Talking Cloud Security with Hacker Valley Studio


Episode Description

What We Discuss with Chris Cochran & Ronald Eddings:

  • Multi-Cloud
  • What is a good maturity in the Cloud Security space?
  • How does Security change in a world of COVID19?
  • What are people not talking enough about cloud security?
  • Mentorship and Cyber Security Podcast
  • And much more…


Ashish Rajan: [00:00:00] Hello and welcome to Virtual coffee with Ashish. I’ve got two amazing guests today. You guys may know them as Hacker Valley Studio, Chris and Ron. I have only, well, feels like I’ve been watching the content for a long time, but I’ve been codified, it’s only been a year since that they’ve been creating content.

So it’s quite often that I was able to get, get them in. So this is for people who are joining in. This is going live on Twitch as well as LinkedIn and on YouTube as well. So when you guys get to it. Just feel free to share it and do whatever. This would be available on Cavalli studio as well. And I’m not going to put your, the introduction pack.

Well, it’s true. So I’m going to let Ron and Chris do an amazing job as they always do with their content. I will let them introduce themselves. You guys know who I am. So my name is Ashish. I run the Cloud Security Podcast and I am going to pass over to Chris and Ron to introduce themselves. You can take [00:01:00] whoever wants to go first.

Ronald Eddings: [00:01:01] I got away. Chris,

Chris Cochran: [00:01:02] What’s going on, everybody? Chris Cochran from Hacker Valley Studio along with my cohost Ron Eddings. I work at Netflix on the information security team, leading threat intelligence. Happy to be here. Ashish, appreciate the invitation and looking forward to the conversation.

Ronald Eddings: [00:01:19] Yeah, I think Chris said it best.

Also cohost the Hacker Valley Studio. When I’m not blogging or podcasting, I’m a security architect and also leading a team of security architects at Palo Alto Networks.

Ashish Rajan: [00:01:31] that it’s awesome. And because we had Oregon cyber security, I’m sure a lot of people are curious, how did you guys get into cyber security?

Well, you always, I guess.

Ronald Eddings: [00:01:44] For me. Absolutely. Ever since I got my first computer, there was kind of the situation I found myself in. I used to chat a lot with my friends in the AOL Instant Messenger chat rooms and I ended up getting the direct, some type [00:02:00] of direct message. And you know, back then with AOL Instant Messenger, there was this feature called direct message where it allowed you to send someone else files.

So me being young and dumb, I just said, all right, I want to see what this file is that someone’s sending me. And it happened to be a virus. Luckily for me, this person that took my computer down, I, it turned my computer off. I turned it back on, and then I went back into the chat room. I found the person.

I was like, how did you do this? And he gave me the name of the program. It was called ProRat. And I was like, what? This is the most amazing thing ever. But ever since then I really just like picked up programming books, security books. And I had a great mentor at a very young age. I was around 17, and I met someone named Marcus Carey.

He’s the author of Tribe of Hackers, and he, he took me under his wing and really showed me the way, and that was kind of my path into the game.

Ashish Rajan: [00:02:58] Right. Wow. [00:03:00] So wait, so you’re 19 though, is that what you’re saying?

Ronald Eddings: [00:03:03] No, when I was

Chris Cochran: [00:03:09] wrong,

Ronald Eddings: [00:03:12] head the head shows, right?

Ashish Rajan: [00:03:16] We were 19 like Chris.

Chris Cochran: [00:03:20] Yeah. So I got into the game early. I got really in the technology, taking apart computers, putting components together, just seeing how they work. Of course, you know, like most people that were tinkerers, I had one of those RadioShack kits where you could build alarm systems, you could build radios and things like that.

I was just fascinated with technology and eventually I joined the Marine Corps and luckily I joined a field of intelligence that allowed me to stay close and connected to technology, and lo and behold, my actual job became what is threat intelligence today. And so just staying in touch [00:04:00] with tech and touch with all of the attacks and adversaries that are out there, it’s just been kind of a seamless path for

Ashish Rajan: [00:04:06] me.

Oh, that’s awesome. I thank you for your services all by the way.

Chris Cochran: [00:04:11] Absolutely.

Ashish Rajan: [00:04:12] It’s amazing to have it. It’s interesting that Ron, you had a mentor, and Chris, you kinda came from a military background as well. How did you guys meet to start a curiosity?

Chris Cochran: [00:04:24] Yeah, so we actually met at a company, we worked at IronNet Cybersecurity.

That was General Alexander’s startup. He’s still there. General Alexander was the director of the National Security Agency for eight years, and so I was the intel guy. Ron was the hunter, and so we would work hand in hand, trying to, you know, keep folks protected.

Ashish Rajan: [00:04:49] Awesome. And for people who don’t know what, when you say intel and threat hunter, like what’s what, how do you share that with people who are not from security?

What do you guys tell them when you [00:05:00] meet a non-security person as to what you guys do?

Chris Cochran: [00:05:03] Yeah, so for threat intelligence, I keep track of all the things that bad people are doing from a cyber perspective. So I keep track of all the hackers, whether they’re hackers for nation states like a part of the, you know, different nations, military or you know, criminals, cause there’s huge, gigantic criminal organizations that are doing bad things with the internet, with fraud and other types of malicious activity.

And hunters are the folks that are looking for the bad folks within your network. So you’re, they’re looking for the things that your common conventional security applications aren’t picking up. Sweet,

Ashish Rajan: [00:05:43] By the way, just just before, one reference, we do have coffees with us, right?

Chris Cochran: [00:05:51] You gotta have coffee.

Ashish Rajan: [00:05:53] Is that a beer that looks like beer.

Ronald Eddings: [00:05:57] This is for the, the people that drink a lot of [00:06:00] coffee. They need a cup like this.

Chris Cochran: [00:06:03] My Marine Corps emblem right there. There you go.

Ashish Rajan: [00:06:07] And also like how, and what are you good tend to mention. With the whole, and I’m gonna switch back to the technology side, but quickly touching on the whole, I guess working, working from home during COVID and you meant, it mentioned threat intelligence, has working from home changed your view on security?

I guess for both of you, because now I’m sure both of you are working from home, although Ron looks like he’s working from a hacker studio, but I’m going to start with you first, Ron. Has your opinion about security while working from home changed?

Ronald Eddings: [00:06:43] I wouldn’t say necessarily my, my idea of security has changed, but I think the way that we’re looking at opportunities and security has changed.

The opportunities in security are, I think are even more vast than they were previously, [00:07:00] just because now the security practitioners are working remote, the ones that aren’t in the field yet, they have even more time to study. There’s nowhere to go. So they might be hitting the books really hard.

Right now. Also, for all of the people that have switched to remote, it’s really opened up the gate for, for migrating to the cloud. Everyone’s kind of going that direction already, but now we’ve really just jump-started the whole thing, and we’re going to start seeing a lot more adoption in the cloud.

I think it’s still a transition. It’s still a journey. It’s going to be a while until we see organizations, large organizations that are a hundred percent adopted in the cloud. But I think that’s the opportunity that has shifted since being locked down.

Ashish Rajan: [00:07:44] What about yourself, Chris?

Chris Cochran: [00:07:45] Yes, so the only thing I see is a bit of a change in scale, right?

Because there are plenty of companies right now that are working remote, some more than others. Some companies are completely remote, some are 50/50, some do occasional little remote [00:08:00] work. It’s the companies that had to adopt remote work quickly are the ones that had to grow the most. So the only thing I see that is going to be different is that more people are going to be able to work remotely, but that’s actually going to end up paying dividends over time because you’ll be able to hire talent that’s not in your area.

You’ll be able to manage your devices in a way that’s slightly more intelligent, through technology. There’s a lot of benefits to working remotely. So we always try to look on the bright side of things.

Ashish Rajan: [00:08:29] Oh, sweet. And thank you for sharing that as well, because I think there’s almost like a, people kind of tend to forget that to Ron’s point.

It doesn’t change my, but I guess the landscape kind of varies a bit, but I heard about it. It just like still the same kind of security. It’s just that now you probably are a bit more cautious than most of your stuff or remote.

Chris Cochran: [00:08:49] You

Ronald Eddings: [00:08:49] might even have a more simplified view of security after kind of working from home.

There’s less less devices being used on and off prem.

Ashish Rajan: [00:08:59] Oh [00:09:00] yeah, actually that’s a good one. And I guess, , just for people who are like, I’m just trying to think through, we’ve got about seven people on I guess on, well, I didn’t realize that Fritz had seven people were looking at us and there are quite a few on LinkedIn as well.

If you guys have any questions, feel free to leave it in the comments section as well. Ron, you touched on cloud, which is my Polyface, my, my favorite topic at the moment, but thanks to my account security podcast. What is cloud security look for you?

Ronald Eddings: [00:09:28] Oh, the cloud. That’s a, that’s a great question, just because there’s so many different definitions of cloud security, I think it really depends on the cloud provider that you’re using and also what kind of cloud customer you are.

That would kind of dictate what kind of cloud security or what cloud security means to you. But for me, I live in a world, in a world of automation. So for me, I look at a lot of services and the alerts that they generate, and my whole goal being a security [00:10:00] architect and where I fit in with cloud security is taking and making sense of a lot of applications, a lot of logs.

The output from a lot of services. And enriching them to make it meaningful for an analyst or an engineer to triage. So I look at cloud security. It’s the same as traditional security, but there’s just a shift. And maybe not securing the device, but kind of securing the application.

Ashish Rajan: [00:10:28] What about you, Chris?

Chris Cochran: [00:10:30] The way I look at cloud security is, I think of one word, agility. Being able to change your infrastructure, being able to change your security posture with changes in code is, I think is phenomenal, especially for, you know, nimble companies that, you know, may be smaller. But even if you have large organizations where you need to change based on divisions, based on roles, things like that, you’re focused on identity, right?

Identity is huge in cloud. So that’s [00:11:00] where a lot of your security actually ends up coming from. And so being able to have this agility and focus your efforts on being agile, I think is what is one of the main components of being in cloud security.

Ashish Rajan: [00:11:13] Sweet. And I think the moment you guys mentioned it as a question from Alvarez, what is, what is your security concern in Azure Data Factory?

I’ll probably, I’m going to reword that instead of just calling specifically Azure Data Factory is cause I think that’s more, if I were to reword that, you can answer that directly if you feel like. But just so that people understand the broader context, what does data security mean in the cloud context?

And for you guys, if it’s like, I think that’s kind of where he’s coming from as well. Or he or she is coming from, there’s no picture. So I don’t know if it’s a he or she. Sorry. So the question is where does security concerns in Azure Data Factory?

Chris Cochran: [00:11:56] So, not necessarily, you know, [00:12:00] pointing the finger at at Azure or any other brand out there.

But when you’re looking at data security, what you want to do is you want to first classify your data. That’s one thing. And you know, these basics don’t change. Just because we’re moving to the cloud doesn’t mean that we don’t do some of the same stuff. So data classification first. Because that tells you all the controls that you need to have to protect that specific data.

Right. And then how much do you ramp it up? What encryption are you using for that specific data? Right? Think about data just as you would on prem. It’s not any different. So you know, covering your basics, making sure that things are as secure as it needs to be while being available is going to be primary or

Ashish Rajan: [00:12:41] sweet.

Ron, anything that you want to add to that? No.

Ronald Eddings: [00:12:44] I w I would kind of just echo what Chris said and you have to really understand the type of data that you’re storing and how it needs to be accessible. Maybe not all types of data or the kind of all places where you’re storing your data [00:13:00] need to be secured in such fashion.

So it might not make sense to try to go after everything. I think it’s really understanding your data and. Kind of working from there and securing what you need to secure and whatever fashion it needs to be secured in.

Ashish Rajan: [00:13:16] Sweet. Not. Thank you. Hopefully that answered your question, but feel free to leave it on the quick, I guess, comment or question if you guys, if you want more clarification with the cloud security, going back to the cloud security definition and it’s really great that I’ll raise, brought up Azure.

Cause one of the things that I’m noticing, and I wonder if it’s the same for you guys as well. Do you guys feel like the cloud is a thing. Yep. That was, that’s it. That’s like you said, those synchronous. Yes, but is it more, cause I feel like people kind of confuse multicloud sometimes we say, Oh they thing is running over says I’ve bought Azure and AWS.

Like what do you guys think when you say multicloud is, which version is yours?

Chris Cochran: [00:13:59] Yeah, [00:14:00] I mean, do you want to go first, Ron?

Ronald Eddings: [00:14:01] I think multicloud is kind of both. So the first definition that I might look at is, alright, does that mean you’re just having applications in both clouds or are you really using all of the features and even infrastructure in both clouds?

But I think either way, definitely a thing, big banks often have multicloud environments of some sort, just because the, the sensitivity of the data and also how available the data has to be. You kind of want to ensure that by going to multiple clouds.

Chris Cochran: [00:14:37] Yup. And one size doesn’t fit all. There might be applications that you need to have in Google Cloud.

There might be features that AWS has that you really depend on for your operations. So really looking at all of your options and kind of piecing things together. I like to kin things to Bruce Lee. He says, you know, take all the [00:15:00] things that you can use and then everything else, just throw it away.

Ashish Rajan: [00:15:04] Oh, Bruce Lee.

And he’s like, it’s way too early in the morning,

Chris Cochran: [00:15:08] and Richard Dean

Ashish Rajan: [00:15:10] do with some coffee in my hand. So talking about visiting spoke about multicloud, we spoke about cloud security and obviously I think we have a varied audience here. Where does maturity in cloud look like for you? What, like what do you consider a, is almost like a baby step for cloud security versus like super advanced cloud security.

What does that look like look like for you guys.

Chris Cochran: [00:15:36] Yeah. For me, cloud security in a mature organization, I think of redundancy. I think of high availability. If something has to come down because there’s a configuration area or error or something like that. Being able to transition over to maybe like a warm site in the cloud is pivotal.

Being able to deploy infrastructure in a way [00:16:00] that makes sense quickly and efficiently. It’s going to be pivotal, making changes in the cloud. Keeping track of those changes is what, to me, is a part of being a mature organization. And then don’t forget asset management. Asset management doesn’t go away because you don’t, you have less end points.

Asset management is still huge because you need to keep track of what applications you have. You need to keep track of the dependencies those applications have, and also the vulnerabilities that they have as well.

Ronald Eddings: [00:16:31] Yeah, I think I would say high availability. And Chrissy, you, you already said that.

But when you’re in the cloud, one of the biggest perks is availability. So how can you secure your applications while maintaining very available applications? So what I look at is the application itself and how it’s designed. And if you’re able to detect [00:17:00] security vulnerabilities or security and respond to security alerts, you’re going to probably have to redeploy your application.

So having a lot of flexibility in your environment is also very important. But I think that your security alerting and response strategy has to be flexible in such a way, and I think that’s where the term, that’s why the term, the term detection engineering is very popular today.

Ashish Rajan: [00:17:25] Let’s see. What, what does the detection setting, what is detection engineering for people that don’t know about it?

Ronald Eddings: [00:17:31] I would say it’s a bit of being a security engineer and the incident response analyst, you’re able to create the detection logic and that detection logic might have some response logic built in. Maybe once you see a specific alert on an EC2 instance, you automatically go and redeploy that EC2 instance, but block that activity from that other center.

Ashish Rajan: [00:17:56] Also in other putting in other words, [00:18:00] unlike traditional data center security where a lot of it has to be, I guess you log into a server and if you need need to bring up new Boggs, you just go to this VMware massive things or bring up a new washing machine and sort of just doing that use API APIs to automate a lot of that.

Is that another way to put it? I guess.

Ronald Eddings: [00:18:19] Yup. Absolutely. And, but it’s not necessarily exclusively that, but that is a component of detection engineering that could be a component of it. Right.

Ashish Rajan: [00:18:28] And so to both of your mentioned, I think so that’s a great example. I think I hear that more from a mature perspective where I guess people already have like a big security team and they have engineering capability.

Cause a lot of, I guess, I don’t know if it’s an Australia thing and you can, you guys can correct me if I’m wrong. But a lot of companies that I’ve seen around, I guess somebody who countries not as a U S as well. A lot of people don’t. Are you going to have a security engineering person? They usually have the traditional, and this is not in a thing as a bad thing.

They have [00:19:00] security architect, they have a SOC team, they have an application security guy, and sometimes they’ll be like, why do I need an engineering guy? And, but it’s too, what are you, how do you answer that?

Ronald Eddings: [00:19:13] You want to take a stab at it, Chris?

Chris Cochran: [00:19:15] Yeah, so I mean, there’s a couple of ways you can do it. I mean, actually not a couple of ways.

There’s like a million ways you can do security in any organization, but a four, you can have a distributed security model where the majority of the people on your security team are enabling the application owners. They’re enabling them. Data owners to do all of their operations more efficiently. So you’re building, you’re helping them build tools to keep them safe.

You’re creating paved roads for them to do their development. But you can also have folks that are doing like operations, so you can have a SOC, like you were saying, you can have folks that are actually doing incident response, things like that. But there are so many models that you can take.

It really depends on, you know, your [00:20:00] industry, it depends on compliance. It depends on your maturity. It depends on your size. So many different things.

Ronald Eddings: [00:20:07] Oh,

Ashish Rajan: [00:20:07] Right. And anything to add to that, Ron?

Ronald Eddings: [00:20:10] I would say take a look at security as kind of like what Chris was saying, enabling the application owner, but bringing the security related events to them that are related to their application.

So creating some type of alert that’s easy enough for that application owner to respond to

Ashish Rajan: [00:20:30] themselves. Right. And I guess your point about where. I guess if that’s the case in, in, in this scenario, if I were to just kinda change the tables a bit. So for people who haven’t started this journey and they want to go down, that part is there are like other baby steps that you guys recommend that they can take.

Ronald Eddings: [00:20:56] From, I guess it would depend on where they’re getting started from. Are they getting started from [00:21:00] scratch or if they’re getting started from like some type of foundation.

Ashish Rajan: [00:21:03] Now that I think about the question for me, like pretty big, but I think it’s like more in terms of they, for example, I’m a, I’m a head of security in the company and I’ve got a couple of people in my team.

And I’ve gone after guy saw guy, but I’ve slowly noticed that I’m going into the cloud space. I think I normally recommend people to go and explore what kind of services are already available in cloud to start, I guess in some engineering accounts against. I think that’s kind of where it was coming from.

But I guess if you have another opinion in terms of like, is there a better way to approach it than like just use the tool or just don’t go into a tool first. What do you guys recommend in that space? Go for a tool straightaway if you can afford it. I guess.

Ronald Eddings: [00:21:48] Well, I mean, I think, I think Chris has the best answer.

It’s the easy button.

Chris Cochran: [00:21:58] Good old easy button.

[00:22:00] Ronald Eddings: [00:21:59] Right. This, this actually answers the question too.

Chris Cochran: [00:22:03] Yeah. Yeah. For folks that don’t know what the easy button is, I actually made it specifically for threat intelligence, and then I ended up converting it over for cyber security writ large. The easy button is E, elicit requirements.

So what are the things your stakeholders need to do? The missions that they’re doing. A, assess collection plan. Where are you getting your data? Where are you getting your people, your resources, where you, I’m looking for things that you need to do to support everybody else. Strive for impact because that’s, that’s huge.

Maybe you want to show value, so you want to show specific metrics to the board. Maybe you want to show metrics to the CSO, maybe you want to show it to stakeholders, you know, different things like that. And then Y, yield to feedback, because obviously if someone’s giving you feedback, whether it’s a peer, whether it’s a superior or even a direct report, something needs to happen.

Maybe there’s a miscommunication. [00:23:00] Maybe something needs to be improved, or maybe something just needs to change in general, but yeah, easy. Easy button for just about everything in cybersecurity.

Ashish Rajan: [00:23:10] Easy PVM.

Ronald Eddings: [00:23:11] Yeah. And to add to that, right. Just to break that down even further. So when you’re trying to find your, kind of your requirements, you’re, you’re the E part of the easy button.

You might want to do something really cool as security, but that might not provide the organization any value. So I think like before checking out like what does AWS have specifically, you have to understand what are your organization’s needs and their values and the goals, and try to help the organization reach those points instead of just doing something cool just for the fun of it.

Ashish Rajan: [00:23:48] Ooh, I like that. And then I just realized, actually, sorry, I was seeing the ticker and I realized I had the wrong upside. Then

I had [00:24:00] a cloud security port, costs.com instead TV, sorry. Cause I sent, you said easy button. I’m looking at this button like why does it look so different? I’m like, Oh, no different. That’s all right. I’ve got hot more than half of the video just to have it with the wrong website that’s live for you. So now I’m going to switch gears a bit and I would love to hear from you guys.

Where does the most common misconception you hear about cloud or security in cloud?

Ronald Eddings: [00:24:33] I, I would, I w I will start out. And I think there’s a few, one that comes to mind is the price. And I think that the, some will say, Oh, cloud is expensive. Some will say, Oh, it’s, cloud is cheap. And I think the answer is it always depends.

It always depends on what you’re bringing in, how much, how much you’re going to use it, how often it’s going to be used. So I think that the price is [00:25:00] often what’s assumed and often the most incorrect.

Ashish Rajan: [00:25:05] Cool. Good answer. Chris, do you wanna add

Chris Cochran: [00:25:07] something to that? That it is vulnerable by design, I think is one of the biggest misconceptions that I’ve heard.

Because you hear about all these S3 bucket dumps and things like that. It’s not AWS that’s the problem, or, or the, you know, it’s not their technology. It’s the implications and the application of their technology. So by, you know, having folks that might not know exactly what they’re doing, maybe it’s the first time they’re rolling out a cloud infrastructure.

Maybe they had a configuration, a mishap. I would say definitely work close with your cloud provider and make sure that you are deploying things in a safe and secure manner.

Ashish Rajan: [00:25:52] Sweet. And just to take that step a bit further, what do you both feel that people are not talking enough [00:26:00] about in cloud and security of cloud?

I guess.

Ronald Eddings: [00:26:06] Maybe the basics, basics of the services. I think that there’s a lot of resources out there. It’s, it can be overwhelming at times, and it can also be hard to find some good resources. So I, I, I personally look at AWS security hub when I’m trying to find out more about AWS specific topics. I think that’s a great resource.

And there’s a lot of basics to all of these services. And once you understand those, it’s a lot easier not to go wrong.

Ashish Rajan: [00:26:38] Oh, I love that one. That’s pretty good. Basics 101

Chris Cochran: [00:26:43] slash

Ashish Rajan: [00:26:44] Yeah. Cause anything to add to that or you just

Chris Cochran: [00:26:48] echo. Yeah. The only thing I would say, and this is a meme, this is a tee shirt.

They, they say cloud is just somebody else’s computer. And in some ways they are a 100% correct. So [00:27:00] a lot of the same things that you can do from an on prem perspective, you can do in the cloud. So definitely keep that in mind. Don’t, don’t over mystify cloud.

Ashish Rajan: [00:27:11] That love that. I love the answer.

Thanks guys. I’m gonna switch over to some of the questions that were asked in common set. We had posted last time. So we’ll have a question from Jacqueline Rider. A question was, I’d love to hear from Chris and Ronald about having a day job and a podcast. They seem to be complementary, but have there been any conflicts or challenges.

Has a side hustle brought any unexpected benefits to their careers. Like the couple of questions in there, however you guys wanna take it. Whoever wants to take it first.

Chris Cochran: [00:27:42] Yeah, I’ll go ahead and start with that. So the podcast has been the most, one of the most amazing things I’ve ever done in my life.

Being able to have conversations with brilliant people, record it, and share with the world. I mean, you can’t get much better than that. I feel like a lot of the reason [00:28:00] why, you know, even while we’re having coffee with you, Ashish, is because we put out a cot, a podcast, and we put out content. And so just by virtue of being connected to all these amazing people, all these amazing practitioners and content creators, I think you really can’t go wrong, both from a personal perspective and from a work perspective.

From, like, my day job, there, there’s not a lot of overlap, to be honest. I might be able to articulate answers and communicate a bit better now that I’ve practiced communicating so much over the last year. But I don’t, I don’t think anyone at my day job is patting me on the back, like, Oh my gosh, you’re getting promoted cause you have a podcast.

But I will say that my stock, and I think that the same for Ron’s as well has, has grown, just by putting ourselves out there.

Ronald Eddings: [00:28:52] Absolutely. Yep. I would a hundred percent agree. It’s actually complementary, I would say more [00:29:00] than anything just because our podcast is about cyber security, but more so about the human element, which isn’t really talked about enough in my opinion.

And also, um. It’s good for the company. Right. I also do a lot of public endorsement and speaking for Palo Alto Networks. So it’s kind of a blend of both and when it actually leads to more opportunities at work. So I was just recently asked to do a webcast for another business unit at Palo Alto Networks cause they saw the podcast and they liked the content and they’re like, Hey, would you mind doing something for us also?

So I would say it’s very complementary.

Ashish Rajan: [00:29:41] And do you, I guess you take that a bit. The other half was, has a side hustle brought any unexpected benefits to the career? So do you guys consider this as a side hustle though?

Chris Cochran: [00:29:51] Absolutely, absolutely. So I’d say just recently we launched our Patreon page. For a while [00:30:00] we were doing everything completely out of pocket.

But we found out that if we really want to take the show to the next level, bring the best guests, bring the best equipment, bring the best content that we can bring is going to take the strength of the community. And so we launched our Patreon page. If you don’t mind, I mean, we can, that, you know.

Put it in the, in the comments below or something like that, just so people could check it out. But yes, patreon.com forward slash Hacker Valley Studio. Well, and then, but the thing is that you’re not just giving us money for the stuff that we already do. We’re going to continue to do podcasts. That’s not going to change the thing.

The school about Patreon is we actually have tiers that we provide additional benefits. Right. So like in one tier, we have a mastermind meeting once a month and a one tier getting exclusive content that we don’t put out for everybody, and it’s just for our patrons. So, yeah. So now technically it’s a side hustle.

Ashish Rajan: [00:30:55] Wow. And it’s pretty awesome that you guys are going to, so many of you guys start with the [00:31:00] podcast

Chris Cochran: [00:31:00] April of last year.

Ronald Eddings: [00:31:02] Wow.

Ashish Rajan: [00:31:03] Wow. This is one year and one month later. Looking back, and I’m assuming Jacqueline has probably asked that question, probably she considers probably going down that path as well.

What would your recommendation be for other people who are trying to get into the space? And I guess from the learning that you guys have for a year, like what would you want to give back to her? She wants to start down that path as well.

Ronald Eddings: [00:31:29] I would say be relentless. You have to keep on going. Um, the podcast is going to be for someone.

Hopefully it’s not just for you and your ego. Hopefully, you know, you want to put something back out for someone to appreciate and enjoy. And even if it’s just one person, that’s still a win. And if it’s thousands of people, that’s even better. But either way, do it for the love of it and do it because you want to do it rather than because of the numbers.

Chris Cochran: [00:31:58] Yep.

[00:32:00] Ashish Rajan: [00:32:00] And would you guys say, and this is just something that I’ve done personally, but I’m curious, cause I normally tell people to go on YouTube as well. And she pointed about Patreon. And I guess having it as a side hustle is, it doesn’t make sense to start with Patreon and YouTube early. Or did you go, cause you guys started a bunch of data, but looking back, would you start it earlier?

Chris Cochran: [00:32:22] I wouldn’t start it earlier, just by nature of, I, I would say it’s more ego and more perception for yourself, like self-perception. Because if you launch a podcast tomorrow and you have a Patreon page, I almost guarantee you no one’s going to have a, I mean, it’s going to take a while for you to start getting paid to do your craft in most cases.

Sure, you have those one-offs where, Oh, yeah, I started yesterday and I have 50,000 followers already. You know, like, so, I mean, you have those, those out, those outliers. But I would [00:33:00] say focus on your craft first. Focus on getting good and don’t break the bank in the beginning. Like we didn’t have the, Oh, I didn’t have this mic in the beginning.

You know, we were using headsets for a long time. So yeah, don’t break the bank. Do what you can do. Get sharp, work on your craft. And then eventually when you start to invest in it yourself, then you can start asking others to invest with you. Sweet.

Ashish Rajan: [00:33:25] Anything to add, Ron?

Ronald Eddings: [00:33:27] That’s it. That’s it. I

Ashish Rajan: [00:33:30] think the podcasting, remind me, I remember Singapore from you guys, but you did five interviews in five days or seven and three weeks in seven days.

Chris Cochran: [00:33:38] No, nine interviews in one day. We

Ronald Eddings: [00:33:41] had, we had 10 scheduled. Yeah. Yeah. There was crazy traffic. I was,

Chris Cochran: [00:33:45] I couldn’t get there.

Ashish Rajan: [00:33:49] I think I find one a day sometimes quite intense. So you almost feel like all your energy goes into it. You guys did like nine of them in one day.

Chris Cochran: [00:33:58] Yeah.

Ronald Eddings: [00:33:58] Mine. It’s [00:34:00] actually, it’s actually interesting cause the energy builds up as you do more and more.

So once you’re three in, you’re actually very, you’re very into it and you kind of get lost in it. It was one of the fastest days I’ve ever had and I loved every minute of it.

Chris Cochran: [00:34:15] Yeah, I have a, a, a mentor, a yell Nagler. She was actually on the podcast and she told me that if you really want to find out what you really want to do is think about the thing that you will pick up the phone to discuss, no matter how tired you are.

At the end of the day, if you pick up the phone and you know you’re going to have energy doing it, that’s what you need to be doing. And so when we do podcasts, it just gives us energy.

Ashish Rajan: [00:34:41] Wow. Well, I am totally, I guess, exuding energy into it throughout the interview as well. That’s somewhat awesome.

I’ve got one more question on the comment from the previous posts from Taylor Harrison. His question was, what’s the number one most exploited security weakness from malicious hackers? In your [00:35:00] opinion? It can be high level and agnostic rather than religious specific system.

Chris Cochran: [00:35:06] You want that one, Ron?

Ronald Eddings: [00:35:07] the number one most exploited.

Chris Cochran: [00:35:10] Vulnerability

Ashish Rajan: [00:35:11] about security, weakness, vulnerability from malicious hackers.

Ronald Eddings: [00:35:14] Oh, okay. Yeah. That’s an easy one. It’s humans. Exactly.

Chris Cochran: [00:35:19] I mean, it sounds cliche. It really does sound cliche. Oh, come on, like, no, really, what is the number one vulnerability? But I mean, that is it. Because a lot of the attack vectors, you need a human being to be a part of it, so that’s absolutely the number one.

Ashish Rajan: [00:35:37] Sweet, and that’s a great answer. I think Jacqueline, just this one, are you guys on the chat as well too? She’s already a felon fan of you guys and she’s just gonna check out the Patreon track. So I’m going to leave it on the comment as well for, I guess I’ll just check out. So you guys are definitely doing an awesome job in that space.

I think this is towards the end of our, the last segment, and [00:36:00] so just fun questions, non-technical questions. Feel free to answer as much or as little as you want. The first one is what do you spend most time on when you’re not working on technology?

Chris Cochran: [00:36:13] The podcast, I literally wake up thinking about the podcast and I go to sleep thinking about the podcast.

Ashish Rajan: [00:36:19] Wow. That is awesome. What about you, Ron?

Ronald Eddings: [00:36:23] Same here. Same here. We’re, we’re constantly, you know, strategizing and talking about it. So I would have to say podcasts. If I had to give something else, if someone wanted another answer besides that, because Chris just gave it away, when we weren’t locked down, I spent a lot of time in the gym, so maybe like an hour and a half a day.

Just hanging out, working out. Yeah, little escape,

Ashish Rajan: [00:36:49] like weightlifting or that, like more cardio or,

Chris Cochran: [00:36:53] Ron’s a beast

Ronald Eddings: [00:36:54] lifting and yoga. I love, I love yoga.

Ashish Rajan: [00:36:58] Red needed to flex those guns. Man.

[00:37:00] Flex your guns though.

Thanks. Thanks for the flex, man. I’m praying. I’m pretty sure we are impressed already. I guess, pre-lockdown, I guess it’s funny cause I think the only reason I started Virtual Coffee with Ashish was because pre-lockdown, I used to have coffee with a lot of people, like new people or reach out to them and meet up, meet them out for coffees.

But lockdown has kind of forced me to start the thing as well. Otherwise it wasn’t like a thing. And I’m like, Oh, I’ll watch your coffees. So it’s a great answer. I’m actually curious, and this may maybe a slightly or flag, but what’s the goal for your podcast? How you guys are so passionate about it.

Chris Cochran: [00:37:53] The purpose or the ultimate goal, like the end goal of the podcast? Ooh,

Ashish Rajan: [00:37:58] maybe let’s talk man [00:38:00] the goals first and then come back. Maybe it’s part of the purpose and then go with the goal. I’m happy to hear bullets.

Chris Cochran: [00:38:05] I’ll take purpose if you take the goal, Ron. Does that sound fair? Yeah. The purpose of this podcast is to reveal and highlight high performers across cyber security and to share experience, knowledge and advice to get people from where they are currently to where they want to be. We want to supply top 10, top-tier information to the top 1% of cybersecurity practitioners. We want people that wake up, eat, breathe this stuff to be able to be their best every single day when they go into the office.

So any information that will supply them to be able to do that is what we’re looking for. So stuff like mindfulness, we’re looking for stuff like fitness, nutrition. What are the things on the fringes of cybersecurity that people need to know to bring their best a

Ashish Rajan: [00:38:56] game? Oh [00:39:00] yeah.

Ronald Eddings: [00:39:01] And the goal kind of going forward, right, is to spread it further.

Kind of go into other areas, but also adopt areas outside of cybersecurity, more so general to technology. So looking at the technology practitioners, cause there’s so much overlap. There’s so many interesting stories, there’s so many reasons why people are the way they are and know the things that they do.

So we have a great network and we’re seeing opportunities to mingle with other people’s network and bring them on the podcast. We’ve been learning a lot, and it’s great to give all that information back to the community.

Ashish Rajan: [00:39:40] That was awesome. I love the, it’s a probably, this is kind of why I feel like I got attracted towards Hacker Valley Studio is because it’s, it feels so selfless and not in a bad way.

It’s more to the point that you guys are trying to help the community and share the information. It’s not about how awesome I am and how sexy my voice is. Like [00:40:00] it’s more about giving back to the community and what you could be doing more. And I love the angle that you kind of brought in from. Because each cyber security person is multiple layers.

We don’t just have, I guess someone goes to the gym for an hour and a half and I’m sure you like to mow the lawn from the cat. Looks suffered like Chris and

Chris Cochran: [00:40:20] unfortunately I do not mow my lawn, but I do work out as well. I just usually let Ron take all the fitness stuff because he is in way better shape than I am.

Ashish Rajan: [00:40:34] Jack and Ron is just like the more cut, shaken breakfasts. He shared it like,

I love the fact that you guys are bringing in the other elements of the cybersecurity community as well. That it’s not just about knowing how amazing, I guess a blue team or a purple team or writing you are at smart fitness and other things as well. It’s amazing. So is that something that you’ve already set foundations for [00:41:00] or is that stole?

It’s slowly going to get added into Hacker Valley Studio.

Chris Cochran: [00:41:04] It’s been since day one, since day one. The very first episode was this concept of site cyber alchemy. Like what does that even mean? Right? So it’s actually still up on Apple or Google podcasts. Just go check it out. But yeah. I mean, what were we, like three episodes in where we brought somebody in to talk about fitness and nutrition?

It’s been a part of who we’ve been this entire time. I think it’s taken time for us to dial in and have people be like, Oh, I get it, what they’re doing. Cause in the beginning it seemed chaotic. Like first we’re talking about threat intelligence. All of a sudden we’re talking about, you know, meditation, like what is this podcast?

But people are starting to get it and they’re starting to love it.

Ashish Rajan: [00:41:43] Oh, wow. That’s more like a holistic view of cyber security as well. Actually talking about connecting to the community, in sort of just going, here’s some amazing hacker content. Then go and protect yourself from all the bad hackers out there.

Chris Cochran: [00:41:57] Right.

Ashish Rajan: [00:41:57] Sweet. All right. I’m going to continue with [00:42:00] the fun question, but this is a great answer. Thank you for sharing that. What is something that you’re proud of but you don’t have, but you don’t have on social media? Who wants to take this first?

Chris Cochran: [00:42:10] You said, but we don’t have it on social media?

Ashish Rajan: [00:42:12] Yeah.

You don’t have it on social media.

Ronald Eddings: [00:42:16] There’s something for me, non-related to work or cybersecurity, but I don’t use, I don’t use social media too much, so I don’t post a lot of personal things. I post a lot of things that I read, things that Chris and I are doing, things that you know about these types of conversations.

But one thing that I’m proud of was my sisters recently came to visit and we went up to Napa Valley. It was a great trip. We rented a bus that day. It was a beautiful day out. That was just a coincidence. I didn’t plan that part. But, but it was a great day, and it’s going to be, you know, something that we remember for quite a long time.

Chris Cochran: [00:42:59] Yeah.

[00:43:00] Ashish Rajan: [00:43:00] What about you, Chris?

Chris Cochran: [00:43:01] Yeah. I’d say the one thing that I don’t like to brag about because I feel like it’s more of a duty and a service that I do than for something for me to like be, Hey guys, look at me. Look what I do. But I have, I have mentees that I talk to on a regular basis. I help coach people like through their career.

I help coach them through life. All the people that reach out, just, maybe sometimes we’ll bring up like reviews, like on the podcast or, you know, some nice things that people say about the podcast. But I rarely share the deep, intimate stories that people share with me and with Ron about how, you know, the podcast has actually changed their life.

And that’s a huge driver for us to keep doing what we’re doing. And it’s a good signal for us because we know that we’re doing stuff that changes people’s lives. In some, some ways, people have reached out to us and said that, Oh, I got promoted because of the content that you guys are producing.

And that’d be, that’d be [00:44:00] great social media stuff, but I don’t think that’s something that needs to be shared. I think there are some things that can be left sacred and you can keep with yourself and feel good about it. It’s like, you know, doing something for a charity or, you know, donating something fantastic to a school.

If you posted it on Instagram because you want likes, I mean, that kinda takes away from it to be honest. So, you know, doing something just because it’s the right thing to do and it makes you just feel good inside, I think is a great thing. Sweet

Ashish Rajan: [00:44:32] and I think I lost Ron. He’s back again. But yeah, you’re back, man.

Wrong button. It does it wrong. Easy button

Chris Cochran: [00:44:47] escape.

Ashish Rajan: [00:44:49] That’s pretty much it. Chris is on again, let me just pretend to disconnect. So Ron, I think you’ve kind of shared your Napa Valley thing [00:45:00] as well. A lot. Napa Valley experience. And you mentioned talking about the weather is better, not usually great in Napa Valley being a winery. Is that why you kind of mentioned the great weather?

Ronald Eddings: [00:45:10] Well, we went, this was in February. In February is still kind of a rainy season. It’s not as sunny, so I’ll, right. It might not be as beautiful.

Ashish Rajan: [00:45:21] Right, right. Sorry, I just told like why I’ve mentioned to the national, the weather, like the rainbow

Chris Cochran: [00:45:29] there is great weather. I heard it though, for sure.

Ashish Rajan: [00:45:31] You know, and sorry, coming back to you, Chris, I would have thought you would have put in your comedy, but then I realized you actually did post about your comedy

Chris Cochran: [00:45:38] stuff.

Yeah, I did. So like a lot of the things that I do, the, the uncomfortable situations that I put myself in, I do share those because I do feel like people can learn that, Oh man, Chris is putting himself in all types of uncomfortable situations, like stand up comedy, like poetry reading, and Ron is doing the same, same stuff.

So I do share that because I [00:46:00] want people to see like get out of your comfort zone. Being comfortable never made anybody great. So I do share that stuff.

Ashish Rajan: [00:46:07] So I’m curious, what’s the most uncomfortable thing that both of you have done, or maybe it could be together or individually?

Chris Cochran: [00:46:14] Go ahead, Ron.

Ronald Eddings: [00:46:15] The most uncomfortable.

That’s a, that’s a good question. I don’t, I don’t necessarily get uncomfortable too easily, but maybe it would be, I would say dancing, like, kind of being a part of a dancing group. So I do Zumba from time to time, and that’s a little uncomfortable for me, but I still enjoy it. It’s no shame.

But I guess that would be the most thing the most. Wow.

Ashish Rajan: [00:46:45] Cool. Like the spray. I was going to say Zumba too, cause I think they had like an arm BZ EMBA and the other versions as well. Like is there a kind of song Shondra that you kind of prefer doing

Chris Cochran: [00:46:57] the magic.

Ronald Eddings: [00:46:59] Oh, no, no [00:47:00] preference, no preference. But if I do, I do like doing some type of movements that I’m not used to.

So I do enjoy the uncomfortable situations also. So I, I like it all. And I think the latest one that I did was like a HIIT type of Zumba where you’re running all over the place, but still trying to do some type of a dance at the same time. All

Ashish Rajan: [00:47:21] right. I’m going to check that out. Take the name from you for that.

Might get into it as well. What about you, Chris?

Chris Cochran: [00:47:29] Standup comedy. That was, that was the hardest thing I’ve ever done on any stage. So I actually was a dancer before the Marine Corps, and so I travel around the country. I’ve done dance overseas, and that’s easy. Public speaking is easy in comparison to doing standup comedy in front of anybody, in my humble opinion.

I would say I learned so much about not only the craft of comedy by [00:48:00] doing that, but also I learned about, you know, what does good public speaking look like? By doing that, I learned, it seems like I learned a year’s worth of stuff by doing one five minute bit in front of a bunch of amateur comedians at an open mic.

Ashish Rajan: [00:48:18] Whoa. That dude close to both of you for putting yourself in uncomfortable situations. As soon as this is now a selfish question, as someone who has a stand-up comedy sketch or sketch as a bucket list item in my life, what is your recommendation on how long or how quickly were you into, I guess from not doing any stand-up comedy to standing in front of an audience and doing your five minute skit?

Like how, what was that duration like?

Chris Cochran: [00:48:47] Seven days,

Ashish Rajan: [00:48:49] seven

Chris Cochran: [00:48:49] Seven days, seven days. Me and my brother, we had a, we always challenge each other on so many different levels. We actually did a fitness [00:49:00] competition where we did a, we did physical comedy for like three minutes, and we ended up winning an award for it.

It was, it was great, but the standup comedy bit, we were both headed to LA. We were just hanging out. We were gonna go to Universal Studios, things like that. And my brother was like, Hey, let’s challenge ourselves when we go down there. I was like, alright, what do you want to do? He was like, I don’t know.

What do you think? I was like, stand up comedy. Let’s do it. He’s like, all right, it’s done. We were going to go to the softball place, like softball is in like an easy, like almost like a comedy school, in the beginning. And we show up. We have our five minutes all set up, cause my brother and I, we just kept going back and forth, iterating and trying to get it better.

And we went to the place and it was closed. I was like, Oh my gosh. I was like, we put all this work into doing comedy. We’re doing comedy today. So we did. We looked on Google. We were like, where’s the nearest thing? And there’s this studio, this, this club called the Laugh [00:50:00] Factory down in LA. I mean, these are where serious comedians have been.

Like some of the best names in comedy have performed at the Laugh Factory. And

Ashish Rajan: [00:50:11] sorry, it’s gone.

Chris Cochran: [00:50:12] Oh yeah. So actually I take it back. It wasn’t the Laugh Factory, it’s the Ha Ha club. There we go. Oh yeah, it must be, yeah, the Ha Ha club. And so we went to the Ha Ha club and my stress level went from here to here because not only was I going to be doing this in front of people that were just coming in from off the street just to enjoy comedy, but there were probably like 16 or 17 amateur comedians that were going on as well.

So these would be with have been doing it for years and here we are. My brother and I, first time doing comedy, stepping up in front of this shark tank of a, of an audience. But it was, it was an awesome experience. Wow.

Ashish Rajan: [00:50:51] Have you done comedy, Ron, stand-up comedy before?

Ronald Eddings: [00:50:54] We, we were actually gonna plan on it, Chris, myself and another friend, but we [00:51:00] never got around to it.

We did poetry. We held ourselves to that, but we didn’t have a set plan to do comedy for comedy stand up. But I definitely would. That’s definitely something that I know would make me uncomfortable. But you learn so much and there’s nothing better than being a great storyteller and also a great comedian.

Ashish Rajan: [00:51:20] Oh, I’m uncomfortable to ask you. What’s the next uncomfortable thing that you guys have planned? Can you do it?

Chris Cochran: [00:51:27] Who? I don’t know. I don’t know. Uncomfortable thing. I feel like there’s not much left. Maybe skydive or something.

Ashish Rajan: [00:51:37] Well, yeah, I’ll let you go without, cause I kind of feel like if every, if I have to sign a waiver form anywhere.

Like my Brown guy person takes in. I’m like, not if you weren’t assigned, this is not me. Alright. One more final question. What’s your favorite cuisine or restaurant that you can share?

Chris Cochran: [00:51:59] Yeah. My [00:52:00] favorite meal that I’ve ever had in my entire life was in Hawaii at a place called Sushi Sho. Sushi Sho does two dinners a night, 10 seats.

That’s it. Usually I have to book it months in advance. I was able to call that day and I was like, please tell me you have an opening. And they said, yeah, we have one, and I was out there for work and I went, and I tell you what, it is the absolute closest I’ve come to crying because of how good the food tasted.

Ron and I, we, we are fine diners, we love a good meal. We did Minibar in DC. We’ve done Manresa here in the Bay Area. But for me, that, that actual meal’s number one

Ashish Rajan: [00:52:43] or. I got ready to try it. I can’t wait to try it out. What about you, Ron?

Ronald Eddings: [00:52:48] So are we talking about best meal or just like favorite type of cuisine?

Ashish Rajan: [00:52:53] You can typically either.

Ronald Eddings: [00:52:57] All right. I’ll give both a shot. For me, [00:53:00] the, the best meal that I can recall off the top is being in the Philippines and we ended up getting stranded because there was a typhoon, it was typhoon season, was around, I think, September. And I was with some friends and their family.

So we ended up getting stranded on an island and the waters were too rough to go back to the bigger island that we were on. And luckily for us, some fishermen also got stranded with us. And they had already had their catch. So we had like a seafood from them. It was the freshest that I’ve ever had.

It literally off the boat right to us, cooked up. We had squid. We had scallops fresh. I never saw a scallop in its shell until that time. And it was absolutely delicious. Favorite food, I would say right now, I [00:54:00] love a great cooked steak. Like if you cook a great steak, would love to have it,

Ashish Rajan: [00:54:07] but the other protein right.

Hashtag gains

Well, that, that was pretty much all the questions that I had. And then thank you so much for taking the time out, Chris and Ron, it’s way, it’s been really informative and it’s also been really good to know you both as, as people as well. And I’m glad we were able to share the messaging and the purpose that you guys started Hacker Valley Studio with as well.

So hopefully it sounds like looking at the comments and number of views and stuff as well. It looks like a lot of people got some value from it as well. So this is amazing. I enjoyed a lot of our conversation, so thank you so much for taking the time out. Really appreciate that.

Chris Cochran: [00:54:43] Thanks for having us. This is great.

Ashish Rajan: [00:54:45] Well, people who want to reach out to you guys, you can probably shout out your socials. I’m going to put them in the link and stuff anyways. Is there a, I think you guys have a website as well. What’s the website that people can reach out to you guys

Chris Cochran: [00:54:58] on. [00:55:00] It’s easy.

Ronald Eddings: [00:55:00] Hacker Valley dot studio

Chris Cochran: [00:55:02] easiest website ever.

Ashish Rajan: [00:55:04] Studio full few hundred for us. We’ll be here like Chris and Ron, from Hacker Valley Studio. Thanks so much for taking the time out guys. I’m really, I’m really thankful that you guys did and share, so to candidate responds to a lot of questions as well. Thank you so much. I’m going to stop the podcast, but I just want to, I’m looking forward to having another while I guess many of the conversations with you guys

Chris Cochran: [00:55:27] at this site.

Ronald Eddings: [00:55:28] Absolutely. All right. Thank you

Ashish Rajan: [00:55:30] so much.