When Shauli stepped out of the army and into the world of engineering, little did he know that his love for math and physics would catapult him into the tech stratosphere. Our latest episode features Shauli's riveting journey as he navigates from algorithms engineering to the forefront of cybersecurity and beyond. His experiences reveal how a mix of curiosity, a robust educational background, and seizing opportunities can shape a multifaceted career in technology and startup management. We uncover the critical moments that prompted Shauli to weave his technical expertise with an MBA, shaping him into the business-savvy leader he is today.
What does it take to stand out as a leader in the ever-evolving business landscape? Shauli and I dissect the fusion of an engineering mindset with the strategic foresight of an MBA, discussing how this powerful combination is essential for deciphering complex problems and steering towards success. We delve into the underestimated importance of soft skills and how international and consulting gigs can polish one's acumen for effective leadership. It's a candid exploration into the harmonic balance of technical prowess and emotional intelligence, and just how impactful this blend can be for those looking to leave their mark on the tech sector.
But it's not all management talk—our conversation turns to the technical labyrinth of securing Kubernetes workloads in the cloud. Shauli sheds light on the challenges in aligning security with DevOps practices and the pressing need for Kubernetes-native security tools. We even speculate on the future of cloud infrastructure, with an eye on service offerings that may eclipse architectural shifts as the main game-changers. Join us as we navigate these complex themes, aiming to unravel the knots of cloud security misconfigurations and seeking solutions that stand up to the unique demands of operations.
Speaker 1: How's it going, Shauli?
00:00:01
It's great to get you on the podcast.
00:00:03
You know, I think, that we've been planning this for quite a
00:00:06
while, but I'm really excited for our conversation today.
00:00:09
Speaker 2: Thank you, it's great to be here.
00:00:11
Speaker 1: Yeah, absolutely.
00:00:12
So.
00:00:13
You know I start everyone off with telling their background.
00:00:17
You know how you got into IT, what made you want to get into
00:00:20
cybersecurity overall.
00:00:21
And the
00:00:28
reason why I do that is because there's people that are
00:00:30
listening or watching on YouTube.
00:00:31
Of course, at this point you know that might be trying to
00:00:35
make that transition for themselves, and I feel like
00:00:39
hearing someone's story and maybe it lines up.
00:00:42
They can say, oh well, if he did it, I might be able to do
00:00:45
this thing too.
00:00:46
You know, I look back on my life earlier on, right, and all I
00:00:51
ever needed was to see someone else do it.
00:00:55
It's like, oh well, if he could do it, maybe I can do this too.
00:00:58
So so where does that story start for you?
00:01:02
Speaker 2: Well, I think I've been in and out of IT or
00:01:06
engineering or technology, you know, in different worlds.
00:01:09
But, to be honest, like going to engineering for me was kind
00:01:15
of like the natural thing to do.
00:01:16
The fact that I'm today more of like a business and management
00:01:22
type person, you know, running a company is actually, you know,
00:01:26
for me the surprising part, like I would be, you know, if I
00:01:31
needed to guess when I was 16, where I'll be, you know, at 45,
00:01:35
I would probably say I'm going to be like an architect, like a,
00:01:38
like a, you know, technology architect, software architect or
00:01:42
engineer or something like that.
00:01:43
I was super good, like you know, in math and physics when I was
00:01:48
younger.
00:01:48
So, like natural, kind of like, um, I would say, path for
00:01:54
people you know, like me, especially in Israel,
00:01:57
where you know software engineering is so popular, was
00:02:00
hey, you know, you finish your army service, you go to learn
00:02:06
engineering, software engineering, that's just what
00:02:07
you do, you know pretty much.
00:02:08
So I went into that and, you know, then I started working for,
00:02:12
you know, my first company after school.
00:02:16
I was an algorithms engineer.
00:02:17
I like I really like solving problems.
00:02:20
You know, for me, being a software engineer and algorithms
00:02:24
engineer was just almost like continuing the studies and
00:02:27
solving more riddles.
00:02:28
It was like a new algorithm is like a riddle for me and now you
00:02:31
can make it most effective.
00:02:33
I wrote a few patents under my name Back in the days I wasn't
00:02:38
in security, I was more in algorithms for video compression
00:02:42
and multimedia, and then I worked as an engineer for a few
00:02:46
years and then I moved to a security startup and, kind of
00:02:49
like got the hang of security and did some security software
00:02:52
development.
00:02:53
And then actually, you know, my path went sideways a little bit
00:02:59
when I actually went to do my MBA in the University of
00:03:04
Pennsylvania in the States and that took me to like another
00:03:08
path of you know.
00:03:09
I went into management, consulting and advisory and
00:03:12
stuff like that and actually what brought me back into
00:03:15
technology was, you know, being back in the startup scene.
00:03:19
You know, opening a startup, first joining a startup and then
00:03:22
opening a startup together with my co-founders.
00:03:28
Speaker 1: What made you want to go down the MBA route?
00:03:33
Speaker 2: It was a bit opportunistic, to be honest.
00:03:37
I was like back in the days I was a team leader in a software
00:03:41
company in Israel and a very good friend of mine, we are still
00:03:45
good friends until today.
00:03:47
Unlike me, he was like we were together in like, doing like our
00:03:56
engineering degree together, and he knew he was going to go
00:03:57
down the business route.
00:03:58
So he was planning to go to do an MBA, you know, right after
00:04:02
school and he was planning his entire.
00:04:05
You know he's much more planned than I like his life, much more
00:04:08
planned than I.
00:04:09
I mean, he knew he was going to go to do an MBA in one of the
00:04:12
Ivy Leagues and I didn't even know what Ivy League means back
00:04:15
in the days.
00:04:16
And then the reason I went there is that he was there.
00:04:21
He was accepted to a school called Wharton, which then I
00:04:26
joined him, and he called me one day.
00:04:30
You know we were in touch as a racial.
00:04:32
You know you, you got to apply.
00:04:34
You know you got to apply.
00:04:35
I know you.
00:04:36
You know you love studying, you love diversity.
00:04:39
You would love you know what's going on, what's going on.
00:04:42
You would love the level of education that these guys bring
00:04:47
to the table.
00:04:47
I really, really encourage you to do that.
00:04:50
That's how I kind of like started.
00:04:52
I said, okay, I will apply.
00:04:53
I wasn't really serious about it, to be honest.
00:04:56
I said, you know I'll apply and see what happens.
00:04:57
And then, when you start to apply to these programs, you
00:05:03
fall in love with them.
00:05:04
As you apply to them, you know, you kind of like start to
00:05:08
investigate them more and understand what's going on and
00:05:11
see how global and what type of education they're going to give
00:05:14
you.
00:05:14
So that's how I kind of like fell in love with it and then
00:05:18
became more and more invested and finally I went ahead and you
00:05:22
know, and studied there.
00:05:26
Speaker 1: Yeah, I've contemplated myself about
00:05:29
getting an MBA, but I'm not sure what I would do with it.
00:05:35
You know, and for me like to put in that kind of time and
00:05:38
effort, you know, into it, right, I want to see results, I want
00:05:42
to see ROI on it and I'm not sure what I would do with that.
00:05:47
To, you know, create that ROI.
00:05:49
But you know, I I totally relate when you say, you know,
00:05:54
someone else kind of told you to get into it and you know it
00:05:58
would, you know, expand you in different ways and whatnot.
00:06:02
Um, because I kind of went down that path with the PhD, where
00:06:08
I've been exploring it for years, really thinking about it. Every
00:06:14
year.
00:06:14
It seemed I would reassess the ROI that I would get from it and
00:06:19
things like that.
00:06:20
If there was topics that I wanted to look into or anything
00:06:23
like that.
00:06:29
And finally, you know, this past year I finally pulled the
00:06:30
trigger and and got into it right.
00:06:33
So and I mean it's, it's amazing that I, I guess I
00:06:39
finally decided to get into it right.
00:06:41
But now it's like, okay, I gotta, I got to do the work and
00:06:52
that's the part that's like really hard, I
00:06:53
think, to estimate ahead of time, because you don't.
00:06:55
You don't know what you don't know.
00:06:56
And getting a PhD is completely different.
00:06:57
You know, you're not in a classroom every single day.
00:07:00
You're not having someone telling you hey, you need to
00:07:03
turn in this paper, you need to turn in this
00:07:06
assignment or whatever it is.
00:07:08
It's literally like no, there's a body of work that you need to
00:07:11
turn in.
00:07:12
However long it takes you is how long it takes you.
00:07:15
You know it's like there's no path.
00:07:18
You know also, like you're figuring out how to do it along
00:07:22
the way.
00:07:23
Speaker 2: Exactly, you know, I, you know, to be honest, I
00:07:26
contemplated about a PhD myself so many times in, you know, even
00:07:31
before I did the MBA and after I did the MBA, just because I
00:07:34
love studying so much.
00:07:36
But the PhD is like you know, it's you need like extreme
00:07:44
self-motivation, you know, in order to make it happen and to
00:07:45
do it well, because life happens to you as you do it.
00:07:49
You know, before we started recording, we talked a little
00:07:51
bit about kids and family, and then you have your work.
00:07:54
So, finding the time and the balance to actually do it, I
00:08:00
really respect the fact that you're up to it and, yeah, it
00:08:04
really, really, really requires a strong self-motivation.
00:08:09
Speaker 1: Yeah, you know, I approached it from two different
00:08:14
angles, right?
00:08:15
So you know, I'm someone that comes from very little right?
00:08:20
Like my family wasn't well off or anything like that.
00:08:23
I was the first in my family to go to college, um, you know all
00:08:27
all that sort of thing, right?
00:08:29
So when I look at my daughter and I say to myself, well, I
00:08:33
want to set a good example for her of what's possible, of, you
00:08:37
know, setting that bar as high as possible, I would say, set it
00:08:42
as high as possible, and if they aim for the bar right,
00:08:45
they'll land.
00:08:46
Even if they don't, you know, meet it right, they'll land
00:08:49
somewhere.
00:08:50
That is a good place, you know, yeah, um, and just showing you
00:08:55
know, her and my future kids.
00:08:57
You know what that looks like, what's what's possible, right?
00:09:00
Um, and same thing for my wife.
00:09:04
Like, my wife is finishing up her second master's degree, so
00:09:08
it's, it's, it's definitely like a part of us and who we are and
00:09:13
everything.
00:09:14
But then I also took it another step, right, because I'm always
00:09:18
looking for trends in cybersecurity.
00:09:20
You know what's coming five or 10 years down the road that
00:09:24
maybe I should prepare for right now.
00:09:26
And I did that with cloud security.
00:09:29
You know, obviously I didn't see the very beginning of cloud
00:09:31
security because I was, I was getting my bachelor's at the
00:09:34
time, it wasn't paying attention to it or anything like that,
00:09:37
but it wasn't.
00:09:38
It was nowhere near as big as what it is today, you know.
00:09:42
But I figured that there was a lot of potential to go that
00:09:45
route, because VMware was so big at the time and this basically
00:09:49
replaced it, and so I started going down the cloud security
00:09:53
path and here I am now, in a larger security area.
00:09:57
And so when I was looking at my PhD, I took that same approach
00:10:01
and started to dive into satellite security.
00:10:04
You know how to actually secure satellites in space?
00:10:07
How to, you know, protect them against incoming attacks?
00:10:11
How do you relay you know communications to them?
00:10:16
How would they be able to interact with communication
00:10:18
systems, all that sort of thing, uh, and so now you know, I'm
00:10:29
really pushing myself to to, I mean, I, I, I have a hard time
00:10:30
saying be an expert, but I guess the PhD kind of gives you that
00:10:33
without you know anything else, but to really dive into this
00:10:36
thing and learn it, because there's so much that I don't
00:10:39
know.
00:10:39
Speaker 2: Yeah, you know, just investing the time, yeah, you
00:10:44
know to, to learn a topic, and you know, eventually you just
00:10:48
know more about it than other people because you just spent
00:10:51
more time with it.
00:10:52
Right, it's just, you know the mathematics of time.
00:11:07
Speaker 1: Are there, you know, looking back now that you're,
00:11:09
you know, in charge of this company, right?
00:11:10
Were there any key skills, maybe two or three key skills
00:11:12
that you got from the MBA that really influence how you operate
00:11:17
today?
00:11:19
Speaker 2: Wow, I think.
00:11:21
So.
00:11:24
You know I was a very, very, you know, analytical person.
00:11:31
You know I was an engineer, math, you know everything for me was
00:11:34
like.
00:11:35
You know I don't want to exaggerate by saying everything
00:11:38
for me was black and white, but you know what I mean.
00:11:42
I was a numbers type person and the, the soft skills that you
00:11:48
learn in in an MBA and and the variety of people that you meet,
00:11:57
I think are the key, you know, benefit that I got from it.
00:11:58
Um, also, you know, specifically for myself, it's not just about
00:12:01
the MBA, it's about also, you know, moving to another country with
00:12:06
your family.
00:12:07
So, just, you know, just the mere experience of you know,
00:12:11
moving to the United States, experiencing the culture,
00:12:14
experiencing, you know, the values and the work ethics and
00:12:20
how you know processes are done in a different country, you know,
00:12:24
gives me, gives you a lot of perspective and a lot of, you
00:12:27
know, new skills that you acquire.
00:12:29
And then, and then, quite frankly, frankly, you know, my
00:12:35
first job, you know, after the MBA, was in the Boston
00:12:38
Consulting Group, which for me was really an extension of the
00:12:41
MBA.
00:12:42
You continue learning and you know that companies you know I
00:12:46
don't want to promote them or anything, but they are so good
00:12:49
at building your capabilities.
00:12:51
You know giving you frameworks to analyze situations and you
00:12:56
know structure your presentations and and
00:12:59
communicate your thoughts and understand complex situations,
00:13:03
which I think you know gave gave me a lot of value into what I'm
00:13:07
doing today.
00:13:10
Speaker 1: Yeah, it must be very beneficial to come from that
00:13:15
engineering background, that engineering mindset, and go into
00:13:19
a business, because you can break apart problems and issues
00:13:23
in different ways than what you would be able to without it.
00:13:28
Know, at least in my opinion, um, because I'm just thinking
00:13:33
you know my day job, right?
00:13:35
I'm principal cloud security engineer, right?
00:13:38
So I'm breaking apart problems all day long, um, and finding,
00:13:42
you know, inconsistencies and, you know, directing people
00:13:46
towards the, the a new or a better solution, right?
00:13:53
That sounds a lot like what running a company is.
00:13:58
You're encountering with problems constantly and you have
00:14:01
to filter out the ones that you want to pay attention to, the
00:14:05
ones that will make or break your company.
00:14:08
Right, those are the ones that get your time.
00:14:10
But then you also have this back burner in your brain of
00:14:14
like, oh yeah, I also need to adjust these other 10 or 15
00:14:17
things.
00:14:18
Being able to do that and manage that is, I mean,
00:14:24
obviously it's extremely important for a company, but
00:14:27
it's always interesting to hear how people get that experience,
00:14:30
because everyone gets it differently, I feel.
00:14:36
Speaker 2: Yeah, I think you know, problem solving is
00:14:38
probably one of the key skills that any manager and leader
00:14:41
needs to have.
00:14:43
And as long as you're not, you know, as long as you have some
00:14:47
soft skills to go along with it because there are some great
00:14:50
problem solvers that are that have zero you know soft skills
00:14:55
or you know emotional intelligence, and that's a big
00:14:57
problem.
00:14:59
But once you have that combination, I think that's
00:15:02
where you know, you get to be very successful.
00:15:04
And you know, even in my life, you know, as I said, you know,
00:15:08
for example, when I was in a consulting company, right,
00:15:13
you see that the
00:15:17
engineers that come into that company, they become the best
00:15:22
consultants because they have that mindset and the recruiting
00:15:24
process basically filters out the fact that they will have,
00:15:27
you know, some emotional intelligence and capabilities,
00:15:30
so it makes them really, really good consultants.
00:15:33
I have to say that another type of persona there aren't many of
00:15:38
those because they usually stay.
00:15:41
They become doctors, but we had some people who came from
00:15:45
medicine school and that's also, you know, a very good indicator
00:15:49
and if you think about it like doctors are really engineers of
00:15:53
the body right, like they need to evaluate situations and see
00:15:57
signals and come up with solutions.
00:15:59
So they also are very good, you know, in problem solving in
00:16:04
general.
00:16:08
Speaker 1: Yeah, that is really fascinating.
00:16:11
You know, when people ask me how to get promoted, you're
00:16:18
already an engineer.
00:16:19
You're already a really smart, intelligent area.
00:16:23
How do you get promoted to management or architecture?
00:16:28
I always start with the soft skills, because the soft skills
00:16:31
is really what separates you from everyone else, right,
00:16:35
because everyone is used to that engineer.
00:16:38
That tech guy that's, you know, a little socially awkward,
00:16:42
isn't really used to talking to other people.
00:16:44
Everyone is used to that, right?
00:16:46
So if you break that mold, you're immediately going to
00:16:49
stand out.
00:16:53
Even if you're breaking the mold in a controversial way or
00:16:55
maybe a poor way right in the beginning, you're still going to
00:16:57
stand out and hopefully you're standing out to the right people
00:17:00
in the right frame of view or frame of mind, right?
00:17:07
But soft skills are extremely important, especially today
00:17:12
where you know so many of us are remote.
00:17:15
You know the soft skills really pay dividends when you know
00:17:20
you're on a video call and you have to get across a point and
00:17:24
make sure that people are understanding and break it down
00:17:28
into a way that suits your audience.
00:17:30
That's probably actually the biggest thing that I see a lot
00:17:36
of people mess up on is not adjusting what you're saying to
00:17:41
the audience that is in the call.
00:17:42
You have to be able to maybe go just an inch below the surface,
00:17:51
right, like, hey, here's all this stuff.
00:17:53
None of it makes sense to you.
00:17:54
That's okay, because this is what it's really doing.
00:17:57
Give them that good overview so that they could take that slide
00:18:02
and put their own words on it and present it to their
00:18:06
management, right?
00:18:07
You have to think about it like that, and making that switch
00:18:10
over in your mind is typically a really difficult thing to do.
00:18:13
I have found, at least.
00:18:16
Speaker 2: Yeah, I completely agree.
00:18:18
You know the ability to simplify, you know technology.
00:18:22
Simplify solutions, even simplify problems, is something
00:18:26
which is super critical.
00:18:27
One of the biggest mistakes we are doing, everyone is doing, I
00:18:32
do it as well, right, in communications is that we assume
00:18:38
that the other side is the same as us.
00:18:40
It's just easier to assume that you assume they have your
00:18:43
knowledge, they assume they have your kind of like history, and
00:18:55
it's really really hard to put yourself in the other side and
00:18:56
in the shoe of the other person, as they say, and then we assume
00:18:58
different things and the communication breaks and the
00:19:01
value is not communicated, and I think that's the biggest
00:19:07
mistake.
00:19:07
Marketers do that mistake all the time.
00:19:09
One of the first thing you need to understand as a marketer is
00:19:13
that you don't market yourself.
00:19:15
Need to understand, you know the other side.
00:19:17
Um, yeah, I think that's.
00:19:19
It is so natural, uh, to assume that and and and.
00:19:26
It's so easy to forget that.
00:19:28
You need to really think about who am I going to speak with you.
00:19:31
You know what's their objectives.
00:19:33
You know what's their background, what do
00:19:36
they want, what they want to get out of the conversation.
00:19:39
You know what they need to do.
00:19:40
Yeah, it is just very hard to do.
00:19:43
It's not hard to do, it's easy to do if you think about it, but
00:19:47
it's very hard to focus on it and really, you know, actually
00:19:50
do it.
00:19:51
Everybody will say, do it right, but to actually do it in real
00:19:56
time in a conversation, it's not easy.
00:20:00
Speaker 1: Right, so let's dive into a little bit about your
00:20:06
company.
00:20:06
So what is the company that you're in charge of right now
00:20:11
and what's the problem that you're trying to solve with this
00:20:15
company, with your solution?
00:20:16
Speaker 2: Yeah, so my company, the company name is Armo and we
00:20:22
are a dedicated Kubernetes security company. Kubernetes has
00:20:28
grown to be pretty much, you know, the de facto standard for,
00:20:31
you know infrastructure for cloud workloads.
00:20:34
And if we think about application protection platforms
00:20:40
, you know, if you think about what Gartner calls ASPM today
00:20:46
application security posture management or if you think about
00:20:49
CNAP cloud network application protection platform, there are a
00:20:53
lot of you know initials and a lot of different kind of like
00:20:56
words to say one key thing, which is you need to protect an
00:21:00
application running in the cloud and you need to protect the
00:21:04
cloud from the application running in the cloud.
00:21:07
And those applications will 90% be running on Kubernetes.
00:21:12
And that's why we believe that getting intimate with Kubernetes
00:21:18
, with the configurations of Kubernetes, the configurations
00:21:21
of the workloads in Kubernetes, getting all of the context of
00:21:25
what's happening in runtime, is crucial to securing workloads
00:21:30
running in Kubernetes.
00:21:31
And the main reason is that when you start to secure, you
00:21:34
know cloud and Kubernetes native environments, there is a you
00:21:38
know I remember I talked about it about a year ago Kubernetes
00:21:43
as itself.
00:21:44
Yes, it is super complicated and you know enormous and
00:21:50
exponential number of you know misconfigurations that can
00:21:53
happen.
00:21:54
But the main reason for the complexity of things running in
00:22:00
Kubernetes is not Kubernetes itself, it's the architecture
00:22:06
that it is enabling.
00:22:08
So once microservice-based architecture is possible, just the number of
00:22:19
software artifacts that are running in your cluster or in
00:22:21
your cloud is growing so exponentially, so
00:22:23
vulnerabilities are growing exponentially, the attack
00:22:25
surface is growing exponentially, the number of alerts is
00:22:28
growing exponentially.
00:22:29
So you have so much mess going on that you need a more
00:22:34
adaptable security solution.
00:22:36
And what we are trying to do in Armour is using that Kubernetes
00:22:41
context, that workload context, that runtime context, to adjust
00:22:45
the security based on what's happening in your environment.
00:22:49
So we will apply stronger hardening capabilities in places
00:22:55
where the risk is higher and we will apply more detailed you
00:22:59
know runtime security.
00:23:01
We will tighten the security in places where we find the risk
00:23:05
based on the context of Kubernetes being higher.
00:23:08
And I think just the fact that you know we secure all the same
00:23:11
and all workloads are born equally.
00:23:14
It's no longer the case.
00:23:16
You need to prioritize, because if you don't, you just spread
00:23:20
the thing.
00:23:20
Speaker 1: Yeah, that is a really good point.
00:23:24
What you said is that Kubernetes is basically
00:23:26
everywhere now.
00:23:27
When I started to get into the cloud, it was kind of a niche
00:23:36
area.
00:23:36
Not very many people dove into it, not very many people
00:23:39
understood it, but it's becoming almost like its own domain
00:23:45
within cloud security.
00:23:48
I was at a company where they were actively mig, you know,
00:23:52
migrating their infrastructure in AWS to Kubernetes instances,
00:23:59
and you know it was really challenging because our I mean,
00:24:05
I call it legacy but they're still top of the line our legacy
00:24:09
EDR.
00:24:10
Yeah, you know, of course they offer a solution to protect your
00:24:14
containers and whatnot, but when you put that agent on there,
00:24:17
it's so heavyweight and it's not coded properly.
00:24:21
You know to be running on such a lightweight infrastructure
00:24:25
that you end up spending two to three times more than what you
00:24:29
actually would have been spending.
00:24:32
And that's a huge thing because Kubernetes is so, I guess,
00:24:36
nimble, so easy to deploy.
00:24:38
You could spin up, you know, like if the cloud is easy to
00:24:44
spin up resources,
00:24:45
Kubernetes is like a factor of 10, right, of how quickly you can
00:25:01
actually spin up resources and start eating up a budget, and so
00:25:02
if you extrapolate on it, you know you're spending a
00:25:03
significant amount of money eating up resources that you
00:25:04
really probably shouldn't be.
00:25:05
So I always found that interesting, you know.
00:25:09
Can we talk a little bit about the challenges of building a
00:25:14
security platform on Kubernetes or for containers?
00:25:20
Speaker 2: Yeah, well, I think you mentioned one of the most
00:25:23
critical aspects of it, which is scale and resource consumption.
00:25:29
You know when, when you take like legacy, I'll call it legacy
00:25:35
even though, as you said, it's top notch.
00:25:36
But if you take legacy type, you know solutions and agents
00:25:41
and deploy them, you know, in Kubernetes.
00:25:43
And then you know new pods spin up, new nodes may spin up, you
00:25:48
know, and you grow.
00:25:49
You know, horizontally, vertically, you know, in many
00:25:52
different ways.
00:25:53
First of all, the resource consumption and the cost for the
00:25:59
customer is getting super, super high and that's why I
00:26:01
think the first challenge that we have faced in building a
00:26:05
Kubernetes solution is okay, let's build it from the ground
00:26:08
up.
00:26:08
For Kubernetes, let's make sure when, for example, a pod is
00:26:15
duplicating itself, you don't duplicate your memory footprint
00:26:18
or your CPU and you're staying relatively lean.
00:26:21
Let's use Kubernetes native capabilities in order to do
00:26:27
security.
00:26:29
If Kubernetes provides network policy, you don't need another
00:26:33
agent to now run all of the network policy.
00:26:36
You don't need another sidecar and another sidecar.
00:26:40
You know sidecars.
00:26:41
I've seen companies that have, like I don't know, six or 10
00:26:44
different sidecars on every pod.
00:26:46
You know you spin up a pod, 10 other pods come up together.
00:26:50
So being very mindful that you're running like it's.
00:26:56
You know, on one hand, it's a limiting factor the fact that
00:27:02
you're running on Kubernetes.
00:27:03
You need to be as native as possible.
00:27:06
On the other side, it gives you a lot of capabilities and a lot
00:27:09
of native capabilities that, if you know to use them correctly,
00:27:12
makes you much more efficient.
00:27:14
Right.
00:27:35
Speaker 1: Hmm, yeah, how is that?
00:27:37
You know, how is that learning gap with Kubernetes, how time
00:27:40
and money and resources in Kubernetes?
00:27:42
You know they're probably not going to know it as well as you
00:27:46
or some of the experts at your company what it should actually
00:27:57
be.
00:27:57
You know doing how it should actually be designed, things
00:28:01
like that, because you know that's probably an important
00:28:04
part of what you do.
00:28:06
I would think, right, because you're you don't want to them.
00:28:24
Why you know this is valuable over something else, why it
00:28:25
works this way.
00:28:26
Right, why you wouldn't go with that top of the line EDR
00:28:30
solution that everyone has in their infrastructure, why you
00:28:33
wouldn't go with that module and why you would be going with
00:28:36
something you knowbuilt.
00:28:38
Have you run into situations like that where you guys are the
00:28:44
experts, so to speak, in the room and you kind of have to
00:28:48
educate your customers?
00:28:52
Speaker 2: Yes, and I have to say, over the last two years,
00:28:57
what we need to teach or work with our customers on have
00:29:02
changed, you know, dramatically.
00:29:04
And you know you're always or at least you should be always
00:29:08
ahead of your customers in terms of your knowledge and what
00:29:11
you're seeing, because you just see more in the market in that
00:29:16
specific field.
00:29:16
So if you think about, you know, three years ago, or even four
00:29:20
years ago, when we speak with customers about Kubernetes, I
00:29:26
always one of the biggest things that we always deal with is the
00:29:32
fact that Kubernetes has a joint ownership.
00:29:34
Kubernetes security has a joint ownership between a security
00:29:38
team and a DevOps team or platform team or SRE team.
00:29:41
You know the term itself is always changing, but if you
00:29:47
think about three or four years ago, we would speak with the
00:29:49
security teams about Kubernetes security and honestly, they
00:29:53
would be clueless, right?
00:29:55
They would say we don't know.
00:29:56
You know we know we have Kubernetes, the DevOps team is
00:30:01
running it, we give them some guidance and we scan images, but
00:30:06
they don't really know what's going on in there.
00:30:09
So that was the place back then.
00:30:13
It's just getting ownership.
00:30:15
Today we are in a place where our thought leadership is much
00:30:20
more around.
00:30:20
How do security and DevOps team work together to secure
00:30:25
Kubernetes?
00:30:25
We see more and more DevSecOps roles in the company.
00:30:29
We see security engineers who know Kubernetes, but they will
00:30:32
never know it as well as the DevOps.
00:30:35
So one of the key things we need to help our customers is to
00:30:41
mitigate between a security requirement, which is a very
00:30:45
security-oriented thing, and then the remediation of that
00:30:48
within Kubernetes, which is a very DevOps thing, and we
00:31:02
actually invest a lot of time into creating features that will,
00:31:03
you know, cater to that specific gap feeling.
00:31:05
So, for example, you know just a nuance.
00:31:07
You know if our system gives an alert to the security team
00:31:11
about a misconfiguration that might be problematic in the
00:31:15
environment security-wise, we also issue the remediation
00:31:19
advice to the DevOps team to apply, and we built it based off
00:31:23
the Kubernetes context and the runtime context in a way that it
00:31:27
will not break the application.
00:31:28
So you know we are always you know.
00:31:32
I would say the main thing our platform needs to do is to
00:31:36
continuously shrink the attack surface, but in a way that the
00:31:41
DevOps feel confident to use, right, that doesn't break
00:31:44
applications, and I think that's the first of all.
00:31:47
I believe it's one of our key differentiators, but it's also,
00:31:50
I think, one of the biggest bridges that you need to build
00:31:53
between security and DevOps.
00:31:58
Speaker 1: Yeah, that relationship is so critical.
00:32:01
It's becoming more and more important to really build that
00:32:07
relationship between security and the developers and
00:32:11
operations, because these organizations, these
00:32:15
environments, are getting so large that it's no longer under
00:32:18
you know, one team or one manager, right, like there's
00:32:22
several different pieces at play, and that kind of ties into
00:32:26
what we were talking about before being that engineer being
00:32:29
able to, you know, break things down, have the soft skills to
00:32:32
be able to talk to, you know anyone in the room and ensure
00:32:36
that they understand.
00:32:37
You know, one of the I guess maybe one of the biggest
00:32:42
challenges that I have faced, even in recent years, is being
00:32:48
that security expert.
00:32:50
When we're talking about Kubernetes, right, without
00:32:54
really knowing Kubernetes and trying to get across you know
00:32:58
security standards to developers and saying, how do we achieve
00:33:03
it?
00:33:03
Because, from an engineering perspective, I put on my
00:33:07
engineering hat it's like, okay, well, let's learn Kubernetes.
00:33:11
How hard could it possibly be?
00:33:12
How long could it possibly take me?
00:33:14
Maybe a month or two.
00:33:17
And then you start getting into it and two months in, you feel
00:33:21
like you know nothing and it's like, okay, I seem to be
00:33:24
starting completely over in this area.
00:33:27
So I need to lean more on the knowledge of other people that
00:33:30
have been working with it every single day.
00:33:32
Yeah, and try to make these security I guess requirements
00:33:38
you know make sense to them, and try and reword it so that it
00:33:41
makes sense to them, so that they could translate it into
00:33:44
Kubernetes and say, oh, there's this whole, this whole other you
00:33:49
know management plane, right, that we haven't thought about
00:33:52
before.
00:33:53
But that does the thing that you're thinking of right, it's a,
00:33:58
it's a balance.
00:33:59
It's interesting how that conversation just tied together
00:34:02
with what we were talking about before with soft skills yeah,
00:34:06
completely, and it's, you know it's always.
00:34:10
Speaker 2: It's almost like um, um, you know there's this movie,
00:34:14
you know men's out, men are from somewhere and then women
00:34:17
are from marcelina.
00:34:18
So it it's simple.
00:34:19
Security and DevOps and if I need to kind of like pinpoint it,
00:34:22
you know security many times.
00:34:24
You know they speak a language of risk.
00:34:27
Right, they speak a language of you know posture, which is a
00:34:34
language that the engineers, the DevOps, they don't speak that
00:34:38
language.
00:34:38
They don't talk in terms of risk.
00:34:41
They talk in terms of you know configurations.
00:34:43
They talk in terms of you know engineering, right, they talk
00:34:50
about configuration.
00:34:52
They talk about you know software packages.
00:34:55
They talk about network IPs.
00:34:58
That's their language.
00:35:02
And what we see today is that security, they need to know
00:35:08
Kubernetes well enough to kind of like translate some of the
00:35:10
risk requirement and the risk terminology into technical terms.
00:35:15
But also the developers on their side, they need to learn
00:35:20
the risk implications of different things and they need
00:35:22
to start thinking about risk as well.
00:35:24
I think that's what every platform that gives security for
00:35:28
Kubernetes will need to manage.
00:35:32
Basically.
00:35:36
Speaker 1: Yeah, and even recently, the past couple of
00:35:39
roles that I've had, it's been acting as that security bridge
00:35:43
to the rest of to translate, you know, these security components
00:36:02
into something that they understand so that we can, you
00:36:05
know, make progress.
00:36:06
It has been, I mean, it's interesting, it's probably the
00:36:10
evolution of an engineer, so to speak.
00:36:12
Right Is, you know, you go from being hands-on keyboard I'm
00:36:15
going to write this code and fix this problem and you know,
00:36:18
we're going to go through it like that, to being, you know,
00:36:21
the subject matter expert in an area and then translating it to
00:36:27
other, to other departments, right For them to actually do
00:36:30
that work.
00:36:31
And it's, uh, that that transition, I guess, has been
00:36:35
slightly difficult for me to to, I guess, stomach, right,
00:36:40
because I I still, I still want to get in there and I'm still
00:36:43
kind of paranoid because I'm not in the weeds like I used to be,
00:36:47
so to speak.
00:36:48
Speaker 2: It's not like man, is someone gonna like think I'm,
00:36:51
you know, useless and lay me off because I'm not in the weeds
00:36:54
like you know what I mean, like it's that yeah it's that mental
00:36:58
shift, you know yeah, you know, um, you know, I have to say you
00:37:02
know, another time in in my life at least, that I've went
00:37:06
through you know, uh, this type of like dissonance that you're
00:37:09
mentioning is, for example, just when you, you know, when you
00:37:13
move from being a developer to a team leader right, yes, you,
00:37:19
you know you just lose the capability or the capacity to
00:37:23
know every function that every developer writes and you need to
00:37:26
feel comfortable with giving guidance and being more of the
00:37:32
architectural oversight.
00:37:34
You're the security architectural oversight, right,
00:37:38
and I completely get it.
00:37:39
We're all in some ways maybe not all of us, but maybe you and
00:37:43
I are control freaks, right, we want to know that exactly
00:37:46
what's going on, and it's hard, but it goes again.
00:37:51
It goes to what we talked about before and I think you said it
00:37:54
right.
00:37:55
It goes to the soft skills into collaboration and working
00:37:58
together, communicating well, in order to feel comfortable with
00:38:02
this new situation.
00:38:07
Speaker 1: Yeah, absolutely so you know, if you look, you know
00:38:13
five, ten years out, right In technology.
00:38:15
That's extremely difficult to do to look ten years out.
00:38:19
It's probably really difficult to look five years out.
00:38:21
Where do you think cloud infrastructure as a whole is
00:38:28
going?
00:38:28
Because we have Kubernetes, but I wonder what that next
00:38:33
iteration of Kubernetes is.
00:38:35
Is it serverless, do you think?
00:38:40
Speaker 2: Well, there are already some.
00:38:44
You know, there's Fargate or the I don't know Autopilot from
00:38:51
Google which are kind of like they're running containers, but
00:38:53
they are serverless.
00:38:54
I think that's.
00:38:54
The problem today is that it is very, very costly to go.
00:38:59
But also, you know, Kubernetes makes it so much easier to
00:39:04
manage the server themselves.
00:39:06
Then it makes me think about okay, so if servers are so easy
00:39:11
to manage, why go serverless?
00:39:12
You know I try not to make predictions because everybody
00:39:22
that ever made predictions probably was wrong.
00:39:24
But one of the things that I'm seeing is that I think the cloud
00:39:31
as a cloud service is going to proliferate.
00:39:33
So we have Amazon, then we have Google, now we have Azure, we
00:39:36
have IBM.
00:39:36
I see companies starting to do their own cloud.
00:39:40
So what I suspect might happen is that the cloud technologies
00:39:46
will just be.
00:39:47
You know, in so many many places where you could utilize
00:39:52
cloud type technologies, companies are already doing that.
00:39:54
You know Kubernetes is running on premise and companies are
00:39:58
doing like cloud native, but it's on bare metal in their own
00:40:00
environments.
00:40:01
It costs them less than going to Amazon if they're big enough.
00:40:04
So I actually think, you know, I don't think the big change
00:40:13
going forward will be in you know what servers we are using,
00:40:18
or the architecture of the server, or Kubernetes.
00:40:21
I think it's going to be about the type of services that you
00:40:25
can get from the cloud provider.
00:40:27
I think cloud providers will win and lose based on the ease
00:40:31
of their AI models that they provide via APIs and the
00:40:37
database services and how quick those are.
00:40:40
I think that's where the next battlefield is in.
00:40:46
Speaker 1: That's really fascinating, you know what
00:40:49
you're describing really eliminates a lot of the security
00:40:53
misconfiguration that goes on in the cloud.
00:41:03
In the cloud, you know, recently, right, I ran a report in the
00:41:05
environment and saw a bunch of public S3 buckets and you know
00:41:09
I'm sitting here like this is, you know, literally you know,
00:41:13
third or fourth time that I've had to go over this with.
00:41:17
You know all of my developer teams probably about 150
00:41:20
different people and you know I'm trying to figure out how to
00:41:25
like finally solve this problem so that you know we wouldn't
00:41:29
still encounter it, because my environment is a little bit
00:41:32
unique.
00:41:32
We have limitations around what we can implement from a
00:41:37
security perspective, which makes which makes these findings
00:41:42
a little bit more difficult.
00:41:43
But that that's really interesting because you know
00:41:48
what you're talking about is kind of a overarching control
00:41:52
plane that is running on the cloud and you just tell that
00:41:56
service, you know what you want to be using, what you want to do,
00:41:59
what you
00:42:01
want to accomplish, and they figure out the most efficient
00:42:03
way to get it done for you and really leverage their own
00:42:08
internal skill sets to do that within whatever cloud provider
00:42:12
makes the most sense.
00:42:13
It's really interesting.
00:42:16
I haven't thought about it like that before.
00:42:19
Are you seeing that anywhere in the market right now?
00:42:23
Speaker 2: No, to be honest, like what we see, we do see.
00:42:25
You know multi-cloud environments and then everybody
00:42:29
is using multi-cloud.
00:42:30
They started to think about, you know, for example, security
00:42:33
wise.
00:42:34
You know, do we have like cross,
00:42:35
you know cross-cloud communication and what's going
00:42:38
on there and can one attacker move from one environment to
00:42:43
another?
00:42:43
So we see a lot of that.
00:42:45
Also, you know I'm very much in the security domain, so I'm
00:42:50
mostly seeing, you know, the concerns of security in these
00:42:53
domains and less about the control plane, the applicative
00:42:55
control plane.
00:42:56
So it's hard to me, but I can say that we see more and more.
00:43:00
You know every big company is now having a multi-cloud
00:43:06
environment and an on-premise environment as well, and all of
00:43:09
that needs to be managed.
00:43:13
Speaker 1: Yeah, it's a really good point.
00:43:15
It'll be interesting to see where the space goes, you know,
00:43:19
in the near future, and I wonder if satellites will play a role
00:43:23
in it.
00:43:23
But you know, Shauli, I really appreciate you coming on the
00:43:28
podcast.
00:43:29
I really enjoyed our conversation.
00:43:32
Speaker 2: Me too.
00:43:32
I really enjoyed it.
00:43:33
Thank you for having me.
00:43:34
It was a pleasure.
00:43:36
Speaker 1: Yeah, absolutely.
00:43:37
Well, you know, before I let you go, how about you tell my
00:43:40
audience where they could find you if they wanted to reach out,
00:43:42
where they could find your company if they want to learn
00:43:45
more?
00:43:46
Speaker 2: Yeah, so me, you know.
00:43:47
Just Google Shauli Rosen S-H-A-U-L-I-R-O-Z-N.
00:43:52
On LinkedIn I think I'm the only one, or at least I'm one of
00:43:57
the ones that will surely pop up. My company, ARMO, armosec.io,
00:44:04
and also as important as my company is our open source
00:44:07
project, which we almost didn't get a chance to talk about at
00:44:11
all, which is called Kubescape, which is today one of the most
00:44:15
prominent open source projects for Kubernetes security out
00:44:18
there.
00:44:18
It's an official Linux Foundation CNCF project.
00:44:21
Hundreds of thousands of users, super successful and anyone who
00:44:27
will contribute or use that.
00:44:28
It's also a win for me and I really, really encourage you to
00:44:33
try it out.
00:44:35
Speaker 1: Yeah, absolutely.
00:44:36
We'll have to have you back on to talk more about that project.
00:44:41
Speaker 2: Yeah, we can do like 60 minutes on the open source
00:44:43
itself and we talked about how did they get into security and
00:44:48
how did they get to funding the company, how did they get into
00:44:52
open source, and the open source journey as a whole is a
00:44:55
fascinating journey on its own.
00:44:59
Speaker 1: Yeah, absolutely, we'll figure that out and make
00:45:02
that happen.
00:45:03
Speaker 2: Yeah.
00:45:04
Speaker 1: So thanks everyone.
00:45:05
I hope you enjoyed this episode.