January 3, 2023 • 30 mins
In this episode, Eveline Oehrlich is joined by Brian Smith to discuss the importance of humans in cybersecurity.
Brian is a computer scientist and veteran entrepreneur with 30 years of experience ranging from academics to startups, from multimedia to computer security. Passion and skill for innovation and for defining and solving difficult and challenging problems at the intersection of technology and market needs that unlock massive value for customers and investors.
Enjoy the Humans of DevOps Podcast? We’re incredibly grateful to be voted one of the Best 25 DevOps Podcasts by Feedspot.
Want access to more DevOps-focused content and learning? When you join SKILup IT Learning you gain the tools, resources and knowledge to help your organization adapt and respond to the challenges of today.
Have questions, feedback or just want to chat about the podcast? Send us an email at podcast@devopsinstitute.com
Brian is a computer scientist and veteran entrepreneur with 30 years of experience ranging from academics to startups, from multimedia to computer security. Passion and skill for innovation and for defining and solving difficult and challenging problems at the intersection of technology and market needs that unlock massive value for customers and investors.
Enjoy the Humans of DevOps Podcast? We’re incredibly grateful to be voted one of the Best 25 DevOps Podcasts by Feedspot.
Want access to more DevOps-focused content and learning? When you join SKILup IT Learning you gain the tools, resources and knowledge to help your organization adapt and respond to the challenges of today.
Have questions, feedback or just want to chat about the podcast? Send us an email at podcast@devopsinstitute.com
Mark as Played
Transcript
Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Narrator (00:02):
You're listening to the Humans of DevOps Podcast, a
podcast focused on advancing thehumans of DevOps through skills,
knowledge, ideas and learning,or the SKIL Framework.
Brian Smith (00:17):
In a lot of companies they see the CISOs.
They were doing all this, butthere's this DevOps group over
here, and I'm not quite surewhat they're doing, I fully
understand it and so bridgingthat gap, I think is sort of
where a lot of companies arefairly immature.
Eveline Oehrlich (00:34):
Hello, all this is Eveline Oehrlich, Chief
Research Officer at DevOpsInstitute, and this is the
Humans of DevOps Podcast. We areexcited to have a wonderful
gentleman with us today, BrianSmith. But before I introduce
Brian, to you, the title of ourepisode today is the Importance
(00:54):
of Humans in Cybersecurity. Asyou all know, we're focusing
much on the human angle withinDevOps and and the greater
topic. So welcome, Brian. Hello,there.
Brian Smith (01:07):
Hi, It's great to be here. Thanks for Thanks for
having me.
Eveline Oehrlich (01:11):
Thanks for taking the time out of your busy
day to come to us and speak withus and me quizzing you on a
variety of things. So let me, toour audience, introduce Brian a
little bit here. There's a lotof things I will read because I
cannot remember them all. SoBrian Smith is a 20 year
veteran, an entrepreneur inmultimedia, cybersecurity, and
(01:34):
technologies alike. He is cofounder and CTO at Spyderbat, an
automated runtime securityplatform, we'll talk a little
bit about Spyderbat in a minute.spider bit Just quickly, stops
attacks and automates root causeanalysis on cloud native
environments by proactivelyrecording cloud systems and
(01:55):
container activities into aliving Google Map. That sounds
very intriguing. So Brian hassome background here and
technologies in 2000, Brianfounded in conjunction with
somebody else, tipping pointtechnologies, which was acquired
by three come. Then in 2009. Hefounded click Security acquired
(02:17):
by alert logic. I remember thoseguys, that's exactly the time
when I was thinking about goinginto security, but I stayed in
doing infrastructure andoperations at my former company.
Brian has a PhD in ComputerScience from the University of
California at Berkeley, and in1994, and was the Xerox
Professor of Computer Science atCornell University until 1998.
(02:39):
I'm sure maybe there are someformer students of yours, Brian,
who are listening in wouldn'tthat be super? And he holds 13.
One three patents and is afellow of the Alfred P. Sloan
Foundation. Fantastic. Thisreads wonderful, Brian, we're
excited to have you here. Myfirst question, I have to ask
(03:03):
this Spyderbat. That's quite aname of a company. So first, how
did you come up with this name?And second, tell us a little bit
more about Spyderbat?
Brian Smith (03:12):
Yeah, so when you this is like you said, this is
my kind of my third startup thatI've done. And when you are
coming up with names forstartups, there's couple of
considerations. One is you wantit to be memorable. One is it's
it needs to be not too cute ortoo tricky. These names where
you say them and you can neverspell them and say can never
(03:34):
find a website. And so when wewere coming out when we're
talking about names with acompany, we wanted something
that was kind of fun. And we'refrom Austin. So Austin, I don't
know if you know it has this bigbridge that goes across the the
Colorado River, that big lakethere in central Los I have been
there. And it's the CongressAvenue Bridge, and underneath it
(03:57):
has the largest colony of bats,Mexican free tailed bats in the
North America, I believe. Andthey're like the million bats
live under there so often isknown as bats. And the city has
that. So we there's a type ofbat called the spider bat. And
so we decided to have that asthe name but it's spelled SPI D
or that they expire. And so whenwe went to open up our bank
(04:23):
account, we're just gettingstarted. The guy at the bank
misspelled the name with spyder,and we thought well that's
pretty cool. So we we hadn'tactually fired the corporation
documents yet. So we readincorporated under under that
name. And that's it story.
Eveline Oehrlich (04:39):
That is a great story and the banker has
done you a favor by making aspelling mistake. That's a great
story. And at some point youwant it to be instead of you go
Google it you want to say you gospyder batted right. That's kind
of the goal. So when people saylet's go Spyderbat, did what?
What does that mean? In whatwhat? Tell me about this Google
(05:01):
map recording? Tell us myself,of course, I'm curious as I'm an
analyst. Tell us about Spyderbata little bit.
Brian Smith (05:09):
Yeah, we've been, you know, I've been working in
security for for 20 years nowand one of the toughest problems
is, you'll usually get notifiedabout a security incident when
sort of when it goes boom, whensomething goes boom. And then
the tricky problem is trying toroot cause that trying to figure
out what actually happened, doyou have a bunch of
(05:29):
considerations? Like, what is itstill happening? What happened?
What was the impact? How do Ihow do I stop it right now, who
do I need to inform and how toprevent it in the future. And a
lot of that is trying to figureout what happened. And the
problem we have right now is thetraditional way that people do
that is they start going throughthe logs and trying to figure
(05:50):
out, you know, just from fromlog analysis, it's painful. And
a lot of times the data that youneed is not there in a box. But
we looked at that and said, youknow, the, these things are all
just computers running. And soif we could record everything,
build this kind of DVR likecapability of everything good,
(06:10):
bad and different that happened,and then use that data to flag
this is interesting, this isinteresting. This was something
bad happening. Once you have thebad, you could trace back to
root cause where this thingstarted. So we started building
something that could recordeverything that happened like a
DVR for your entire network. Itbuilt this map, we put that raw
(06:35):
data is if you just looked atthe raw data, you'd be kind of
sad. So it built an analyticsystem that turned that into a
amount that you couldunderstand, have a world call a
causal map that for anyinstance, you can say this
caused all this stuff to happen.And this is the stuff that
caused it. And then if you canjust attach a security incident
onto that, then you can go fromthat and say, Okay, this is all
(06:55):
the bad stuff that happened. Asa side effect of that, and work
backwards to this is what causedit. When you have that base
capability, then it's not a longstretch to add in security
content on top of that, thatsays these are bad things
happening. And then pretty easyto add on top of that, well,
let's stop it dead in itstracks. Because what we find is
(07:17):
that when something the averageindustry time at I'm sure you
know this level is that whensomething bad has happened, it's
56 days that they've been inyour network, because the what
they call the dwell time, andthen it's 178 days to actually
inventory everything thathappened and figure out of
(07:37):
investigation time and then 96days to clean it up. That whole
process is this massive manualeffort. And so we by having this
recording, we can really crushthat time.
Eveline Oehrlich (07:49):
So you really reducing MTTR quite
significantly, right. That's,that's I think, to me and
infrastructure and operations,which is what I come from, it
sounds like it is anapplication. It's almost like a
dependency map, right? As wesometimes have application
dependency maps, but with thefocus on what's actually
happening from a securityperspective, which then allows
(08:10):
me as a team member, notnecessarily security, but maybe
others to kind of look at it,where we can collaborate and
say, Hey, here's something andthis is where we need to hone in
and need to do something file.That sounds fantastic. Great. I
love the name spiral badsuperduper. Well, thanks for
sharing that anybody out there?Go check out spinal bad. But
(08:33):
again, I wanted to focus on afew things here. Because when I
started at Forrester, I had acolleague, and I know your
LinkedIn with him a John Kinderbag. I know, you know, John, so
John, dear friend of mine. Hetold me once, Eveline, you know,
you have to remember insecurity,it's not really, it's not really
(08:56):
to technology, it's to humans.It's the people who make the
change. And challenges alwayshave a head and into shoulders.
Right? And I never really, Inever had the chance to do
research with him. But I wasalways intrigued. And I did some
research before this podcast.And there's a couple of
(09:16):
challenges and a couple ofshifts were actually a few
shifts happening. This is fromGartner want to make sure I
shout out to two colleagues,Gartner. And I want to highlight
them quickly. So first of all,this role of the CFO, the chief
information security officer isreshaping. So Gartner saying
it's reshaping from preventingbreaches to facilitating risk
(09:38):
management. So that's verydifferent, a very different
role. second shift is from cyberrisk is a security problem to
cyber risk is a businessproblem. And I think we've seen
that there's multiple headlinesout there, which made to the to
the demise of those. And thenthird, from security being a
road plaque blog to say Speed.Security is actually an Abler of
(10:03):
agile and secure products. Andthat's the one for me in the
DevOps in the DevOps folks,which is, that's a great
statement of shifts. But if youthink about so now, your
question for you, Brian, if youthink about the three shifts,
and think about the clients andyour connections and your
(10:25):
networks, and the folks you talkto and your experience of 20
years, and I don't believe that20 years, I think you'll have
more than that. But we'll leaveit at that. Where are we there?
We will somewhere in these threethings? Are we somewhere at the
beginning? Are we already kindof if we think of a hype cycle,
right, are we somewhere at thebeginning of those things? Are
(10:45):
we somewhere in the middle? Orhave we already matured on to
organizations making theseshifts from that, to that? What
What are your thoughts on that?
Brian Smith (10:56):
Well, I think there's three, there's a lot to
unpack there. But there's,there's from the risk
standpoint, I think that theCISOs have been taking that
attitude for for a fair amountof time. So I think most
companies are fairly mature. AndI think part of that is just,
it's an acknowledgement of justhaving a very pragmatic approach
(11:17):
to it. One way, that the sort ofnotion that you can prevent all
breaches through, you know, somemagic bullet security project or
some magic bullet process is isjust kind of fantasyland.
Honestly, it's the waste I bestway I heard described as imagine
a castle, like a medievalcastle. And so it's got it's out
(11:41):
on a plane, and there are, youknow, hundreds of windows and
hundreds of doors. And it's and,and you're the defender of that,
you have all these differentways that, that an attacker can
come in, and you have to defendevery single possible entry
point. And it's just kind ofthis impossible, impossible
task. So the pragmatic approachis, to certainly shore things
(12:04):
up, you don't want to leave justeverything unlocked. But then
also have, you know, sort ofpatrols and guards and humans in
there that are, that arewatching watching the fortress
and saying, that's a littleweird and being able to
investigate. And so the riskmanagement is focusing on those
areas that give you the mostbang for your buck on those
things. Whereas if a breachhappened here, it doesn't really
(12:26):
matter if a breach happens here,that's really, really bad. And
so the risk is, you know,assessing, assessing that
situation, it's fairly,depending on the organization
fairly mature. The, the agilitypart is really interesting part
to me. Because traditionally,the security opera, you know,
(12:47):
security was a bit of aroadblock. And part of that was
the developers bring in securityas they're the main guys come in
at that the last minute, andthen they're the guys that say,
Hey, wait, we need to make thissecure. And it feels like it
slows things down. And byinvolving them earlier, earlier
in the cycle, which is a lot ofthe ship left stuff, that
opportunities that we've seen,you end up being able to, for
(13:12):
them to become enablers ofhaving things go faster, but
still, we still have to besecure as we deploy these
things. And part of the reasonfor that is just that, if you if
you're not secure, if yourapplication gets popped, you're
gonna have a really bad week, orreally bad month while you try
(13:35):
to, you know, clean up andassess the damage and stuff as
as a developer or developmentmanager, DevOps. So it's all in
all our interest to prevent thatfrom happening also from from
the business standpoint, and Ithink the business side is just
the recognition of, of all thedamage that these things do to
the business. And so it's gottenbored level attention at this
(13:56):
point. So it's not just thesecurity group that says
isolated silo, but it's muchmore on the business side.
Ad (14:04):
Are you looking to get DevOps certified? Demonstrate
your DevOps knowledge andadvance your career with a
certification from DevOpsInstitute, get certified in
DevOps Leader, SRE or DevSECOps, just to name a few. Learn
anywhere, anytime. The choice isyours. Choose to get certified
through our vast partner networkself study programs, or our new
skillup elearning videos. Theexams are developed in
(14:25):
collaboration with industrythought leaders, and subject
matter experts in the DevOpsspace. Learn more at
DevOpsInstitute.com/certifications.
Eveline Oehrlich (14:37):
So I've heard conversations, or I've
overheard, and I've heard at RSAor other places. Now, of course,
most of them might joinvirtually, hopefully soon, I can
go again, we can all travelagain, where I've noticed that
I've actually seen more businesspeople at those conventions and
(14:57):
joining so I an admin Many timesI always wondered, so why is
business not wandering? Inasking it more questions
relative to those types ofthings? What is your what are
your thinking? What's yourthinking on the wise business,
they don't seem to chime up whenthings have happened. And then
they are all worried and now,but they haven't in the past
(15:19):
kind of worried about it.They're just like, Oh, you guys,
techies, you guys got it?
Brian Smith (15:24):
Well, I think I mean, I think there's a couple
different things going on. Oneis, you know, I like the part of
the shift towards pragmatism isthis realization that, it's,
it's really hard to make it makeyourself completely bullet proof
for one of these things. Ifsomeone really wants to go after
you like a nation state, it's,it's very difficult to defend
(15:45):
against that practice, and toprevent the breach. But if you
can have a rapid response to it,then that involves people and
processes and technology. So youwant you have to do a little bit
rehearsal. But that means it'snot just a security only kind of
these guys, the guys in thesecurity group, it really has to
(16:07):
be kind of everyone's business.And the other is that where we
get, you know, a lot of thebreaches come in at is through
exploiting people, honestly,exploiting social engineering
attacks and things like that,which is why companies focus on
training the people is a goodway. One of the one of the many
(16:27):
good ways to prevent breaches,but what I've seen is that, you
know, sort of the, their, thistraditional security group has
been focused on securing sort oflaptops and mobile devices, and
IT systems and things like that.And then as we've moved into
DevOps, and more cloud nativeworld, those are often are,
(16:51):
especially in Kubernetes, thoseare Linux systems. And they're a
little outside of the expertise.So I must have seen these
bifurcation of the securityresponsibility falling on DevOps
dev SEC ops and sre. And thisother group, on the side, LLC,
suicide in the traditional SECops group, sort of managing the
the people and processes overhere, and bridging those two
(17:14):
gaps together, I think is abusiness thing, because it has
it. Otherwise, the two sides,sort of can fight each other.
And in a lot of companies, I seethe CISOs say, We're doing all
this. But there's this DevOpsgroup over here, and I'm not
quite sure what they're doing,and they don't fully understand
it. And so bridging that gap, Ithink, is sort of where a lot of
(17:37):
companies are fairly immature.
Eveline Oehrlich (17:39):
Yeah, I would agree. I would agree with seeing
that in our research. And you'llbe delighted to hear in our
latest upskilling, it 2022 Whichreport is out on our website,
security, and cybersecurity wasthe number one technical skill,
even before even above cloud, sothat, you know, cloud computing
(18:01):
skills and things like that. SoI think that's fantastic. So if
people are out there thinkingabout new careers, whatever
changes you want to makesecurity, cybersecurity is one
of those I wish, I wish I wouldhave followed John, way back
into into this field. And Itried to get my kids into it.
(18:21):
Unfortunately, one is anarchitect, the other one is a
psychologist. So they neverreally got interested in either.
Brian Smith (18:27):
Now, one thing I heard along those lines is there
was my data was from a couple ofyears ago, but at that time,
there were something like half amillion open jobs in
cybersecurity was forecast togrow by 2025 to over a million
open positions. And some of thatis because at least at the time,
and still is the job is somanual. And so one of the ways
(18:52):
we have to look at is automatingit, but not automating it away.
But automating it as inproviding, making the computer
these automated systems,partners with humans that make
the there are force multipliersfor the humans.
Eveline Oehrlich (19:10):
That gets me to my next question, actually,
because there is behaviors andculture, right, which play into
all of that, you know, if Ithink of my family in terms of
their laptops and their devices,I probably could break in easily
to most of them because thepasswords are, I can get them.
(19:30):
But there's also there's morethan just on the client side.
But there's other challenges. Soaround humans and cultural
changes, what have you seen andwhat would what can you suggest
to our listeners, what shouldthey do? What should they look
out for? What advice can yougive folks how to respond and
(19:51):
how to work within thischallenge of helping out in
around organizations and both inIT and business?
Brian Smith (19:59):
Yes. So I, you know, I think, you know, part of
this is what I was saying beforeis that traditionally, this was
viewed as a SEC Ops problem.And so we could kind of
compartmentalize it and saythat's their problem, I'm just
going to focus on what happened.And I think there's this growing
recognition. And this is, thisis a good thing, that it is a
(20:20):
business problem, and so thateveryone has a has a bit of a
role to play, because you don'twant your laptop to be the entry
point for a giant breach of somesort. So some of this is just,
you know, go, if you're aleader, make sure you start
training, have company widetraining on this. Because every
(20:41):
individual should know what thesigns are of someone trying to
trying to break in or trying tofool you. Social engineering is
a big attack. But the the, theother that that sort of, from
the human standpoint, from the,from the, you know, frontline
(21:03):
workers, people and in nontechnical positions, for people
in technical positions, itstarted building those bridges
to the SEC Ops and not treatingthem as the enemy, but kind of
inviting them in to try to tryto work together. And I think a
lot of the problem there is thatwe, we almost talk in different
worlds. And in those things, sofinding ways that we can
(21:26):
communicate with each other sothat we can, the developers, for
example, that are developingapplication can pass along
artifacts to sec ops to say,this is the way I expect my
application to behave. If it'snot behaving, contact me be that
way. Because I want to know,because we're all you know,
DevOps, we're all responsiblefor keeping our piece up and
(21:47):
running, and we know our piecebetter than any anything else in
the world. So I see that kind ofrole of DevOps, if they can
establish those communicationsof this is what my piece is
supposed to be doing. That wouldbe that would be awesome. And
we're kind of working on atabout about, about developing
those artifacts that helpautomate those processes. But
(22:09):
then, in the the other parts ofthe roles are, you know, there's
typically like SRS or more kindof DevSEC Ops, which are
responsible for the fullplatform security, and as
opposed to individual componentsecurities. And so I think all
of those have kind of roles toplay within this. But there's
(22:31):
but it's, it's treating it notas the SEC ops problems, but SEC
Ops being more of a coordinatorof how we how we deal with
responses and sort of bestpractices for longest, and then
facilitating communication andtreat them as a partner.
Eveline Oehrlich (22:47):
I love that when you said coordinator, I
would actually sometimes thinkthat word means different
things. Maybe it's more of anorchestrator. But I think that's
the same idea, right? It's saidorchestration, going out and
bringing those folks togetherbecause many of those folks have
their own roles. And they havetheir own projects and things to
do on a daily on a daily list ona daily the daily tasks.
(23:11):
whenever necessary. I'mresponsible for whatever on call
plus I'm supposed to be alsodoing some development, but
really highlighting that andorchestrating what have we done
now, that makes me think of thisis not something I have any done
any research, but metrics,sometimes. We don't, it seems
like we don't measure the rightthings. We don't incent people
(23:35):
to be reaching out andorchestrating right. Have you
seen any, any specific examplesof organizations who say, Well,
we're going to go and dosomething completely different,
we're going to incent everybodyon doing one security thing a
week, or having little jamsessions or little whatever
those things are calledanything, anything creative.
(23:58):
You've seen on on humans gettingtogether and saying we need to
change something.
Brian Smith (24:03):
You know, the one thing I think about is there's
this this book called ThinkingFast and Slow. Oh, yes. And it's
about, you know, how did thissort of help? There's parts of
our brain where we really engageour brain and our rational
thought, and that's the thinkingslow part. And then there's the,
(24:24):
I don't know, scrolling yoursocial media feed. And that's
the thinking fast part, right?Where you just kind of you're,
you're doing what I think theycall the information scavenging
where you're scrolling throughand just looking around, and
that tends to be based on ourbiological. It's the information
equivalent of our biologicalversion of scavenging for food.
(24:48):
And for us just looking aroundand trying to find pattern
matching. You're saying, Oh,this looks interesting to go get
or this is a threat. And what IThink once you there, one of the
most interesting things istrying to teach people about
that and use it to train thattrain the people not to kind of
(25:11):
just click on things mindlessly,because but actually spend it,
but sort of see the warningsigns, train train them in that
information scavenging to seethe warning signs and say, Well,
that looks like a threat andturn on the slope. And, and, and
and think before they click onthat thing or do that, that I
(25:31):
haven't seen too much in the wayof, you know, kind of what I
what I think about metrics of,you know, sort of dials on
gauges. Yeah, thanks.
Eveline Oehrlich (25:39):
I think there is still there's still some work
to do in this in this notion ofthe safety culture, and shaping
that safety culture, as yousaid, first, just quickly
summarizing, so first, reallynot just sick ops, but really
the DevOps and the other sideof, of security, to bridge
across to the SEC ops folks whodo the normal things, and then
(26:02):
for business to ensure that theyare aware of what's happening,
right. So if we do designthinking, for example, in that
stage, right, if we dodevelopment of products and
projects, that we have thatawareness, and then for us, as
individuals, no matter if we'rein it, and business in whatever,
then we have a safety cultureand start helping ourselves and
(26:24):
training each other and helpingeach other out. So fantastic.
Anything, any other thoughts youwant to share with us?
Brian Smith (26:30):
Yeah, the one other thought is just, you know, in
general, security tends to havethese trends. And one of the
more recent trends was in theship love culture was we would
try to build, get everything tobe invulnerable, before we
actually shifted ship. And thatsort of, I've seen sometimes
Eveline Oehrlich (26:50):
That is that is a that is great advice. I
that sort of great being theenemy of the good in the sense
of, Well, once I do that, Idon't have to monitor anything.
It's sort of like I've builtperfect locks on my house. So I
don't need an alarm system. AndI think that's a not a pragmatic
approach. So I think as we as wego through this evolution
(27:14):
towards, you know, sort ofunderstanding spirit, just try
to be pragmatic about it, don'ttry to vote and the focusing on
risk is a good part of that. Andthe focusing kind of what is
actually happening as opposed towhat theoretically could happen.
Is a good general trend. Andjust don't let the the
(27:38):
perfection over here be theenemy of good.
remember, Diego and myself atForrester talking about shift
left many, many years ago. Ithink we took too much of a
theoretical approach at thetime. So what you just said,
really thinking about that in aprogrammatic way is great advice
to our listeners. Appreciate it.I have one more question has
(28:01):
nothing to do with security.What do you do it? And don't
tell me you're doing securitythings on the weekend. But what
do you do for fun, Brian?
Brian Smith (28:10):
Oh, recently I've gotten into tennis see, I have
two boys. They're they're 18 and21. Now, but my younger son had
gotten really into tennis, fromabout the age of nine. And I
started playing with him. Andthen he rapidly advanced and I
couldn't play with them anymore.So last year, I've been trying
(28:31):
the last three years, I've beenplaying tennis pretty
aggressively to try to get upthe points just so I can play
with my boy.
Eveline Oehrlich (28:38):
That sounds great. Well, maybe there's a
natural Roger Federer justretire. So maybe there was a
Roger Federer out there in oneof your sons, who knows, never
know. Well, Brian, this has beenwonderful. We learned a lot.
This was great meeting you greatchatting with you. And thanks
for your time always interestedin few points from the other
(29:01):
groups such as security. Iffolks want to learn more about
your spider bat company, I guessit's easy to find, but anything
else you want to point out toany white papers, any other
things?
Brian Smith (29:16):
No, just it's one thing in I guess the one thing I
doubt in Spyderbat is that it'sgot a free mode. So one of the
things that's always annoyed meabout companies is where they
you have to talk to a sales guyand sign away things I want
people just to try it,experience it. And then if it
turns out to be useful for you,let's talk but just getting
(29:38):
feedback is always good.
Eveline Oehrlich (29:40):
Excellent and as an analyst I approve that
because that's exactly what werecommend to our vendors. Super.
Thank you Brian this waswonderful. Enjoy your upcoming
day for me. I will enjoy therest of my day as well and
everybody else here listeninginto this is Eveline Oehrlichm
Chief Research Officer DevOpsInstitute with Brian Smith from
(30:01):
Spyderbat. Thank you, Brian.Have a great day everybody out
there. Thank you.
Narrator (30:08):
Thanks for listening to this episode of the Humans of
DevOps Podcast. Don't forget tojoin our global community to get
access to even more greatresources like this. Until next
time, remember, you are part ofsomething bigger than yourself.
You belong.
You're listening to the Humans of DevOps Podcast, a
podcast focused on advancing thehumans of DevOps through skills,
knowledge, ideas and learning,or the SKIL Framework.
Brian Smith (00:17):
In a lot of companies they see the CISOs.
They were doing all this, butthere's this DevOps group over
here, and I'm not quite surewhat they're doing, I fully
understand it and so bridgingthat gap, I think is sort of
where a lot of companies arefairly immature.
Eveline Oehrlich (00:34):
Hello, all this is Eveline Oehrlich, Chief
Research Officer at DevOpsInstitute, and this is the
Humans of DevOps Podcast. We areexcited to have a wonderful
gentleman with us today, BrianSmith. But before I introduce
Brian, to you, the title of ourepisode today is the Importance
(00:54):
of Humans in Cybersecurity. Asyou all know, we're focusing
much on the human angle withinDevOps and and the greater
topic. So welcome, Brian. Hello,there.
Brian Smith (01:07):
Hi, It's great to be here. Thanks for Thanks for
having me.
Eveline Oehrlich (01:11):
Thanks for taking the time out of your busy
day to come to us and speak withus and me quizzing you on a
variety of things. So let me, toour audience, introduce Brian a
little bit here. There's a lotof things I will read because I
cannot remember them all. SoBrian Smith is a 20 year
veteran, an entrepreneur inmultimedia, cybersecurity, and
(01:34):
technologies alike. He is cofounder and CTO at Spyderbat, an
automated runtime securityplatform, we'll talk a little
bit about Spyderbat in a minute.spider bit Just quickly, stops
attacks and automates root causeanalysis on cloud native
environments by proactivelyrecording cloud systems and
(01:55):
container activities into aliving Google Map. That sounds
very intriguing. So Brian hassome background here and
technologies in 2000, Brianfounded in conjunction with
somebody else, tipping pointtechnologies, which was acquired
by three come. Then in 2009. Hefounded click Security acquired
(02:17):
by alert logic. I remember thoseguys, that's exactly the time
when I was thinking about goinginto security, but I stayed in
doing infrastructure andoperations at my former company.
Brian has a PhD in ComputerScience from the University of
California at Berkeley, and in1994, and was the Xerox
Professor of Computer Science atCornell University until 1998.
(02:39):
I'm sure maybe there are someformer students of yours, Brian,
who are listening in wouldn'tthat be super? And he holds 13.
One three patents and is afellow of the Alfred P. Sloan
Foundation. Fantastic. Thisreads wonderful, Brian, we're
excited to have you here. Myfirst question, I have to ask
(03:03):
this Spyderbat. That's quite aname of a company. So first, how
did you come up with this name?And second, tell us a little bit
more about Spyderbat?
Brian Smith (03:12):
Yeah, so when you this is like you said, this is
my kind of my third startup thatI've done. And when you are
coming up with names forstartups, there's couple of
considerations. One is you wantit to be memorable. One is it's
it needs to be not too cute ortoo tricky. These names where
you say them and you can neverspell them and say can never
(03:34):
find a website. And so when wewere coming out when we're
talking about names with acompany, we wanted something
that was kind of fun. And we'refrom Austin. So Austin, I don't
know if you know it has this bigbridge that goes across the the
Colorado River, that big lakethere in central Los I have been
there. And it's the CongressAvenue Bridge, and underneath it
(03:57):
has the largest colony of bats,Mexican free tailed bats in the
North America, I believe. Andthey're like the million bats
live under there so often isknown as bats. And the city has
that. So we there's a type ofbat called the spider bat. And
so we decided to have that asthe name but it's spelled SPI D
or that they expire. And so whenwe went to open up our bank
(04:23):
account, we're just gettingstarted. The guy at the bank
misspelled the name with spyder,and we thought well that's
pretty cool. So we we hadn'tactually fired the corporation
documents yet. So we readincorporated under under that
name. And that's it story.
Eveline Oehrlich (04:39):
That is a great story and the banker has
done you a favor by making aspelling mistake. That's a great
story. And at some point youwant it to be instead of you go
Google it you want to say you gospyder batted right. That's kind
of the goal. So when people saylet's go Spyderbat, did what?
What does that mean? In whatwhat? Tell me about this Google
(05:01):
map recording? Tell us myself,of course, I'm curious as I'm an
analyst. Tell us about Spyderbata little bit.
Brian Smith (05:09):
Yeah, we've been, you know, I've been working in
security for for 20 years nowand one of the toughest problems
is, you'll usually get notifiedabout a security incident when
sort of when it goes boom, whensomething goes boom. And then
the tricky problem is trying toroot cause that trying to figure
out what actually happened, doyou have a bunch of
(05:29):
considerations? Like, what is itstill happening? What happened?
What was the impact? How do Ihow do I stop it right now, who
do I need to inform and how toprevent it in the future. And a
lot of that is trying to figureout what happened. And the
problem we have right now is thetraditional way that people do
that is they start going throughthe logs and trying to figure
(05:50):
out, you know, just from fromlog analysis, it's painful. And
a lot of times the data that youneed is not there in a box. But
we looked at that and said, youknow, the, these things are all
just computers running. And soif we could record everything,
build this kind of DVR likecapability of everything good,
(06:10):
bad and different that happened,and then use that data to flag
this is interesting, this isinteresting. This was something
bad happening. Once you have thebad, you could trace back to
root cause where this thingstarted. So we started building
something that could recordeverything that happened like a
DVR for your entire network. Itbuilt this map, we put that raw
(06:35):
data is if you just looked atthe raw data, you'd be kind of
sad. So it built an analyticsystem that turned that into a
amount that you couldunderstand, have a world call a
causal map that for anyinstance, you can say this
caused all this stuff to happen.And this is the stuff that
caused it. And then if you canjust attach a security incident
onto that, then you can go fromthat and say, Okay, this is all
(06:55):
the bad stuff that happened. Asa side effect of that, and work
backwards to this is what causedit. When you have that base
capability, then it's not a longstretch to add in security
content on top of that, thatsays these are bad things
happening. And then pretty easyto add on top of that, well,
let's stop it dead in itstracks. Because what we find is
(07:17):
that when something the averageindustry time at I'm sure you
know this level is that whensomething bad has happened, it's
56 days that they've been inyour network, because the what
they call the dwell time, andthen it's 178 days to actually
inventory everything thathappened and figure out of
(07:37):
investigation time and then 96days to clean it up. That whole
process is this massive manualeffort. And so we by having this
recording, we can really crushthat time.
Eveline Oehrlich (07:49):
So you really reducing MTTR quite
significantly, right. That's,that's I think, to me and
infrastructure and operations,which is what I come from, it
sounds like it is anapplication. It's almost like a
dependency map, right? As wesometimes have application
dependency maps, but with thefocus on what's actually
happening from a securityperspective, which then allows
(08:10):
me as a team member, notnecessarily security, but maybe
others to kind of look at it,where we can collaborate and
say, Hey, here's something andthis is where we need to hone in
and need to do something file.That sounds fantastic. Great. I
love the name spiral badsuperduper. Well, thanks for
sharing that anybody out there?Go check out spinal bad. But
(08:33):
again, I wanted to focus on afew things here. Because when I
started at Forrester, I had acolleague, and I know your
LinkedIn with him a John Kinderbag. I know, you know, John, so
John, dear friend of mine. Hetold me once, Eveline, you know,
you have to remember insecurity,it's not really, it's not really
(08:56):
to technology, it's to humans.It's the people who make the
change. And challenges alwayshave a head and into shoulders.
Right? And I never really, Inever had the chance to do
research with him. But I wasalways intrigued. And I did some
research before this podcast.And there's a couple of
(09:16):
challenges and a couple ofshifts were actually a few
shifts happening. This is fromGartner want to make sure I
shout out to two colleagues,Gartner. And I want to highlight
them quickly. So first of all,this role of the CFO, the chief
information security officer isreshaping. So Gartner saying
it's reshaping from preventingbreaches to facilitating risk
(09:38):
management. So that's verydifferent, a very different
role. second shift is from cyberrisk is a security problem to
cyber risk is a businessproblem. And I think we've seen
that there's multiple headlinesout there, which made to the to
the demise of those. And thenthird, from security being a
road plaque blog to say Speed.Security is actually an Abler of
(10:03):
agile and secure products. Andthat's the one for me in the
DevOps in the DevOps folks,which is, that's a great
statement of shifts. But if youthink about so now, your
question for you, Brian, if youthink about the three shifts,
and think about the clients andyour connections and your
(10:25):
networks, and the folks you talkto and your experience of 20
years, and I don't believe that20 years, I think you'll have
more than that. But we'll leaveit at that. Where are we there?
We will somewhere in these threethings? Are we somewhere at the
beginning? Are we already kindof if we think of a hype cycle,
right, are we somewhere at thebeginning of those things? Are
(10:45):
we somewhere in the middle? Orhave we already matured on to
organizations making theseshifts from that, to that? What
What are your thoughts on that?
Brian Smith (10:56):
Well, I think there's three, there's a lot to
unpack there. But there's,there's from the risk
standpoint, I think that theCISOs have been taking that
attitude for for a fair amountof time. So I think most
companies are fairly mature. AndI think part of that is just,
it's an acknowledgement of justhaving a very pragmatic approach
(11:17):
to it. One way, that the sort ofnotion that you can prevent all
breaches through, you know, somemagic bullet security project or
some magic bullet process is isjust kind of fantasyland.
Honestly, it's the waste I bestway I heard described as imagine
a castle, like a medievalcastle. And so it's got it's out
(11:41):
on a plane, and there are, youknow, hundreds of windows and
hundreds of doors. And it's and,and you're the defender of that,
you have all these differentways that, that an attacker can
come in, and you have to defendevery single possible entry
point. And it's just kind ofthis impossible, impossible
task. So the pragmatic approachis, to certainly shore things
(12:04):
up, you don't want to leave justeverything unlocked. But then
also have, you know, sort ofpatrols and guards and humans in
there that are, that arewatching watching the fortress
and saying, that's a littleweird and being able to
investigate. And so the riskmanagement is focusing on those
areas that give you the mostbang for your buck on those
things. Whereas if a breachhappened here, it doesn't really
(12:26):
matter if a breach happens here,that's really, really bad. And
so the risk is, you know,assessing, assessing that
situation, it's fairly,depending on the organization
fairly mature. The, the agilitypart is really interesting part
to me. Because traditionally,the security opera, you know,
(12:47):
security was a bit of aroadblock. And part of that was
the developers bring in securityas they're the main guys come in
at that the last minute, andthen they're the guys that say,
Hey, wait, we need to make thissecure. And it feels like it
slows things down. And byinvolving them earlier, earlier
in the cycle, which is a lot ofthe ship left stuff, that
opportunities that we've seen,you end up being able to, for
(13:12):
them to become enablers ofhaving things go faster, but
still, we still have to besecure as we deploy these
things. And part of the reasonfor that is just that, if you if
you're not secure, if yourapplication gets popped, you're
gonna have a really bad week, orreally bad month while you try
(13:35):
to, you know, clean up andassess the damage and stuff as
as a developer or developmentmanager, DevOps. So it's all in
all our interest to prevent thatfrom happening also from from
the business standpoint, and Ithink the business side is just
the recognition of, of all thedamage that these things do to
the business. And so it's gottenbored level attention at this
(13:56):
point. So it's not just thesecurity group that says
isolated silo, but it's muchmore on the business side.
Ad (14:04):
Are you looking to get DevOps certified? Demonstrate
your DevOps knowledge andadvance your career with a
certification from DevOpsInstitute, get certified in
DevOps Leader, SRE or DevSECOps, just to name a few. Learn
anywhere, anytime. The choice isyours. Choose to get certified
through our vast partner networkself study programs, or our new
skillup elearning videos. Theexams are developed in
(14:25):
collaboration with industrythought leaders, and subject
matter experts in the DevOpsspace. Learn more at
DevOpsInstitute.com/certifications.
Eveline Oehrlich (14:37):
So I've heard conversations, or I've
overheard, and I've heard at RSAor other places. Now, of course,
most of them might joinvirtually, hopefully soon, I can
go again, we can all travelagain, where I've noticed that
I've actually seen more businesspeople at those conventions and
(14:57):
joining so I an admin Many timesI always wondered, so why is
business not wandering? Inasking it more questions
relative to those types ofthings? What is your what are
your thinking? What's yourthinking on the wise business,
they don't seem to chime up whenthings have happened. And then
they are all worried and now,but they haven't in the past
(15:19):
kind of worried about it.They're just like, Oh, you guys,
techies, you guys got it?
Brian Smith (15:24):
Well, I think I mean, I think there's a couple
different things going on. Oneis, you know, I like the part of
the shift towards pragmatism isthis realization that, it's,
it's really hard to make it makeyourself completely bullet proof
for one of these things. Ifsomeone really wants to go after
you like a nation state, it's,it's very difficult to defend
(15:45):
against that practice, and toprevent the breach. But if you
can have a rapid response to it,then that involves people and
processes and technology. So youwant you have to do a little bit
rehearsal. But that means it'snot just a security only kind of
these guys, the guys in thesecurity group, it really has to
(16:07):
be kind of everyone's business.And the other is that where we
get, you know, a lot of thebreaches come in at is through
exploiting people, honestly,exploiting social engineering
attacks and things like that,which is why companies focus on
training the people is a goodway. One of the one of the many
(16:27):
good ways to prevent breaches,but what I've seen is that, you
know, sort of the, their, thistraditional security group has
been focused on securing sort oflaptops and mobile devices, and
IT systems and things like that.And then as we've moved into
DevOps, and more cloud nativeworld, those are often are,
(16:51):
especially in Kubernetes, thoseare Linux systems. And they're a
little outside of the expertise.So I must have seen these
bifurcation of the securityresponsibility falling on DevOps
dev SEC ops and sre. And thisother group, on the side, LLC,
suicide in the traditional SECops group, sort of managing the
the people and processes overhere, and bridging those two
(17:14):
gaps together, I think is abusiness thing, because it has
it. Otherwise, the two sides,sort of can fight each other.
And in a lot of companies, I seethe CISOs say, We're doing all
this. But there's this DevOpsgroup over here, and I'm not
quite sure what they're doing,and they don't fully understand
it. And so bridging that gap, Ithink, is sort of where a lot of
(17:37):
companies are fairly immature.
Eveline Oehrlich (17:39):
Yeah, I would agree. I would agree with seeing
that in our research. And you'llbe delighted to hear in our
latest upskilling, it 2022 Whichreport is out on our website,
security, and cybersecurity wasthe number one technical skill,
even before even above cloud, sothat, you know, cloud computing
(18:01):
skills and things like that. SoI think that's fantastic. So if
people are out there thinkingabout new careers, whatever
changes you want to makesecurity, cybersecurity is one
of those I wish, I wish I wouldhave followed John, way back
into into this field. And Itried to get my kids into it.
(18:21):
Unfortunately, one is anarchitect, the other one is a
psychologist. So they neverreally got interested in either.
Brian Smith (18:27):
Now, one thing I heard along those lines is there
was my data was from a couple ofyears ago, but at that time,
there were something like half amillion open jobs in
cybersecurity was forecast togrow by 2025 to over a million
open positions. And some of thatis because at least at the time,
and still is the job is somanual. And so one of the ways
(18:52):
we have to look at is automatingit, but not automating it away.
But automating it as inproviding, making the computer
these automated systems,partners with humans that make
the there are force multipliersfor the humans.
Eveline Oehrlich (19:10):
That gets me to my next question, actually,
because there is behaviors andculture, right, which play into
all of that, you know, if Ithink of my family in terms of
their laptops and their devices,I probably could break in easily
to most of them because thepasswords are, I can get them.
(19:30):
But there's also there's morethan just on the client side.
But there's other challenges. Soaround humans and cultural
changes, what have you seen andwhat would what can you suggest
to our listeners, what shouldthey do? What should they look
out for? What advice can yougive folks how to respond and
(19:51):
how to work within thischallenge of helping out in
around organizations and both inIT and business?
Brian Smith (19:59):
Yes. So I, you know, I think, you know, part of
this is what I was saying beforeis that traditionally, this was
viewed as a SEC Ops problem.And so we could kind of
compartmentalize it and saythat's their problem, I'm just
going to focus on what happened.And I think there's this growing
recognition. And this is, thisis a good thing, that it is a
(20:20):
business problem, and so thateveryone has a has a bit of a
role to play, because you don'twant your laptop to be the entry
point for a giant breach of somesort. So some of this is just,
you know, go, if you're aleader, make sure you start
training, have company widetraining on this. Because every
(20:41):
individual should know what thesigns are of someone trying to
trying to break in or trying tofool you. Social engineering is
a big attack. But the the, theother that that sort of, from
the human standpoint, from the,from the, you know, frontline
(21:03):
workers, people and in nontechnical positions, for people
in technical positions, itstarted building those bridges
to the SEC Ops and not treatingthem as the enemy, but kind of
inviting them in to try to tryto work together. And I think a
lot of the problem there is thatwe, we almost talk in different
worlds. And in those things, sofinding ways that we can
(21:26):
communicate with each other sothat we can, the developers, for
example, that are developingapplication can pass along
artifacts to sec ops to say,this is the way I expect my
application to behave. If it'snot behaving, contact me be that
way. Because I want to know,because we're all you know,
DevOps, we're all responsiblefor keeping our piece up and
(21:47):
running, and we know our piecebetter than any anything else in
the world. So I see that kind ofrole of DevOps, if they can
establish those communicationsof this is what my piece is
supposed to be doing. That wouldbe that would be awesome. And
we're kind of working on atabout about, about developing
those artifacts that helpautomate those processes. But
(22:09):
then, in the the other parts ofthe roles are, you know, there's
typically like SRS or more kindof DevSEC Ops, which are
responsible for the fullplatform security, and as
opposed to individual componentsecurities. And so I think all
of those have kind of roles toplay within this. But there's
(22:31):
but it's, it's treating it notas the SEC ops problems, but SEC
Ops being more of a coordinatorof how we how we deal with
responses and sort of bestpractices for longest, and then
facilitating communication andtreat them as a partner.
Eveline Oehrlich (22:47):
I love that when you said coordinator, I
would actually sometimes thinkthat word means different
things. Maybe it's more of anorchestrator. But I think that's
the same idea, right? It's saidorchestration, going out and
bringing those folks togetherbecause many of those folks have
their own roles. And they havetheir own projects and things to
do on a daily on a daily list ona daily the daily tasks.
(23:11):
whenever necessary. I'mresponsible for whatever on call
plus I'm supposed to be alsodoing some development, but
really highlighting that andorchestrating what have we done
now, that makes me think of thisis not something I have any done
any research, but metrics,sometimes. We don't, it seems
like we don't measure the rightthings. We don't incent people
(23:35):
to be reaching out andorchestrating right. Have you
seen any, any specific examplesof organizations who say, Well,
we're going to go and dosomething completely different,
we're going to incent everybodyon doing one security thing a
week, or having little jamsessions or little whatever
those things are calledanything, anything creative.
(23:58):
You've seen on on humans gettingtogether and saying we need to
change something.
Brian Smith (24:03):
You know, the one thing I think about is there's
this this book called ThinkingFast and Slow. Oh, yes. And it's
about, you know, how did thissort of help? There's parts of
our brain where we really engageour brain and our rational
thought, and that's the thinkingslow part. And then there's the,
(24:24):
I don't know, scrolling yoursocial media feed. And that's
the thinking fast part, right?Where you just kind of you're,
you're doing what I think theycall the information scavenging
where you're scrolling throughand just looking around, and
that tends to be based on ourbiological. It's the information
equivalent of our biologicalversion of scavenging for food.
(24:48):
And for us just looking aroundand trying to find pattern
matching. You're saying, Oh,this looks interesting to go get
or this is a threat. And what IThink once you there, one of the
most interesting things istrying to teach people about
that and use it to train thattrain the people not to kind of
(25:11):
just click on things mindlessly,because but actually spend it,
but sort of see the warningsigns, train train them in that
information scavenging to seethe warning signs and say, Well,
that looks like a threat andturn on the slope. And, and, and
and think before they click onthat thing or do that, that I
(25:31):
haven't seen too much in the wayof, you know, kind of what I
what I think about metrics of,you know, sort of dials on
gauges. Yeah, thanks.
Eveline Oehrlich (25:39):
I think there is still there's still some work
to do in this in this notion ofthe safety culture, and shaping
that safety culture, as yousaid, first, just quickly
summarizing, so first, reallynot just sick ops, but really
the DevOps and the other sideof, of security, to bridge
across to the SEC ops folks whodo the normal things, and then
(26:02):
for business to ensure that theyare aware of what's happening,
right. So if we do designthinking, for example, in that
stage, right, if we dodevelopment of products and
projects, that we have thatawareness, and then for us, as
individuals, no matter if we'rein it, and business in whatever,
then we have a safety cultureand start helping ourselves and
(26:24):
training each other and helpingeach other out. So fantastic.
Anything, any other thoughts youwant to share with us?
Brian Smith (26:30):
Yeah, the one other thought is just, you know, in
general, security tends to havethese trends. And one of the
more recent trends was in theship love culture was we would
try to build, get everything tobe invulnerable, before we
actually shifted ship. And thatsort of, I've seen sometimes
Eveline Oehrlich (26:50):
That is that is a that is great advice. I
that sort of great being theenemy of the good in the sense
of, Well, once I do that, Idon't have to monitor anything.
It's sort of like I've builtperfect locks on my house. So I
don't need an alarm system. AndI think that's a not a pragmatic
approach. So I think as we as wego through this evolution
(27:14):
towards, you know, sort ofunderstanding spirit, just try
to be pragmatic about it, don'ttry to vote and the focusing on
risk is a good part of that. Andthe focusing kind of what is
actually happening as opposed towhat theoretically could happen.
Is a good general trend. Andjust don't let the the
(27:38):
perfection over here be theenemy of good.
remember, Diego and myself atForrester talking about shift
left many, many years ago. Ithink we took too much of a
theoretical approach at thetime. So what you just said,
really thinking about that in aprogrammatic way is great advice
to our listeners. Appreciate it.I have one more question has
(28:01):
nothing to do with security.What do you do it? And don't
tell me you're doing securitythings on the weekend. But what
do you do for fun, Brian?
Brian Smith (28:10):
Oh, recently I've gotten into tennis see, I have
two boys. They're they're 18 and21. Now, but my younger son had
gotten really into tennis, fromabout the age of nine. And I
started playing with him. Andthen he rapidly advanced and I
couldn't play with them anymore.So last year, I've been trying
(28:31):
the last three years, I've beenplaying tennis pretty
aggressively to try to get upthe points just so I can play
with my boy.
Eveline Oehrlich (28:38):
That sounds great. Well, maybe there's a
natural Roger Federer justretire. So maybe there was a
Roger Federer out there in oneof your sons, who knows, never
know. Well, Brian, this has beenwonderful. We learned a lot.
This was great meeting you greatchatting with you. And thanks
for your time always interestedin few points from the other
(29:01):
groups such as security. Iffolks want to learn more about
your spider bat company, I guessit's easy to find, but anything
else you want to point out toany white papers, any other
things?
Brian Smith (29:16):
No, just it's one thing in I guess the one thing I
doubt in Spyderbat is that it'sgot a free mode. So one of the
things that's always annoyed meabout companies is where they
you have to talk to a sales guyand sign away things I want
people just to try it,experience it. And then if it
turns out to be useful for you,let's talk but just getting
(29:38):
feedback is always good.
Eveline Oehrlich (29:40):
Excellent and as an analyst I approve that
because that's exactly what werecommend to our vendors. Super.
Thank you Brian this waswonderful. Enjoy your upcoming
day for me. I will enjoy therest of my day as well and
everybody else here listeninginto this is Eveline Oehrlichm
Chief Research Officer DevOpsInstitute with Brian Smith from
(30:01):
Spyderbat. Thank you, Brian.Have a great day everybody out
there. Thank you.
Narrator (30:08):
Thanks for listening to this episode of the Humans of
DevOps Podcast. Don't forget tojoin our global community to get
access to even more greatresources like this. Until next
time, remember, you are part ofsomething bigger than yourself.
You belong.
Popular Podcasts
Dateline NBC
Current and classic episodes, featuring compelling true-crime mysteries, powerful documentaries and in-depth investigations. Follow now to get the latest episodes of Dateline NBC completely free, or subscribe to Dateline Premium for ad-free listening and exclusive bonus content: DatelinePremium.com
24/7 News: The Latest
The latest news in 4 minutes updated every hour, every day.
Therapy Gecko
An unlicensed lizard psychologist travels the universe talking to strangers about absolutely nothing. TO CALL THE GECKO: follow me on https://www.twitch.tv/lyleforever to get a notification for when I am taking calls. I am usually live Mondays, Wednesdays, and Fridays but lately a lot of other times too. I am a gecko.