THEOS Cybernova: The Cybersecurity Podcast for APAC Leaders

Paul Jackson: Welcome to the THEOS Cybernova podcast. Season two is well underway, and today I have a very special guest in a very special environment. We’re here live at the THEOS Cyber offsite. We have the entire company in front of us, and I’m here with the leader of our offensive security department. His name is Jason Vallente, or better known to all of us as JV. JV, welcome to the podcast, everyone.

Jayson Vallente: Thank you for having me here. Yeah, excited to be here.

Paul Jackson: Yeah, we’re very excited to have you because we want to learn more about what your role is, not only in the company, but also in the community, because you’re one of the great leaders in offensive security. So why don’t you tell us a little bit about your story, how you got into OffSec and how you came to end up as a leader in this?

Jayson Vallente: Sure, definitely. So, I’m looking back on my experience. I would say I have just been very lucky to really have been a lot, to have a lot of mentors. So I started, actually, as I think most of everyone here started from more of an IT admin background. And then afterwards, you know, I know I really liked, security also been thinking about it, you know, being curious about it and then when I moved away, my company in HP, that’s where I met my first mentor, and he was apparently my onboarding buddy, but he was actually also the founder of ROOTCON, Dax Labrador. So when I met him, of course, I didn’t know who he was then. He was just my onboarding buddy. But we talked a lot about servers, and talked about security. And then that’s when I asked him, How do you know a lot about this? And, I’d like to know more about it. And he was very happy to invite me to the gathering of ROOTCON, which was called Beer Talk then.

So that’s why he became my first mentor. He told me what I need to learn, what they need to study, then I knew I got really, I fell in love with it, of course. And then I decided to move out of IT, move into information security (infosec). And then that’s where I met my second mentor, he’s my second mentor, because he gave me a chance to do you know, from having no back in security to be a system administrator for a bank.

My next mentor was Dan Duplito, who was the CISO of one of the banks here in the Philippines. So was also awarded as the CISO of the year in Asia at the time. So I was really very fortunate to have him as my mentor. And then, after my experience with being in infosec in the bank, I decided, no, I really want to pursue it.

So I went into consulting. I think that at that time, there was no offensive security, yet for the security team in the Philippines, as of that time. So I went to Singapore, I did some consulting. And then, you know, my mentor from HP before, Dax, he called me out and said, Hey, JV, think it’s time to go back to the Philippines.

We are forming the first pen test team in the Philippines, which was HP Fortify in Demand in Manila. So when they got the call, I said, I want to be part of it. So I came back home, and then I was part of the pioneer team for HP Fortify On Demand. And then of course, I learned a lot from there. And then that’s when I started to learn about, you know, management and being a leader. At the time, it was more due to circumstances. There were no managers at that time. And instead of having the team be under someone whom we didn’t know, I might as well step up. So I stepped up, I gave it, and I was given a chance to be a manager. And then, you know, I enjoyed that, that role, being able to just really guide new people in security, being able to support the team on, you know, the same mind that people would love security and being able to support them, give them exciting projects. So that’s where I got really excited about. And then after HP, I think that’s when a lot of my next roles were about starting teams.

So after HP, my previous boss at HP moved to SpiderLabs, Trustwave. So he asked me to form SpiderLabs in Manila. So I had time. I moved just as with SpiderLabs. I started the first team in SpiderLabs in Manila. Started with about three people, grew it to about 30 and then, you know, like I said, I was enjoying the being able to really just, you know, have really passionate people who love security and being able to grow them and support them.

And, being able to start something, build something and grow it. It’s one of the things that really excited me. And then afterwards, that’s when I think there are a couple more things I tried, but I think in the end, that’s when I met Alex. And of course, we had, and I was very impressed with his vision, what he wanted to do with THEOS at the time. And then, you know, his vision for the kind of team that he wanted to have. And then. So I joined the team, I joined THEOS with the same mindset of, you know, growing another team, but this time also with the values and with what I really wanted to have for my team, and so that’s when I started this. And now we have the offense team with us. I’m very happy and very proud of the team that we have right now. Not only very cool, you know, but they’re also very skilled and just very fun to be with. So I love the culture.

Paul Jackson: Right? Right. And I love the way you refer to these cool guys because yes, they definitely are. ROOTCON, you mentioned ROOTCON and look, we’re here in Pampanga at the moment for the offsite. And yeah, when I was driving up here, I drove past the new venue, the Royce. The Royce venue. I mean, it’s pretty exciting. It’s huge. It’s a beautiful-looking venue. And, you know, it’s kind of filled me with a sense of excitement for ROOTCON, which is obviously happening in September 24th to 26th. Is that right? That is right. That’s correct. Yeah. So take us back a little bit. I mean, ROOTCON, you said it started as what, Beer Con?

Jayson Vallente: Yeah. So it started as a very small gathering of people who were very passionate about hacking and information security. So it initially started as Beer Talk.

So we go into a bar, we have some beers, and we just talk about hacking. We just, you know, have some challenges. And then there’s, you know, just a gathering of really like-minded people. And then it grew. So it just, you know, it grew and grew, from about 30 folks in the bar. Then it was going into 50 to about 100. It was time for us to really consider it as a conference. So when we started, we wanted to be like the bigger conference, which was DEF CON in us. So we coined it as DEF CON PH. So, during our third or fourth turn, it was called DEF CON, but at the time, DEF CON or they said that no, we can’t use the brand DEF CON itself.

So we changed it. But it went through a lot of name changes, and ultimately it went into what? Well, it’s now called ROOTCON. So you mentioned, sorry from a small, well, gathering of individuals who love security. And then when it was growing, you know, we just became a conference. And the goal remained the same. It was not about business, not about, you know, products. It was really just, you know, people gathering. We want it to be a neutral ground for everyone. It should be focused on just technical sharing, as it is, focus on hacking. So we wanted to be the kind of conference where it’s not a business conference, but a hacker conference.

So now it’s grown to be, I’d say, the number one hacker conference in the Philippines. And now it’s attracted a lot more people. We are now on our set 16 or 19. It’s been a long time, but another 16th or 17th run. That’s where I have been on the rise. Basically, I’ve been in the industry for 17 years or so. And now, like an engine, we came from 30. We are now expected. Last year we had 800, close to 800. And now we’re expecting around a thousand people. It’s really big. And you know I said passing through the new venue. Well, it’s a huge venue. So very excited for it.

Paul Jackson: Yeah. And modern as well, isn’t it? So it’s a brand new venue. So it’s, you know, the modern facilities that you need for a high-tech conference like this.

Jayson Vallente: Yeah. For sure, for sure. I think, of course, we loved our previous venue in Taal Vista, but we’ve just outgrown the venue. And now it is all, you know, enough space for us to all be in one single space. And then, of course, be able to accommodate, you know, now, we are getting a lot more speakers from international. So we want to be closer to the airport as well. So it’s more accessible. And it’s also kind of brings the, the, the ambience or the environment of a, you know, the usual conference in DEF CON when you are in like a casino or, you know, area resort vibe. So yeah. Yeah.

Paul Jackson: No, it is amazing. And you’re right to point out that the previous conferences were held in a beautiful location overlooking an active volcano, right? Down south of Manila. But this is close to Clark International Airport. So we’re expecting a lot more international attendees from all around the region. And I took a quick glance at the website, the ROOTCON, and there are some amazing presentations out there lined up. I saw that, for example, talking about a deep dive into North Korean hackers.
You know, which is obviously a pretty hot topic at the moment. And one that particularly intrigues me is the use of AI in red teams. What are your views on that? Because obviously, you know, there’s definitely going to be an impact of the greater use of AI in creativity in red teaming. How do you view this?

Jayson Vallente: I definitely view it with much more in a positive note because I think, like people are saying right now, if you’re not into AI, your chances are that you are falling behind with a lot of what’s new right now. And I think, right now, a lot of the adversaries are using AI, and it’s really becoming relevant at the same time. Also, I think, we are now at a stage where an AI has matured to be something that can really be valuable to be used on actual engagements for us. So I think for me, I’m really excited to see what the presentation would look like, but I think on our end, with THEOS in our team, we are actually already using it. So we are trying it out, and we have had a lot of success in terms of being able to leverage AI. It’s not about, you know, making I do everything, but it’s about like I think the topic would be like it’s about having like sixth man as a support that you could use for anything and have the team focus on what they want to do in terms of their engagement and then have AI support with the rest. So I think that’s the key.

Paul Jackson: So let’s take a little step back, because many of the listeners may not understand what a red team is, right? So, in your field, can you explain the differences between vulnerability assessments, VAPT, penetration testing, RT, red team, purple team, etc.? So how do you explain the differences between those?

Jayson Vallente: Sure. So I actually that’s a question that is being asked a lot by clients. So, I would say that I think what we need to kind of think about in terms of when we try to differentiate these three, these exercises, would be the purpose or the goal of the exercise. First, when we talk about vulnerability assessments, we talk about finding vulnerabilities within a certain scope or a system. It’s about validating what the weaknesses are within the system, as opposed to penetration testing. It’s similar in a way that it also looks for vulnerabilities, but now you’re trying to exploit those vulnerabilities and assess the impact of a certain vulnerability. So, you’re trying to assess the controls around it as well. Aside from just finding the loopholes, they are also trying to exploit them and therefore see if there are some controls that will prevent you from going deeper within that, within that context.

As for the red team, it would be more of the next level in a way that you are not. You are still looking for weaknesses, but this time not just on the technical aspect of it. They’re also covering different vulnerabilities in terms of the processes, in terms of people’s awareness. So in all layers at the same time, not just testing controls, but also now testing the response to certain attacks. So I think these are the different goals that, you know, this exercise would fall into.

And I would say, when do you usually want to use each of them? I still say that all of them are equally important. It’s just a matter of when you are supposed to be using each of these kinds of assessments. So, with the assessments, you use them when you’re just trying to have a quick, ordinary scan of your check of the hygiene or the security of your assets.

Penetration testing is something that you do more of. Let’s say that, you know, with the assessments, you run them maybe quarterly and then, penetration testing, you do them at least annually to try to see, you know, and be able to validate controls. Red Team, like I mentioned, this is a longer-term exercise. So it takes a lot more effort, a lot more cost as well. So, something that you only do when you want a certain level of maturity. And, you know, also at least maybe just annually. So, overall, like I mentioned, the goals are different, but all of these exercises are equally important. It’s just a matter of, you know, being able to implement on different layers in your security.

Paul Jackson: Understood. And, you know, we also hear talk about purple teaming. And I notice there’s one of the presentations coming up in ROOTCON called 50 Shades of Purple. So nice. How do you explain purple teaming as different from the other types of testing?

Jayson Vallente: So Purple Team is very interesting in a way that it’s now not just having one team, you know, trying to assess, or that’s the security of our organisation.

Purple team is now more of a collaborative exercise between the teams, not just the red team as our offensive team, but also the blue team as well. So basically, the idea here is that we have our red team come in with a couple of you know, attack scenarios, attack vectors, and then we work with our blue team and try to see if our blue team is able to detect. Are they able to respond to it as they should, and therefore be able to identify what the gaps are in terms of their defences in their process, in their playbooks? So it’s more, more of a collaborative exercise wherein we are not just trying to get in, but also really work together in terms of improving the, the defensive capability as well as the, of their organisation.

Paul Jackson: Got it. So, although you know, your team is predominantly, well, it’s based in Asia and predominantly the majority of your team is here in the Philippines. I’ll ask you a couple of questions relating to this. Firstly, what makes Filipinos so good at Offsec? So good at ethical hacking. And I stress ethical.

Jayson Vallente: Well, actually, with us in the Philippines, we grew up in hardship. So we are very good at finding ways around things, around systems. But I think it also goes not just with the Filipinos, but, you know, I think everyone in security, it’s something that we need to kind of learn how to go around the system. But I think the advantage of being in this region is that, I remember when I went to Singapore before, I was doing consulting when there was an issue with a certain system. So we have our usual support team come in.

But when it’s something that they couldn’t solve, then they call in our special team, which apparently are the Filipinos. Guess it’s not because, you know, it’s more like you mentioned, we are very used to finding workarounds. We’re very used to finding, you know, how to work with whatever limited things that we have.

So I think that’s the key. But, in terms of the region itself, I would say that I think the security in the Philippines is also just growing right now. So there’s a lot of really young talent that is starting to discover information security and is starting to learn. So I think, in the Philippines right now, there’s a lot of talent and people are very passionate and eager to be in cybersecurity. So, yeah, I think that’s the scene of infosec in the Philippines right now.

Paul Jackson: Yeah, absolutely. And I think we’ve seen because obviously we’ve been advertising for newcomers to the team, and we’re getting a lot of response. So it just shows that there is a thriving ecosystem, if you like, a lot of talent that is out there, which is good news, right?

Jayson Vallente: Yes, definitely. Definitely.

Paul Jackson: And ROOTCON is a conference. And your involvement in the community plays an important role in encouraging and energising youngsters. What does it have to be youngsters for anybody to participate or to be, you know, somebody who wants to be involved in this industry, right?

Jayson Vallente: Yep. Yes, definitely. I think I forgot to mention last time, but I think the ultimate goal when we started ROOTCON was actually to spread awareness of security in the Philippines, because there was really none at the time. I just mentioned it’s thriving now. I think we want to continue to raise awareness and share it, and infosec is a real career. And then there’s a lot of exciting stuff that we can do in the industry.

Paul Jackson: You raised an interesting point, though, about the maturity of the Philippines’ cybersecurity landscape. How do you, because you work with clients throughout the world. Really, you know, so how do you, you know, as a Filipino yourself, how do you compare the level of maturity here in the Philippines with organisations from elsewhere?

Jayson Vallente: First and foremost, I would note that, in terms of talent, there’s not a lot of a gap. There are a lot of really experienced, really skilled experts in the Philippines. It’s more about maturity — in terms of the number of professionals and how aware the country is when it comes to information security performance.

Before, when we were talking about it, I think we were about, I would say, ten years behind. That was what we were kind of calling it. A lot of the industries, corporations, companies in other countries are already, you know, have security as a practice in their companies. They’re not just doing it out of compliance or doing it as freely, you know, as it should be in the Philippines. It’s still something that’s growing. Companies are slowly getting into security, and therefore, a lot of people are now more interested in learning about it. I think that’s where I would say so again. And that’s expertise. We’re not really falling behind. There are a lot of experts, as the industry is still new in the country, and there’s still a growing number of people and professionals here. Hopefully, you know, as it grows a lot more, we’ll be able to be on the same level as the other regions as well.

Paul Jackson: Yeah. Good stuff. So here at THEOS Cyber, we have three core pillars, right? You know, we have the offence which you run, we have the defence, and we have the incident response capabilities. How does having these additional services benefit you in your work? You know, having the incident response capability and the defense capability?

Jayson Vallente: I was actually very excited when you said response was brought in. I think it just really kind of completed the, you know, the, made our service more holistic. And in a way, you made it whole. How does it benefit us? I think, for the longest time, we have been saying that we wanted that, we, each of the teams, were kind of helping each other out. That’s what we kind of were marketing before. But to be honest, we’re struggling initially. But right now, we are really seeing the value of having these three pillars in the same company.

Right now, we are able to feed off knowledge and experience from the different pillars. Like right now, I’m, you know, teams are able to learn about how the defense are actually securing it. And therefore, we try to learn how we could improve our attacks and bypass them. At the same time, they’re also able to see how we usually attack, as well. So, in terms of incident response, it’s also very nice because I think a recent exercise with Nate engaged our team in terms of thinking about scenarios of how we were supposed to attack a certain component. That’s where he kind of thought about how to use it for a purple team exercise, and I use it as well in terms of when doing investigations, he calls for us and tries to see, you know, and stop at a certain point. How do you think the attacker actually, you know, went through, after this, what would you be if you, the attacker, what would be your next steps in terms of this?

So we were really getting a lot more feeding of knowledge and experience from each other. So we’re now able to do that, which just grows from our personal studies or research. But now being able to really, actually ask and gain information, and gain learning from the other pillars to help us. And yeah, all three things go.

Paul Jackson: And I spoke to Nate just recently on the podcast, actually, and he said exactly the same from the opposite perspective in the investigations. It’s so critical to have the hacker mindset. Yeah, that you guys bring to the table in unravelling what might have happened during a complex investigation. So I definitely feel that, you know, your teams are very complementary in that regard. And talking about incident response, obviously, as part of resilience for companies, mature companies, or companies that are on that journey towards maturity, resilience is critical. And as part of that resilience, incident response retainers. Yep, are also critical incident response retainers in a nutshell, having that emergency service on standby should you need them in a crisis. You know, you don’t want to be signing paperwork, agreeing to limits of liability or other contractual terms during a crisis. So is having that relationship in advance, but, you know, people might think, well, that only really applies to incident response, but how does it, you know, how do you get involved in these kinds of retainers?

Jayson Vallente: So, yes, we are definitely involved with these kinds of retainers. And when I learned about this type of retainer, I was saying that, I was thinking, this is actually very brilliant. So why do I say so? Because, as you mentioned, response retainers are designed to make it easier for you to have someone to support you when an incident happens.

But the question now is, I’m spending money for that retainer if something happens as an insurance. But what if nothing happens, right? Like, how do I get value from the money that I paid? So now that’s where this, that’s where we come in. So, if you have, still have budget in your retainer that you could use, now you are able to utilise, or use that retainer to access our offensive security services via, you know, pen testing, red teaming or could also be just, you know, little things about, you know, maybe having, like, some sort of a briefing, some sort of, you know, scenario based exercise. It could also be just some hours in terms of consulting. So I guess that’s what I find really brilliant, it’s about having insurance. It’s someone to help you out, but also, you know, that you will get value from it because you you’re able to use it for all other services that you actually already, you know, have. And the last point is that you don’t have to go through all the trouble of procurement. So, I guess it is very brilliant.

Paul Jackson: Yes, it is. So it’s very versatile. I think your points are well made there. But you also touched on an interesting point about tabletop exercises, because again, if you’re designing scenarios, you have to have that hacker mindset. So, of course, the crisis management team, the incident response team can lead in terms of managing the crisis, but developing this scenario in the first place needs a hacker mindset. And I guess you and your team enjoy coming up with. We had wacky scenarios for clients, of course.

Jayson Vallente: Definitely. I think it’s having us imagine these kinds of things is something that really excites us. You know, it gets our mindset cracking. So, yeah, definitely. In terms of the retainers, you’re right. I think, aside from just the response to incidents, but also just having or bringing a team, trying to simulate, this type of incident and scenarios could also bring value to that side of security, I would say.

Paul Jackson: Yeah, absolutely, absolutely. And by the way, the listeners who are still with us at this point. Don’t forget to click the like or subscribe buttons on whatever platform you’re listening on. It makes a big difference to us. And getting the messages out there, these important messages. So I’d like to sort of finish up by asking, what advice would you give to an aspiring offset or offensive security professional? And what would they have to do to join your elite team at THEOS Cyber?

Jayson Vallente: I guess my advice would be to, as they would say, try harder. In information security, this career is never easy. So it’s not trying hard, but really, you know, going above that and trying harder is my advice. Also, the other thing is that information security is not a sprint. It’s more of a marathon. I would say. So you don’t have to really try to run so fast. It’s just a matter of you continuously and slowly, step by step, to see learning and growing, and that’s how you’re able to grow and grow in your career in information security.

And, so I guess when you are new, that’s what I would like to say is learn one thing at a time, focus on the things that you want to learn, even if just a topic a month, a topic every six months. Learn an operating system for six months, learn applications for six months, and then get a certification in a year. You just have to go step by step. Like I said, you know, be patient and really try hard. And then, you know what? Once you have the skills or the opportunities, they will come for you. So it’s about, you know, trying to find that it’ll be in, in infosec, there’s a scarcity of skills and talent. So if you have it, you know, all companies will be gunning for you.

Paul Jackson: Okay. Now, one of the challenges, though, of being a youngster who’s interested in getting into ethical hacking is perhaps crossing the line between ethical and unethical. How do you advise, you know, because it’s so you know, I mean, it must be quite easy to cross that line either inadvertently or in a rash, ill-advised or reckless moment. Well, how do you advise, youngsters who are just sort of learning about ethical hacking and want to test their skills?

Jayson Vallente: First and foremost, I think curiosity is a very good thing, right? I think, as we are in the industry, we have to really remain curious and try to learn. But I think you also have to be careful until you know, and not cross the line.

And if ever you have to, do not get caught. But I think, to be honest, it’s, it’s, every now and then we, we are able to learn from, from experiences that we have when we are researching and when we are being curious. But what I would want to say, though, is just be careful, because I have seen people who are really very, very nice and very talented and have good potential. But because they crossed the line and then, you know, made a small mistake that they had made before, they were not able to go back into the industry. So, in the infosec industry, trust is very important, and if they find out that they lose trust in you, you won’t be able to get into the industry. So I think that’s the only advice, you know, stay curious. But of course, think about the bigger things. Right. What you want to achieve, those dreams that you have. Because, you know, if you step across the line, and sometimes you know, if you’re very unlucky, then you’re not able to go back below, you know.

Paul Jackson: Yeah, trust is very important. And I don’t think don’t get caught is the best advice, you know, stay legit. And honestly, this is a great career to get into, isn’t it? But, you know, make sure that everything is done ethically because it’s that magic word, trust.

Jayson Vallente: Exactly.

Paul Jackson: All right, so, look, I always close the podcast by asking my guests what music they listen to because I know everyone has a way of dealing with stress. My own personal way is I love to unwind with some good music and a good book. What music do you listen to?

Jayson Vallente: So I’d like to say that I listen to, you know, alternative rock and punk rock. I mean, it’s just not. But I think right now, I have recently become a dad. So I’m now into Ms. Rachel and a lot of the baby songs right now.

So that’s what I had no choice but to listen to.

Paul Jackson: But you’re great, Dad. You’re great. You’re Jason, you’re a great leader. You’re a great dad. And it’s been fantastic having you on the show. And, you know, it’s been a fascinating conversation. And I’m sure, the listeners will have learned a lot about this murky world of ethical hacking and offensive security, and hopefully, you know, in the future, we can have a follow-up conversation for THEOS Cybernova podcast. Thank you for joining me today.

Jayson Vallente: Thank you. It was a pleasure. Thank you so much.

Paul Jackson: As I mentioned, we are in front of a live audience, so please give Jayson a round of applause. THEOS Cybernova was presented by myself, Paul Jackson, the studio engineer and editor was Roy D’Monte, the executive producer was myself and Ian Carless. And this podcast is a co-production between THEOS Cyber and W4 Podcast Studio in Dubai.