The Southern Fried Security Podcast
Join Andy Willingham, Martin Fisher, Steve Ragan, Yvette Johnson, and Joseph Sokoly as they discuss information security and news, and interview interesting people. Get in the discussion at

Today's Topic: Security Waste - Buying new tools without maximizing use of current tool set

It’s not just a security problem but we often add to our arsenal without fully (or even mostly) utilizing the tools that we do have.

Problems associated with this are:

  • More complexity in your environment
  • Needing more staff or requiring current staff to stretch themselves thin to support differing tools
  • Increased cost (capital, operational, support)
  • Information overload - even with a SIEM more data requires more analysis
    • Increased chance of missing key events
    • Increased false positives
  • What am I missing?


How do we work through this when you’re not the decision maker?

  • “Operational Excellence” - Martin’s story


How do we work with our vendors to ensure that we are leveraging their tools without overdependence on one tool or vendor?

Direct download: SFS_Podcast_Ep_-_192.mp3
Category:podcasts -- posted at: 9:02pm EDT

The Southern Fried Security Podcast - Episode 191 - Gone Phishin’


Phishing your employees - Does it make them aware or do they feel mistrusted?


  1. Intro - Phishing - what is it typically?
    1. Example - Emails from a Prince in Nigeria, phished on, etc.
    2. What is it? An email designed to get employees to click on suspicious links or give their credentials
    3. Discuss what I designed as part of my phishing campaign - Partnered with trusted vendor
    4. Designed an email, Google Doc, supplied AD user list, launch
    5. Stats from our phishing campaign
    6. How Gmail caught it and started dumping the emails into spam but some employees even went into spam and clicked (RSA breach!)
    7. Employees used Slack to warn others. Can you avoid neighbors leaning over the cube telling each other? Is this when “see something, say something?” becomes a good thing? How to get employees to follow it?
  2. What about when you phish your employees to improve security?
    1. How often?
    2. Do you target specific areas you know are susceptible (e.g. Marketing, Finance)?
    3. What about Engineering? How do you trick them?
  3. What are the benefits of a targeted phishing campaign?
    1. Start with education first. Then to sanctions.
    2. Use to teach - not ridicule.
    3. C-Levels *have* to be part of it.
  4. How do you prevent employees from feeling that Security doesn’t trust them?
  5. People are still the weak link! Solutions and hardware can’t prevent that one user from clicking on a link that creates havoc for the company.
    1. We blow holes in security to allow phishing email through. What if the vendor gets compromised?
  6. Downsides?

Direct download: SFS_Podcast_-_Episode_191.mp3
Category:general -- posted at: 6:55pm EDT