you got?” And then you show them.
[Adam Bateman] Yeah, exactly. What Geoff just said is exactly true. We see in data that companies with as small as 30 people have up to 150 SaaS applications in use at any time. We’re actually like that ourselves. But I think it’s interesting because that’s just the ones that are actively being used. What you also see is people signing up to five or six different applications, to experiment with them, to determine which one they want. And then once they’ve made a decision out of those say five, they bring the one forward that they want to go through security compliance and follow the process, and that gets plugged into SSO. Then the other ones just sort of remain on the internet.
So, I think the number of identities that exist is probably even a lot larger than that. People do sometimes think, “Okay, but maybe they’re test systems.” But you’d be amazed what people put in those test systems. Because the SaaS vendors make an effort to want you to make values. They want you to use it as… The onboarding process encourages you to use it as actively as possible. You see people put production data in there. You see people do integrations back into core systems. And in some cases, you can use those test systems even to tunnel back into more critical applications.
[Geoff Belknap] Certainly no one would do that. No one would connect a test system to production to test it, right?
[Laughter]
[Adam Bateman] Definitely not, no.
[Geoff Belknap] And everyone listening knows which systems they have that are tests that are connected to production, right?
[Adam Bateman] [Laughs]
[David Spark] I don’t think everyone is nodding in agreement right now, Geoff.
[Geoff Belknap] Yeah, I’m seeing a shocking lack of nodding in agreement here.
Why does this still happen?
7:21.566
[David Spark] Brandon Maytham of Kroo Bank said, “What we are missing is a single SSO standard. The issue we have isn’t the lack of SSO, single sign on, or its implementation. It’s that there are many standards. For example, SAML, OAuth, OIDC, or OAuth with OIDC. Many times a service won’t support a particular provider.” Sean Turner, CISO over at Twinstake, said, “Choosing SaaS products and tiers for some products that charge extra for such enterprise features that support industry standard SSOs such that we can provision, permission, authenticate, and of course deprovision from our cloud based IDP across the board.” So, I’ll start with you, Adam, on this. How much would everybody being on one SSO standard help us solve this problem?
[Adam Bateman] It’d help enormously. And it reminds me a little bit of when cell phones all had different chargers. And it was like collaborate and create one, damn it. Because every time you go anywhere and your phone runs out of battery, everyone has about ten different ones. We’re very much in the same state. But I think actually it’s even more complex than it looks like on the surface there. So, he’s absolutely right. Lots of different standards. But the extra complexity that we see is the implementation of each of those standards is also very wildly different. Right? So, the way that a SaaS vendor will implement SAML will vary significantly.
What you find is sometimes if there are local accounts on those SaaS applications, even if they’re connected to say SAML, you can still login if you go to the app directly with a password, or with IDC, or with single sign on. So, you get the choice. Other ones are implemented a bit more robustly. So, if you go to them, they’ll use what you’d call home realm. And it would discover the domain, know it was on SSO and redirect you. But they’re just wildly, wildly different. The way people create and handle sessions is different. There’s just enormous variation between them. So, it actually becomes difficult to provide recommendations for customers on how to handle these sorts of things because there’s so much variation. And so I think this is a really big thing for the industry. Because if we can get some collaboration going and get some consistency going between those, we can give much more general useful advice to the industry on how to scale themselves.
[David Spark] It’s interesting. The whole point of SSO, Geoff, was to simplify and make the user experience better but also improve security. But as Adam is pointing out, given all these variations, there is back doors aplenty to side step this.
[Geoff Belknap] Well, there are… I would at least characterize it as there are many opportunities for improvement among people who build enterprise applications and certainly in identity implementations in those stacks. The two things I would just call out here are I don’t know that I have personally seen the problem being too many standards. It feels like most people are using a SAML or OAuth, depending on what they’re doing. And it is a problem because the implementation of each of those things can vary wildly from very mature and robust to just sort of like we checked the internet, and just copied and pasted some code and hoped it worked. But the real problem that I think most security teams run into is that it’s not offered by default. And a lot of times, SSO is offered at a premium tier. I think Sean kind of covers that. Same as there are still organizations that are charging extra for audit logs.
These are both basic things you need if you’re buying any kind of enterprise application to secure that application. And certainly in this conversation where identity is one of the primary vectors for attack, you have to have a robust identity system built into whatever app you’re buying. And I think the reality is we’re not there yet as an industry. Now, moving in the right direction, but we still need lots of we’ll say capabilities and capacity to understand where we have some areas that we haven’t looked at, where we have some areas that we’re not getting visibility into today. I think that’s really where we need to spend much more of our energy. Like I said before, this is why I’m an advisor for Push. This is the kind of solution that more people need because you’re not getting the visibility into the problem that you have, and the problem is immense.
[Adam Bateman] Yeah, on the visibility front, if I can add one thing. So, the analogy that I’ve started to think about is you know right back in the late ‘90s, the attack surface was loads, and loads, and loads of open network ports all across the internet, and we didn’t even have firewalls. It was just a complete free for all attack surface. And then firewalls came along, and it reduced that attack surface and gave us some control over it. But we realized quite quickly that it wasn’t this silver bullet, and people make configuration issues, and people spin up posts on other public IP address ranges that aren’t protected. And so what do we do?
We verify it. We got port scanners and vulnerability scanners, and we check the estate. We looked at it from the attacker’s perspective rather than just trusting what the network diagram said. And identity hasn’t reached that same point. At the moment, we’ve got identities scattered all across the internet. We don’t know what that looks like. SSO, I guess, in this analogy is kind of like the firewall, but it can have configuration issues. We see it all the time. So, why don’t we verify it? Why don’t we look from the attacker’s perspective and understand what’s out there, which ones are vulnerable, and patch the issues that are there? I think that’s the big step that needs to happen, with Geoff’s point about visibility. Verify is the step that’s missing in identity security.
Sponsor – Push Security
13:18.908
[David Spark] Who’s our sponsor this week? Why, it’s the spectacular Push Security. And let me tell you about them. Imagine a situation. It’s Friday afternoon, and one of your employees reports a suspicious SSO login page they’ve been prompted to authenticate through. Huh, were we just talking about this? You take a look, and it’s clearly a phishing webpage. The employee that reported it says they immediately closed it, but you know how these things go. They didn’t fall for it, but others probably have. So, you run some more checks to see who else visited the phishing site and find 50 more hits. At this point, you’re probably cancelling your evening dinner plans and scrambling to get in touch with those employees to find out who entered their credentials into the page. Maybe you also kick all 50 employees out of their sessions or force them to reset their SSO password. But at this point, it may also be already too late.
Who knows what other apps have been accessed and what backdoors the attacker has already put in place. At the prospect of reviewing every connected SSO app, it’s looking like a long weekend ahead. Now, imagine that situation with Push Security. You’re not only able to see who visited the phishing site but also who entered their credentials, and the answer is zero because Push has automatically blocked those 50 users from entering their SSO credentials into any page that doesn’t belong to the SSO provider. This is just one example of how Push Security’s browser agent can detect and respond to identity attacks. If you want to find out what else it can do, you got to go to their website. Head to pushsecurity.com. It’s spelled just the way it sounds. Pushsecurity.com. Check it out.
What’s our visibility into this problem?
15:09.366
[David Spark] Jay Dance of StubHub said, “Identity is the new border that we are striving to protect.” Oh, yes, we have heard this many times. Going on, Jay says, “Identities keep expanding both in amount and scope, and the ways to identify entities is ever evolving. It seems we have a gap in being able to track all those different types of identities against a predictable life cycle and expected uses. And Jeff Moncrief of Sonrai Security said, “Awareness and mitigation of the entire unused permission attack surface. From identities to services and everything between. A holistic shift in how we view everything that’s unused but turned on across our cloud estates. The ‘unused’ problem is much bigger than just unused identities.” I want you to start with this, Adam. This unused problem. I mean we see this everywhere. Unused S3 buckets, unused accounts on prem. And I think it’s got to be way worse in the cloud because people spin up instances and then log in once, and then long forget about it, don’t they? Adam?
[Adam Bateman] Yeah, 100%. Similarly, we were talking about the traditional [Inaudible 00:16:34] from the 2000s. Carrying on with that analogy, it’s kind of like you have that whole, sprawled out attack surface, and you can just secure your website, and your VPN, the things you know about. But actually they’re the ones that gets the most security attention. Usually, from my experience as a pen tester, the way you get in is through that dev server on the side that no one knew about. It’s the insignificant thing on the infrastructure you weren’t aware of that gets you a foothold and brings you into the network. Right?
And the similar thing is very, very true from an identity perspective. An enormous sprawl of identities across the internet, and you need to kind of get visibility across and know which ones of those exists. The other thing as well is even when you know about them, it’s having visibility of the actual login process. So, we’ve seen a number of high profile incidents and on the rise recently where people just take credentials online or they guess credentials, and they just spray them across that attack surface and login. So, actually having an understanding of what the health and the hygiene of those identities look like as well is important from a visibility perspective.
[David Spark] Geoff, I throw this to you. The unused problem, how much of that is an ongoing issue that you have seen? Just accounts left open, specifically in the cloud. Because I know we’ve dealt with this on prem, yes?
[Geoff Belknap] Yeah, it’s a big problem. The bigger part of this is that most people aren’t thinking about it this way. You provision an identity. You think about the mindset or the frame that people use to think about identity today is still very user centric, which is good in many ways. But the reality is there are a bunch of identities, like system to system identities, people are using for integrations or for automation. And people are not thinking about so much looking at what if that identity hasn’t been used of a while. That is an opportunity to close a door that maybe doesn’t need to be open. But even scarier, what if that identity hasn’t been used for 180 days, and now all of a sudden it was used a million times last week.
That’s also very strange and probably very concerning. But like building visibility, building detection rules around that, it requires two things. One, it requires some very forward thinking from detection and response engineers. And two, it requires enough telemetry to even be able to know how to gather that information, how to build detection on top of it, and what to do once you see it. All of those things are really only right now in the realm of some of the most well-funded, most mature security teams. But the reality is they are not the ones that are facing that threat, and certainly they’re more prepared for that threat than most people. Most people who are running medium sized enterprises don’t have those capabilities today, and that is a real problem.
[David Spark] Let me ask you a quick question, Adam. I just had an experience with this where I had to shut down an account, and I wanted all my data on it, which wasn’t a lot, completely deleted. There was no simple way to do this on this service. I had to go through the help desk, submit a ticket, lots of messages back and forth. And I also had to send them the listing of the right to be forgotten, which is now a request that you can make. It was an involved process. And it was just one account, just me doing it. I couldn’t imagine having to do this on scale. How often do you see this, and is there any way to make this better?
[Adam Bateman] Well, it comes back to what we were talking about before standards as well, and I think we’ve seen a new role come up recently, like product security. So, it’s kind of like when you have app security you generally test the security of lots of different apps inside an organization. And production security is like that but much more focused on your own SaaS application [Inaudible 00:20:24] security controls that go within that. I think it’s a welcome role for the industry, and it’s one that’s becoming more popular. And that would really fall under the realm of this, right?
Because that making it difficult to remove data is something driven by marketing and product growth teams. So, if we make it harder to get rid of the account, we’re more likely to keep contact with that user, and they’re more likely to use it over time. But you need the product security person on the other side of those to say, “Yeah, but then the other side of this is it sits online unused, and they can’t get rid of who they want to. So, you have this dormant identity sitting on the internet, exposed for a long, long time that no one knows about that can be compromised at any point.
[David Spark] Can you detail why that’s an issue? Because I don’t think a lot of people understand that like I log on once. I create an account. I never use it again. It sits there dormant. Why is that an issue?
[Adam Bateman] Well, because, as I said, there’s a really big uptick in product led growth, which basically means have the product do the selling for you rather than talk to a salesperson. It’s a great model. We saw great companies like Slack and Zoom benefit from this model. Very, very popular. It’s really, really good. But you have dedicated teams that are focused on removing friction from the onboarding process. Therefore there will be arguments about whether or not to enable MFA by default I’m sure in a lot of those companies. But also trying to encourage time to value. So, when an employee signs up to an application or a user signs up to an application, getting them to value as quickly as possible.
And that usually means getting them to use the application in as real worlds as they can straightaway. So, what you see a lot of is things like… You might be familiar with social media aggregators. Right? Rather than you logging in directly to X and directly to LinkedIn, you log into one social media platform, and you can do one post, and you can schedule it all of them in one go. Very convenient. But you’ll see apps like that they’re completely useless you connect up your social media accounts. And so on the onboarding process, they’ll block until you connect up your accounts. It’s not often people have a test social media account, so they connect their real one.
And what you’ve then done is you’ve now got a single identity to compromise all social media, but then they invite in five or ten different of the marketing team to try it, which means you’ve just 10x the attack across those. If you then can’t delete them, they will stay on the internet forever. The company might abandon it and say they don’t want to use it, but those identities don’t go away, and they form part of the company’s attack surface for as long as that SaaS application exists online. Right? So, I think the ability just to delete the data and go, “Right, I’ve shut down my tenant now,” is as important as a lot of these other features we’re talking about in terms of securing accounts in the first place.
What are the elements that make a great solution?
23:05.089
[David Spark] Colt Blackmore of Reach Security said, “Kill OAuth permissioning with fire. Not even FIDO2 can save you if users are allowed to authorize apps nilly-willy.” Isn’t it willy-nilly? I think it’s willy-nilly.
[Geoff Belknap] I think it is.
[David Spark] But we’ll go with it, Colt. Colt goes on to say, “This includes disabling first party apps. Example, Microsoft’s own apps if you’re on Microsoft and shutting down hinky auth flows. Adapt controls to people. Least privilege everywhere, more restrictive policies for more sensitive resources, bulletproof vests for the high-value targets.” And Nihar Dhruva of SunPower Corporation said, “We need to ensure continuous access reviews and Risk and SOD violations as defensive mechanisms. One of the architectures being very effective these days is Risk based provisioning for both, cloud based identity provisioning as well as SSO based provisioning.” Wow. I’m saying that at the very end, but that’s a good interesting thing. Have you heard of Risk based provisioning for cloud based and SSO based provisioning, Geoff?
[Geoff Belknap] Yeah, but the reality is that is not available in most products today. And so I think this whole conversation goes like this. The stuff we’re talking about for the last 20-some odd minutes is not rocket science. I know all you dear listeners have been listening, going, “Yeah, that’s great. I already know all this.” But the reality is everybody knows all this. It’s still a very difficult problem. And the reality is if you have a system that’s going to give you risk based access controls, and it’s going to automatically turn off accounts that aren’t in use, and it’s going to sort of do what Colt is talking about here, which is push people away from OAuth and into FIDO2 or some other stronger auth mechanisms, fantastic. Buy those products where you can get them.
But the reality is even if you work in a company that is prioritizing only products like that, you’ve got sort of the example Adam gave earlier. You have at least a third of your apps internally that are just like single password, no two-factor auth, aggregating things across multiple accounts, no SSO. It’s not integrated into Entra, or to Okta, or whatever you’re using. And that’s where the problem space exists. So, if you can get somebody to standardize on risk based provisioning and pairing back accounts, fantastic. But that’s not going to be your entire estate. That’s going to be one part of it.
[David Spark] All right, Adam, I’m going to let you close this sucker up. Where do you stand? I mean you were nodding your head with, yeah, that would be wonderful, but you rarely see it. Or it’s not everywhere.
[Adam Bateman] No, no, I completely agree with what Geoff was saying. I never want to discourage anyone from [Inaudible 00:26:10] any security controls. The one thing I would say is Geoff is absolutely right. This stuff is not rocket science. But I think sometimes as an industry, we have a habit of overcomplicating things. Right now, we’ve been fighting [Inaudible 00:26:20] attackers off of end points and got very, very good at it. And we’ve regressed as an industry because attackers are buying credentials and logging in. There’s no hack. There’s no… And this is a big problem. We are doing everything we can to help with this problem, but it’s an industry wide problem that we need to get with. So, I think all of these other complexities, they’re all really good.
But I think right now, it’s the good old basics. The things we’re talking about. It’s like what passwords… What identities exist? Do they have weak, stolen credentials where you can guess the login? And do they have MFA? It’s the age old stuff repeated in the new era, and so that’s the thing I would encourage people to focus on as a priority. All the other good things like defense in depth, and risk based provisioning, and all the other stuff I encourage, too, but it’s a fundamental… We should solve that problem as an industry and try and standardize the support for that as much as we can.
[David Spark] It is security fundamentals. Honestly, I just don’t think the average user who keeps signing up for these accounts sees all of these as their identity. I think they, in their mind…they think their identity is the account they login to get onto their computer, which gives them access to all the enterprise systems on their computer. Or maybe their identity is… Because they’re on Google cloud, that’s their identity there. But I don’t think they envision every single thing they sign up is an element of their identity. And what both of you just said is the answer is just the same old security fundamentals we’ve always been doing. Just apply it to the darn cloud now.
[Geoff Belknap] Yeah, I think it’s important to point out, too, you can’t expect your users to constantly be vigilant for those kind of things. You’ve got to be building, buying, or borrowing something in your environment that’s going to be flagging to you when they’re doing these things that are risky.
Closing
28:17.787
[David Spark] Good point. All right, we’ve come to the very end of the show where I ask both of you which quote was your favorite and why. And, Adam, I’m going to start with you. Which quote is your favorite and why?
[Adam Bateman] My favorite quote is Brandon’s, when he was talking about missing a single standard. He was talking about a single SSO standard here. But taking that a little broader, I think the industry working together to build out what is the best overall standard for authentication and agreeing on that. And getting that consistent across the industry, I think, is going to have the biggest impact overall. So, we agree on SAML, but we should agree on things like the ability to kill sessions in case sessions are stalled and the ability to delete data directly out of accounts with a click of a button if you need to tear down those identities and those sorts of things. So, I think that’s a really important point.
[David Spark] All right, I’m throwing to you, Geoff. Your favorite quote and why?
[Geoff Belknap] I’m going to go with my buddy, Colt Blackmore, here. Even though I disagree strongly with saying something is nilly-willy…
[David Spark] [Laughs]
[Geoff Belknap] …I agree emphatically that people should be really taking a harder look at OAuth permissioning. And to be clear, I don’t think Colt is saying here… Although I am sure he will correct me in the comments. I don’t think Colt is saying here that you shouldn’t use OAuth. I think what he’s pointing out is you either need to manually or build or buy tools that will help you consistently and regularly evaluate what are the OAuth scopes that are being handed out in your organization. Because to his point here, it is really easy for users to just click “approve.” Lots of apps ask for it. They sort of, in many ways, tell you you have to click approve. You have to enable this OAuth scope to make something work. And the long-term effect of that is you don’t know that that’s there, but the attackers will. So, waste not, want not. Somebody will find a use for that thing that you are not using anymore, so maybe start taking a look at those things.
[David Spark] And that comes to the very end of our show. I want to thank your company, Adam. That would be Push Security. Stop identity attacks. Push is a browser based agent that detects and prevents identity breaches. You want to know more? You got to go to pushsecurity.com. It’s spelled just the way it sounds. Pushsecurity.com. Adam, do you have anything last to say? Anything you want to mention about Push? Are you hiring at Push? Can people contact you directly? Please let us know.
[Adam Bateman] We are very much int his not just to sale the product that we’ve built but because we have been in this game for a long time, and we’re here to make a difference to the industry quite generally. Like we want to leave this in a better place than where we are…than where we’ve found it. So, we are putting out a lot of research and a lot of advice on this area, which is ungated. You don’t need to talk to us. Just things are out there. Good advice. So, we’ve got, for example, the SaaS Attacks Matrix available on GitHub, which is a community resource that people are contributing towards. So, I would just say if you’re interested in this area, check it out. You can follow us or myself on LinkedIn or X. Hopefully you’ll find this as a useful source to try and get [Inaudible 00:31:33] of this very complex area.
[David Spark] Excellent. Well, thank you very much, Adam. Thank you for supporting the CISO Series. And thank you, Audience. We greatly appreciate your contributions and for listening to Defense in Depth.
[Voiceover] We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cyber security. This show thrives on your contributions. Please write a review, leave a comment on LinkedIn or on our site, ciso-dev.davidspark.dcgws.com, where you’ll also see plenty of ways to participate, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at david@ciso-dev.davidspark.dcgws.com. Thank you for listening to Defense in Depth.