Episode 109 - Honest Security with Jason Meller

In this episode of the Hacker Valley Studio podcast, Ron and Chris are joined by Jason Meller, Founder and CEO of Kolide. Jason has over 10 years of experience in managing and leading security organizations. Jason’s interest in technology and cybersecurity began in the 1990s when he began programming in Visual Basic and building AOL Instant Messenger bots. Building offensive tools accelerated Jason’s interest in defending networks and helped him learn how large a part honesty plays in building security solutions.

Jason mentions that the security monitoring software at most organizations has the same functionality as spyware or surveillance tools. In addition, these tools are designed to scrutinize all the actions that occur on a device. COVID-19 has increased the rate of organizations going through a digital transformation; as a result, users at an organization are not in a cubicle but at home. This could mean that security teams have an extremely elevated level of access to devices without transparency as to what is being monitored to protect an organization. This is why Honest Security was created - to create a transparent relationship between security teams and end-users.

Jason has collaborated with Jesse Kriss from Netflix, who is actively working towards incorporating user-focused security. Jason explains that organizations should build a culture based on trusting users, treating them like adults, giving them the tools that they need to do their job, and not treating them as suspects from day one. Instead, organizations and security teams should seek teachable moments by giving recommendations and educating users.

Throughout the episode, Jason describes situations that involve users and security team members maneuvering around security tooling obstacles to get their job done. Since users began working from home, traditional tools have created friction in the user experience: for instance, not having the ability to use USB ports on work devices, disabling the corporate VPN to watch a YouTube video, and having to create a ticket to install software that helps them with their job. When this friction is created, users will resort to using their personal devices for work activities and miss the opportunity to benefit from security. In some cases, there are “evil” applications found on a device created by a user, but often the bad applications installed by users are Chrome extensions or helper utilities that send browsing history to a marketing firm.

In the Honest Security manifesto, there’s a section on empathetic intelligence. Jason describes this concept as thinking about the daily life of users: what challenges they are attempting to solve in their workflow, and what part of that workflow could pose a risk to the organization. An example of this would be a security team member trying to empathize with a developer and thinking through their daily workflow. When empathizing, the security team may realize that the developer is attempting to fix issues on a production application. While fixing the production application, the developer may try to bring a copy of the application database to their local device. Creating a local copy of the database could pose a security risk if the copy is not deleted in a reasonable time or if the user's device auto-backs up folders to their corporate or personal cloud storage solution (e.g., Google Drive). Creating education for avoiding this mistake is a prime example of empathetic intelligence when practicing Honest Security.

As the episode progresses, Jason goes into depth and explains more tenets of Honest Security. The goal is not to give unlimited power to the user or the security team but to put everyone in a position to make the right decisions and give appropriate recommendations. When consequences are articulated, users can understand that maneuvering around security tools (e.g., disconnecting from the corporate VPN) can pose a risk to their device and organization. When coaching and education are made a priority in practicing security, James describes it as empowering the user to be successful and more transparent.

 

0:00 - Intro

2:28 - This episode features Jason Meller, Founder and CEO of Kolide!

2:54 - Jason shares his background and his path into cybersecurity.

4:07 - What is Honest Security?

5:22 - Jason’s examples of dishonest security

8:08 - Collaboration with Netflix and User-Focused Security

16:00 - Jason describes Empathetic Security

19:17 - Tenets of Honest Security

35:32 - Wrap Up and Resources for Honest Security

Links:

Learn more about Jason Meller and connect with him on LinkedIn.

Learn more about Honest Security and read the manifesto.

Learn more about Jason’s company Kolide.

Learn more about Hacker Valley Studio.

Support Hacker Valley Studio on Patreon.

Follow Hacker Valley Studio on Twitter.

Follow hosts Ron Eddings and Chris Cochran on Twitter.

Learn more about our sponsor ByteChek.
