Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:01):
How's it going, Daniel? It's great to get you on the podcast. You know, I think that we've been planning this thing, I want to say, since like June or something. At this point, I mean, primarily, my schedule has just been garbage, you know, like it's one thing after another, right? Like the kid gets sick one week, derails me for two weeks and then something comes up. It's always something. It's always an eventful time in my life, I guess.
Speaker 2 (00:26):
No, I'd say so. I, I hope, I, I hope your kid will get better soon. But I'm very happy that we, you know, we stick, we stick into running after each other. I'm really, really glad that we have, you know, a chance to talk. Yeah, yeah, absolutely.
Speaker 1 (00:37):
You know, you know, Daniel, I, I, I always start people off with telling what made them want to get into IT, what made them want to get into security. And the reason why I start everyone off there is because there's a lot of people that are listening that maybe they're trying to figure out. Is IT even possible for me?
(00:57):
You know, like, is this a realistic goal? Should I actually spend time in it? And I feel that hearing everyone's story right, hearing everyone's background with getting into it or developing that interest, is always really helpful, because I remember when I was getting in, all I wanted to hear was someone else came
(01:17):
from my same background that did it right. Because once you hear that, it kind of like unlocks your brain.
Speaker 2 (01:36):
It's like, oh, this is possible, right. So where did that start for you and the Israeli Defense Forces? And I was very, very happy to join the intelligence. Actually, another technological side in the beginning I actually joined a bit more kind of was a forward-deployed intelligence type of thing, and I think when you are doing
(01:59):
intelligence in the 2010, and I would assume other people did some service and relate to this, you understand that cyber is a very, very big part of what intelligence is in modern times. And for me, as a person that was always rechasing impact, I felt like, you know, I heard all of these stories about people that said, look, I had this great idea.
(02:19):
I woke up in the morning, I went to my computer in the evening, I got all of those things and I was like, oh, I want to do it as well, and so I decided to try and cross the river and to a unit called 8200, which is the second unit of
(02:39):
8200. And I was there in the cyber sector and actually, despite being already an officer, I started from scratch, you know, from researcher, team leader and forward. So this was my path into cyber and technology.
Speaker 1 (03:00):
So when you were on the intelligence side, would that be like the equivalent to an officer in America's intelligence services? Yeah, okay, okay, so that I mean that that tells me, you know, things of like what I can ask and whatnot. Right, like I've had former like CIA officers on and I mean
(03:23):
my audience, you know, they can go back and listen to those episodes. Like there was like five questions where I asked him. He's like, yeah, I can't, I can't say that, right, but but that's so, that's really interesting. So when you were in that role, you saw the impact of technology, you know, on your role when you were in it, you know, in that 2010 timeframe, right, did you, did you see
(03:47):
the role potentially transforming into, like, hey, I'm like, at some point I'm part hacker and part officer, right, like, was there? Was there a transformation there going on? I imagine that there could be. Right, because I'm thinking of I'm obviously I'm not asking you to speak about any of this, I don't expect you to even know anything about it, right, but I'm personally I'm thinking
(04:07):
about Stuxnet in terms of, okay, like now it's like kind of blending, almost right, because we're finding out that, you know, one of the methods that they could have potentially gotten the USB drive in was through like the water system, and then, you know, someone on the inside pulled it out and put it into a
(04:28):
server or whatnot. I mean, that's all conjecture, right, it's all assumptions, right, but, like to me from a cybersecurity professional, it sounds like, okay, you have someone that has some knowledge that is a little bit beyond just like the physical aspect of being an officer, right, and so was that present.
(04:49):
And then is that kind of what sparked that interest of, oh, I want to go, I want to go more on the cyber side, right, I want to go, maybe, to the people that are creating this stuff and whatnot.
Speaker 2 (04:59):
So does that make sense? No, it is. I can't talk about, you know, Stuxnet, or anything because I didn't know. I wish, I wish I would know more, I wish I, you know, I knew more about it, and but I think when it comes to to this, at least for me, it's always about, you know, those experiences where, essentially, you're you're sitting in a room and trying to make a decision from the other side of the room I'm
(05:21):
not talking, you know, I'm not like you. We're always taking it in our heads to spec a lot, even like, you know, you're trying to do like a defense mission on, you know, like a counter-terror type of mission, and I think that 2010 has really shifted the way towards understanding how much
(05:42):
impact does this, you know, cyber has, both in the ability of the real-time aspects of it as well as the ability to really understand deeply things that are, you know, really, really hard. I think that the last few years kind of showed us, and I think in Israel specifically, that it cannot go by itself. It should always be as part of the overall, I would say,
(06:04):
methodologies itself. But at least for me, I was like how come there is such an important part of my job that I don't really understand, and and it is for me like this, alongside the fact that I saw the impact and I saw the enthusiasm and I and I also saw the opportunity to actually make
(06:27):
a difference. I think one of the amazing things about cyber is that, and I always remember when I talked about it when I changed, is that, you know, sometimes in order to do like complex, like intelligence mission, you need, like, big teams and, like you know, months of preparation, like physical complexities, and with cyber, you still need highly trained, very, very, very
(06:49):
successful people and a lot of preparation. But essentially one of my best experiences, I remember I had one of my soldiers when I was already a team leader. She was like, I have this idea, let's try this out. And from a no-go to a wow, we did it in less than 24 hours with two people in a room. This was like a crazy dream come true and for me at least,
(07:12):
it was part of the ability to create an impact. Now, from the defender side, I'm saying that I think it's also part of the challenge, because we're living in a world where the number of people that are capable of doing those things is just crazy.
Speaker 1 (07:25):
Yeah, you know. Yeah, that's, you know, that's fascinating. There's a lot of like rabbit holes that we could go down with what you just said, but I think it's really important, though, to have purpose in your work, you know, to be like, hey, this matters. Right, those people may not even realize that it matters, but it matters, and I think that that was one of the things that
(07:48):
kind of opened my eyes to cybersecurity. Right, because a little background right, I got my bachelor's degree in criminal justice. I wanted to go into the federal government. I wanted to go and be that officer that's like in the, you know, a dark hole on the earth, just trying to, you know, make the world a better place. Right, like, I really wanted to do that.
(08:08):
I really wanted to have that impact. I figured I probably wouldn't make it past the age of 40. I probably wouldn't have a family or whatever. Right, because I was, I was fully sold into this thing, and during the, you know, the the interview process right, it's a two-year process, you know, I'm in help desk and someone at that company was like, hey, you should think about, you know,
(08:30):
cybersecurity, like why don't you go pick up the Security Plus book and see if it interests you, right? And so I've told this story before. But you know, I picked it up and I couldn't put it down. And so, just to be sure, I picked up a Network Plus book and that thing would only put me to sleep. I mean, it wouldn't matter where I was, how well rested I
(08:51):
was or anything like that. I would be at work and I would wake up 30 minutes later and my boss would be like, Joe, what the hell are you doing? I'm like, I'm sorry, man, I can't be reading this book at work. It just puts me to sleep, you know. But that was the thing that kind of caught my attention. And then I started to realize, oh, I can, like I can, spend a lifetime in these different domains of security, right, like
(09:14):
a light passion of mine. Right, that I'm starting to get back into a little bit, probably because my PhD is forcing me to. Is wireless security right? So the wireless security, like the hacking side of it, came very easy to me in in my master's. Right, like that, because it was. It was a very hands-on program, so like you're not just talking
(09:35):
about oh yeah, this is why, you know, WPA is bad or WEP is bad. It's like no, I'm in, I'm in the lab, like I'm manipulating these tokens and I'm doing it myself, right, like I understand it very well, which is more than I can say from malware reverse engineering. That was. That was like extraordinarily difficult.
(09:55):
That was like the only class I got a B or a C in, you know, during my whole program, and I was so mad because I spent so much time on it and still suck. But like this is a field, you know, where you can have a lot of impact in other people's lives, even if it's just your own company's, you know, your own employees' data, whatnot, right, which
(10:18):
really isn't isn't even the case anymore, I don't think, because if you're a company, you probably have someone else's data to some extent, but I, I don't. I don't mean to ramble right, but like finding that purpose, I think, is critical and it definitely helped me quite a bit.
Speaker 2 (10:35):
Well, totally, and I think that one of the things that I experienced because of the transition, and I think I wouldn't seem you like you experience, and I think that implicitly you kind of said it's like I think that if you don't come with this there is a lot of struggle in the beginning because it's such a big world. Now, even now within the company. So we build the company, like the company we develop.
(10:57):
Of course most of our workers are people that came from the same units and kind of did security for a long time. But when we started onboarding other people, you start seeing what richness of a world there is when it comes to security. And I think that for many people when it's like their first step in, also for myself I remember, and my wife is also like in
(11:19):
computer security, and I remember like I sat with her in the beginning just to understand, like, the basics, because there is like a, there is a bar, like you know, the barrier to entry is still so high. But I think, going back to what you said, I think that, if you really like, I think the security is not a profession for people that doesn't love to learn, but if you are enthusiastic about
(11:41):
learning, if you are enthusiastic about like technology and about innovation, I think you just find yourself once you cross the bar, once you are, you know, start like, you know, you start mentioning like WPA and other, like other encryption things, but you know underneath it's like okay, understanding how, you know, RF is working and understand how, you
(12:01):
know, encryption is working, so many things that encapsulate like those two words that you mentioned there. And I think that once you cross the bar and start understanding the concept, and I was very lucky for my wife to be there for me, but it's just such a big world, it's such a crazy world, it's such an impactful world.
Speaker 1 (12:22):
Yeah, yeah, that's a really good point. You know, like when you're getting started, that bar is actually high, but once you get into it you realize, man, that was like, that was nothing, right. I was a couple of years ago. This episode actually never released because the government stepped in and basically informed me in other ways like,
(12:45):
hey, this episode probably shouldn't go live, right, and I'm not someone to have the government show up at my door and so, yeah, I prefer to have my freedom, right. So, but I was talking to a cyber warfare developer for the US military, and so this guy, this guy, you know, gets a target package, figures out, you know, how to hack it in the way to
(13:09):
provide an officer or the government, just overall, right, with the intelligence that they're looking for, you know. They give the guy the target and they say we want this in the end, and he figures out how to get it. And one of the things I asked him was, have you ever, like, been handed a target package that you just couldn't figure
(13:30):
out? You know, how to hack the cell phone, how to hack the laptop, whatever it is, you know. Did you, did you ever, you know, reach a dead end? And he actually said no. He said literally like, if you, as long as you're creative, you know, and you have the right tools in front of you and you have the right training, there's literally nothing you can't do. And so I I dove into the training a little bit with him
(13:54):
again, like this episode, you know, it was like it was a situation where it's like, okay, I know, you know, just from my prior experience that you definitely cannot be talking about any of this shit. You know, I'll probably edit out that bad word, I'm sorry, but you know you probably can't be talking about any of this stuff. And so I figured, while I'm even talking to the guy, this is never going to go.
(14:15):
But he was talking about the training that he goes through, right, just to be in that role, and it's like a two, two and a half year training, which is interesting to me because I, you know again, right, like I'm very into like the special forces and intelligence side of things. I've learned everything that I can about that area. You know, you look at, like, special forces, forces training,
(14:35):
those guys are training for two and a half years minimum, like two and a half years just to get their foot in the door, to be like, yeah, I'm a Navy SEAL, yeah, I'm a Green Beret or Ranger or whatever it might be, right, and it's interesting to see that translate over to the cyber world. Right, because what he was telling me is like, you know, you,
(14:56):
you know, coding languages so well that you're dreaming in code, like you're. You're, you're literally dreaming in code and you're figuring out new ways. You have tests every two hours, every single day of the week, seven days a week. You know, like there's there's literally no breaks. Every once in a while you get, you know, a day off.
(15:16):
You know, just to like recoup and whatnot. But to be so immersed in that world is really, I mean, it's fascinating. You're not going to get that anywhere else. You know, like I work from home, right. Sometimes it's difficult for me to fully immerse myself into that world,
(15:37):
even though I have all of the liberty to, you know, research and study whatever I want. But to be at that level, to know it so well, it's like the back of your hand, you know. And that doesn't even describe it properly, in my opinion.
Speaker 2 (15:52):
Yeah, no. I think one of the things I'm seeing, and here I can talk about myself, I can talk about my co-founder, Itai, and most of our teams. They are crazy good people. Some of them started this when they were like, and one of our architects was like, you know, he told me like he got into security because he wanted to get some more coins in one of
(16:14):
the first games he played, and oh, okay, so let's, let's find how to, uh, create, you know, like, generate a key. Let's find out, and then like, from here to what he is today, which is probably one of the best, first best researchers I know, and and we have some of them there. But I think that, like, like you mentioned, and I think it goes to every craft, I would say, I think every, every craft, and
(16:37):
it can go away from even like, it's always about muscle memory and intuition, and they are both functions of a lot of experience. Because intuition, essentially, people think that intuition is something that you just have or not have and, of course, some people just have a better. Probably, like
(16:57):
they're wired, maybe in a better way to understand certain things. But essentially, all right. I instant tell that like intuition is a matter of like. How much? How much time you tried it before? And and I think that we're seeing, just going back to security and others, just like, you know, you have to do it again and again, and again and again and again, until, you know, built up in the muscle memory but also in the intuition.
(17:22):
I think that the part of the so-called like challenge when it comes to security, unlike maybe other crafts, is that the muscle memory might be deceiving sometimes. Because, going back to this, you know, we're living in a world where the pace of change is so, so, you know. So we are in application security, and I think that applications, or product security today, and I think
(17:44):
product security practitioners, you know, they're living in a world where technologies are changing so quickly that their basic intuition is a key, but they always have to be in this position of like, but maybe something new has happened, maybe something new has changed. So I need to go with my intuition because this will, you
(18:06):
know, 80%. But I always need to be open-minded. And we actually see, I'm very lucky, some of our customers, some of the products we're working with, the best security practitioner I know are the ones that on the one side, have like immense intuition and immense, you know, opinion about how things should be, but on the other side, extremely
(18:29):
open-minded and eager to learn.
Speaker 1 (18:30):
I see it also from our team, like engineering side or developer side, as well as the customer, and because the world is changing it's an interesting problem, right, because technology is changing so quickly, but it's like it's changing at an increasing rate, like it's not changing at the same rate that it used to.
(18:51):
You know, 10 years ago, when I got in, when I got got into security right, I had already been in IT for maybe five years before that. Right, I loosely say that because it was like a help desk college role, right. You know, when I was getting in, even just 10 years ago, it was very different, right, cloud security wasn't a thing. That wasn't, that was not a field.
(19:12):
That was. That was, we don't need security in the cloud, the cloud takes care of all of it. That was that mentality. Right, I mean, that was 100% of that mentality. And now cloud security is getting to such a scale, right, where, just 10 years later now, we're kind of venturing down the path of, oh, I need a cloud security IAM person, I need a
(19:36):
cloud security network person, you know, like, I need someone that does the infrastructure side of cloud security. And I think companies are slowly waking up to that, because right now, typically companies are like, oh, I just need one cloud security guy and he'll do it all, and I'm sitting here like, to do everything that I do.
(19:57):
Do you basically have to be a developer, an infrastructure guy, a help desk guy, a network guy? I mean, you are an entire IT team all in one. And, God forbid, my CSO is out, because now I'm also the acting CSO over the cloud. It's like. It's like, man, this is, uh, this is a lot. Yeah, no, I tell you,
(20:18):
yeah, sorry, yeah, I mean, well, I'm just saying, like you look at other industries right over 10 years, it doesn't change that much, you know, like, arguably it really doesn't, but it seems like we're going at a pace that's like a breakneck pace and AI, you know, is only, it's only making it faster, right?
(20:38):
So we're already at a deficit in talent in the world to fill these roles, we're already not able to fill these roles. But it's only going to expand, it's only going to grow significantly. Yeah, no, I talked about.
Speaker 2 (20:52):
You know, I remember going back to. You know, we are really experiencing kind of the changes in product security and application security. And I remember, you know, going back to your days, even, you know, back then, when you thought about application security it was okay, you know, my developers need to, I need to provide them something to scan their code. But, like you know, my developers need to scan their
(21:14):
code. I put some web application firewall. You know I'm, you know, but the concept was okay, let's let's talk firewalls, let's talk, you know, layer three problems. Okay, it's a layer seven issue, but but it was, and and to be honest, like for many years it was okay because, you know, you had like one one entry point. You know, like you had like a DMZ on our everything going in,
(21:40):
going out, like it was very kind of, you know, gathered. The amount of languages was somehow like, not even languages, like okay, authentication, so each and every developer like built their own stuff. And, you know, there was not so much like third-party integration into the applications and stuff, and now, and also then it was already hard, but it was somehow
(22:02):
manageable, I would say, and I'm talking now with, like, with people, you know, like product security and application security, and essentially, you know, we're living in a world where they have to understand, and and said, you know, they come in. One of their developers tells them, look, we can't really fix it all, help us understand what it is. Now they need to understand exactly, in the language of this
(22:28):
specific thing, why this specific code is allowing an attacker to do something. Now they go back to the developer. The developer tells them, yeah, I understand, but, you know, the Kubernetes configuration doesn't really allow this to happen. So they now need to understand Kubernetes for real. Yeah, but I understand about the infrastructure, but the AWS configuration, I understand, but this doesn't really allow this
(22:48):
to pass. Okay, but we have a Cloudflare configuration, but the CDN, but the gateway configuration, it's like it's so hard. You need to understand everything, not to mention the fact that you need to now know it on, not only on your thing, but on the, on the open source, all the third-party applications you have, all the first-party code you have, and essentially,
(23:08):
the amount of people, like you said, like the amount of people that are taking care of the problem, maybe double itself. The amount of problems and the amount of issues probably potentially grow over time. Yeah, yeah, that that is a.
Speaker 1 (23:23):
That's a really good point, you know, because, like, even just 10 years ago, right, like the idea was throw a WAF in front of your apps and you're good to go, right, it was okay.
Speaker 2 (23:32):
To be honest, I remember from the other side this was a very good solution back then.
Speaker 1 (23:37):
Yeah, yeah, there was no worry about like code scanning. I mean, there was, you know, stuff out there for code scanning, but people, literally the mentality was, well, if I got a WAF in front of it, what does that matter? You know, the WAF should be catching everything, you know. And that wasn't a terrible mentality.
(23:57):
I remember being told, hey, you need to deploy Imperva WAFs to, you know, our environment, and just dreading going through the configuration of it and everything else like that, you know, and I kind of like I, I tried to like dodge that project. And now, now I'm over here like deploying an AWS WAF, you know,
(24:19):
to the entire environment, like over 140 accounts in AWS, and I mean it's, it's everything that I dreaded, you know, 10 years ago. It's, it's, uh, it is not fun and it's. The technology is evolving so quickly that we almost have, like, fringe, you know, startup technology companies that are
(24:43):
the ones that are able to create the product to actually adapt with how quickly these environments are changing. And, you know, I remember when I was doing the RFP for the WAF project that I'm doing right now, there was only one solution that we looked at. We looked at 15 different solutions.
(25:04):
There was only one solution that was actually able to scale with the size of the environment that we needed and the diversity of the environment, right. Because it was like, oh oh, we have stuff in containers, we have stuff serverless functions, we have functions as a service, we have all of this stuff, right. And there was literally only one vendor and they were brand
(25:25):
new. They were like a two, three year old company and I think that's unfortunately, that's why we kind of like pass on, because when you go, when you're a two or three year old company and you go into a hundred year old company environment, people are a little bit nervous. Right, me, I'm like, hey, give me them, you know, because I know that they work, I know that they do good work.
(25:47):
You know, give me that solution because I know it'll work perfectly fine for our environment. But people get hesitant. You know, when it's a, a, when it's that difference, you know, in, in, in life, right, they're like, well, we don't know if this company is going to be around in five years, we don't know if they're going to be bought by someone or, you know, whatever it might be. And I'm just sitting over here like, well, why don't we buy
Speaker 2 (26:09):
them. Now I think that they, I think that you had a very, like, like recapping what I. I think that probably one of the biggest challenges today in security is just velocity, like pure, just velocity, pure. And I think, like you mentioned, you know, velocity is always a game. Startups were always, I would say, better to handle velocity,
(26:30):
because their velocity is like, you know, you can get into physics. But, you know, as our own startup, I didn't even like to present, but right now I'm kind of the co-founder, CEO of Miggo Security, which we are trying to address the exact problems of the application and the product security I mentioned. But putting this aside for a second, maybe I'll talk about it
(26:51):
more later, but for us, going back to the, it's all about velocity. Because technology changes, like the amount of changes that happen. Technology changes in both sides, by the way, because the amount of technology your engineer is using is just going wide and the amount of third-party interdependency, the
(27:15):
so-called like within your own system, is going wide. We just spoke of authentication before. I think right now, like, even try to imagine, even in your environment, how many different components are actually touching authentication and how many of them are actually in your control today. It's crazy, like crazy, to understand the difference.
(27:36):
Ten years ago, one team, one place dates like probably you have an IDP, your gateway is doing some things, your cloud is doing some things, you have microservice here, you have a microservice there. There you have an old legacy system. So crazy, and I think the bottom line is that with the velocity creates a lot of opportunities to the other
(27:56):
people that knows how to handle velocity, which is attacker, especially because attackers really like velocity. Because it's not only that the amount of technologically is going wide, but also the amount of, you mentioned AI, the amount of code is just going crazy, like the amount of code being generated, the amount of permits being done a month, the amount of new API you're releasing, like it's so, so, so
(28:19):
hard to manage. Yeah, yeah, there, there's a.
Speaker 1 (28:24):
There's someone on my team that, I mean, you just look at the amount of commits that he made and he's not a developer, right, he's not a developer. And last month he made over 100 commits to, uh, to just my code base and just, just the thing that I own. And I'm sitting here like, you know, how, how, how in the world
(28:45):
do we keep up, right, like, is there, is there a good, you know, solution for it? Like, how does Miggo do it? Right, like how, how do you enable security teams to stay up to date, you know, kind of on top of what's going on in the environment? Because, you know, to be honest, there's times when I don't even
(29:06):
know what's going on on the outside world, right, like I don't even know what's developing, what's coming or anything like that, because I'm spending so much time in my own environment I don't even know, like, how to prep for the future, right, so how do you maybe address that, right? How do you make it easier for that internal environment
(29:26):
knowledge so that people can, you know, kind of adjust and catch up?
Speaker 2 (29:30):
I guess at this point, yeah, no, and, as you said before, I think it's essentially, it's a learning game essentially. And then the question is kind of how do I manage to focus my learning on the right places and know what I need to learn, like, right? These are, like always, two questions, and I think that, at least for us, we said let's learn ourselves outside of the
(29:51):
security world how other people try to address this problem, because velocity and is not only a problem of security, it's also a problem of IT, it's also a problem of, you know, developers. It's a problem for many people, and I think that the last few years actually created a real revolution in the way that people are thinking about monitoring and keeping up with
(30:12):
what's happening in the world of observability. So what we said, going back, and we are kind of focusing on, you know, the world of how do we help you kind of stay on top of those, you know, changes. So we said, okay, actually for performance, like if something will break down in performance, you're probably going to know about it, maybe not as security, but your DevOps, your SREs,
(30:35):
somebody have a tool somewhere to help you. Maybe you don't have full coverage, maybe you don't have everywhere, but observability really changed the way we're thinking about just environments, not security per se. So we said, okay, this is one place we really want to learn from. And the second thing, I think, with the revolution of AI, it's
(30:56):
more about, okay, how can I? Because, you know, people think sometimes AI is like this magic wand that you can say, okay, let's put AI, done. But we said, if you actually combine AI and the ability to utilize AI for anomaly detection and LLMs or any other generative AI for automation of so-called basic reasoning
(31:17):
processes, you can actually, with the right data set, you can actually reduce by much the ability to at least, I would say, triage and take action. And at least for us, we said okay. So these are the two revolutions that should lead the way that we're thinking about security, like observability and AI, and the way that we did it is we say, how can we take observability and the data you have, as well as
(31:38):
kind of other data that we cancreate, in order to really help
you tell a story from a securityperspective?
So, like your DevOps aretelling you know a story about.
You know, this is how much youknow, this is the, you know, the
request time.
This is the problem here.
This is the problem there.
How can we tell a story In theworld of security?
This story is probably going tobe around.
(32:00):
Essentially, I'm sending arequest from the internet.
Where does it end?
What does it allow?
Where does it start?
Where does it end?
What permission, what data?
Essentially, it encapsulatesother words that we spoke about
maybe before, but like lessradius exposure.
But essentially it's all aboutfrom an application or product
(32:23):
standpoint, I'm sending arequest.
What fiscal, what data query itallows me to do?
Essentially and in the past,monolith application was an
easier problem, but easierproblem in a world of
distributed application is it'salmost impossible problem.
But thank God for observabilityand for amazing projects, like
you know, opentelemetry, or to,like you know, other things that
(32:45):
we're utilizing ElasticProfiler and like other tools
that are, you know, becomingindustry standard, in order to
really kind of do what we calldeep tracing, essentially
Distributed tracing alongside,like deep application profiling,
and this allows us toessentially help you see your
application and then utilize allof those that, I think, in
(33:05):
order to start asking questionsabout them.
Because, going back to thecommits, out of those, like you
said hundreds of commits.
You probably care only aboutthose who actually change
something in exposure, somethingin data access or maybe
something, or introducing a newrisk or violating a policy that
you didn't really want to have.
Speaker 1 (33:24):
That's interesting. So you're kind of approaching it almost from, like, the reverse side. You're saying, well, what do people care about the most, right, from different changes and commits and whatnot? And then we'll provide visibility around that to give them the ability to respond, and we'll also provide some sort of
(33:45):
enhanced, you know, capability with AI to respond quickly. Is that? Does that kind of sum it up correctly?
Speaker 2 (33:53):
Yeah, I think that the world that we want to live in, going back to this, is a world where, you know, in order to give control back to security people, in order to be on top of this, the expertise, going back to the intuition, will always be with people. I think that we're seeing that AI can take you so far, at least for now, right, and then the question is how can we help you
(34:15):
better enforce the things that you want to know about and better act on them? To start being asked, because today, when it comes to product security and other stuff, we just kind of talked about, you know, tracing, but then, if you are actually introducing into this, you mentioned, like, how do I know about how things are happening in the world? So, okay, now I know about my application, how every transaction starts from the internet, where it ends.
(34:35):
Now another question is okay, so how is that actually a factor in my application, like, not my? So this is where the threat intel feed and where the vulnerability feed comes in, to overlay with this, to say, okay, so now I understand that from all of the different attacks, all the different vulnerabilities that are in the world, this is where I'm
(34:55):
actually, you know, so involved to an attack and for that. And then, like, the flow that we want to create is a flow where, you know, those product security teams can actually do, like, can actually live in a world where, you know, something new has happened. I get a notification on this, can automatically, because I have this visibility, can automatically identify okay,
(35:17):
it's great that I have this 50,000 times in my code. But really, really, you know, when we look at it and how your application actually behaves, when we're kind of taking all of the production content from all of the different tools you have, when we're kind of analyzing how your application actually works, it's really exploitable in, like, three, four places. And of these four places, the things like, and this is how an
(35:37):
attacker will exploit it, and here we're actually utilizing AI to emulate how it's going to look like. And then, like, all of the, provide me a proof to the developer, provide me a proof. So it's really done like, dude, this is tracing, you know it from your SRE, like, address it like a production issue, go fix it, but on the other side, we can tell you, look, if you change,
(35:59):
going back to your big, like, WAF project, because your WAF might not be configured right now in a way that allows you to stop it, because they are, maybe, you know, because you now need to go for triggers. So the other side is okay, we already know how it is. We already know we have a WAF, let's help you, just like. So, on the one side, let's help you open a, you know, a Jira
(36:21):
ticket or whatever you want, a ticketing for the developers, and open an SLA to, like, okay, this is a cool thing. But on the other side, you know, like, Joe, this is the WAF configuration you need to make right now in order to buy yourself those 12 hours until the end. And, at least for us, this is how we believe that the future of product security should be, where the entire so-called
(36:43):
middle manual work is being automated to allow you to redefine what you want to focus on and to make sure that your actions are being done by developers until you have the ability to actually understand how to mitigate it in the meantime.
Speaker 1 (37:04):
Yeah, that's really fascinating. It does take the term application security and it turns it into something completely different, like you say, product security, because that's a more holistic view. Maybe the number one thing when I'm dealing with developers is them understanding the actual context of what I'm talking
(37:27):
about. Right, I say cross-site scripting risk or cross-site scripting vulnerability, and if they know what cross-site scripting is, they still don't understand what I'm saying. Right, I barely know what cross-site scripting is, like, every once in a while I got to look it up to refresh my memory, you know. But that's really fascinating that it provides that proof,
(37:49):
because the number one thing that I'm always asked, well, where's the proof? Right, this doesn't even happen in our environment. No one even comes to our application and does this. Why are we putting in the work to do it? What's the proof? We don't even know if this is a real thing. And their, I mean, their first question to me always is, well, can you even pull this off?
(38:09):
You know, I'm sitting here like, well, technically I can't. I can't even have, like, that kind of VM in our environment. My CISO literally won't let me because he thinks I'm just going to blow up the world if I have something like that in the environment, you know, and so that becomes a very sticky point for me, you know. And then it also, like, on the reverse side, right, it comes to
(38:33):
mind, you know, maybe a couple months ago I had 150 developers on the call at the same time, which was very odd for me, because when they set it up and then they invited me to it, you know, and I'm like, okay, there must be something, like, really wrong going on. Right, and they're trying to get me to put in an exception for something and they weren't explaining it properly, right,
(38:55):
and they were intentionally not doing it properly because they wanted me to put in an exception, thinking it was one thing when it was actually another, because they didn't want to spend the next two months, you know, working on this thing to really iron it out and make it right. And after, like, 30, 35 minutes of me questioning them, you know,
(39:17):
I finally got to the truth of them essentially wanting to bypass the WAF that I've just spent two years of my life trying to get deployed and rolled out and configured and everything else like that. You know. But in that situation I think about it from, like, both sides, right, we're showing the validity of this attack and then
(39:37):
we would also be able to show the validity of that configuration change, saying, hey, I can't make this configuration change or I can't allow this in the environment because it's going to do X, Y and Z. If I wouldn't have spent the 30 minutes going through those questions and being used to being badgered by different people to get something through, right, if I wasn't used to that
(40:02):
sort of thing, I would have just made the exception, not thought anything about it. I would have figured, hey, they're the experts, they're the devs, they know about the code, they know about these apps. I don't know about these apps, I don't know about the code. You know, I'm at a disadvantage, but I knew better to keep on asking. But it sounds like, from your solution's perspective, I could have probably just pulled it up and seen it.
(40:24):
You know, right there, right, like, if I make this change, what would that be? And it kind of just, like, filters through, and I would be able to at least have that knowledge in a more quick, you know, available way to me, which is, I mean, honestly, that's critical, right, because as security people, you're always called in at the last minute. Okay, like, right when something needs to get done.
(40:45):
You're called in at the last minute and you're expected to understand this very complex problem. You know, and I feel like your solution may provide that guidance that we're lacking, almost.
Speaker 2 (40:58):
And I think it goes back to your intuition, because, going back to what you said, you know, your personality and your intuition probably allowed you to identify this issue, right, because I would know and, knowing a lot of security personas, you know, it's not easy to sit in front of 100, like, probably
(41:18):
the most expensive meeting of this year in your company, you know. So it's like, you know, sitting in a room and asking them questions for 30 minutes and we all know, we are developers, you have no patience for those people, you have no patience with security when those points in time come. And then it becomes this game of attestations of, like, let's
(41:41):
hypothesize this, so maybe let me understand this, but in our code it's not really like this, and for, at least for us, it came to a realization that, you know, it, like, even the best teams, and it sounds like you have, like, the fact that they called you in means that you have a very good relationship with them. But even the teams with the best relationship today have no
(42:04):
common ground to even talk about what's true. And I think, going back to this, like, even before we kind of. This is why it's so important for us to kind of, and kind of waste. This is where we believe that the observability, but really deep observability, and, like, the ability to take the same data but to take it into security context, is so important, because what we believe in is, like, such a conversation
(42:27):
should go like, look guys, let's open this. Wherever it is, doesn't really matter. It doesn't matter if you say we provide it in mingo, but, like, let's put it aside, but from a council perspective, let's open this, let's have this conversation. You can show me, like, okay, if we're doing this, you know how things will change. Okay, you understand that right now you are opening a direct path
(42:49):
from the internet to, like, a PII, right, so you understand that I'm not able to do an exception of this. So, and it's like the entire conversation changed. Now you might say something like, okay, so maybe let's enforce something different, otherwise, maybe let's do this, maybe. But it allows us to think of a place where, going back to this,
(43:09):
we start talking evidence, we start talking knowledge, because I think that we can't accept that even the most amazing product security team, most amazing security teams, 20 people, whatever, many people who handle so many changes, and it's not only this, like you mentioned, it's, like, all the new code and it's being pushed, all the updates are being pushed.
(43:32):
You know, there is a feature that requires a configuration issue, but you're still being called to this because, and, like, who's being called now? Maybe it's not the app security being called, maybe it's the cloud security engineer. That doesn't have the context because it does, because it's such a complex problem and the truth is so slippery. We have to start talking more evidence, because I think that the siloed approach today is really putting into, it's really
(43:55):
creating, like, an unnecessary, yeah, that's a really good point.
Speaker 1 (44:01):
I think you also bring up a really good point about the relationship, right, that must exist for me to even get invited to that call, right, and it's interesting. I don't even think about it that much because I do it kind of, you know, like, innately, as soon as I get into a role I'm meeting as many people as I possibly can. But, like, you know, I really did take the time to build those
(44:27):
relationships with those developers. I mean, I went completely out of the way most of the time just to talk with them. You know, send them Uber Eats gift cards, GitHub gift cards, you know, or not GitHub, Grubhub, you know, just to, like, show, like, hey, you know, I'm acknowledging you.
Speaker 2 (44:48):
I see you, yeah.
Speaker 1 (44:50):
Your work really matters to me, right, and now, you know, now they give me the time of the day, right, like, if I need 30 minutes with them, they give it to me. There's no issues with other people, with just about everyone else. And I am slowly finding out they're like, man, I can't get a hold of these devs. I'm like, what?
(45:11):
Like, I'll go text him right now. He'll respond to me in five minutes, you know. And it's true, right, and people are, like, kind of blown away about how that's possible. But it all starts with that relationship, you know, and then a technology, a strong technology like yours, comes in and it gives you all that knowledge, all that, you know,
(45:32):
all that insight that you need, that maybe that dev is a little bit nervous about telling you. You know, like, that's, it's, uh, maybe they don't know.
Speaker 2 (45:40):
You know, like, I think, you know, today, today comes back to think, essentially, think security, and security and engineering is, like, two sides of the same, you know, same partnership, right, but I think that today, when it comes to this, and you mentioned, like, multiple things, but I think that, you know, being engineers ourselves,
(46:01):
this is, we highly evaluate the people that actually know what they're talking about. Always, I think that the number one, when it comes to technological mindset, if somebody sounds like they're talking, they don't know what they talk about, they lose credibility very quickly. And I think that the second thing is that, you know, you really want to get something out of this when it comes to, like,
(46:23):
learning something new, knowing something new. So, going back to this, when you talk to them about XSS, they learn something new about it. They gain something from this conversation. And I think, going back to the initial problem, I think that today we are almost sending a lot of, like. I'm hearing this, you know, somebody got, like, 10,000 vulnerabilities. He automatically calls security of, like, okay, what do I do with
(46:46):
all of this? I don't know. And then security is kind of losing credibility because what can I do with this? So, you know, some people, from a personality perspective, can create those relationships, but for some of them, we're living in a world today where we have to find a way. Going back to this, and kind of how we envision this, is to say, look, I checked this for you.
(47:06):
Going back to this, this is the proof. We already managed to recreate it. Can you pull it yourself? Yeah, I already managed to. I haven't pulled to recreate it. Go check it yourself if you want, but I already checked it for you. This is what you need to do and, by the way, I'm going to buy you 12 hours. I'm doing some mitigation, I'm going to approve it with my,
(47:33):
with my bot. I'm going to buy 24 hours by doing this and this and that, but, you know, it's just a patch, you need to fix it, right. And if it's for us, this allows you to say, like, you know, to end such a thing with, like, no guide, like, first, engineering, you did great. 24 hours from the first minute we saw this is a real problem until you fix it, you are amazing. Let's celebrate this second. You know, you know that you can count on me to buy the time and make you look like the hero in the end of this, and I think that today it's like we're just not built in a way to do this type of a
(47:59):
win-win situations and we want to create this win-win situation. Yeah, yeah, that's a really good point that you bring up, that.
Speaker 1 (48:08):
I feel like we could keep talking for another hour or two, right.
Speaker 2 (48:12):
Let's do it another time. It was fun.
Speaker 1 (48:14):
Yeah, yeah, it went by quick. You know, well, Daniel, I really do appreciate you coming on. I think it was a fantastic conversation. I definitely want to have you back on.
Speaker 2 (48:23):
Same here. It was great. And I think, going back to what you said, it doesn't matter where people start. I think, like, both of us, you kind of mentioned where you started.
Speaker 1 (48:30):
I think that, for everybody listening, I think if you are passionate about just learning and colleges, like, don't be hesitant to get into security, like, the bar is high to get in, but the outcome is, you know, it's amazing. Yeah, yeah, absolutely. Well, Daniel, before I let you go, you know, how about you tell my audience where they can find your company if they wanted to learn more about your solution and whatnot,
(48:52):
and maybe where they can find you if they wanted to connect.
Speaker 2 (49:11):
And we will love to, you know, speak with any one of you on, going back to, kind of, how we can help you kind of reshape and rethink about the way we're doing cloud security today. And you can find us on LinkedIn, on web, on Twitter or X now, and you can, you know, of course, send me direct LinkedIn messages. I'm trying to be as responsive as I can. Really, really love to meet everybody.
Speaker 1 (49:26):
Yeah, absolutely. Well, awesome, you know. Thanks everyone. I hope you enjoyed this episode as much as I did. It was great having you on, Daniel, and I really do appreciate, you know, you sticking with me there and still coming on.
Speaker 2 (49:41):
No, of course, I'm really looking forward to hopefully continuing it, because I felt like there are so much more things we can talk about.
Speaker 1 (49:47):
Yeah, yeah, absolutely. Well, thanks everyone. I hope you enjoyed this episode. All right, bye. Thanks so much.