Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:01):
How's it going, John? It's great to get you on the podcast. I know me and your company have been trying to do this thing since, probably like last summer. I might even be being generous with that, but I'm real excited to get you on and hear about your story.
Speaker 2 (00:18):
Great, thanks for having me, Joe. I didn't know it was taking so long to get us online. So glad to be here. Glad to be here, yeah.
Speaker 1 (00:28):
At first it was like the time difference, right, because they're based out of Singapore, I believe. It's, I mean, it's almost like a 24 hour time difference. It is. It's pretty crazy.
Speaker 2 (00:41):
Yeah, it's like, it's like past 1am in the morning right now.
Speaker 1 (00:50):
So yeah, it's like 12 or 13 hours different, so it does feel like it is and feels like it's on the other side of the world. Yeah, yeah, it's. Um. It's interesting whenever, whenever I'm doing a podcast with someone, you know, that far away, like I've done podcasts with people in Israel and, uh, I mean I did a podcast with someone in Israel that was like actively getting bombed, you know, and he's like, oh, I may have to, like, you know, drop out.
(01:11):
You know, I don't know if you hear the sirens. I'm like, dude, let's just reschedule, I don't need you on a podcast like actively getting bombed or something.
Speaker 2 (01:21):
So that's, that's pretty intense. I lived in the Middle East before, so I kind of, uh, I kind of understand the feeling. You know there's, uh, some amount of unrest that happens, like where I was, all the time. So you know, if you're not, if you're not going to live your life, then it's going to those. Those things are going to get in your way.
(01:42):
So we've got to feel. Got to feel for those folks.
Speaker 1 (01:46):
Yeah, I mean it's challenging. It's like they didn't ask for it and people were born into it. It's like they're born almost into an active war zone without having any say about it, which is true for a lot of different parts of the world and whatnot, and it's an unfortunate reality.
(02:09):
I think I heard someone say that like you won the lottery just by being born in America, right? Like I mean that's.
Speaker 2 (02:18):
I was going to say something very similar, right, and there's a very, very similar kind of sentiment. There's great places to live and, most everywhere, there's bad places to be. But yeah, being in the US, we're somewhat lucky. I think that there are, of course, things that we would like to have better in the United States.
Speaker 1 (02:47):
But in a lot of ways we don't have the same challenges as other countries do, for sure. Yeah, that's a really good point. You know, John, I want to hear about how you got into IT. You know, where that journey starts for you and what made you. You know, once you got into IT, what made you want to, like, make the pivot into security in IT. What made you want?
Speaker 2 (03:05):
to make the pivot into security. Yeah, I started my IT work really kind of early. I got involved with computers very early on, when I was maybe 14 years old or so, and actually a little bit younger, because I didn't have my own computer but I had friends that were on the
(03:26):
street around me that did have computers. So for a couple of years, you know, I kind of hung out with those kids and played on their computers and we did lots of little things together for a couple of years before I got my own computer in 84. And it was. It was a completely different world than today's world. I mean, everything that we had, we didn't have Google and we
(03:47):
didn't have a lot of computer books. We had some magazines, which were hard to find. We didn't have the internet, so we couldn't just go look stuff up. So we did a lot of, like, just like sometimes even just hunting and pecking, like what the command keys were that you could, you know, use to make an application work, because the documentation wasn't that great either for a lot of the
(04:09):
applications that we were using. And but, you know, I found myself that I was really in love with computers and loved doing things with computers as I kind of went into school, you know, finished up high school, came out of high school, needed to do work, and I had a couple of friends that were doing IT work and consulting kind of work in
(04:30):
the Houston, Texas area, and so I did that for a few years before really getting my first real job, you know, where someone, where I was an employee, which was at Apple in 93 in Austin doing just help desk stuff, and, you know, I'd already been working on Apple computers for a few years
(04:50):
already and loved it. But at some point in time I kind of got unenamored with always having to use a mouse and wanted to automate things and do things. So I got into. Really, people were telling me, I thought I was going to get into like Novell networks kind of stuff, and people probably don't remember Novell, but someone pushed me to Windows NT and so I
(05:11):
went towards Windows NT as well and got my certifications there and spent a lot of time doing work on Windows systems and building Windows environments in the old pre-Windows 2000 Active Directory days. Eventually I got into Linux and was doing a lot of work in system management systems, like enterprise management systems, to
(05:35):
do distributed monitoring, configuration management, event correlation kind of work based on both Unix and Windows environments, and that gets me around to like 95, 96. And was a consultant at IBM after that. So I was building enterprise systems for a group called Enterprise Services for Microsoft Technologies and I
(05:56):
thought I had the perfect job. I thought it was great. And then in 2003, I started doing some work for the US Navy as a contractor for their overseas networks, OCONUS Naval Network, and that was really the kind of first experience I had with cyber, right. But up till that time I had done Windows, Linux, Mac work.
(06:22):
I had done work with networking equipment. I had a lot of IT experience kind of getting into before I started working with the Navy. I mean, so I'd been doing computer stuff from 89 professionally to 2003. So I had a lot of time that I'd been in the IT industry doing lots of work all over the place. But in 2003, I started doing work with the US Navy and, as we
(06:46):
were building these systems to go into this Navy network, they required that I secure it and harden it and make sure that it would conform to some, you know, specification, just STIG kind of specifications. And that was really the first time I had gotten into security at all, was just as part of that work, and I remember thinking, I
(07:11):
don't know what this is, right, what is this security stuff? And that's how I got into cyber. But before that, IT, I'd done work with firewalls and IPSs and all sorts of, well, not IPSs so much, but VPNs more, because it was part of, like, a managed solution, right, doing VPNs across different things, but that kind of system integration
(07:35):
work before getting into cyber. In security, to some degree, it's because, you know, you're, you're not always going to be in a situation where, you know, you're friendly with the other person on the, on the other end of the phone, right.
Speaker 1 (07:52):
I mean you're going to be in a difficult situation where someone's yelling at you, you know, about something that you don't know, that you didn't do, you know, and you have to be able to work through it, like I remember. I remember when I first started after college. You know I would, I would get on these calls and, you know, people would be yelling at me and whatnot, and after the calls,
(08:13):
like I'd have to go take a walk around the block, right, just to, just to, like, kind of make it through the day, right, and I was dealing with some anxiety at the time and everything, you know. So it was just like, man, I don't know if I can make it through this, you know, but I really stuck with it and I started to eventually, you know, really figure it out, right, and
(08:35):
that kind of being in that sort of customer support type role. Really, I feel like it can either, you know, jade you towards, you know, dealing with customers, or jade you in some other ways, or, you know, it can really open your eyes to what good customer service actually looks like. You know, and what that standard is, what you should be expecting
(08:59):
when you pick up the phone and call someone, and, you know. I'll give you an example. Right, I was calling my wife's student loan company about her student loans, and there's all these services out there that will advise you on your student loans and how to pay them off quickly and this and that, right, it costs anywhere from like 500
(09:21):
to 1500 bucks for a 30, 45 minute session with these people to tell you, you know, how to, like, what to do and everything. Right. Almost common sense stuff that they're telling you, yeah, and, you know, and that's the thing too, right. It's like, okay, well, what's the value that I don't know from online, you know. And so before making that call or whatever, I decided to get on
(09:47):
the call on the phone with, you know, the actual company, and the person who picked up the phone gave me, like, more than enough information than what I ever would have gotten with that consulting company. Right, and not to, not to put them under the bus or anything like that. I mean, I didn't name them, obviously, but I told her. I was like, you know, you didn't just save me, you know, X amount
(10:10):
of money on the monthly payment, you just saved me like a thousand dollars of paying these people to tell me exactly what you just told me, and I never would have known it. You know, because student loans are like, they're actually pretty complicated and it's difficult to understand for anyone, I think, and I was impressed.
(10:31):
But had I not gone through being bad at customer service? I mean, just honestly, I was pretty bad starting out. I'm sure everyone is, absolutely. If I didn't go through that, I wouldn't have known what good customer service is, I wouldn't have been able to identify that and, you know, provide the positive feedback or whatnot.
Speaker 2 (10:53):
Yeah, and I would say that I think that I learned a lot. So two of my early positions were in help desk, right, where I was on a help desk at Apple, you know. So I was getting a lot of customer calls every day. I think that was a really good formative experience and I'll explain that in a second. And then a second one was field services. Just doing field IT work was another really formative
(11:17):
experience as well. Again, dealing with customers. On the help desk side, you know, when I was at Apple in 93, we didn't have a lot of, we definitely didn't have, for support calls, you know, at a customer, at a consumer environment, we didn't have like remote control tools to help us see
(11:40):
what the user was doing. So we had to in some ways manage the customer experience from a. You know, they're frustrated, you're trying to walk them back off a cliff and kind of engage in the conversation, and then also, you know, being really kind of understanding, like, how the system works, how the technology you're working with works, so
(12:02):
that you can say, you know, go, this is like flashback stuff, it's like go to the top left-hand corner, that's where the Apple logo is, Apple icon, click there, go to this place, and having to drive them and say, well, what do you see there? And then getting that information from them, and then go to the next place, and, you know, as we're kind of like troubleshooting their problem and trying to understand what's
(12:23):
happening so that we could then tell them remove this extension or do this or do that, and that, you know, really had to kind of, like, put for me, and how it's related to my cyber career, is that really had to, had me kind of understanding, you know, how to troubleshoot in my head, right, you know, it's like understanding, like, what the pieces and parts are that
(12:44):
were in play. Is this a network problem? Is it an operating system problem? Is it an application problem? Is it, you know, something else? What is the problem that we're experiencing? And then just trying to, like, talk through this just on a one-to-one basis with someone who may or may not have the same experiences that you have.
(13:04):
I mean, often they did not have any experience with actually how their computer worked, and so I think that really played. You know, when you get into, like, incident response scenarios, that is an incredible talent to have, right. So, like, you know, it's like getting into incident response and you're in with a bunch of folks that may have never talked
(13:26):
to each other before, you know. You got the application guy, the networking guy, the database guy, and those people have never been on a call at the same time just because of how bureaucracy works in enterprises, and then you're getting them into an incident call. Being able to kind of, like, maneuver around those different people's experiences is a great skill to have, right, and being
(13:46):
able to do it in a way that you can focus that partner on the call into a specific place and just manage it is a great skill to have. The other one is just field services, just dealing with, you know, people at their desks and being able to see what they're doing, and that's also really good because you see lots of
(14:12):
ways of working, just kind of running around to people's desks, systems, so that people would have a consistent experience, dealing with inconsistencies and poor quality with systems that are being rolled out. You also start getting the feeling, like, you know, what we need to be consistent, which is also incredibly useful in cyber,
(14:34):
is just consistent application of your controls. In my case, it wasn't about controls, it was about how do we make a consistent experience for that IT system to be deployed so that our users are having a consistent experience. And as a field services person, you go out from system to system to system and you start seeing that, wow, this root
(14:56):
cause is, this wasn't set correctly. Why wasn't that set correctly? Right, and then you're fixing applications, but a lot of that is also very useful with respect to cyber as well. Right, because it's, you know, understanding an IT system and how it works and how applications kind of interoperate with each other in the network and your security
(15:17):
controls. That's something that I've had experience with too.
Speaker 1 (15:28):
And a lot of, I don't know, a lot of people try to shortcut that. You know, absolutely, it's like, man, no, you really do need to, you know, cut your teeth over there and do this and go through it, right, and, you know, like you said, right, troubleshooting back then, you're basically, you know, walking people through
(15:49):
something that you have in your head, someone that may not be technical at all. And I remember, you know, maybe a year into that help desk job, I started to take over the federal and the military clients at this company, and I mean the first thing with them is that they can't send you screenshots, they're not sending you logs, they're not sending you anything, and the person that
(16:12):
they put on that phone is intentionally unaware of everything about that application, the server, everything. So if anything goes, it is solely on you, right, like there's no in between on it. Yes, it's interesting because, you know, that's like a double or
(16:33):
triple blind troubleshooting, right, when you're getting this problem. That could be a very unique problem, something you've never encountered before, something that no one at your company has ever encountered before, and you have to, you know, get the valid or the relevant information over the phone from
(16:53):
this person, you know, like, one time I had him go into a log file, right, and I said, hey, you know, go to the bottom and read me what that says. Right, read me, like, the last log message. He starts reading me the entire page from top to bottom, like,
(17:14):
hey, man, like, you need to, like, listen to me, right, you need to go to the bottom, tell me the topics and all that sort of stuff. I had to, like, you know, eventually go on site and give them some pretty in-depth training, because it's like, hey, when we're on the call, this is what I'm expecting for you to provide to me. If you don't do this, I can't do anything for you.
(17:43):
Into the mix, right, is going on site, because at these federal agencies and whatnot, I mean, I was only allowed to bring in a paper and pen, you know, and sometimes they didn't even let me bring in the pen, right, like, you know, it was just the craziest situation, because you don't have any resources around you, even though you're on site. So you're basically doing the same thing, you know, that you would on the phone, and you can't touch a
(18:06):
keyboard because you're not cleared, can't touch a mouse, right, and you're walking through that same person that doesn't know anything at all, you know, of this application that was built on this Linux server. He doesn't know Linux, he doesn't know the application, he doesn't know anything about it. You know. And so if you tell him it's running right, he just takes
(18:30):
your word for it. And then you have someone else be like, is this running right? And if they say no, you know, then you're, you're, the jig is up, you got to go fix it. You know, like there's no line, there's validation with everything.
Speaker 2 (18:44):
With the flashing light behind you that says that everyone knows there's an uncleared person in the space.
Speaker 1 (18:49):
Oh my gosh, yeah, they'd have to announce it. You know, like, they're announcing it as we're walking down these aisles, it takes like five, ten minutes to walk from one end of the aisle to the other end of the aisle, you know, because it's such a massive building. And, you know, they'd have to announce an uncleared person entering. Uncleared person entering. I'm like, geez, man, it's almost like insulting.
Speaker 2 (19:11):
Just clear me. I know this feeling too, yeah, yeah, but yeah, I think, like, you know, definitely, it, I think, you know, today, with the perception, and I, and I don, my experience, as you know, hiring people is that sometimes they just don't.
(19:45):
They just don't, they don't understand the underlying technology or how it relates to the incident that they're looking at. And I don't necessarily mean that it's a, you know, million dollar incident or multimillion dollar incident. Just that detection that they're looking at right now, that alert that they're looking at right now, how is it related to the
(20:05):
system? It seems like there is definitely a gap in understanding about how IT systems work and, when it's all said and done, from a cybersecurity perspective, we're defending IT systems, right? So, understanding how the network works, how information flows, how applications work, what the operating system has,
(20:29):
what its involvement is, those things, putting those pieces together, understanding, like, how they work, is incredibly useful, right? So, you know, because, you know, a lot of times when we have new people that join the team that are just out of college, they may have some understanding of IT from a, from a book smart
(20:50):
point of view, but they often don't have the necessary networking chops and system chops that they need to understand how very, these very complex systems that we have today work. And I think there's some basic patterns that you should be able to tell, and just take these basic patterns and kind of put them around, and then you can maybe troubleshoot a problem,
(21:13):
whether that problem is an IT problem or a cybersecurity incident. They're just different. The outcome that we're trying to achieve in that diagnosis and the analysis and the investigation. They may have different outcomes that we're trying to achieve, which might be availability, bring that system back up. That's kind of the IT use cases, but it could also be, did we
(21:35):
lose control of data? Was there a data breach in place? We just have different outcomes that we're looking for diagnosing, but the underlying data and systems are the same. And again, having that experience or that understanding of how those systems work, I think, plays a lot, makes you a
(21:56):
better cyber person, whether you're doing security engineering or incident response or you're on the SOC or you're doing vulnerability management. I think all of those things we as cyber people are affecting IT systems. How do we make sure that we understand, just like in the help desk context. How do we understand our customer, whether that customer
(22:17):
is an end user who just got hit by a phishing attack or it's an IT person who's scared about patching their systems. We kind of need to understand what their point of view is and what their experience is and kind of lead them in the direction if we actually want to achieve the security outcomes that we want to have. Whatever those are, but I do, I definitely think that, you know,
(22:39):
having good IT skills will make you a better cyber person.
Speaker 1 (22:47):
Yeah, yeah, absolutely. I mean you really need to have that foundational knowledge, right? I have a friend that's, you know, a good security engineer can step into the role of you, role of a system admin, network engineer, whatever it might be, and it may be a little bit tough
(23:08):
at first to do the work and whatnot, to get used to everything, but typically they'll eventually, pretty quickly, be able to pick it up and excel with it. And that alludes to you really need to understand what's going on, what's being used. Why does this process run on this server?
(23:29):
Do we need it? Is it expected to run? Is the OS running it? What's the kernel look like? What's the BIOS look like? All these different things. It all matters, right, and the security professional is the one that's tying it all together. The systems guy may not understand where he's deploying this in the network matters, right, and the
(23:51):
networking guy understands, okay, there's a difference between these two networks. I don't really know what the real difference is, why it matters to security, and security says, no, you have to deploy this system in this network because of all of these controls that we have around it, because of what it's doing in our network and how it's doing it, right, like we need to
(24:14):
potentially sequester this thing off to an extent where the rest of the network doesn't need that kind of security, right, the rest of the network needs to operate maybe a little bit faster than this part and all those different things. Context matters, right. Yeah, they all come together, right, but it's that security person that really is the one that knows it and understands it.
Speaker 2 (24:37):
And I 100% agree. I think that one of the most complicated jobs that we have in IT is probably the cybersecurity practitioner, whereas you might have, like you said, you might have IT people that are really good at databases and you might have IT people that are really good at Windows or really good at Linux operating systems or networking or whatever.
(24:59):
They have these areas that they can focus on, and developers are typically working on an application with a feature set and they understand their application, and I think that cyber people typically have to know how that system works next to this system, next to this system, next to this system, and they're dealing with Windows and Linux and different
(25:24):
versions of Windows and Linux, different database systems, different web servers, different application servers, and all of these things are mixed up in a big melting pot of your enterprise IT systems that all work individually but they have to work together. But the cyber folks have to know about everything.
(25:46):
They need to know how all of it works and they need to understand the context of it, as opposed to, like, when I was, you know, at some of these big enterprises, we would have folks that their only job was to install the operating system on a virtual machine, then the ticket would go to the next person that their job was to install Oracle on this virtual
(26:11):
machine after the operating system was installed. And that's great from a database person's point of view. But when those systems come together, both the business context, the data context and the technology context need to kind of come together, and as a cybersecurity practitioner it's a daunting set of requirements that you need to understand as
(26:35):
you kind of progress in your career. So it's complicated. It's definitely a complicated set of roles.
Speaker 1 (26:42):
Yeah, that's very true. Well, you know, currently you're a field CISO, right? So not, I feel like not a lot of people may know what a field CISO is or what that's like. Can you tell me a little bit about that?
Speaker 2 (26:55):
So I'm still learning what a field CISO is too. So this is the first time I've had this role. What I feel like the role is, is, you know, partially a mentor or advisor kind of role I have. It feels like I'm trying to help, you know, customers
(27:18):
understand how a product fits into their defense in depth strategy. There may be things that they're worried about right now, but there are probably other adjacencies that are also useful, right, that they may not be thinking about right now but they're going to be thinking about in a few months. But also how this tool, one tool set, fits into the rest of
(27:38):
their defensive strategy and, you know, those kinds of things. So it's like kind of understanding the technology, understanding their use cases that they're trying to protect from right now, because there's usually something that's important to them, and kind of helping advise on that front. In some ways it's a product role, where I am taking feedback from a customer about something that works or doesn't work and
(28:01):
bringing it back to the engineer so that they can understand how this feature should rank in their product roadmap. So there's some amount of that as well, and it's also a certain amount of evangelism and just talking to people about, you know, our product sets and how it, you know, what kind of, and for me, you know, it's somewhat the feel, felt, found. You know, you know, how did it, you know, how do you feel about
(28:21):
it. And then, you know, what I felt. You know, what I found, because I did something and it could be just gaps in my experience, like in my experience, you know, I thought that certain things were covered well, you know, I had that illusion that, hey, this is actually working pretty well. But then I learned that, you know, just because of use cases
(28:49):
that we were having, how my DLP was either working or not working, or it worked in this way and not in these other areas, and one of the classic ones is just Windows versus Mac or Windows versus Linux. It's a lot of times the technology that we're using works really well in Windows, but its effectiveness in Linux or Mac environments is almost nil, right.
(29:12):
It almost doesn't work. And being able to discern that was, you know, is, again, having the background in Linux and Windows and Macs, I kind of understand what it is that I need to be looking at. But again, I was under the illusion that certain things were being covered pretty well, but when I looked into it I found that they weren't, and so I had to kind of come up with
(29:34):
ways of circumventing those gaps and those controls as they're implemented on Windows or on Linux or Mac systems that I didn't anticipate. At SquareX, that's one of the things that I'm kind of interested in, is how the evolution of the browser and evolution of SaaS and cloud, how that's kind of impacted, you know, our ability to
(29:57):
maintain the confidentiality of data everywhere we go, and it's surprising how many people are working in browsers today. So I think that for me that's a very interesting topic, just because of my recent experiences and somewhat of the gaps that I thought that I was living under.
Speaker 1 (30:17):
Well, tell me about SquareX.
Speaker 2 (30:31):
What's the problem, right, and how are you guys solving it today? And we are, the browser as a platform somewhat predominates most of our work today, meaning, like, you and I are in this
(30:53):
podcast, in this studio, and we're in a browser and somehow it's recording us and videoing us, and it's just an incredible lot of power that's in this browser today that we didn't have in the mid-90s and early 2000s. And so the problem is, like, so who's monitoring the browser? Like, who's making sure that the browser is working like it's supposed to? I mean, we thought it had a sandbox and everything else, and now we have extension subsystems that are creating
(31:17):
threat and grief for us. And that's cool. That's one thing that's happening on the endpoint, but the bigger problem, I think, is that we have so many SaaS apps that we're going to that are ways of spreading data around, and then how do we manage the confidentiality and prevent the loss of data into places that we did not intend to when there
(31:38):
are so many web applications that are delivered via SaaS today, and that's not new. But I think the confluence of cloud and the availability of SaaS apps, the complexity of the browser, kind of coming together, I don't think most people are thinking about how big of a problem that actually is, what that attack surface
(32:00):
actually looks like, and then how do they detect problems, how do they mitigate them, how do they prevent those things from happening in the first place? How does that happen in the browser? We are really good at doing it on an endpoint, you know, with our EDR solutions and some amount of steering that we have with SASE and SWG products, but now we're dealing with everything steering to one of the cloud environments, because
(32:22):
all the SaaS applications are delivered to cloud environments. How do we know that that's where we want to put our data within that application and that our users are doing what we expect them to do in those applications, when the only interface to that is the browser? And I think that's the problem. The solution is having the right amount of detective controls in
(32:45):
place so that you can watch everything that's happening in the browser, whether that's WebSocket communications, gRPC communications, changes to the DOM, the injections of JavaScript into the application, the code that you're looking, looking at, extension, what information, what rights does that extension want to have in your application, your browser,
(33:08):
and what OAuth controls that applications and SaaS apps are asking you for? There's so many things that happen in the browser, and the solution is we need better detection and threat response in the browser, and so that's what SquareX does, browser detection and response to. So it's very much like EDR for your browser.
Speaker 1 (33:30):
That's interesting. I wonder why that space hasn't seemed to take off like it probably should have. I heard grumblings, but it hasn't risen to the same level as CrowdStrike with EDR or whatever it might be, right.
(34:01):
Maybe that is kind of like a new, I don't want to call it a new frontier for cybersecurity, but it's a new layer that people haven't thought about before, because typically they're thinking about, oh okay, with the SaaS app, I need to secure it via data encryption and strong authentication and whatever else,
(34:22):
right? Well, no one really thought about the abstraction layer back of how are people actually connecting to the SaaS app? Well, what, what if? What if something lives in that browser that even the end user doesn't know about? Exactly, and, you know, it's being exploited that way. It's probably a really good way that, like, if nation states
(34:43):
were to, you know, attack people or attack an entity or whatever it might be, I mean that would be a really good way of doing it, because no one is looking at the browser, right? No one's even thinking about it. Like, I downloaded it from Google Chrome. It's up to date, you know, on its thousandth update of the year. What else?
Speaker 2 (35:03):
do you want me to do?
You know?
Yeah, I mean, even if you look at like just a STIG hardening for Chrome, it says keep the browser up to date, make sure your extensions are up to date, and that's, you know, architecturally, I think that's probably correct, right, keep it up to date. You don't want to lose control of your browser with respect to a Chrome vulnerability that allows you to do remote code executions in the browser environment.
(35:24):
But on the extensions, it's even extension updates, just like application updates on a Windows, on a normal Windows device: I can install this version of Acrobat, then the next version of Acrobat, then the next version of Acrobat, and they always have vulnerabilities. There's always something that can be, that applications have some vulnerability to. They're just known or not known, and maybe it's different
(35:46):
levels of severity, but we're always introducing vulnerabilities into our environment, and that's just the reality of working in, you know, trying to secure systems or harden systems.
However, the number of applications, the extension, the extensions, you know, I think there's right now over 140,000 extensions that are available on the Chrome Web Store
(36:07):
marketplace, and that's just them. And then Firefox has an extension system and Safari has a plugin system as well, and those applications need to be vetted. It's complex to even vet applications that are going on your desktop, much less something that's just happening inside the process shell of your browser. So I think that the management of that, you know, is important
(36:30):
and, like I said, hardening and controlling, you know, what extensions that folks should or should not be using, that's great. But as soon as I install an extension that's having some other problem, like a supply-side attack, or they lost control of their extension and then the vendor has code that's being placed into their extension that they did not,
(36:51):
they did not, that an attacker put in there that they don't expect to be in the environment, those introduced vulnerabilities into it, kind of like SolarWinds, you know, where they kind of lost control of their code base and now it's being deployed everywhere. You know, you find out you have the same kind of problems in the extension space as well.
But there's also a pretty active marketplace for
(37:13):
extensions, also, right, meaning that extensions do get bought and sold by different people to, you know, inside that space. Then losing control to someone that you don't know, a developer that you don't trust or an attacker that's going to, and these problems aren't new. I mean, I think the earliest one that, like, the top of my
(37:38):
mind, is like 2015, right, and I'm sure they go back further. Those, managing that, I think, is complicated. But again, you also have the same problems with the SaaS apps as well, where you can give too much rights to a particular SaaS app and by doing that you lose control of your data, your systems or your integrations between different systems as
(38:02):
well. So it's a lot of complexity, a lot of very complex environment, a lot of opportunities for threat actors to take advantage of the browser and then get control of the data sprawl that we have in SaaS environments, whether they're business-led IT, shadow SaaS or central IT-led, it doesn't really matter. Lots of use of SaaS apps today.
Speaker 1 (38:27):
That's interesting. Do you see more adoption of this in one sector of the market over another? Is there anything like that? I would think that some financial institutions, like large banks or whatnot, they would want something like that. For sure. Obviously the federal government and the military, you know, they would want that sort of technology.
Speaker 2 (38:50):
Yeah, they do. They do, but I think we've been conditioned to worry about the endpoint and applications and network steering, right, meaning we used to have proxy servers all over the place. We used to have IDSs all over the place and we're protecting office environments with our data centers, which were two closed systems that we could connect and we knew and keep
(39:11):
people out of the ones that we don't want to, right. That system was way less complicated than what we have today, which is the big issue.
I think one of the earlier questions was why aren't people thinking about this? Well, again, I think it's a matter of education. There was a time when people didn't think we needed EDR tools
(39:34):
either, that we thought antivirus was enough. Now there's a lot of EDR vendors and they're all pretty effective in the Windows space, and then it looks like how do you want to protect Linux and stuff? Again, it becomes more complicated. But we've been conditioned to think that we have data centers and we have office environments and we need to protect that kind
(39:56):
of world, whereas the world's really shifted out from underneath us. So I don't think there's been enough education or understanding of the threats that are inherent in cloud running SaaS products and then accessing all those SaaS products via a browser. I don't think that's really been. I think that's kind of new thinking, new ways of, it's
(40:19):
a new way of, it's a different paradigm that I don't think people are putting too much focus on because it doesn't work with our traditional IT education. Right, our traditional IT education has been here's a network, this is a firewall, this is a host, this is a node, and we design a system to be self-enclosed, and that's just
(40:42):
not how we operate today. There's environments today that don't have. They just have open Wi-Fi, or they may have MFA-enabled connections to their Wi-Fi at work, but then there is no, there's no. It might as well just be a guest network, right, because there is no connectivity with other systems on the environment
(41:05):
or access to those hosts and servers, because all those are in the cloud behind, you know, an AWS console, right? We have lots of environments that are just working out of WeWork, not something that we had 20 years ago. All of our current, I think, training is around traditional IT practices versus remote workers, SaaS apps and where
(41:31):
we're actually working, which is in the browser. I think one of the interesting statistics on that is that like 85% of user time is spent in a browser today. That's an incredible amount of time to be spending in an application that you don't really have a lot of visibility on.
Speaker 1 (41:48):
Yeah, that makes a lot of sense. I never, I guess I never really thought about it like that. You know, and even with all the education that we have, we never really talk about browser security. You just assume, you know, Google's doing their job, right, and it's. We'll probably end on this point, right, because we're running out of time here quickly.
(42:09):
When I was working at a company that was creating an application, they had to deploy an application on Google Play Store and the Apple App Store and we were talking about the timelines, and the developer said, oh, I could put it on Google Play Store ready to download for people by the end of the day. It's not a big deal.
(42:29):
They don't even check what's in it. Right, you just check all these boxes and you're good. With Apple, it's going to be like a two, three month process. That's right. Right, because they're going to pen test the app, they're going to really check it and everything else like that. Right, and sure enough. I mean, it was probably four or five months even to get it on the Apple App Store, and that's probably something similar, you
(42:52):
know, with browsers, right. If I wanted to get an extension, I bet, you know, there's not like a very robust team at Google. You would think that there would be, but I'm sure there's not a very robust team at Google really reviewing these extensions, which can really increase or decrease the security of your browser overall, which really puts the rest of the data and everything
(43:16):
else that you're accessing and using it for all at risk, which, that would be really frustrating for me, because I'm over here using a password manager with an extension in my browser, right, and it makes me think that everything is all secure while, you know, lo and behold, there might be a malicious extension intercepting all of my very lengthy passwords that I don't even know.
Speaker 2 (43:36):
Yeah, you should look at the polymorphic extension webinar that I did, where we went through that exact, where we had an extension that was used for marketing that we changed to actually change the icon for our extension to the 1Password extension and then started popping up, hey, you've logged
(44:01):
out, ask you for your credential information, and then re-enabled the extension and changed our icon back. We call it polymorphic extension, where we then capture those credentials from that user and then we're able to go anywhere that user can go to, right, because now we have access to their vaults, because we have their security key and everything else that we need.
(44:21):
But a user would totally not see that happening. It would be incredibly transparent for them to see it. I mean, it's happening. They wouldn't know. It's somewhat of a scary, scary thing, but exactly that.
And so I don't think, I definitely wouldn't say that Google's not doing a good job. Right, I think they're doing a lot of things, but just like when, you know, they have a lot of automated processes to kind of
(44:43):
get through that, because there's lots and lots of extensions that are being published or updated, et cetera, and they, they have, they have good skills, you know, good people skills to get that stuff done. I think that the problem is that, you know, this then becomes an
(45:05):
enterprise or user problem, because the system's working as designed. In the polymorphic extension and the browser syncjacking attacks that we did research on and we posted about, the system is doing exactly what it's supposed to do. You know, the problem is how much rights are you providing to that extension? What subsystems are you allowing them to have access to? And if you don't know everything, or even how the combinations and permutations of all those rights kind of work
(45:26):
together, it's easy to get lost there and make a decision that you didn't intend to make, which results in you losing control of your password manager or your credentials or whatnot. So it's a threat there, and there's a threat there.
Speaker 1 (45:45):
Yeah, it's interesting. It's definitely something that you don't typically think about. Really. Well, John, we're at the top of our time here, but, and I really enjoyed our conversation, but before I let you go, how about you tell my audience, you know, where they could find you if they wanted to reach out and connect, and where they could find SquareX if they wanted to learn more about the company and
(46:06):
the solution?
Speaker 2 (46:08):
Yeah, so you can find me on X at John Carse, J-O-H-N-C-A-R-S-E. You can also find SquareX at S-Q-R-X dot com. So sqrx.com, and take a look at our browser.security site as well, because it'll allow you to check your browser and how well it works. Do you have the right kind of controls in your browser?
(46:29):
If you're an enterprise customer, and we also have a consumer plugin that can help you out as well. So that's on the Chrome Web Store as well, if you want to check that out kind of organically.
Speaker 1 (46:40):
Awesome. Well, thanks, John, and thanks everyone for watching or listening to this episode. Hope everyone enjoyed it.
Speaker 2 (46:47):
Thanks, Joe, good to meet you.
Speaker 1 (46:49):
Yeah, absolutely. Good to meet you too. Thanks everyone.