In this episode, we speak with JP Bourget: virtual CISO, industry expert, and recovering SOAR founder. We discuss JP's unorthodox career progression and explore how Microsoft is set to take over the security market using software bundling. JP provides unique insights given his history as a founder paired with his experiences working with multiple companies at a high level; we hope you enjoy it as much as we did.
Welcome to the Cyber Thoughts podcast, where we explore the world of cybersecurity through the eyes of practitioners and leaders in the field. In each episode, we invite a guest from the world of Infosec to share their insights and expertise on the latest trends and developments in the cybersecurity market.
Whether you're a seasoned Infosec professional or just starting in the field, this podcast is for you; our guests will provide valuable insights and perspectives on the challenges and opportunities facing the Infosec market.
Join us as we delve into the world of Cybersecurity and learn from the experts on the Cyber Thoughts podcast.
PODCAST TRANSCRIPT
[00:00:00] Lucas Nelson: Welcome to Adventures in InfoSec, where we explore the area of cybersecurity through leaders in the field. Today it is my pleasure to welcome JP Bourget, I've known JP since he was a founder, and he's now an EIR at Lytical Ventures. When I first met JP, he was a founder of a SOAR company, which he then sold, and since then he's been doing work along with being a CISO for a mid-size company. So without further ado, JP, how's it going?
[00:00:26] JP Bourget: Well, not bad. We're, up here in Rochester and, we did not get six feet of snow, so we're doing good.
[00:00:36] Lucas Nelson: Well, as long as you can dig yourself out, you're in good, shape there. So, why don't we start with your career in, InfoSec. How did you get started in cyber security?
[00:00:48] JP Bourget: Yeah. So, I grew up in Buffalo. I moved to Rochester in my, early twenties. I ended a restaurant career to go into computers and, so I went to community college. Then that led to, RIT, Rochester Institute Technology. And, I got a bachelor's in it, and then I ended up, getting convinced, not convinced, but I, got interested in cyber right around then.
I went to my first Defcon, my first ShmooCon, in 2005. So then I went on and got a master's in cybersecurity. Fast forward a few years, to maybe 2010, I found myself, I was teaching, as an adjunct in the evening, and I was, functionally a CIO during the day at a manufacturing company, based in Rochester, New York. And, a couple of years later I got really into cycling and I went to my boss, I said, Hey, I wanna take next summer off to ride a bicycle across the US. And he kind of looked at me funny and said, well, I'll give you a couple of weeks off, but like, I can't give you the summer off. So I actually went to Defcon that summer. And I met this guy called Mike Murray, who, actually passed away a few months ago. But, he was an awesome guy. I met Mike Murray at a company called Matt Security, and I started doing, a subcontract network for them. And, like my kid thinks this is really cool, my first job for them, I went to NASA to teach, like a pen testing class in Alabama.
And then , that led to me, going, flying around the world for, for mad, doing subwork for McAfee. Fixing sim deployments and doing net new sim deployments. And so I, got to see. Lots of different environments from global fives to random companies in California or Australia. A little bit of government work here and there.
And as I was on that journey, now we're in 2013. I kind of noticed a problem. And so, I did do the bike ride, by the way, in 2013. Took six or seven weeks off, and we rode from the east coast to the west coast. Stopped at Defcon, raised the money for the EFF. It was a great time. It was actually almost 10 years ago.
Lucas Nelson: Who was the we in that story? I'm sorry, who was the we in that story?
JP Bourget: Oh, so it was, Bruce Potter, who runs Shmoocon, and myself. And his wife Heidi actually. Heidi is, you know, the other, you know, she, she, she's the real operator behind Shmoocon. But, Bruce and Heidi and, their family went and my dad came also. And then, we had 2 follow cars and, you know, we learned that the country's way bigger than you think it is. You know, that's a story, for another day. But, you know, I went to parks, the country I would've never gone to otherwise amazing hospitality in places you would not think, you know. And, you learn how to live without telephone service for a week and a half. So, yeah. No, but it was a ride. It definitely was a challenge.
[00:03:34] Lucas Nelson: And you're doing, security incident, response management, sim deployments, and that's when you kind of start to get the idea to pivot into being a founder.
[00:03:43] So let's, let's talk about that idea and the founder journey.
[00:03:46] JP Bourget: Well, yeah, that's where I was going. Yeah. As I was doing all these sim deployments or sim, I'm trying not to, I won't square, but sim repair going in and, and fixing things. I noticed that organizations or security teams didn't have the people, the process, the skillset, or the tools to, really handle alerts or respond to incidents.
And so I started, working with a guy, Mike Pinch, who at the time was the CSO of the University of Rochester, and we tried to actually create a case management or a ticketing system for the SOC or for security operations in, a GRC product called R-SAM. And, we failed miserably. It was just not built for the use case, etc, etc.
So, we had the bright idea to go start a company. Or I had the brand idea to go start a company. I didn't even realize I had a software company until the year end, but, you know, that's a whole other thing. But, you know, I was very naive. I didn't really know what I was doing. But we basically went and built an MVP.
I tried to raise money in upstate New York, which is, not an easy place to raise for software. And, so we ended up moving down to DC and, we got into mock 37 and that's kind of when things started to, take. And so now we're in 2015. So, so we graduated mock three seven in fall of 2014.
Yeah, so Mock 37, it still exists, although in a different form. It was a cyber security product accelerator, based out of, Northern Virginia run by, guy Rick Gordon. And Bob Stratt and then another guy, Dan Willie. They all got together and built this model to essentially have a, I think it was a 13 or 14 week boot camp to launch founders to, to help launch companies.
And, I have to say that like my master's degree followed by my bike ride, followed by mock 37 were 3 key points in my career progression. Of me kind of going to the next level. And, the team that Rick and Strat and Dan put together, I got injected in this boys and girls club of people who had built billion dollar companies.
Who would, you know, founding Secretary of DHS came and had dinner and told us his story. Like, the amount of like, support and perspective I was able to get from that really, changed the game for me. So, yeah, so, look like we hired f you know, I was the CEO and founder for three years.
We hired, another CEO and I went back to being like an innovator, a geek. And, one thing led to another and, we sold the swim lane in 2020. And then, you know, since then I've started consulting, consulting company, which is, really based on helping. Security operations centers, mature. You know, we kind of go in and we do an assessment and we try to meet them where they are.
When I was doing the soar, when I, when I was in the SOAR business, I got to see anywhere from like three to 400 security operations centers over the period of four or five years. And I also got a lot of hands-on work with all the security APIs that exist. And so I've got to see the good, the bad, and the ugly, and I've been able to kind of take that.
Bring obviously the, the better parts to that some of the top 10% of security teams are doing, you know, out to my clients.
[00:07:14] Lucas Nelson: And so during that period, you ended up being an interim CISO for a bit. Can you tell us a little bit about that experience?
[00:07:18] JP Bourget: Yeah, it's really funny. So, a buddy of mine, I'm not gonna use names here, but a buddy of mine, called me up one, I guess it was about a year and three months ago. He called me up on Labor Day weekend. He's like, Hey, can you help me with some work at this client in Rochester? We kind of had something go, you know, had something happen. And, one thing led to another. And, the next day I ended up having a 30 minute interview to be the interim CISO there.
And, so I kind of went into an environment where, the prior CSO. Had had just moved on to a new job and, they needed someone, on the ground. And, so I jumped into about a, a quarter billion dollar or 250 million, private equity funded or, you know, private equity owned business, that was split between the US and India.
And, had a lot of work to do when I went in there and, Some of the more interesting things is, well, and I know we'll talk about Microsoft and, what they're doing in a, in a few moments, but, I was able to ignore risk as a practice for most of my career, but I kind of got forced into it and, I have a very, I have a lot of respect for the people that are trying to go in and manage.
Risk at that, from that perspective. You know, cause I'm really a blue team operator and a blue team, strategy or advisory guy. And, I had to go in and kind of play in the risk world. And, I learned a lot about kind of how it works, how people are successful with it. And not only just in cyber, but how risk plugs into a larger enterprise risk management plan. And, it's hard. especially when you have a private equity business that you know isn't bleeding money it becomes very challenging to balance the goals of, of the shareholders with the goals of, well, let's just say with best practice in cyber or in the larger enterprise risk management space.
[00:09:17] Lucas Nelson: Let me double click on that for a second, because you're talking about risk versus cybersecurity. Can you explain that to, folks that think of cybersecurity, just as a bunch of tools and practices to prevent hackers.
[00:09:30] JP Bourget: Well, I think that, the tools and practices to prevent hackers is just another way to describe risk. So, so, you know, if I'm trying to stop somebody from getting my network, you know, I would identify that as a risk that I could, have an, a, a threat actor, get control of my network. The, thing is, is that in cyber, in information security, which, I'm not prepared to really precisely define the difference. But you know what one is, is kind of everything data related. One is more network and systems and all that, but in information security, risk is not just the meta exploit tool. You know, all the different tools that one might use.
Risk is hey, could a sprinkler system go off in a server room that causes the servers to break? You know, it is. Do we, do we have, You know, the right badge systems. Do we, do we have, the right fraud controls on our bank accounts to get notified when wires happen, right? So it's not just like, Hey, can somebody get past my firewall?
It is what are, it's any event that could disrupt or, either disrupt or totally bring the business to a halt that would cause an impact to revenue and impacts to, our public perception or the optics of how we run as a business or like, you know, from public relations perspective or else, you know, cause harm to employees internally or to, to any asset that we have.
[00:10:57] Lucas Nelson: Where I was really leading is, you know, there's, ways of preventing hackers and there's ways of mitigating risk. And sometimes those two things are, no, we're just gonna hire, we're gonna buy insurance. Right? We'll accept that risk. The hacker might get in, but we're insured, so it's fine.
[00:11:11] Versus if you're a blue team person, your job is to keep people out. So that's, that's where I was driving at. But look, maybe that's not what you're saying.
[00:11:20] JP Bourget: Well, let's click on that for a second. So, I was kind of saying, Hey, well here are types of risk, right? And so for each one of those types of risk, you could risk accept it, right? I think a key challenge, and I actually had a really interesting conversation with somebody, yesterday, who's somebody you should talk to. But, he goes and helps, let's just say Fortune 100's. Rethink or refactor how they're managing risk. And what he's found is that it's very difficult to define, what risk is for the business.
And so, you might have 10 people that are involved somehow in, you know, risk management and organization and they all think something different. So, you could have a sentence written in a piece of paper, and it's almost like developing and design requirements, you know, the agile process, the goal is to get very precise.
Statement that can't be misinterpreted. Well, risk has the same issue where I say, Hey, the risk is like somebody breaks in the front door. Some one person might think that means they stole a badge. Another person might means they take a hammer to the glass. Right? And so being able to actually calculate and present a risk perspective to the leaders organization so they can make better decisions is very difficult.
That said you're totally correct. We're might say, Hey, we fund a risk. Well, we're gonna put a compensating control in place that might be transfer the liability to an insurance company. That might be, we're going to add two factor authentication. That might be we're gonna just accept it, or maybe we're gonna put something, you know, like not to get into minor attack right now, but we might say, Hey, well, if we can identify a piece of the motor attack path that we can actually,
if we have a detection, we can prevent it earlier. Then, you know, that might be how we, how we control it. So, it's, it's all about how do you, how do you actually, well, I guess what I'm trying to say is, the hardest part of that whole process is actually finding a way to characterize the risk so that the people who have to make the decisions can make well-informed decisions that maximized the, the ability for the company to stay operating.
[00:13:39] Lucas Nelson: All right, so it was during this process where you were the interim CISO that you first kind of explained a fundamental change in kind of the Microsoft security ecosystem to me that I thought was really eyeopening. I don't think the world is quite there yet, though. It's probably coming there quickly. So why don't you explain what you think of the Microsoft security ecosystem today and how it works.
[00:14:00] JP Bourget: Okay, so one of the, one of the tasks that, that I was presented with was I had to go and stand up some security operations and reevaluate the endpoint detection response or EDR product that was in place at this company. As, I had been doing some work with Microsoft. It was Azure Sentinel, and that's called Microsoft Sentinel. That's Microsoft's cloud sim. And I had been doing some work with that for some other projects in a adjacent with another product called Cribble that's like, I do a lot of work around like data pipeline engineering and so I actually went out to the market and I had two things to do. I had to identify an MSSP. And I had to identify, not only a potential sim depending on the MSSP, but also, what were we gonna, how were we gonna move our EDR situation forward? And so a couple things happened, so I'm actually gonna give you kind of two. I'm gonna give you something you asked for and something you didn't ask for. So the first one is that, and this is my opinion, is that when I went out shopping for MSSPs, it quickly dawned on me that as I, if I'm, depending on what I'm trying to solve, for a lot of MSSPs. Today, you go and you, you onboard your MSSP, and then there's no off-ramp mssp. So without this off ramp managed security service provider, so this is where you outsource, let's say the initial triage of your security alerts in your organization to a third party, and they respond 24/7. They have, follow this on operations and, they will throw over the fence. Alerts that are concerning or they determine that need get escalated. And so there's really a couple ways that people call that today. So, MSSP there's one acronym managed detection response, which is MDR or Extended Detection and Response, which kind of adds the network component and some other value add. The acronyms in the market are confusing. Everyone kind of marks this slightly differently, but at the end of the day, it's the outsource of the hand of the level one operations of your stock. Sometimes maybe level two also. So back to what I realized was that if I intended on possibly having the SOC of the future, or let's say, I don't know how long I might want to be with, you know, a particular MSSP.
One of the criteria I didn't have in the beginning was like, well, how do I get off of this MSSP? What does my security operation center look like when I go and get, you know, onboard to their product, you know, to their service offering? Sometimes they might bring, you know, their own, case management system, their own, you know, set of tools that they work in. But, if I let's say don't renew my contract, I might just get turned off and so a couple things happen. Is there switching costs? There is the ability for me to there's the ability for me to, or I'm sorry, not ability, but, but I now have to, let's say, onboard my new, my next MSSP six months early and pay double for six months just to make a switch. So one of my criteria became, when I buy an MSSP when I procure this offering, this, you know, security operations outsourcing. I want to be able to own the architecture when I'm done. And so that really changed the lens for me. So anyways, now onto your question. Which is I had some competency with Sentinel. I, you know, I've worked with most of the Sims out there, as you might guess, like with, you know, MacAfee, IBM, you know Microsoft Sentinel, Divo, like, pretty much if the SIM exists, I've at least touched it, if not implemented it many times. We really liked Microsoft Sentinel because it was in the cloud and we could do something that you couldn't do in most other sims, which was, we could actually define detections as code, so we could use a declarative language to say hey, this is the detection. We can put it in source control, we can push it up to the cloud. We can have change control, all that stuff with it. So, then we started we decided we were gonna do that and, you know, one EDR product. But we started looking at the Microsoft ecosystem. And so at the time this business had a Microsoft E-three license. And, if you've been following the EDR market, you have kind of like, you know, like the top tier is kind of like crowd strike Sentinel one. And two years ago, I wouldn't have said this, but today, Microsoft Defender for Endpoint, it used to be called something different back then, but I'll just use current terms right now. Microsoft Defender for endpoint, and really the whole defender ecosystem, which will talk more in depth in a second, has really kind of come outta nowhere. I wouldn't say it's come out of nowhere because I'm sure Microsoft had a plan, but it's kind of shown up to the scene as like a top tier player. But the thing that's super interesting if I'm a CISO or if I'm a you know, if I have to go buy this stuff, is that Microsoft's built out this entire defender ecosystem. That is actually chipping away, I think in a lot of the, a lot of cyber markets. So, you have you have, you have the EDR market defender front point. Inside that product there's also vulnerability management. So any endpoint that has the defender agent also can do vulnerability scams. In addition, it can also report SaaS app application usage. That's just from like that one EXE and one license, that's I think it's about eight bucks a month per endpoint. Where something like CrowdStrike or Sentinel One, if you're on their top tier plan, it's way more than eight bucks a month. It's probably 13 to 20 bucks a month. And in addition, so let's, let's hone in on this security license that you can buy from Microsoft. So, if you have an E-three license that's kind of like, you know, that gets you, like the office applications, it gets you kinda like the, probably what most people would think of is a, is like the Microsoft Suite for, you know, productivity.
If you add on security you get defender front point, you get CloudApp security, which is like, I wouldn't call it exactly Casby, but it's like encroaching on Casby. It's encroaching on zero trust with some of its capabilities. We looked at a company not too long ago. Define Casby.
Okay. So Casby's cloud access security broker, is designed to help you, kind of identify or, be a central point of administration, for all the different, let's say cloud products you might wanna authenticate to and use as a business. There's a lot of overlap between a lot of different kind of like identity and, network access products and, the zero trust type stuff today.
So, the market's kind of confused, but, so if we look at the Microsoft E5 environment. So I just kind of explained what the E3 is it's the productivity stuff. You can add on security and you can add on like risk. So there's, there's basically two pieces to the E3 E5 license.
You can buy the security or the risk separately, or you can combine them. And that's called an E5 And so on the E5 plus security or the E3 plus security side, you have defender for endpoint, you get defender for Office 365, like the online stuff. So that's for things like malware scanning in OneDrive, SharePoint, all that kind of stuff.
There's also fishing protection, so that that's built into Office 365. So like, that's going after like Proofpoint and Mimecast. You also have, defender for cloud apps, which can identify traffic and OAuth Authentication into third party SaaS application.
So like, did a user go and give Salesforce access to your OneDrive? Did a user go and give some shady, you know, website that has Microsoft authentication access to like all your email addresses, things like that. and then you also have, and then the final one is, defender for cloud. So Microsoft, has the ability to not only monitor like VMs running in Azure, but also monitor like your AWS cloud trail.
For operations. Aws, same thing with GCP. So this is all like, except for the cloud part, which is a, a separate add-on, that's all included for this license $8 dollars a month, which to me is crazy. Right? So if I look at, like, I just, I just rattled off I think five different capabilities that most enterprises are paying a hundred to 200K a year minimum.
Like, you know, if you're, if you're at least. , let's say a 1500 seat organization, you're probably paying, you know, at least a hundred thousand dollars a year for each of those functionalities. And Microsoft saying, Hey, we'll give it to you for eight bucks a month per user, which is, which might be 300-400K for all that functionality.
In addition, they also, like any Microsoft integrated service, is free to send logs into Sentinel. So it just gets crazier and crazier. And so, the real thing though that is just amazing is that they've gamified the whole process of doing it right, doing it well, doing it right. So, they have this thing called secure score on their dashboard.
If you're like, you're the traditional corporate ad on-prem ad in the cloud environment, all those products that I just rattled off and remember, we haven't even talked about risk yet and governance, but all those products that I rattled off, like they have an entire set of instructions to like how to deploy your policy, how to reconfigure your cloud, how to do all the stuff.
And it goes, as you make these changes, your score goes up as a new vulnerability shows up, it says, Hey, will you have more risk here? Because like Log4j's out and we found it on this machine. Right? And so they've literally gamified the entire process of better secure in your environment, in one, I hate to say this, but in a single pane of glass and, it's just crazy.
Like it's what it, kind of fulfills the promise of like, what a lot of folks have been promising on the sales and marketing side for a long time in this one pack is $8 a month. And so, that's my, the wow factor. Is that if I look out, you know, like we're, we're, you know, political's a VC firm, right?
And as we go out to the market and we say, hey, well what's novel today? You know, a lot of what Microsoft's doing was novel three years ago. It was novel five years ago, but they've gone, they've bought companies, they've built their own stuff and packaged it into a way that's actually consumable to somebody that's let's say below the security poverty line, who can't afford, you know, 25 jps to run a sock or can't afford, you know, doesn't have a $3 million labor budget in cyber, they've gamified it.
They've made it really simple. They've made it cost effective to go in and actually do security pretty well. And that's just, you know, on the surface, you know, they have a lot of other stuff going on, just like in how they deliver those products. So like, you know, Microsoft has telemetry to like every Windows machine on the planet.
So they have, you know, their threat and tell research group that pushes back into this product. So, I could go on and on. And I think the craziest thing here is I'm a Linux. Right. I'm not even, I'm not really a Microsoft fanboy, but like, I can't ignore it. It's just like they've done such a great job at bundling all this stuff together.
I think it makes, you know, if I were a lot of these other vendors, I'd be scared, right? I've talked to some vendors and, you know, they're, they're having a hard time selling against what Microsoft's put together, and it's just, it's kind of nuts that. It's turned out to be Microsoft. That's, that's been the one that's been able to, you know, put it together so well.
[00:25:45] Lucas Nelson: Yeah. I've heard from a couple CISOs that you know, Microsoft is going to the CIOs of those organizations and saying, oh, well you, we used to upgrade at E five and you can pay for the upgrade by getting rid of these four products. Right. And so the CISOs being handed this. Yep. Like, Hey, I want E5 , so, you know, please get rid of X, Y, and Z. I won't name names, but I, I think it's pretty interesting. So, you know, you've an eye towards being a founder given this new landscape, what does excite you? What areas do you think, yeah, this is a great place to be playing right now, given that Microsoft is sucking the air outta the room.
[00:26:23] JP Bourget: Yeah. That's a, I don't want, I wish that was an easy question, right? So like, I think that so there's still lots of opportunity in I'll give you a couple areas where at least that I'm interested in. So, one of them is the whole idea of like I want to be able to type Terraform apply, and for those who aren't, you know, DevOps folks, like I want to be able to stand up a security operation center with like one command.
[00:26:50] Right? I wanna be able to have everything in my, for my tenant configured and type terraform reply. And it just goes meaning like, you know, I put in a few variables like customer name, EDR products, you know, what plan they're on, and then just goes builds up the infrastructure for that. I think there's you know, one of Lytical's companies, LimaCharlie is definitely going in that direction. They're, they're starting to build the building blocks for that. Same thing with detection engineering. So I mentioned before. It's really, I think it's really cool how Sentinel allows you to like write code to declare detections where like most of the other sims today are all database configuration based, so you can't like, you know, push to GitHub and to make a change there. I think that there's some companies that are out there that are starting to not only deliver the product functionality, but deliver like detection, engineering as a service. I think that there's a lot of promise there. And then I think in you know, as everybody knows, I'm a recovering SOAR founder. Product security actually is very interesting to me because it's a lot of the same integration challenges that we had in SOAR, but from a CICD perspective so if you look at the DevSecOps, figure eight as you're building out your ability to get telemetry into the security team during the build process, like I'm a big believer that the, like, I want the developer to get the security alert.
Not the security team right before release. Right. So the more tooling we can have the earlier on. And so, I think that there's a lot of, you know, start like nascent startups in the product security space. They're trying to, provide ways to better glue together the, the DevSecOps pipeline.
And that's kind of a product to me, that's a product security problem. I think there's one other area that is pretty interesting, which is if I'm a CISO and we know that GRC exists and that's like, you know, Identifies risk, but like I have lots of dashboards to gimme alerts. So like I have my sim, I have like my bone scanner, I have my I have alerts coming out of development or my software teams.
I think there's an opportunity to kind of do well, to attempt to do what SIM did for, like alerts from like all these, you know, on the network devices to boil all the alerts from like product security, from vulnerability management, from, you know, container builds from cloud, cloud security configuration.
To build that all into one like alert dashboard to help a CISO better understand, whereas realtime operational risk is. I think there's, there's and I've seen a few. I'm aware of a few folks that are like starting to work on that problem. One of the big, the big challenges there is that there's nobody who has done a great job of building de-duplication around findings with code scanning and things like that.
Like every, there's like, let's say there's 75 code scanners and they all have different types of findings, but like, if you put those in your pipeline, you can have 36 findings, but there's actually just one, right? And so the hard job of de-duping, that's a challenge. And then, I feel like there's one more, but I can't think of it right now.
[00:30:02] Lucas Nelson: No worries. All right, so we're, we're running up on time here, so I'm gonna ask a couple last questions for you. So, for first one, for people, you know, getting into InfoSec or new to information security, what resources would you point them to? What do you love?
[00:30:16] JP Bourget: Okay, so for me, I was always in into computers.
Like, I didn't know I was a hacker until I had been a hacker for 10 years. Right, like I like, you know, you know, like a hacker's, like in my definition is somebody who wants to figure out how to get a system to work in a way it wasn't designed or intended. RIght? And so I took my Nintendo apart when I was like 9 years old cause I wanted to know how it worked.
Then I had to buy a new Nintendo cause I couldn't put it back together. So like that's one way, right? Is to like to learn. Right? You know I went through like the traditional academic route. I think that your mileage varies. Like there's kind of different qualities of schools and stuff out there, but like I needed a structured plan to execute on to be, you know, to get educated.
But then once I escaped, Or I graduated. For me it's like really signing up for things that I don't know how to do yet, going and executing going to conferences and just like not going to talks, but just like meeting people and talking to people, like got me really far. And then there's also like, there's tons of online like CTFs and labs that people can do.
And like I found. Like you captured the flag. They, they're not always the Yeah. Capture the flag. So like, like there's, you know, there's anything from like, you know, the global championship of hacking and the Defcon ctf to like, you can spend $99 to play CTF for a month. That's kind of like, you know you're kind of guided along Open Sock, which is actually a it's an event at, at Defcon and they, they do some online stuff, is a really good way to, to kind of get into at least the, the blue team side of it. And there's kinda like Blue team and Red Team CTFs mean like defense and offense. And so you know, that's what's worked for me, right. I've taken some Sands classes. I, I've kind of like done a little bit of everything, but for me, I like the applied side of things, so I was like, to be able to like go kick the tires and try it out ,that's where like I consume and retain and learn the best.
[00:32:15] Lucas Nelson: You've mentioned blue team and red team a couple times. Can you define those for everyone?
[00:32:20] JP Bourget: Yeah. So, there's also Purple team, right? So Blue Team is generally like the defenders, red team is like the, the penetration testers or the, the folks that are trying to identify ways into the network that are unintended. And then you have what's called purple team, which is really when the red and blue team work together.
To, let's say the red team will identify a path into the network. The blue team will then let's say remove that path, but also put detections in place to find out if someone's trying to get in it again. So, that's kind of how that works.
[00:32:52] Lucas Nelson: Cool. Alright, so quick question, A rapid fire here. What's your favorite information medium? How do you like to learn? You kind of answered this actually before.
[00:33:04] JP Bourget: Yeah. Really hands on labs, right? Yep. And, reading the dots. What's your favorite book? What's my favorite book? I would say Little Brother by Cory Doctoral. That's a great one.
[00:33:19] Lucas Nelson: Yeah, so that's it's a, Cory Doctor is a sci-fi writer who's been around for a while, but Little Brother is a, it's actually kind of a tween book. It's aimed at tweens, but I, I read it too, and I love it. Mm-hmm. , you know, kind about being a hacker, yeah. Being a hacker, being against an oppressive system. Great, great choice.
[00:33:38] JP Bourget: So yeah Cory Doctor and I played hacker pyramid at DEFCON. Oh, awesome. I got to be on his team.
[00:33:45] Lucas Nelson: It was awesome. Yeah I found his lost phone at a O'Reilly event once, which is the only time I met him in person, I got to hand him his phone back. Yeah. All right. So any plugs you wanna add at the end?
[00:33:58] JP Bourget: Yeah, so look, if you wanna find me my website's bluecycle.net, you know, we're like a boutique, Blue Team or security operations, maturity and advisory services company.
We also do a lot of data pipeline work. So you know feel free to reach out. But I also love to just talk shop with people. I actually do a lot of mentoring work, so I'm happy to talk to anybody who's trying to get into cyber, or somebody who's, you know, also founders, right?
I love kind of like helping founders, I guess get unstuck right? You know, I end up talking to a lot of people that have an idea and either they're afraid to jump off the cliff or they're not sure if it's a good idea. So I like to, you know, help them figure out, go to market or you know, can I actually build a business with us?
So those are some of the things that folks can reach out to me from. And then you can find me on, on LinkedIn if you look up Lytical Ventures, you'd probably be able to find me.
[00:34:54] Lucas Nelson: Awesome. Well, JP, I wanna thank you so much for taking the time to talk with me today. It was informative and excellent.
[00:34:58] JP Bourget: I really appreciate it. Yeah, no problem. All right. Great to chat with you as always.