Exploring Cribl: Sifting Gold from Data Noise for Cost and Security

Summary:

Timothy De Block and Ed Bailey, a former customer and current Field CISO at Cribl, discuss how the company is tackling the twin problems of data complexity and AI integration. Ed explains that Cribl's core mission—derived from the French word "cribé" (to screen or sift)—is to provide data flexibility and cost management by routing the most valuable data to expensive tools like SIEMs and everything else to cheap object storage. The conversation covers the 40x productivity gains from their "human in the loop AI", Cribl Co-Pilot, and their expansion into "agentic AI" to fight back against sophisticated threats.

Cribl's Core Value Proposition

  • Data Flexibility & Cost Management: Cribl's primary value is giving customers the flexibility to route data from "anywhere to anywhere". This allows organizations to manage costs by classifying data:

    • Valuable Data: Sent to high-value, high-cost platforms like SIEMs (Splunk, Elastic).

    • Retention Data: Sent to inexpensive object storage (3 to 5 cents per gigabyte).

    • Matching Cost and Value: This approach ensures the most valuable data gets the premium analysis while retaining all data necessary for compliance, addressing the CISO's fear of missing a critical event.

  • SIEM Migration and Onboarding: Cribl mitigates the risk of disruption during SIEM migration—a major concern for CISOs—by acting as an abstraction layer. This can dramatically accelerate migration time; one large insurance company was able to migrate to a next-gen SIEM in five months, a process their CISO projected would have taken two years otherwise.

  • Customer Success Story (UBA): Ed shared a story where his team used Cribl Stream to quickly integrate an expensive User and Entity Behavior Analytics (UBA) tool with their SIEM in two hours for a proof-of-concept. This saved 9-10 months and the deployment of 100,000 agents, providing 100% value from the UBA tool in just two weeks.

AI Strategy and Productivity Gains

  • "Human in the Loop AI": Cribl's initial AI focus is on Co-Pilot, which helps people use the tools better. This approach prioritizes accuracy and addresses the fact that enterprise tooling is often difficult to use.

  • 40x Productivity Boost: Co-Pilot Editor automates the process of mapping data into complex, esoteric data schemas (for tools like Splunk and Elastic). This reduced the time to create a schema for a custom data type from approximately a week to about one hour, representing a massive gain in workflow productivity.

  • Roadmap Shift to Agentic AI: Following CriblCon, the roadmap is shifting toward "agentic AI" that operates in the background, focused on building trust through carefully controlled and validated value.

  • AI in Search: The Cribl Search product has built-in AI that suggests better ways for users to write searches and utilize features, addressing the fact that many organizations fail to get full value from their searching tools because users don't know how to use them efficiently.

Challenges and Business Model

  • Data Classification Pain Point: The biggest challenge during deployment is that many users "have never really looked at their data". This leads to time spent classifying data and defining the "why" (what is the end goal) before working on the "how".

  • Vendor Pushback and MSSP Engagement: Splunk previously sued Cribl over cost management, though resulting damages were only one dollar, demonstrating that some vendors initially get upset. However, Cribl is highly engaged with MSSP/MDR providers because its flexibility dramatically lowers their integration costs and time, allowing them to get paid faster and offer a wider suite of services.

  • Pricing Models: Cribl offers two main models:

    • Self-Managed (Stream & Edge): Uses a topline license (based on capacity/terabytes purchased).

    • Cloud (Lake & Search): Uses a consumption model (based on credits/what is actually used).

  • Empowering the Customer: Cribl's mission is to empower customers by opening choices and enabling their goals, contrasting with other vendors where it's "easy to get in, the data never gets out".

Support the Podcast:

Enjoyed this episode? Leave us a review and share it with your network! Subscribe for more insightful discussions on information security and privacy.

Contact Information:

Leave a comment below or reach out via the contact form on the site, email timothy.deblock[@]exploresec[.]com, or reach out on LinkedIn.

Check out our services page and reach out if you see any services that fit your needs.

Social Media Links:

[RSS Feed] [iTunes] [LinkedIn] [YouTube]


Exploring the Next Frontier of IAM: Shared Signals and Data Analytics

Summary:

Timothy De Block sits down with Matt Topper of UberEther to discuss the critical intersection of Identity and Access Management (IAM) and the current cyber threat landscape. They explore how adversaries have shifted their focus to compromising user accounts and non-human identities, making identity the "last threat of security". Matt Topper argues that most enterprise Zero Trust implementations are merely "VPN 2.0" and fail to integrate the holistic signals needed for true protection. The conversation dives into the rise of cybercrime as a full-fledged business, the challenges of social engineering, and the promising future of frameworks like Shared Signals to fight back.

Key Takeaways

The Identity Crisis in Cybersecurity

  • The Easiest Way In: With security tooling improving, attackers focus on compromising user accounts or stealing OAuth tokens and API keys to gain legitimate access and exfiltrate data.

  • Cybercrime as a Business: Cybercriminal groups now operate like legitimate businesses, with HR, marketing, and executives, selling initial access and internal recon capabilities to other groups for a cut of the final ransom.

  • The Insider Threat: Cybercriminals are increasingly paying disgruntled employees for their corporate credentials, sometimes offering a percentage of the final ransom (which can be millions of dollars) or just a few thousand dollars.

  • Social Engineering the Help Desk: Attackers easily bypass knowledge-based authentication (KBA) questions because personal data has been leaked and they exploit the help desk's desire to be helpful under pressure to gain access.

Zero Trust, Non-Human Identity, and the Path Forward

  • Zero Trust is Underwhelming: Matt Topper views most enterprise implementations of Zero Trust as overly network-centric "VPN 2.0" that fail to solve problems for multi-cloud or SaaS-based organizations. True Zero Trust is a holistic strategy that requires linking user, device, and machine-to-machine signals.

  • The Non-Human Identity Problem: Organizations must focus on mapping and securing non-human identities, which include API keys, service accounts, servers, mobile devices, and runners in CI/CD pipelines. These keys often have broad access and are running unchecked.

  • Shared Signals Framework (SSF): A promising solution developed by the OpenID Foundation, SSF allows large vendors (like Microsoft, Google, and Salesforce) to share risk and identity signals. This allows a company to automatically revoke a user's session in a third-party application if a compromise is detected by the identity provider.

  • User Behavior Analytics (UBA): Effective security requires UBA, such as tracking users' browsing habits and using data analytics to establish a baseline of normal behavior, moving toward the "Moneyball" approach seen in sports.
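The Shared Signals flow described above, as an added example that is not from the episode or the OpenID Foundation: a receiver validates a CAEP `session-revoked` Security Event Token from the identity provider and tears down the matching local sessions. It assumes an HMAC demo key, placeholder issuer/audience URLs and a constructed session table; real transmitters sign with keys published via JWKS.

```python
import base64, hashlib, hmac, json

SESSION_REVOKED = "https://schemas.openid.net/secevent/caep/event-type/session-revoked"  # CAEP event type
ISS, AUD = "https://idp.example", "https://saas.example"  # assumed transmitter and receiver identifiers

def b64u(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def unb64u(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_set(claims: dict, key: bytes) -> str:
    """Transmitter side: HS256-signed SET (demo only; real SSF transmitters publish keys via JWKS)."""
    head = b64u(json.dumps({"alg": "HS256", "typ": "secevent+jwt"}).encode())
    body = b64u(json.dumps(claims).encode())
    return f"{head}.{body}." + b64u(hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest())

def verify_set(token: str, key: bytes) -> dict:
    """Receiver side: check signature, alg, issuer and audience before trusting any event."""
    head, body, sig = token.split(".")
    want = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(want, unb64u(sig)):
        raise ValueError("bad signature")
    if json.loads(unb64u(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    claims = json.loads(unb64u(body))
    if claims.get("iss") != ISS or claims.get("aud") != AUD:
        raise ValueError("wrong issuer or audience")
    return claims

def handle_set(token: str, key: bytes, sessions: dict, seen: set) -> list:
    """Revoke local sessions (id -> {"email": ...}) named by a session-revoked event; seen = processed jti."""
    claims = verify_set(token, key)
    if claims["jti"] in seen:                # SETs may be redelivered; act only once
        return []
    seen.add(claims["jti"])
    revoked = []
    for etype, payload in claims.get("events", {}).items():
        if etype == SESSION_REVOKED:         # other CAEP/RISC events need their own handlers
            subject = claims.get("sub_id") or payload.get("subject", {})   # SSF 1.0 vs older CAEP
            for sid in [s for s, v in sessions.items() if v["email"] == subject.get("email")]:
                sessions.pop(sid)
                revoked.append(sid)
    return revoked
def demo() -> tuple:
    """Constructed sample: the IdP reports alice's session as revoked; bob's session stays."""
    key, seen = b"shared-demo-secret", set()
    sessions = {"s1": {"email": "alice@example.com"}, "s2": {"email": "bob@example.com"}}
    token = make_set({"iss": ISS, "aud": AUD, "jti": "evt-1", "iat": 1700000000,
                      "sub_id": {"format": "email", "email": "alice@example.com"},
                      "events": {SESSION_REVOKED: {"event_timestamp": 1700000000}}}, key)
    return handle_set(token, key, sessions, seen), handle_set(token, key, sessions, seen), sorted(sessions)
```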

Data Quality and the IAM Challenge

  • Data Quality is Broken: Many problems in IAM stem from poor data quality in source systems like HR and Active Directory, where there is no standardization, legacy data remains, and roles are misaligned.

  • Selling Security to Marketing: To gain funding and traction for UBA and data analytics, security teams should pitch the problem to the marketing team by showing how it can track user behavior, prevent fraud (like "pizza hacks" from rewards program abuse), and save the company money in chargebacks.

Resources & Contact

  • UberEther: Matt Topper's company, which focuses on integrating identity access management tools to build secure systems right from day one.

  • Shared Signals Framework (SSF): A framework from the OpenID Foundation for sharing security and identity signals across vendors.


What is the 2025 State of the API Report From Postman?

Summary:

Timothy De Block is joined by Sam Chehab to unpack the key findings of the 2025 Postman State of the API Report. Sam emphasizes that APIs are the connective tissue of the modern world and that the biggest security challenges are rooted in fundamentals. The conversation dives deep into how AI agents are transforming API development and consumption, introducing new threats like "rug pulls", and demanding higher quality documentation and error messages. Sam also shares actionable advice for engineers, including a "cheat code" for getting organizational buy-in for AI tools and a detailed breakdown of the new Model Context Protocol (MCP).

Key Insights from the State of the API Report

  • API Fundamentals are Still the Problem: The start of every security journey is an inventory problem (the first two CIS controls). Security success is a byproduct of solving collaboration problems for developers first.

  • The Collaboration Crisis: 93% of teams are struggling with API collaboration, leading to duplicated work and an ever-widening attack surface due to decentralized documentation (Slack, Confluence, etc.).

  • API Documentation is Up: A positive sign of progress is that 58% of teams surveyed are actively documenting their APIs to improve collaboration.

  • Unauthorized Access Risk: 51% of developers cite unauthorized agent access as a top security risk. Sam suspects this is predominantly due to the industry-wide "hot mess" of secrets management and leaked API keys.

  • Credential Amplification: This term is used to describe how risk is exponential, not linear, when one credential gains access to a service that, in turn, has access to multiple other services (i.e., lateral movement).
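To make the "credential amplification" point concrete, here is an added example (not from the episode or the report) that walks a constructed credential-to-service access graph and reports how far one credential reaches transitively, so rotation and expiration policy can be prioritised by blast radius rather than by direct access count. All credential and service names are made up.

```python
from collections import deque

# Constructed sample access graph (not from the episode): which services a credential
# unlocks, and which further credentials can be harvested once a service is reached.
CRED_TO_SERVICES = {
    "laptop-ssh-key": {"bastion"},
    "bastion-role":   {"ci-runner"},
    "ci-token":       {"artifact-repo", "prod-deploy"},
    "deploy-key":     {"prod-db", "payments-api"},
    "readonly-token": {"wiki"},
}
SERVICE_TO_CREDS = {
    "bastion":     {"bastion-role"},
    "ci-runner":   {"ci-token"},
    "prod-deploy": {"deploy-key"},
}

def blast_radius(start: str, c2s=CRED_TO_SERVICES, s2c=SERVICE_TO_CREDS) -> dict:
    """Breadth-first walk from one credential through the services it opens and the
    credentials those services expose. Returns every reachable service with the number
    of credential hops needed, so direct (linear) vs transitive (amplified) access is visible."""
    reach, seen_creds = {}, {start}
    queue = deque([(start, 1)])
    while queue:
        cred, hop = queue.popleft()
        for svc in c2s.get(cred, ()):
            if svc not in reach:
                reach[svc] = hop
                for nxt in s2c.get(svc, ()):
                    if nxt not in seen_creds:
                        seen_creds.add(nxt)
                        queue.append((nxt, hop + 1))
    return {"services": reach, "credentials": seen_creds - {start}}

def rank_for_rotation(c2s=CRED_TO_SERVICES, s2c=SERVICE_TO_CREDS) -> list:
    """Order credentials by transitive reach: where expiration and revocation policy should bite first."""
    rows = []
    for cred in c2s:
        r = blast_radius(cred, c2s, s2c)
        rows.append((cred, len(c2s[cred]), len(r["services"])))   # (name, direct, transitive)
    return sorted(rows, key=lambda row: (-row[2], row[0]))
```

The laptop key opens one service directly but six transitively; the sorted output is the rotation queue.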

AI, MCP, and New Security Challenges

  • Model Context Protocol (MCP): MCP is a protocol layer that sits on top of existing RESTful services, allowing users to generically interact with APIs using natural language. It acts as an abstraction layer, translating natural language requests into the proper API calls.

  • The AI API Readiness Checklist: For APIs to be effective for AI agents:

    • Rich Documentation: AI thrives on documentation, which developers generally hate writing. Using AI to write documentation is key.

    • Rich Errors: APIs need contextual error messages (e.g., "invalid parameter, expected X, received Y") instead of generic messages like "something broke".

  • AI Introduces Supply Chain Threats: The "rug pull" threat involves blindly trusting an MCP server that is then swapped out for a malicious one. This is a classic supply chain problem (similar to NPM issues) that can happen much faster in the AI world.

  • MCP Supply Chain Risk: Because you can use other people's MCP servers, developers must validate which MCP servers they're using to avoid running untrusted code. The first reported MCP hack involved a server that silently BCC'd an email to the attacker every time an action was performed.

Actionable Advice and Engineer "Cheat Codes"

  • Security Shift-Left with Postman: Security teams should support engineering's use of tools like Postman because it allows developers to run security tests (load testing, denial of service simulation, black box testing) themselves within their normal workflow, accelerating development velocity.

  • API Key Management is Critical: Organizations need policies around API key generation, expiration, and revocation. Postman actively scans public repos (like GitHub) for leaked Postman keys, auto-revokes them, and notifies the administrator.

  • Getting AI Buy-in (The Cheat Code): To get an AI tool (like a Postman agent or a code generator) approved within your organization, use this tactic:

    1. Generate a DPA (Data Processing Agreement) using an AI tool.

    2. Present the DPA and a request for an Enterprise License to Legal, Security, and your manager.

    3. This demonstrates due diligence and opens the door for safe, approved AI use, making you an engineering "hero".

About Postman and the Report

  • Postman's Reach: Postman is considered the de facto standard for API development and is used in 98% of the Fortune 500.

  • Report Origins: The annual report, now in its seventh year, was started because no one else was effectively collecting and synthesizing data across executives, managers, developers, and consultants regarding API production and consumption.

Resources

The Developer’s Guide to AI-Ready APIs - Postman

Agent Mode - Postman

First Malicious MCP Server Found Stealing Email in Rogue Postmark-MCP Package - The Hacker News


ShowMeCon 2018 Live

This panel episode of the Exploring Information Security podcast is the first ever podcast panel at ShowMeCon 2018!

Amanda Berlin (@InfoSystir), Wik (@jaimefilson), David Cybuck (@dpcybuck), April Wright (@aprilwright), and Dave Chronister (@bagomojo) join me on the live EIS panel at ShowMeCon, June 7, 2018. This is the first panel I've ever done for the podcast. It went so well, I hope to do more in the future. We cover a variety of topics and have a few laughs.

YouTube version

In this episode we discuss:

  • What's coming back in vogue

  • What to do with master ID

  • What our thoughts are on new password policies from NIST

  • How to handle best practices