Securing Hybrid Environments Without Slowing Operations
Notes
As cyber threats evolve and infrastructure becomes increasingly complex, IT leaders face the challenge of securing hybrid and cloud environments while maintaining operational efficiency. In this episode of The Hitchhiker’s Guide to IT, host Michelle Dawn Mooney welcomes Matthew Toussaint, founder of Open Security and former senior cyber tactics development lead for the US Air Force, for an expert analysis of how red team tactics and proactive risk assessment can strengthen infrastructure reliability.
With 20 years of cybersecurity experience spanning military and private sector operations—including incident response for sophisticated nation-state attacks like North Korea’s Lazarus Group—Matthew brings a unique perspective to the vulnerabilities and blind spots that plague modern IT environments. He shares battle-tested strategies for building resilient systems without massive overhauls.
Key topics include:
- The biggest blind spots in hybrid and cloud infrastructure, particularly around AI-driven development
- How IT operations teams can adopt proactive security mindsets without becoming full security teams
- The critical importance of credential management as the foundation of cloud security
- Why red team methodologies haven’t evolved much despite dynamic infrastructure changes
- Common infrastructure vulnerabilities that can be addressed through basic security hygiene
- The vulnerability triage approach: focusing on the 20 critical issues per year versus 42,000 total CVEs
- How to treat cybersecurity bugs the same as software bugs for better organizational resilience
Whether you’re a CIO developing security strategy or an IT operations manager navigating infrastructure risks, this episode provides essential insights for building cyber-resilient environments that can withstand evolving threats while supporting business objectives.
Transcript
Welcome to the Hitchhiker’s Guide to IT, brought to you by Device42. On this show, we explore the ins and outs of modern IT management and the infinite expanse of its universe.
So buckle up and get ready to explore the ever-changing landscape of modern IT management.
Hello, and welcome to the Hitchhiker’s Guide to IT where we explore the evolving landscape of enterprise infrastructure and the strategies that keep it secure, scalable, and resilient. I’m your host, Michelle Dawn Mooney. Today, we’re diving into the intersection of cybersecurity and IT operations, specifically how red team tactics and proactive risk assessment can strengthen infrastructure reliability. And joining me is Matthew Toussaint, founder of Open Security and former senior cyber tactics development lead for the US Air Force with deep experience in vulnerability assessment and offensive security. Matthew brings a unique lens to the challenges IT teams face in protecting hybrid and cloud environments.
Matthew or Matt, if I can call you, you know, three, two, one.
Matthew, thank you so much for joining me today. Excited to have you here with us. Matthew, so great to have you here with us today. Looking forward to the conversation.
I can’t wait to get started. Cybersecurity is a thing that I nerd out on in the absolute extreme. So, every single topic that you can kinda consider within cybersecurity is my, bread and butter.
Nice. Nice. Well, before we kind of get into the bread and butter, I’d love for people to learn a little bit more about you. I mean, I gave a very quick snippet or two, but can you give us a little more insight into your resume, please?
Absolutely. Well, so, like, once upon a time, the choice was to become a lawyer, and that’s entirely what I intended to do. Growing up, I saw the JAG show, if anyone’s familiar with that once upon a time. You had Maverick or, with Harm, excuse me, with his white, like, a navy shirt and all that kind of stuff.
Oh, man. I was totally into that. My family is long time, military. My sister was navy, and army.
I’m air force. My I married a marine, and my father was air force for twenty one years as well. So we’ve been, like, kinda all around the block there, and I was supposed to become a JAG. But we just happened to have made the cybersecurity field in the military right when I was coming in, and I went to the Air Force Academy.
And, if you wanna be a JAG, you’ve gotta spend two years in the military doing something else that you can bring that to your your legal, perspective, if you will. And so I chose cybersecurity, and, I never left because I loved it. I absolutely adored, the work that we were doing, and I’ve done it for the past, oh, man, twenty years. I’m I’m dating myself here, but worst things have happened.
Yeah. I love it, and I love the fact that sometimes the path that we end up on is nowhere near where we thought we were going, and it turns out to be exactly where we’re supposed to be and exactly where you’re supposed to be. So happy to have you here once again. So I wanna get into those questions because we have so many things to touch on today. So, obviously, you come from a strong red team and cybersecurity background, and you kind of gave us a story of how you ventured into that line of things. But how are those insights now being applied to support more resilient IT infrastructure?
Absolutely.
So one of the things that that I do and my organization does, because I run a I run a cybersecurity company now called Open Security. And one of the things that we occasionally do is incident response. We prefer not to do incident response. We prefer to respond before an incident actually occurs.
But, well, you know, worst case scenario, we might meet an organization when they’re experiencing a breach from some kind of, foreign actor. And one of the most interesting ones that I was able to, to be involved with was a compromise by Lazarus Group. And so Lazarus Group is a, an intrusion set. So that’s a remote, malicious attacker, but they’re an intrusion set from North Korea specifically.
And when I was in the military, I was actually the, battle planner for a small amount of time for the Korean theater. So I was doing this, private sector engagement, and I’m looking at the techniques and the tactics that the adversaries are using. And I’m thinking to myself, I’ve seen these guys before. I know exactly what this is.
And so I reach out to the FBI cell out of, Alaska, ironically, which is also where I’m from. But they happen to be the, FBI cell for Lazarus Group. And I’m like, hey. Look.
What’s been going on with these folks recently? And so the ability to take public and private sector, put that together in order to help heal an organization that’s experiencing a compromise, oh, man. That’s so amazing to be able to do. And I and I think that the military has has been one of the most specific things that allowed me, to have that opportunity, which is amazing.
Matthew, I have to tell you, just in that answer, it sounds so cool. I mean, you sound like an episode of JAG, but just a different cybersecurity slam. So I can’t wait to dive further into all of your knowledge. So I want to ask you this, Where do you see the biggest blind spots in hybrid or cloud infrastructure when it comes to vulnerability risk and then operational exposure?
Absolutely. So I think that the blind spots in in, say, hybrid and cloud infrastructure and environments is is quite interesting because we’ve got the traditional blind spots, and then we have the emerging and evolving ones. And the emerging and evolving ones, I think everyone is kind of starting to become aware of in a very significant fashion, but we might be overemphasizing them just a little bit. Specifically, I’m talking about artificial intelligence.
And so if we’re looking at hybrid cloud infrastructure environment, we have a lot of infrastructure as a service that’s being provisioned and built up, and then we’re looking at that as kind of a connective tissue with many large language models as well. And that may or may not be ideal from a security perspective. More importantly, if we’re looking at the development of those, tooling, if you will, vibe coding is starting to become one of the most prominent things in the IT space in general. And so that’s the idea of leveraging artificial intelligence from an agentic perspective to create the code for you based off of the ideas that you have in your head, which is fantastic.
I I’m a I’m I’m a long term developer myself, and recently, I’ve been doing a fair amount of Vibe coding as well. So I I completely understand why developers wanna do that. But from a security perspective, the amount of horror that I experience just living in that that, like, zone, if you will, and then seeing how artificial intelligence might create code and create vulnerability simultaneously, I think that this, particularly, if we’re talking about, serverless cloud environments and development in serverless cloud environments because the, the continuous integration and continuous development pipeline is so tight that I feel like there’s going to be the amount of opportunity for exposure, particularly business logic flaws, very quickly in this space right now because of AI and because of how we’re doing development in the AI space.
We’re starting to see problems where development and infrastructure as code intersect. And I feel like that intersectionality itself is rather dangerous because we’re talking about operating system level vulnerabilities. And from an organizational perspective, this could legitimately take companies and put them out of business.
And the biggest thing here is to be prepared. I mean, we’re having this conversation to inform people about what they need to know, what they need to do. So you have worked across both offensive and defensive security. How can IT operations teams adopt a more proactive mindset without becoming full blown security teams?
Absolutely. Well, I’m not entirely sure that teams can adopt the mindset without also incorporating significant amount of information security into their lexicon of how they think about things. So I think that IT teams today really need to try to focus on becoming a hybridized from both a availability, development, IT, support perspective, and then also the operational side of cybersecurity where we have to deal with the effects of the work that we are supporting in IT in the first place. So I think the teams, like, from the very most basic perspective, I think that teams need to start growing because information security is everyone’s responsibility, and IT teams are at the ground level of that.
If we’re able to incorporate a just a little bit, I I’m a big fan of the I of the eighty twenty rule. And so the idea there is that you get eighty percent of the value with twenty percent of the effort. I think that the missing component for IT teams today is the twenty percent of information security effort. Because if we do that, we’re gonna get eighty percent of that value.
And I think that the organizations that have been able to incorporate something of an integration between IT and information security are not only the most secure, but they’re the ones that are able to iterate continuously and keep up with the emerging security, conversation.
Working together is so key with all of this. How should should IT and security teams collaborate when assessing the operational risks of infrastructure, misconfigurations, or untracked assets?
Absolutely. I think that’s a great question. So the thing is, triage.
If we think about it from a medical perspective and coming from a military background, triage is the way that I’ve lived and breathed it for way too long. But the idea there at the end of the day is that we need to prioritize what needs to get changed or adjusted. And so I think that if we’re looking at most organizations from a cybersecurity perspective, particularly if we look at it from a vulnerability management lens, is that we tend to look at this and focus from a, like, a task based perspective where maybe you have a thousand things that we wanna remediate, and then we go from the top to the bottom.
One, two, three, four. By the numbers. We try to fix things. And, unfortunately, that’s not necessarily the right way to do it because remediation is really difficult, and full remediation, like fixing problems, is generally speaking not necessary.
And so if we look at last year, for example, last year had about forty two thousand unique CVEs, common vulnerabilities and exposures, that came out. But if we think about it, there’s no adversary on the planet. Right? There’s nobody in their right mind that’s gonna be picking up forty two thousand new techniques per annum in order to exploit your environment.
And so the real question is, which of those forty two thousand really matter? And the answer is about twenty per year. Which are those twenty? It depends a little bit on your organization, but twenty is a lot more accessible than forty plus thousand.
And I think that most organizations today really need to focus in on what their twenty look like per year as opposed to trying to fix everything.
As a follow-up to that, what would you say are some of the most common infrastructure layer vulnerabilities that red teams uncover, and then how can they be addressed without having major overhauls here?
I love that question.
So I think that major overhauls could theoretically be necessary, but I also don’t necessarily know that that’s true for most organizations.
I would say that for most organizations, it’s all about going back to the basics.
Passwords are a really big problem. Can we get away from passwords, and can we get away from passwords for infrastructure-level access? If we look at the Colonial Pipeline breach, I think that’s a very poignant one to identify because the attackers logged in with a password that was reused on another site on the Internet completely unrelated to the organization that got compromised. So, effectively, the attackers went online, got some information, and used it to directly log in and compromise this major oil pipeline in the United States of America, causing a geopolitical incident.
That kind of thing should never be allowed to happen. Both we should have layered defenses, so we call this defense in depth, that should help to alleviate the problem of a single point of failure. But, secondarily, vulnerabilities are much bigger than a lot of folks identify because we tend to look at vulnerabilities as if they were just straight-up bugs, but they’re often just configuration flaws too. Are we looking for those?
Are we evaluating the configuration flaws? Are we doing, let’s say, offensive services like penetration testing that should be able to identify these vulnerabilities and tell us that we should respond before an adversary exploits us?
As organizations more and more scale cloud and data center environments, what is one foundational security control or practice that you believe gets overlooked? Because there are a lot of moving parts here. There are a lot of steps to be taken, but if you could designate one thing that we really should be extra aware of.
Easiest question ever. So this one, credential management. Kind of coming back to the previous section, right, where we’re talking about adversaries using the tools that are meant to, administer systems and log in to systems, control them, but using them against us. With Colonial Pipeline breach, it was all about credential management.
The, the individual that they were able to exploit and gain access to the environment via didn’t even work at Colonial anymore at that time, which is to say that account should have been deprovisioned. If we were doing proper credential management, that could help. I think this is even more important if we’re looking at it from a cloud specific perspective though. Because if we’re talking about the cloud, the cloud is all about authentication.
It’s all about how one thing communicates with another thing and validates that it is the thing that is allowed to communicate with said other thing. And how do we manage that? Do we manage credentials with a secrets vault like an HSM? Do we use HashiCorp?
Are we having an actual identity access management component to our cloud infrastructure provisioning? And what is exposed to the world versus what is internal that is accessible? Do we check out credentials? These kinds of things.
I think that that is the most important component of the cloud. Because if we look at cloud based security, we’re talking about modern ecosystems of, technical controls. Right? So we’re talking about modern code.
We’re talking about modern implementations. If we’re talking about a cloud infrastructure, we are, generally speaking, not talking about things that are twenty years old and that were created and set and forgotten about twenty years ago. We’re talking about modern stuff, which is good. From a security perspective, that gives us a lot of just core resiliency.
But then the question becomes not about vulnerabilities that are in the infrastructure that we’re building stuff upon, but are more related to how we use that infrastructure itself, configuration, essentially.
There’s a big learning curve here. I mean, obviously, things are just changing so rapidly. So how are red team methodologies evolving to account for today’s dynamic infrastructure from edge environments to multi cloud deployments?
Yeah. You know, as a red teamer myself, I find it to be a really funny question because they’re not.
If we look at red teaming, operations and such in the cloud based perspective, we’re still doing the same thing that we did in the past. So cloud equals opportunity. In fact, one of the things that I love about the cloud is that we can really fundamentally define, what its differentiation is versus on prem. So, like, if we’re looking at on prem environments, in order to start attacking them, you gotta get on prem.
Right? Like, you gotta get in there in order to start exploiting around. But one of the interesting parts about the cloud is that if we’re looking at a threat, a threat is a confluence of opportunity to attack, hostile intent, and availability, if you will. And so, essentially, the opportunity is default when we talk about the cloud because it’s just exposed to the Internet.
And so now you’ve got everyone and their mother attacking your infrastructure because we’re leveraging the cloud. So we have a higher level of resiliency as a requirement, like, as a core requirement. We’re talking about cloud infrastructure versus on prem. Fortunately for us, most of that resiliency is also built in directly to things like Azure or AWS.
And so as a result, we don’t necessarily have a huge amount of additional controls that we need to do directly, and I’ll give you a direct example of this. So, in the most traditional sense, we might have Microsoft Exchange on prem, and so we’re managing our own email. That means that we have to patch this email server, and we better make sure that we patch the email server and keep that sucker up to date because there are constantly vulnerabilities for Microsoft Exchange. If we’re using O365 and Microsoft in the cloud, we effectively transfer that risk to Microsoft and that responsibility as well. And so we’re less required to deal with that kind of issue, because we’ve, again, we’ve transferred it to somebody else as their responsibility.
As we are wrapping up here, what’s one thing you wish every CIO or IT operations leader understood about the role of cybersecurity in infrastructure reliability?
Absolutely.
I think that when we’re looking at, CIOs and such inside of major enterprises, one of the biggest problems is recognizing that cybersecurity is intrinsic. So bugs, for example, are bugs. Like, if we’re developing new software or developing new tools, implementing new features or software, maybe third party tools into our environment, what we’re effectively doing is we’re increasing the attack surface. Now there’s nothing wrong with that. There’s a trade off there from a security perspective versus the usability of the environment perspective, and I, as a cybersecurity person, am always in the category of improving usability.
Forget about cybersecurity. I almost don’t even care. But and here’s a big but.
Maybe we shouldn’t let accessibility ruin the ability to access said accessibility if a negative event were to occur. Right? So what we’re really talking about with cybersecurity is taking the things that we want to have and making sure those things are resilient and that they’re going to work in perpetuity and not work against us. I think that when we look at CIOs today, they tend to look at, say, bugs in software and say, this is a bug that’s going to prevent our customer base from using the thing.
Guess what cybersecurity bugs are? They’re the same exact thing. They’re vulnerabilities that might prevent the customer base from being able to use the software and tooling that we have designed and that we have intended to, and they might even have additional reputational risk that’s actualizable if we were to get defaced or hacked or anything of the sort. So if we were to treat bugs like bugs, cybersecurity bugs, software bugs, you name it, if we were to treat them kind of in the same way, we would end up with a better situation.
And to kind of bring that all the way into full, like, scope, I think that looking at it from a vulnerability management perspective is extremely key. If you think about it, vulnerabilities exist. They are going to just by default to the fact that we have requirements for an organization and that there could be downsides. Guess what a downside is? That’s a vulnerability.
If we understand that, we can actually evaluate the vulnerability life cycle within organizations. And for many organizations, the vulnerability life cycle is just something that they have, but they haven’t evaluated whatsoever. So you get something new that comes in, you process it, and then, hopefully, you make that vulnerability exit the program at some point in the future. But a lot of organizations, kind of do this organically. I mean, most organizations, frankly, do this organically. The organizations that have a process to take in problems, process them in a significant standardized way and triage those, and then deal with the ones that come up on top and matter the most are the organizations today that tend to be the most resilient and secure against the emerging attacks that we tend to see.
Any final thoughts here, Matthew?
Absolutely. So final thoughts.
Look at your you look at your programs. Your programs exist for a reason. They’re there to keep you safe. They’re there to keep you on top.
And evaluating the program itself to determine, does it have those three phases, vulnerability discovery, vulnerability processing, and vulnerability exit, remediation is the standard exit for that, if you’re treating everything the same. And here’s an example of where a lot of organizations are not. We might find vulnerabilities with our vulnerability scanners, process them in a certain way. Oh, that was a hard word.
And, alternatively, we might actually find vulnerabilities because we have a third party penetration tester come in, but we process them in a different way. Look. At the end of the day, bugs are bugs. Vulnerabilities are vulnerabilities.
And for our environment, we should treat them the same, and we should address them with, hopefully, a fair amount of velocity. I’ll leave you with this last little idea. So last year, for the second time in the last three years, we had a study from, Rapid7. They’re a major vulnerability, scanning organization.
And what they found was that over fifty percent, fifty three percent last year specifically, of mass compromise events were actually accomplished by single vulnerabilities that were zero day at the time. What that effectively means is we didn’t know about the vulnerability until it hit us. That’s unfortunate.
However, the organizations that experienced real compromise didn’t have layered defenses.
It turns out that today, the agility of adversaries is rapidly increasing, and so the velocity of our defenses needs to be commensurately upgraded. And so if anyone’s got further questions on this, I like to make myself super available. What folks might not realize is that I’m an educator. I used to work for the SANS Institute.
I used to teach for the US Air Force, and now I even teach for myself. But at the end of the day, what I’m very specifically passionate about is sharing information about information security. And so if you if you’ve got any questions about that kind of thing or if you’d like to have a follow-up conversation, I would be more than happy to to host it. I’ve been on, Twitter for far too long, at osmosis, which is my cybersecurity hacker handle, handles when you choose them as fourteen year olds, generally don’t live up to the expectations.
And so mine has certainly done that. But, but yeah. No. I I’d be very happy to have conversations with folks in the future about, cybersecurity implications, how we can grow things, and how resiliency is really possible for the rest of us.
I also run a Discord server to that effect, and, we have conversations. I think the Discord server is over three thousand members to it now. So we have conversations about vulnerability assessment, vulnerabilities themselves all the time. There was a recent vulnerability that came out for a Next.js application that kinda took the world by storm, and, we had a long conversation to talk about that. And so for the organizations who were very specifically trying to patch and fix the vulnerability, it was useful for them to be able to understand what the impact might look like, so then be able to triage that. I’m happy to facilitate that kind of conversation, and we do it on a week to week basis.
Matthew Toussaint, a founder of Open Security, thank you so much for your time. Appreciate you being here for the Hitchhiker’s Guide to IT. No doubt I have learned a lot, and I’m sure people wanna learn even more. So thank you for providing the resources there. Thank you for being with us today. Appreciate your time.
My absolute pleasure. This was ridiculously fun. I would love to do it again.
Yeah. I had a great time as well, Matthew. Thank you for being here. And I wanna thank all of you for tuning in and listening to the Hitchhiker’s Guide to IT.
If you found today’s discussion helpful, be sure to subscribe so you can hear more interesting conversations like the one you heard today. I’m your host, Michelle Dawn Mooney. Thanks again for joining us. We hope to connect with you on another podcast soon.