Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:02):
Hello everybody, welcome to another episode of Cybersecurity and Compliance with Craig Pacinello. Obviously needs no introduction. Craig is here, of course I am here, Blake, as always, and we have a special guest from IA Squared, Bala. Please introduce yourself.
Speaker 3 (00:19):
Hello folks, I'm Bala Ramaya, CEO of IA Squared. We are a cybersecurity MSSP company. We also have a number of products, very specifically around identity and access governance. We do a lot of work pre- and post-events.
(00:43):
We help our customers manage their identity posture. We use our products where the customers don't have a solution, or we are open to supporting the solutions that the customers have.
Speaker 1 (01:02):
Tell us about the journey of IA Squared and how you guys evolved into an MSP and MSSP.
Speaker 3 (01:09):
So IA Squared. I started the company in 2010. And I used to work for an enterprise, and pretty much my entire journey has been working for the enterprises. I was an identity and security architect, a global architect, in a pretty large biotech company, and I had certain product ideas
(01:35):
that I wanted to bring to market, and that's how the company was formed in 2010. I quit and I started IA Squared, and we are a completely bootstrapped company. We didn't go for any funding or anything like that. So we started off doing consulting work in the security
(02:00):
and the identity space, and we used those funds to fund the product development. So it basically slowly evolved over the last 14 years or so in building this particular set of products, and as we built the products, we also built the consulting and
(02:22):
the managed services arm. And as we got customers aboard in the enterprise mid space, we found that the cybersecurity requirements were changing and evolving pretty rapidly. So we expanded the portfolio of services that we actually gave to the customers, and we split the services that we
(02:44):
provided into MSP and MSSP with specific focus for the cybersecurity. We basically brought in a CISO who took care of the security side, and then a completely separate person who took care of
(03:06):
the infrastructure side of the business. So that's how we are actually structured. We basically have a separate arm that takes care of all the security-related stuff and a separate arm that takes care of the non-security stuff.
Speaker 1 (03:23):
Fair enough. What are some of the biggest challenges that you guys faced as an MSP, MSSP, and how does IA Squared address those for the customers?
Speaker 3 (03:36):
There are two aspects, I think, from a management of infrastructure and security, that are critical from a customer perspective. One, availability of talent, which is difficult in today's market because the need for cybersecurity has grown so much
(04:00):
that everybody wants the top talent, and everybody cannot get the top talent, and yet there is a certain budget within which you have to actually play. And then, because of the requirements, the landscape, with the number of vendors who are bringing products, is constantly evolving. So one year, one vendor, you have the best product.
(04:20):
The next year, someone else basically becomes the best product, and you can't keep changing the product. So it's a fine balance that the customers have to go through to keep things under wraps, provide the best security for the business, and what we have seen is the customers are starting to
(04:45):
think towards, hey, how can I actually get the best bang for the buck? And in that case what we are seeing is the customers are trying to do more architecture and more design and higher-level work and keeping it within the house, and then trying to
(05:07):
outsource a lot of the operational activities that are repetitive tasks, or tasks that can be shared across people, to someone like an MSSP, so they basically get the best of both worlds from a costing perspective.
(05:27):
Also, what we are seeing is customers who actually don't have a need for presence of people to be in the US, not on the DoD side, or on the non-governmental side. They are looking to run their 24 by 7 operations on companies that can provide 24 by 7, follow-the-sun model to
(05:50):
keep their costs down. So those are all some of the things that the customers are doing today to get the best bang for the buck and to provide better security for what they can, given the budget constraints and the people constraints.
Speaker 1 (06:11):
Yeah, they sound like pretty complicated challenges, as always.
Speaker 2 (06:17):
How do you balance... Go ahead. No, go ahead. I was going to say, how do you balance the pressures of price versus giving them the right solution? Because obviously you can't always have the best or lowest price and offer the highest security.
Speaker 3 (06:38):
Yeah, from an MSSP perspective, the advantage that we get is one, from a software and hardware side, sourcing. So when we are basically doing the MSP model for a number of customers, we buy licenses in volume and we basically get
(07:03):
better discounts, so those discounts can be passed on to the customers, so we are able to basically reduce the cost versus if the customer has to go and buy it by themselves. That's one. Two, and one of the reasons why we are building our own products is because then we actually get the cost advantage because we own the product. So we basically again bring the cost there.
(07:28):
From a people perspective, it's six of one, half a dozen of the other. The cost is pretty much the same whether you go with us or with someone else, because you are still going to source the people from the US. You're going to pay the same amount. But we also have offshore options, and from a US
(07:50):
perspective, we also have an option of hiring people in Guam and some of those places where the costs are a little bit more competitive in terms of people who are US citizens. So we basically allow putting these three things into the equation to keep the cost for the customers down.
(08:13):
Having said that, unfortunately security is not all about reducing the cost. We ought to be very careful that we don't bring the wrong solution to the customer, so we don't cut corners in bringing the wrong solution to the customer. So we are careful in not pitching the MSSP as just a cost
(08:35):
proposition. It is about what we can actually provide as a value chain to the customer at the end of the day.
Speaker 1 (08:44):
Yeah, we find that it's challenging to balance an offensive strategy versus a defensive strategy. So you obviously, as an MSSP, have to coach your customers that, hey, you need to be proactive here, to do things to develop and grow your business, but then you still need to have some form of defense. You know, obviously a football team cannot win with an all
(09:06):
offensive team or an all defensive team, and that is a huge challenge that we've noticed ourselves personally.
Speaker 3 (09:15):
You are absolutely right, and enterprise customers are a little different than the SMB, are a little different than the midsize customers, and when you traverse across the spectrum, the understanding of what the needs are is drastically different.
(09:36):
If I take an SMB customer, the difference between a backup and a DR, their thought process is different than explaining a backup and a DR to an enterprise, right? A lot of people think that if I take a backup, that's my DR strategy. They expect, right. Or some people think that if I have a DR, then I don't need backups.
(09:57):
So you absolutely bring up a good point that it's not always offensive, it's also defensive strategy. We try to explain to the customers, hey, even if you have all the tools in the world, you could still get hacked, and most likely you will get hacked. How quickly can you recover when that hack happens?
(10:20):
That's important. How quickly can you identify that you are in the middle of an event is critical. So when you put a strategy to the customer, it's not just about the fact that how can we protect you, it's about the fact, when the event happens, how quickly can you recover and how
(10:42):
can you actually reduce the blast radius, is as important as not getting hacked itself. So those are all the things that we actually work with the customers on when we are giving them a solution for cybersecurity. We noticed those are good points. Go ahead.
Speaker 1 (11:08):
Oh, I was right, I thought you were. Um, uh, so yeah, we've noticed a lot of our listeners are kind of small to medium-sized businesses that are essentially trying to play-doh their own cybersecurity. Um, so if you could literally reach directly out to small business owners and our listeners, right, and you could
(11:30):
give them kind of a strategy, a map or advice. To, you know, obviously, reaching out to somebody like you or us, vice versa, but it takes, it takes companies to get there. Obviously, there is a huge part of the market that doesn't want
(11:51):
to come off as ignorant or negligent, whichever you prefer to use, to event. You know, you have to, a lot of brands, a lot of companies have to suck up their pride before they make contact with a brand like yours or ours, before they say, hey look, I am not compliant, I am not doing the right things.
(12:11):
It takes a lot to get there. So, um, if you could say something to that audience, I mean so, um...
Speaker 3 (12:26):
Don't try to boil the ocean from a security perspective. Sometimes security is not just about how much money and how many tools you are spending. Some very basic stuff that you can do to protect, to start with, is what we tell the customers: patching, changing the default passwords on the devices and laptops, rotating the passwords,
(12:53):
using long password chains. These are all some things that the small businesses can do without spending a dollar on additional security products. When you go to the products: antivirus, basic web hygiene. Training your regular employees on cybersecurity is very
(13:18):
critical. Something like Ninjio, which basically creates small, bite-sized cybersecurity training modules, it's four-minute modules, and we actually do this every week, even within our company, that everybody has to take the training, everybody has to go through these four-minute modules, and we keep
(13:39):
repeating this week after week after week on small topics, phishing, spear phishing or whatever that might be, but at the end of the day, it basically starts recording into everybody's brain that, hey, before I click the email, should I really click this link? Is the email coming from the right person? These are some of the basic stuff which is not that
(14:05):
expensive to do. It's where you actually start. You don't need to spend millions of dollars in building a big strategic infrastructure to protect your environment. So this basic stuff is where I would actually start for the small businesses. Don't share the passwords. Create individual accounts for people. Admin passwords,
(14:26):
put them in a vault, right. You don't need to buy a big solution for the vault. Just take an open-source KeePass and store it there, right. So these are all some of the things that everybody should be doing.
Speaker 2 (14:42):
You know, well said. Tell us about your Fabulix solution.
Speaker 3 (14:46):
So we started looking at Fabulix somewhere around 2011. And this is when everybody was trying to move to the cloud. We felt that cloud was a great solution for workloads that can be moved to a centralized location.
(15:07):
But there are still going to be workloads that basically have to stay on-prem, and the examples that I can give you are manufacturing, utilities, oil and gas, construction. They need to have certain amounts of workloads that basically need to be behind the firewall, in a segregated
(15:31):
environment, and you need to run this particular piece of infrastructure, and you needed the same cloud flexibility to run the infrastructure. But you wanted it behind the firewall, not connected to the external world. So that's where the Fabrics comes in.
(15:51):
So we actually have built an HCI solution which comes in multiple flavors. We actually have an edge. So where we actually go and deploy it in buildings, which can be shared with the tenants within the building, and then it is connected to, say,
(16:12):
the AWS or the Azure, if you want to actually have a DR or a backup plan, or to our centralized, what we call it, the hub and the core, which is again connected to the AWS or the Azure for allowing you to migrate workloads between on-prem and off-prem as you need. So that's where the Fablix comes in. It's basically a suite of products which consists of
(16:35):
hardware, software, and it's basically our infrastructure management platform. It has its own ticketing system. It has a cloud management console. It basically has an HCI stack where storage, compute, network. It comes in different flavors, 25 gig backplane, 100 gig
(16:58):
backplane, 400 gig backplane, depending on what you need, and we actually have our own carrier division which basically brings the last-mile connectivity into the box. So you basically write an SD-WAN network on the backplane to connect your remote sites into your centralized hub. So that's Fabrics in a nutshell.
Speaker 1 (17:19):
Wow, seems like you guys just literally capitalized on the huge need that was out there. And we kind of brought it all together.
Speaker 3 (17:29):
Yep, that's pretty much what we are trying to do, and we are actually getting very good response from customers. Now that the customers are trying to segregate their manufacturing plants because of some cyber events that happened a few years ago with a lot of companies in the IoT space, it's
(17:51):
basically bringing back the need for some secure compute environment behind the firewall, which is not connected to the web.
Speaker 1 (18:01):
I'm curious for you to talk a little bit about your external identities and governance, like your EIAG platform, which is, I mean, I'm going to speak to a lot of our audience here.
Speaker 3 (18:14):
So a lot of focus over the last couple of decades was actually given to the internal employee, contractor type identities. How do you manage the lifecycle? How do you basically get them into the system, give them access, whether it is birthright access, or eliminating them when
(18:37):
their attributes change, like when they move from one department to the other? How do we basically give them new access to new applications or remove access? But there was a gap where you still had a lot of vendors, suppliers, distributors, who would come into your
(18:57):
environment or applications using, potentially, their accounts. So if I'm a vendor who wants to work in a large company, the large company would have to actually consider me and create an account for me on their internal network and treat me
(19:19):
like an employee for all practical purposes, and HR in that company didn't want to deal with my account because I was not paid by a W-2 or a 1099. So there was a need for these types of accounts that need to be managed, and we saw, we started seeing that the customers were struggling with how do we handle these accounts.
(19:42):
There were custom solutions that were being built. Federations made it easier for these applications to be plugged in. But then, once you federated these identities, when they went out of scope in their company, they did not go out of scope on the other side, because the other side never knew that these
(20:07):
people no longer work in their source company. So there were a lot of gaps in the GRC space. So that's where the EIAG comes in. The EIAG basically provides a framework for the customers to be able to onboard, manage, recertify and off-board people
(20:30):
who are not part of your organization, who do not come in directly using a W-2 or a 1099, but they are more of a B2B type of relationship, who are controlled by contracts managed by the business directly, not by the IT, not by the HR. So it basically tries to automate all those things, tries
(20:53):
to integrate that into your internal identity platform, if you have one, or else it integrates into our identity platform for provisioning, deprovisioning, into the targets.
Speaker 2 (21:10):
Wow, very cool.
Speaker 1 (21:11):
Sounds like a pretty awesome little solution.
Speaker 2 (21:13):
Yep, okay. So what about CMMC? Do you guys do anything with the new Cybersecurity Maturity Model Certification for the defense industrial base?
Speaker 3 (21:24):
We are working on putting a solution for the customers to get to that. We are not there yet. Things are rapidly evolving in that space. From an IA Squared perspective, we don't have a lot of customers
(21:45):
who are in the federal space. We are more on the commercial side of the customer. So for us, from a focus perspective, that is not a primary focus that we are in, but we have gotten pinged by a few customers because of our Guam presence. They are looking for those solutions.
(22:05):
So the CISO is actually working on putting a solution together for that.
Speaker 2 (22:14):
Okay, are there certain verticals that... Go ahead. No, sorry, go ahead. I was going to ask you if you had a, I guess, pick top three verticals of your specialty. What would they be?
Speaker 3 (22:25):
Um, we are very deep in pharma, healthcare sector. I would say that's number one, two would be financial, and number three would be manufacturing. So we do a lot of the IT, OT integration, operational
(22:51):
technology, those types of systems. So we have a pretty deep understanding of that. So how do we marry the IT requirements to the OT requirements? We do a lot of work around it.
Speaker 1 (23:04):
Okay, awesome. Something that sticks out to me, and obviously I was doing a little bit of homework before you came on. An interesting product that I think was very cool is StarWatch. I noticed you didn't mention it when we first started talking, but I was like, why are you not talking about this?
Speaker 3 (23:27):
It is a product. That's because, um, there are some, we are working through some patent slash legal stuff around the StarWatch platform. It's not fully out yet. That's the reason why I didn't want to talk a whole lot about it, but since you brought it up, let me give you a little bit of a flavor of what we are trying
(23:48):
to do with the platform.
Speaker 1 (23:49):
The cat is out of the bag.
Speaker 3 (23:51):
Yeah, cat's out of the bag. Exactly. Without going into the specifics, that's a platform that is going to bring the system health, system performance and system security data all together and perform
(24:14):
analytics on the data, correlated between system performance, health and security, and do predictive event analysis. So what we are trying to get to is to be able to predict certain
(24:36):
events that are going to happen, given certain data elements that we are seeing, combined together with performance, health of the system and security. So, for example, if we see that there are too many logon events and the system performance has changed, say, about 10% over the
(25:01):
last two hours, and we see that there are certain types of event IDs that are getting generated, I'm just giving a very, very high-level overview, then we will be able to predict that this potentially could be correlating the event that there is a lower performance event that is specific to login ID onto a database or onto a directory server or something
(25:24):
like that. Hey, is there something wrong going on? So we will be able to correlate that based on, oh, but this event was exactly the thing that happened yesterday. Same thing happened the day before. So we'll basically bring all that data together and then give you a score saying that, hey, the potential that this is an
(25:46):
event, security event, is 90%. So you want to go take a look at this. Or we can actually say, you know what? This is more of a network event. So you have a performance problem, you have to increase the memory or processor or whatever. So that's StarWatch. So we are going to watch through, gather all the
(26:07):
analytics, and what we are going to do is we are basically creating pods across the internet where we are going to gather data based on what's happening on the internet and be able to say, hey, we saw these types of events happening in one part of the world, and we saw the same event happening after
(26:30):
two hours in this part of the world. So something is moving. So we will be able to do predictive analytics on, okay, some event is happening. So can we actually protect the customers based on events that are moving across the parts of the globe?
Speaker 1 (26:49):
Does it not only act as a forecasting model but also like a threat detection and prevention? So like, let's just say, for example, it does pick up on an odd event. Does StarWatch then, what, communicate a message to the systems administrators to say, or does it actually put measures in place to keep that event from continuing to happen?
Speaker 3 (27:11):
So right now we are working on passive mechanisms rather than aggressive mechanisms. So basically, what we will do is, if we see certain events happening, certain threats happening, we are working, let me give one example, with like IPSs, where we can actually change the policy to protect the customer, or with firewalls
(27:34):
to protect the customer or to notify, but what we are not doing yet is to go and attack the vector from where this event is happening, because of a lot of legal implications of that. So it's more of a defensive mechanism, but predictive, not
(27:57):
an offensive mechanism. So that's where we draw the line right now.
Speaker 2 (28:03):
So I guess, what's different about your vision of this solution? Because I've seen solutions that exist like that today. So what's different from your perspective?
Speaker 3 (28:14):
So the goal of this would be to actually have central solutions, central intelligence created across, which can be shared between our customers. But I mean, there are things that are already there that we
(28:40):
are leveraging, like threat databases and stuff like that, and the idea would be to reduce the number of events that actually happen before it actually happens. That's our goal, that's where we want to be. We want to be more of a predictive company than a
(29:02):
response, post-incident response company. So that's pretty much where the StarWatch is going. And what we are trying to do is we are trying to not only correlate just the security events. We are trying to correlate performance and system events with the security events and try to do correlation to see, hey,
(29:25):
when there is a security event, what type of performance hit do the networks take, or what type of performance hit do the systems take? Can we actually correlate the data to reduce the amount of time of exposure of an event and recovery of a breach? So that's where StarWatch is going.
Speaker 2 (29:46):
So is one of the focal points forensic analysis, to maybe help if a breach were to happen, or is it more on the front end?
Speaker 3 (29:58):
Yes, yes. And we are working on some. I would say I don't want to throw the word AI, as you have seen that I have not actually used that word, but that's the catchphrase of today, but basically, at the end of the day, these are algorithms that need to be written, and that's what we are actually working on in the backend.
Speaker 1 (30:18):
Obviously, during development of this product, you guys are obviously probably using mass amounts of data, ingesting tons of data, to create results. So, yeah, I'm assuming, during that ingestion process, you guys are probably seeing new types of threats that maybe, that
(30:39):
maybe haven't, you know, existed, or maybe like new, uh, new types of breaches, new types of attacks. Um, is there anything interesting that you guys have seen during this ingestion process that you can speak about? Of course, I noticed you're biting your tongue a lot.
Speaker 3 (31:01):
So let me just keep it. Yes, we see a bunch of stuff when, basically, we are coming through. A lot of new tactics and a lot of new, I would say, change in
(31:22):
the attack vectors themselves. What is being attacked is also changing. We are actually seeing it. Just as an example, right, the voice platform is actually being now heavily used because everybody is using MFA, so everybody's going after MFA now, right? So those types of changes are some of them. The IoT space, because
(31:46):
most of the IoT, unfortunately, the IoT devices and OT devices that were built were built for a purpose of doing, not connected to the internet, so they are completely open, and these are systems that control manufacturing, systems that were
(32:10):
built to perform certain things, and it is not easy to just rip and replace these things. These are controlled, these are certified, and those are places where we are actually seeing the threats are moving to attack those. Because those are open, it's easier, I would call it the apple to
(32:34):
catch at the bottom of the tree, right? So those things, we are actually seeing a lot in what we see. Of course, we strip out a lot of the specifics before we put that into the model, because we don't want customer data privacy
(32:54):
issues. There's lots of other things, but yes, you are right, we are seeing interesting stuff.
Speaker 1 (33:03):
Amazing, and as far as the evolution of cybersecurity, this is something that we always ask our guests about. We had a previous guest that talked about OAuth breaches, you know, which is something that nobody really talks about. We had another previous guest that talked about the, um, the
(33:25):
actual security infrastructure on airplanes, which, again, is something that nobody's talking about. So, in terms of the threat evolution within the next decade, how do you see these breaches changing?
Speaker 3 (33:45):
That I can actually bring up, a topic about what just happened to one of, I can call, my friend. Recently their car was stolen from a lot, and the car was stolen because they could actually simulate the signals
(34:06):
that were coming between the car and the key fob, and they could basically break into the car. Yeah, Craig has that device.
Speaker 2 (34:17):
Craig, was that you? No, but, as you know, we are a cybersecurity and pen testing company, so that is one of the things that we help companies with. But go ahead.
Speaker 3 (34:31):
Yeah, so I think, with everything having some digital component that is actually being built on, and a lot of it being used, whether it is Bluetooth or infra or any of these, um, I would say near, um, distance communication
(34:56):
mechanisms, which are a little bit more open than, say, a Wi-Fi or, or, or 5G, 6G, whatever you want to call it, um, there is going to be a lot of cyber events that are going to happen here, because you are talking about regular people who
(35:17):
probably don't have a lot of tech savvy. It's day-to-day users, right, and it's easier to con that system than, potentially, you and me. I'm not saying that I'm never going to get conned. Probably there is going to be. It also depends on human emotions, what state of mind you are in, lots of things that go in when someone is basically
(35:40):
getting hacked, but these types of events are actually going to become a lot more prevalent in the next couple of decades. My worry is, um, self-driving cars or self-driving modes of transport.
(36:00):
What happens if a bad actor takes over? Do we really need anything else to cause havoc?
Speaker 1 (36:09):
So you saw, saw the Netflix show? Me and Craig were talking about it, the Netflix movie or whatever with Sandra Bullock, where the self-driving Tesla, you see that, and they hacked the... You saw that?
Speaker 3 (36:20):
Yes, I did not see that movie, but I have seen some horror trailers of that, because I was involved in 2010, I think, yeah, somewhere around 2010, when we were actually trying to integrate an application using Bluetooth to communicate with
(36:43):
the car and to be able to bring things on the dashboard. That was my first work with integrating phones with the cars. So that time we were like, how do we secure this communication? Should we build a PKI certificate-based private keys?
(37:05):
We went through a lot of things, but then there was also ease of use from a... You cannot make it so tech heavy that the end users cannot use it. So there's like a lot of give and take that you actually have to work through. But yeah, that scares me.
Speaker 1 (37:24):
Something that scares me is obviously, like, I remember TVs, for example, used to be like, um, you know, TVs, for example, used to be like crazy expensive. Like, you know, you used to be able to get like the nicest TV for like $3,000, $4,000. And you're like, cool, I got a TV. But now those same TVs, uh, like six or seven years ago, eight years ago, are now like 300, 400.
(37:44):
And so, you see, the cost to produce technology is going down. So, relatable to our industry, um, that, that technology, uh, savings. Right, if we, whatever we're going to call it, the, the value is, as the technology is evolving, it makes, uh, it makes
(38:06):
uh, access to hackers, like access to equipment, access to technology, more obtainable. You know, like 20 years ago, like nobody would be able to get into a car, but the Flipper, you know, you could buy it on... I probably shouldn't have said it out loud, but you know, people can buy it on Amazon, right, you know, and you know it's 150 bucks, or I think it's even cheaper than that, now 120.
(38:28):
Um, so this, this technology, is getting cheaper and becoming more accessible, and then that's what scares me.
Speaker 3 (38:33):
So the other thing that I can actually, um, think of right now is, um, I know that quantum computing is still in its very infancy stages, but it is not a myth anymore.
(38:56):
There are quantum computers that are available, and today's encryption technology that we take for granted is going to protect us most likely is going to go away overnight when, at some point in time, quantum computing becomes available to
(39:18):
the masses. Right, and that's probably five, 10 years, depending on how much effort is being put in and how much money is pumped into that system. But it is going to become available one day or the other. And what we work with, 4096-bit keys today, which we feel are one of the most secure and it's going to take many years to
(39:41):
break, is probably going to become many minutes to break. So post-quantum encryption is slowly starting to get feet to stand on, and I think that's going to be one of the most critical things that at least the financial industry and the
(40:02):
industry which has a lot of intellectual property to protect is going to spend time and money on. They are, not sure if I can use the word naked, going to stand naked on the street on the day when it happens. I think that's another thing that scares me, because when
(40:23):
that day comes, and if you are not ready, it's going to be a problem.
Speaker 2 (40:28):
Yeah, I would agree with that too.
It's mind-boggling to me that banks still think that 128-bit encryption is strong, and it's also mind-boggling and unsettling: why can't we just keep increasing that strength? Because it's trivial to do, you know, typically, in
(40:50):
situations to extend the bit length. I mean, like you said earlier, you know, the average user is really oblivious to the rabbit holes that we go down.
But you know we put, or at least people put, a lot of trust in these vendors, that they kind of take that headache away.
(41:11):
Right, but I think that there needs to be more pressure on the vendors to take security more seriously and hire companies like us to do the testing on their products.
You know, one of the big fears that I have is satellite security and blockchain security, and you know you brought up quantum computers.
You know, that obviously is a big issue.
(41:32):
So there's all these big issues, but it does boil down to the people that are making these products and offering these things to market.
Like the guy. What was the guy's name? Saggy or Soggy?
Speaker 1 (41:45):
I mean...
Speaker 2 (41:46):
name, uh, saggy or
soggy, oh yeah.
Yeah, I mean, I mean I'm scaredto fly right now.
I mean it's like, it's like soyou know, but but like the
everyday user doesn't see thestuff that we see and they're
not exposed to it like we are.
So you know, it's kind of likeout of sight, out of mind, I
guess I.
But yeah, anyway, I guess my point is that I feel
(42:07):
like there should be constant elevation of security, not just like, oh well, we'll just keep 128 bits, we're a bank, we're secure.
We've been this way for three decades or whatever. Yeah, almost three decades now.
Speaker 1 (42:22):
I think banks are some of the worst that we've dealt with because they have so much oversight, right.
They're handling everybody's money, right? Mostly everybody's money.
Speaker 2 (42:34):
Well, look at what happened with the bank that hired us to do that huge test.
Yeah, yeah. Scary.
Speaker 1 (42:43):
It's scary what I did. Well, not just you. Yeah, what I went through, uncovered, yeah, what I went through was very scary. But as technology evolves too, like I was just thinking in my mind, like by the year 2100, our kids will be able to
(43:05):
build their own satellites and launch them.
You know, like a Lego build-your-own-satellite kit, you know, or you'll be able to get a quantum computer on Amazon for 200, you know.
And yeah, sometimes it's scary and depressing to think about the future, and I think about...
Speaker 3 (43:25):
Yeah, about 50 years ago, 50, 60 years ago, an 8088 was used to launch a satellite, and now we are walking with, like, supercomputers for that age in our pockets these days, if you compare, right.
It's like, I remember that I started with the computer
(43:52):
where I had to actually add an extra math processor and memory, and I had to load... I mean, I started with loading the DOS image from a floppy disk, a five-and-a-quarter floppy disk, right.
So at one point, when 1.44 meg disks came in, it was
(44:13):
like revolutionary for me. Whoa, I can store one and a half megs.
Speaker 1 (44:18):
Yep, I remember my dad used to have this real estate company, and this was right when floppies evolved.
But the period before floppies, it goes to show you how old I am, but there was a big little vinyl disc. It was really flimsy.
It was the size of a record that would slide into the side of the computer.
Yeah, that was...
(44:39):
How old have we...
Speaker 3 (44:42):
...changed.
Speaker 2 (44:45):
Yeah, I grew up on the 8086, 8088, the quote-unquote portable, first portable laptop computer.
That was about 100 pounds, and it was, you know, green screen and two five-and-a-quarter-inch drives on it.
Speaker 1 (45:00):
Yeah, yeah. I don't think we have much... yeah.
I was just gonna say we should probably wrap up. Was there anything that you feel like we didn't touch on that you'd like to pass to our audience?
Speaker 3 (45:18):
No, just from a cybersecurity point of view, I would just say this: first, do the basics before you start trying to spend money.
A lot of times it's common sense items that we actually do and tend to forget that could protect you pretty well. You don't need a lot of budget.
(45:38):
I'm not saying you don't need budget, but start with the basics.
Don't start with, I want flashy tools. Tools will come and go.
Speaker 2 (45:49):
We like to say... and also, sorry, I just want to interject one thing off of what he just said.
I think a lot of people make things more complex than they need to be, too.
I mean, back in the day, you know, system administrators, it would be horrifying to allow the user local administrative rights, right, and I feel like that kind
(46:11):
of got real slack, slack with everything, slack with security, slack with loaded code, all of it.
My point is that back in the 90s, you know, a system administrator would only give the user access to what they absolutely needed to have access to to do their work and nothing more, and they could not install anything.
And I would say that that is not normal nowadays, or not
(46:33):
common, where I would say most companies don't do that.
Most companies, especially small businesses, give most people full access to everything, and it creates a nightmare for security.
And I think it just all boils down to what I've said for many, many years now: it's a layered approach, multiple layers, not a single system or hardware or whatever to buy.
(46:56):
You have to do a layered approach, you have to train your people and blend the people, process and technology together, and if you have a weak point, like we found with the bank, it was a people issue.
They had plenty of money, they had plenty of budget, they had good equipment, but they didn't have the right people watching it and configuring it properly, so they had gaps and exposures.
And if you don't do the third-party testing on, you know, your
(47:20):
systems across all of the above, people, process, technology and the layers, you're going to have gaps that you're not going to realize, and you're going to have exposure.
And if you simplify your environment, you simplify your systems and you simplify everything and distill it down to just what your people have to have access to to do their job, it makes everything easier. And I do...
Speaker 1 (47:42):
Go ahead, please.
Speaker 3 (47:43):
Sorry, I just want to add one more point to what you just mentioned.
Ever since people started moving to cloud, especially on the small business side, mid-size, the idea behind the cloud was to make it easy, simple, right.
(48:04):
What has happened is, it has made it simple, absolutely.
What it has also done is anybody with a credit card, a company credit card, can actually go and buy stuff off the cloud, and it has created a lot of shadow IT which IT doesn't know about.
Something that you don't know, you cannot protect.
(48:25):
That's one problem.
Number two is, people think that anything on the cloud is secure by default.
Hey, it is in the cloud, it's secure. No, it's not.
It is secure from an infrastructure perspective, from
(48:46):
a cloud provider perspective.
They have security measures, but if you are bringing a server up in the cloud, you still need to follow your security best practices to secure that server.
If you put an RDP port on the server open and open it to the internet and don't put a firewall in front, it is going to get
(49:07):
hacked. It's not an if, it will.
So those are some of the things that the small businesses think, and it's not that they don't want to do it, it's just that they feel that it's just the hype, that something was created, that everything is secure by default, which is not true.
Speaker 2 (49:28):
Yeah, I think that's absolutely true.
I think people think that, oh well, I'm with Microsoft or I'm with Amazon and I'm secure, but they don't realize that they still need to have the same talent and expertise to properly configure that environment.
And one could argue that they might need even more talent and expertise because they have more controls, more dials, more settings, and we've been hired to do forensics and
(49:50):
investigations for business email compromise and different kinds of cases like that.
And they were using Office 365, and they absolutely did not properly secure it.
And the point here is that you have all of these things at your fingertips, and to your point, Bala, you know, it could be other people's fingertips that you may not be aware of, that are
(50:11):
making these changes, and you're not aware of it or your team's not aware of it.
And now you have exposure and you have gaps.
So it's just, in my opinion, super important to have an outsider, third-party, trusted vendor do testing regularly to show you and show the C-suite: hey, look, yeah, you guys are doing a great job here, but you might need to have some improvement here in other places.
Speaker 1 (50:34):
I think, and this is a vast oversimplification, but there's three questions you need to ask yourself from a cybersecurity and forensics perspective: what data are you collecting, how is that data being transmitted, and where is that data being stored.
And if you can look at those three things from a
(50:56):
magnification lens, or if you could blow up how all that works... And if you can't do it, of course you can reach out to any of us.
But if you can answer those three questions, then you are going to be making steps to securing your business.
Alright, guys, I think we're wrapping up here. Reached our time cap here.
Thank you so much for the opportunity.
Speaker 3 (51:25):
It was good talking to both of you. Thank you so much.
Speaker 1 (51:29):
We will see you on the next one, I'm sure. Sure.