Uncover the mysteries of IT, Scale, and Designing for Success with our special guest, Ganesh, a seasoned engineer, technologist, and entrepreneur. We take a deep dive into his venture into cybersecurity and his revelation of the potential harm that could be inflicted by those with similar knowledge. Together, we traverse the terrain of designing for scale, while sharing lessons learned along the way.
Venture with us as we discuss the hurdles faced by startups in their quest for the elusive product-market fit. With Ganesh's insights, we illuminate the journey, highlighting the importance of finding the right customer partner and the necessity for resilience in the face of adversity. We also delve into the concept of overnight success, providing a fresh perspective on the importance of persistence, even when the road gets tough.
As the episode evolves, we shift our focus to the challenges and perks of cloud-based applications. We share our insights on the distinct approach required for security in modern cloud-native applications, considering the scale, diversity, and rate of change organizations need to handle these security issues. Ganesh further enriches the conversation by sharing the evolution of his cloud security product and its significant improvements in usability and value in just 18 months. Join us for this enlightening conversation, as we wrap up discussing the rapidly changing nature of cloud solutions and how companies can stay updated.
LinkedIn: https://www.linkedin.com/in/ganesh-pai/
Website: https://www.uptycs.com/
Speaker 1: I was going.
00:00:01
Ganesh, it's really good to finally have you on the podcast.
00:00:04
I feel like we've been trying to get this thing going for
00:00:08
quite a while now and I'm just really excited to finally have
00:00:12
you on.
00:00:13
Speaker 2: I appreciate the opportunity to be here.
00:00:15
Better late than never, so glad to get started.
00:00:20
Speaker 1: Yeah, I guess that's one way of looking at it.
00:00:22
You know it's.
00:00:23
It's just, it's interesting how your schedule can play out,
00:00:29
you know, when it's a.
00:00:30
It's been a crazy year for me, that's for sure.
00:00:34
Speaker 2: I can only imagine.
00:00:35
Probably with the schedules that you run, it's probably
00:00:37
par for the course, but yes, when it comes to reality it's a
00:00:40
different thing.
00:00:41
Speaker 1: Yeah, right.
00:00:42
So so, Ganesh, you know I started everyone off was kind of
00:00:46
telling their background, right, talking about how they got an
00:00:51
IT.
00:00:52
What was it about IT that really piqued their interest,
00:00:55
that wanted them, that made them want to, you know, get into
00:01:00
this field, right, because this field isn't really for everyone.
00:01:03
But you know, I've done over 150 of these episodes and I
00:01:07
haven't heard the same background twice, right, like
00:01:09
I've talked to former opera singers, I've talked to, you
00:01:13
know, former physicists and somehow these people always find
00:01:18
their way into IT.
00:01:19
So what's your story?
00:01:21
Speaker 2: Yeah, I don't know whether I'm going to be as
00:01:23
exciting as others, but let me do my best.
00:01:26
So I started with a couple of different things, but one way to
00:01:33
give you a little bit of my background, if I were to
00:01:35
summarize it in the shortest possible way, I'm an engineer by
00:01:40
training, as in.
00:01:42
That's what I went to school for.
00:01:44
A technologist by vocation that's what I did for the first
00:01:48
majority of my career and arguably an entrepreneur by
00:01:53
choice.
00:01:53
What that really means is when I come to an edge, I jump first
00:01:59
and pray real hard that I can find sure, but I've been
00:02:02
incredibly fortunate to be in the company of the right people
00:02:06
at the right time, right.
00:02:07
So that's what has sort of led to the success in terms of
00:02:12
venturing and being an entrepreneur.
00:02:13
I'm happy to give you more background on what's been built
00:02:18
up to where Uptycs is today, but on myself, that's how I
00:02:23
characterize yes.
00:02:23
Speaker 1: Yeah, it's a really interesting.
00:02:29
I feel like it's an interesting question to start off with to
00:02:33
kind of get the feel for how the guests got started and whatnot.
00:02:41
Speaker 2: I can give you a lot more color on that, just to
00:02:45
elaborate.
00:02:46
So, in terms of interest in IT, of course it is due to the
00:02:53
training as an engineer and the curiosity then took me to be a
00:02:58
software engineer and technologist through majority of
00:03:01
my career.
00:03:01
But in terms of the venture itself has applied to core
00:03:08
cybersecurity.
00:03:09
Me and the core founding team here at Uptycs, we come from a
00:03:14
background of having scale, and by scale I mean enterprise scale,
00:03:21
as in building things for large operators like AT&T and
00:03:25
Comcasts of the world.
00:03:26
We built primarily technologies which enabled these large
00:03:31
operators to make revenue through the tooling that we
00:03:35
provided as entrepreneurs from the past.
00:03:39
However, the revelation, at least, which piqued the interest
00:03:42
to get into cybersecurity at large, was a peripheral
00:03:47
understanding that with the knowledge that we possess, which
00:03:50
we were using only for constructive purposes, if
00:03:53
someone had a different, maybe malicious or a different intent,
00:03:58
but with the same knowledge that we did, they could
00:04:01
definitely cause a lot of harm and as you see what's happening
00:04:05
around us.
00:04:06
So that's what prompted us to start thinking can we make a
00:04:10
difference, to be on the defenders with the knowledge
00:04:13
that we possess, having a good understanding that those who
00:04:16
have a similar skill, but with the offensive mindset or the
00:04:20
malicious mindset, could do other things, and this happened
00:04:24
when we were at the prior venture that we did and we were
00:04:27
acquired by Akamai, and some of what we saw in terms of debug
00:04:32
and diagnostics then led us to the belief that maybe the
00:04:35
visibility that we encountered in the past, maybe that can be
00:04:40
made available for cyber, and that's how the venture was
00:04:44
formally conceived around eight years ago.
00:04:46
We took money and operationalized the venture by
00:04:49
capitalizing it in the summer of 2016 and seven years on, here
00:04:55
we are.
00:04:58
Speaker 1: So that's really interesting.
00:04:59
You always hear about these big tech companies and the scale
00:05:10
that they're operating on, and I read an article maybe it wasn't
00:05:17
an article, it was just a random post that talked about
00:05:21
how Google can't really purchase products to manage their
00:05:28
environment.
00:05:29
But I have to actually create it, because the scale is so
00:05:32
significant that very, very few other products on the market
00:05:38
would even come close to being able to manage the scale.
00:05:40
And then, when you factor in the features and functionality
00:05:44
that they may want, they don't want to rely on a third party
00:05:47
vendor for that.
00:05:49
Can we talk a little bit about what it's like to design for
00:05:52
that scale?
00:05:52
Because there's not that many people in big tech, right,
00:05:57
there's several thousand engineers and whatnot, right,
00:06:00
but not everyone comes from that background.
00:06:02
And so, for even someone like myself, the largest company that
00:06:07
I've worked for is about 650 employees.
00:06:10
It's a global company, and even when we start talking about
00:06:17
Amazon scale, I can't even fathom it.
00:06:21
I can't even picture it, right.
00:06:23
So what is that like?
00:06:24
Trying to solve that problem?
00:06:29
Speaker 2: Yeah, that is a great question and where, if I were
00:06:33
to share my own experience, to tie it back anecdotally, what I
00:06:38
can reflect upon is the fact that scale produces a different
00:06:43
kind of challenge than what you might encounter otherwise, and,
00:06:49
in the context of what the learnings were, they were not
00:06:52
necessarily tied to cybersecurity, but they were
00:06:56
tied to visibility and observability.
00:06:59
For a different reason it was predominantly for debug and
00:07:04
diagnostics.
00:07:06
When you're operating a very large distributed systems, no
00:07:10
matter what the application is, you need to have intense amount
00:07:15
of visibility such that you can quickly diagnose in case things
00:07:19
are trending in the wrong direction.
00:07:21
And all of that is tied these days into site reliability and
00:07:25
other engineering.
00:07:26
But the premise of why you might deduce that something is
00:07:31
not working is based on what's otherwise called as a paradigm
00:07:36
of observability.
00:07:37
So what scale teaches you is that you can't do things in a
00:07:42
onesie-twosie way, but you need to look at a distributed system
00:07:46
as a corpus of large system which is constantly streaming
00:07:51
some sort of a telemetry to you, and you need the ability to
00:07:55
apply analytics based on that streaming data and quickly
00:07:59
figure out where exactly are the signals which are noteworthy,
00:08:03
because clearly you can't pay attention to everything.
00:08:06
That means you need means to extract what's worth paying
00:08:10
attention to.
00:08:11
So these were some of the deep learnings which heavily
00:08:13
influenced us to say, can this paradigm be applied in the realm
00:08:18
of cybersecurity?
00:08:19
Because, due to the proliferation of cloud at large
00:08:22
scale, can you start deducing what's wrong in the systems by
00:08:26
observing their behavior, by doing so from outside in, by
00:08:30
collecting telemetry from them and applying streaming
00:08:33
techniques.
00:08:33
So that was in some ways a lesson that we had the good
00:08:39
fortune of learning in a different edges and domain, but
00:08:43
the luxury of applying it to cybersecurity in this current
00:08:46
venture.
00:08:47
Hope that made sense.
00:08:48
I'll pause here, happy to zoom in and double click, but hope
00:08:51
I've shared an anecdote which is relevant to what you were
00:08:54
asking for.
00:08:56
Speaker 1: Yeah, I think that makes sense.
00:08:57
I wonder.
00:09:00
So I think that this poses a unique challenge.
00:09:05
So when you're starting a company, when you're creating a
00:09:09
product, you want to it's human nature, you want to take in
00:09:15
every single customer that you possibly can to get them your
00:09:19
product to not only benefits them, it benefits you.
00:09:22
When you're when we're talking about creating a product that
00:09:27
has to scale like that and you're early on, you know, in
00:09:31
your development process and the lifetime of that company, do
00:09:36
you think that it is also important for you to choose the
00:09:40
right customers as like, as a side note from the customer
00:09:44
choosing you?
00:09:46
The reason why I asked that is because I actually used to work
00:09:49
for a company.
00:09:50
It was very small, you know, they had been around for I don't
00:09:54
know, maybe 15 years, something like that, but they were still.
00:09:56
I mean, it felt like it was a start-up and we had certain
00:10:01
customers that had been around for forever that were just so
00:10:05
resilient to any issue our product would encounter right in
00:10:11
their environment, no matter how sensitive their environment
00:10:13
was or whatnot.
00:10:14
It was like they were used to it.
00:10:16
They knew that we would get it resolved and they knew that they
00:10:20
had to report it in a certain way and like they just understood,
00:10:24
right, like this is a part of the game.
00:10:26
And then we had other customers that were extraordinarily
00:10:29
difficult to deal with if they encountered a brand new you know
00:10:33
bug or an issue with a brand new version.
00:10:35
And so I can only imagine, right, because there's only so
00:10:40
much that you can design for without having a problem
00:10:44
in front of you, right?
00:10:45
So I think it poses a unique situation where you have to have
00:10:53
a customer that's understanding like hey, you know, we're
00:10:56
starting out, we think we're doing something special here.
00:10:59
If you can hang in there through a couple iterations of
00:11:03
these bugs and whatnot, like we'll get there.
00:11:05
Is that something that you've experienced?
00:11:07
Is that something that you learned?
00:11:10
Or am I completely out there and off base?
00:11:14
Speaker 2: Now, I think that's the I don't want to say.
00:11:16
In some ways it's the very nature of progressing through
00:11:21
the journey of a startup, because when you start off you
00:11:25
can do two things you can figure out if there is a little wedge
00:11:29
or tooling, go really deep, or you can arguably take the
00:11:33
approach that we did we built a general purpose platform but in
00:11:37
both cases, in the initial phases of the venture, where
00:11:43
you're iterating for that initial product market fit, you
00:11:48
clearly go through the phase where there's a combination of
00:11:51
ideation that you bring to the table which gets a customer
00:11:55
excited, so much so that they are willing to partner with you
00:11:59
and arguably go through that phase of trial by fire in
00:12:04
production, because they see in you the promise, that a pain
00:12:09
that they felt they've not been sufficiently able to solve it
00:12:12
any other way, which is why they are willing to invest in you
00:12:17
and your venture and arguably go through that process.
00:12:21
And I'd say that we were fortunate that while we had our
00:12:26
own share of challenges, our customers saw sufficient value
00:12:30
to persist with us.
00:12:32
And of course, it took a few years to get them to like really
00:12:37
large and I'm talking about 150 plus server environments
00:12:42
where we've been fortunate to get operationalized, but it
00:12:45
didn't happen overnight.
00:12:46
We had to prove and we had to persist and we had to do
00:12:50
everything that you just outlined, because, at the end of
00:12:53
the day, it's not that, while we had a vision and the product
00:12:55
work for most part, making sure that it fits in an enterprise
00:13:00
environment where there's a lot of diversity and that diversity
00:13:03
introduces pain and challenges is what one had to encounter and
00:13:06
overcome, and we were fortunate to do so.
00:13:12
Speaker 1: Yeah, it's a.
00:13:13
You know it's an interesting way to live a life.
00:13:18
Right is running a startup and all the different stresses that
00:13:23
come with that.
00:13:23
You know it's an interesting way even to start your career.
00:13:28
You know, like for me, right, I started out as a startup and
00:13:33
being able to, or having to, wear several different hats, you
00:13:39
know, all on the same phone call, right and taking a problem
00:13:44
and owning it all the way from start to finish, not being able
00:13:47
to escalate it.
00:13:48
It's like, you know, no, I am the escalation point, like they
00:13:52
call the right number, unfortunately, and I'm the
00:13:55
person that has to take this thing from.
00:13:57
You know, 8am until 4pm.
00:13:59
You know it's always interesting to hear about
00:14:05
everyone's journey in the startup phase because it's
00:14:09
different but similar in a lot of interesting ways.
00:14:14
Speaker 2: Yes, you know, I have a very simple philosophy around
00:14:17
this, and others might disagree.
00:14:19
The bottom line, I think, is there is no shortcuts when you
00:14:24
jump on your journey to get to a successful point.
00:14:27
And if you were to imagine X and Y axis and Y is like you
00:14:31
know how much time it takes to be successful on the other axis,
00:14:37
then you realize that there are no shortcuts.
00:14:39
It's guaranteed to take time to be successful, at least
00:14:44
statistically.
00:14:44
I think that's accurate.
00:14:46
The only other thing which is really important is that the
00:14:50
journey to go to the top is going to be jagged.
00:14:53
It's never a smooth line, right, and that's your point.
00:14:56
It always takes time and it's always bumpy, but if you're able
00:15:00
to endure the ride in the company of the right team, I
00:15:03
think it makes the biggest difference.
00:15:08
Speaker 1: Yeah, you bring up a really good point.
00:15:11
You know that there are no overnight successes in this
00:15:16
world, that's for sure.
00:15:18
And I think that that kind of that hit me when I watched this
00:15:22
interview from Kevin Hart I think Oprah might have been
00:15:26
interviewing him or something and they said oh, you know,
00:15:29
you're an overnight success.
00:15:30
Like how does it feel?
00:15:31
And he goes overnight.
00:15:33
That was 12 years of hard work, of people booing me off the
00:15:38
stage, of people, you know, not knowing my name, me not being
00:15:42
able to, like, feed myself for several days, Like that.
00:15:47
That was a long time.
00:15:49
That was 12 years of being not giving up and that really
00:15:54
resonates with me, right, because in the current society
00:15:58
and how everything is, you see, it's like you see it all right
00:16:02
in front of you immediately, right?
00:16:04
So now you, you're matching up your life with this other
00:16:08
person's life and they were probably in it for 10, 12, 15
00:16:12
years, right, and you're saying, well, I'll never get there.
00:16:15
That's not for me.
00:16:17
But in all actuality, is that person that spent the 15 years
00:16:21
doing that to master it.
00:16:22
They just didn't give up.
00:16:24
You know that that's the only thing.
00:16:26
Like, they had their disappointments, they had their
00:16:28
failures.
00:16:28
They just didn't give up.
00:16:30
They kept going, and I think that that is that's a key skill
00:16:35
in life overall, right, but it's a key skill that you must have
00:16:41
to really be successful in anything that you choose to.
00:16:44
Would you agree with that?
00:16:46
Speaker 2: Yes, absolutely, and I can give you some anecdotes
00:16:50
based on my own experience, because, in our seven years of
00:16:55
existence, to build the first core part and do the validation,
00:16:59
it was roughly an overnight success of five and a half years
00:17:05
in the making.
00:17:06
Because in the business of cybersecurity, we are today a
00:17:11
provider of two things.
00:17:13
If you have your technology, from the laptop to the cloud, if
00:17:19
the cliché is software is eating the world, the question
00:17:22
is where is it produced, how is it operationalized and why does
00:17:26
it end up being a crown jewel of an organization?
00:17:29
At the venture that we are, we specialized in securing that arc
00:17:35
of productivity.
00:17:35
We arguably made a case five years ago to come up with this
00:17:41
approach of using a paradigm of observability which probably was
00:17:46
not well understood or well received.
00:17:48
Of course, we had to build the platform at scale to validate
00:17:52
that.
00:17:53
Now, of course, we have a really nice word which our marketing
00:17:56
team has put together, which is called a shifting up.
00:17:59
But what really entailed was looking at all these things
00:18:03
which are a part of going through that cycle of building
00:18:07
your crown jewels.
00:18:08
How do you observe the laptop, the SaaS services, the cloud
00:18:13
infrastructure and then draw conclusion is something going
00:18:17
wrong.
00:18:17
How can we use the same data to establish trust and all of that.
00:18:20
And that took us time and, with one specific asset, to secure
00:18:27
and build it.
00:18:28
It took that overnight success and it took that long and now we
00:18:34
are in a position to reap the benefits of this shift up
00:18:38
approach, and we see a lot of parallels.
00:18:41
Of course, when we were doing it, we were thinking who else
00:18:43
might have done something like this, and we saw the likes of
00:18:46
SAP and the likes of Salesforce and others do it, and we were
00:18:51
able to connect the dots that it took them a fair bit of time to
00:18:55
get to where they are, because this observability approach,
00:19:00
built on a platform, is not something which happens
00:19:03
overnight.
00:19:04
But, to your point, you have to be persistent and it takes that
00:19:08
much time to be successful.
00:19:12
Speaker 1: Yeah, it's an interesting journey.
00:19:15
So we talked about designing a product for scalability for
00:19:24
extremely large environments.
00:19:25
I would assume that that really significantly impacted how you
00:19:32
designed Uptycs, the Uptycs platform.
00:19:34
Right, because it's a cloud first solution to provide
00:19:39
visibility into the you know, your multi-cloud, your single
00:19:42
cloud environment.
00:19:44
What's the difference, in your mind at least?
00:19:48
What's the difference between a cloud first product and a
00:19:53
product that you know legacy on-prem, that was rehashed into
00:19:59
a cloud solution?
00:20:01
Me, from the engineer perspective, there's a gigantic
00:20:05
difference, right?
00:20:07
Those other legacy solutions.
00:20:08
They typically can't scale very well.
00:20:10
They're typically very configuration heavy.
00:20:13
You could spend months configuring those tools to do
00:20:18
very simple operations across all three of the clouds.
00:20:21
In that valuable time that you would have had, you would have
00:20:25
had a cloud first product that would step in and would have
00:20:30
done it in 30 minutes and you'd be up and running, right, yeah,
00:20:34
so from an engineering perspective, there's a huge
00:20:37
difference.
00:20:37
But from your perspective, from where you're sitting, right,
00:20:43
what's the difference that separates the two kind of schools
00:20:46
of thought?
00:20:49
Speaker 2: Yeah, so the there are two dimensions.
00:20:52
One, scale, of course, is the easy word to use, but the real
00:20:55
question is in the modern environment, why does scale
00:21:01
matter?
00:21:01
Scale, of course, is the part in terms of your ability to
00:21:05
cover a wide spectrum and go for large environments, but in
00:21:11
addition to scale, there is a big part is the diversity of the
00:21:15
environment and the rate of change in the environment too.
00:21:19
If I were to characterize the problem statement to then
00:21:23
highlight the reasons for why a cloud native approach makes a
00:21:29
difference, if you're to look at what a prototypical user who
00:21:35
might want to work with Uptycs and what challenges they might
00:21:38
face, their work might look like something along these lines
00:21:41
right In the organization, their users might either be
00:21:46
interacting with SaaS services because they work off a laptop,
00:21:51
they have a Wi-Fi and they connect to Google, or they
00:21:54
connect to like GitHub or do something.
00:21:56
But the engineers they assert their identity with the identity
00:22:00
provider, like Okta, they connect to something like GitHub
00:22:02
to like, do the source code, check in checkouts, they develop
00:22:06
the crown jewels, then they push it into some kind of build
00:22:10
pipeline and then they operationalize their tech by
00:22:12
storing the artifacts, the builds that they've generated
00:22:16
and pushing it into one of the clouds, and they might use
00:22:18
modern environment like Kubernetes to containerize and
00:22:21
package.
00:22:23
Now, of course, there is the scale part of all these, each
00:22:27
one being at large scale if you're a large organization, but
00:22:31
there is the diversity of various things that you need to
00:22:34
account for.
00:22:34
Then the other part to account for is the rate of change.
00:22:38
With the way the modern world is, to make sure that you are
00:22:42
able to instantly adapt and provide new features.
00:22:45
There is constant software which is being built and it's
00:22:50
being operationalized such that changes happen within a few days
00:22:54
in some cases or, worst case, weeks, as opposed to like months
00:22:57
of release cycle in the past, which is historical data center
00:23:01
centric, on-prem approaches, because it is a lot harder to
00:23:04
like, operationalize tech and a lot harder to debug and if they
00:23:08
were mistake, you can't really push things out.
00:23:12
Now the scale, the diversity, the rate of change introduces
00:23:18
various different problems when it comes to both security and
00:23:21
understanding.
00:23:22
If things go wrong and the way you have to tackle this becomes
00:23:26
a different problem statement, especially in the context of
00:23:29
cloud native applications and how you secure them.
00:23:32
And to secure that then you have to be as purpose built as
00:23:37
the applications itself, because it needs a new paradigm and
00:23:40
that's where we've been fortunate to build a platform to
00:23:44
make a difference.
00:23:45
I'll pause here I can dig in further on this because this is
00:23:49
a topic that I'm extremely passionate about but hopefully
00:23:51
that gives you some color and perspective on the problem
00:23:55
statement itself.
00:23:55
Thank you.
00:23:57
Speaker 1: Yeah, absolutely.
00:23:58
I feel like you know, I have seen it where in a few cases,
00:24:04
you even have to explain almost like what the cloud is to some
00:24:09
people, of how, you know, updates can happen daily, right,
00:24:14
and not impact you at all, and you not even notice that there's
00:24:17
an update.
00:24:18
It's like, well, do you use Gmail?
00:24:19
You know, and if you use Gmail, that thing is updated probably
00:24:23
every week and you've never noticed as a single update.
00:24:27
I have you, you know, I was working at a place and I was
00:24:32
trying to get rid of the legacy Ping Identity solution because
00:24:36
it was on-prem, it just wasn't going to work for us in the
00:24:39
cloud, wanted to move to another SSO solution that was cloud
00:24:45
based, you know, and the principal engineer that was
00:24:51
going to, you know, own the technology was very confused as
00:24:55
to how they could update their product so often.
00:24:57
And I'm sitting here like how does this guy of all people, how
00:25:02
does he not understand how this works?
00:25:04
You know, and it's interesting that in 2023, we still have to,
00:25:10
you know, kind of describe that and go into that a bit.
00:25:13
Is that something that you have also seen or have?
00:25:16
You know?
00:25:17
99.9% of customers, you know, moved on and they're not dealing
00:25:23
with that legacy thought pattern anymore.
00:25:26
Speaker 2: I think they have moved on.
00:25:27
They're not dealing with the legacy thought pattern, but they
00:25:31
do have a lot of residual legacy in large environment
00:25:36
because their digital transformation journey is not
00:25:39
complete.
00:25:39
Well, I think people certainly have an appreciation, the
00:25:44
reality which sometimes grounds them as the diversity of their
00:25:48
resources.
00:25:49
You know as easy as it is to think that you might have the
00:25:53
latest version of Red Hat or Ubuntu in the cloud that you
00:25:57
can take advantage of, what they're left with is you know,
00:26:01
12 or 13 years ago there was Red Hat 5.
00:26:03
It was running on a dual core machine with 8 gig RAM.
00:26:07
It's running something which is mission critical, generating
00:26:10
a lot of money, and they're aware that it needs to be moved.
00:26:14
But you know, business reasons prevent them from moving it
00:26:17
right.
00:26:17
So that one consideration.
00:26:19
I also want to make an observation, if I may, based on
00:26:22
your first comment about availability of Gmail and other
00:26:26
applications.
00:26:26
Most people probably take it for granted because the rate at
00:26:31
which, or the frequency with which, they access their
00:26:33
Facebook and Google these things probably are far more reliable
00:26:37
than the banks that they dealt with from a digital perspective.
00:26:40
Right, because it's downtime implications to these providers
00:26:44
are far more bigger than if a bank is down.
00:26:46
You might go to another ATM or you might wait, but if you're
00:26:49
not getting your email or your messages, you're not able to see
00:26:52
your Instagram or whatever else.
00:26:54
I think that there's going to be a bigger outage, right?
00:26:56
So outrage, rather so.
00:26:57
I feel that you know the reasons why are different, but
00:27:03
the reliability of these applications, thanks to cloud
00:27:07
and SaaS, is just incredible.
00:27:10
Speaker 1: Hmm, yeah, you put it a really, a really good way.
00:27:14
So, you know, can we talk a bit about upticks and how the
00:27:19
platform takes in the different signals from the cloud and then
00:27:24
provides intelligence around it.
00:27:26
What's the basis that it provides this intelligence?
00:27:29
And before you dive into this right, Because this could go on
00:27:34
forever I just wanted to mention I saw the product for the very
00:27:38
first time at RSA it might have been 2021 or 2022.
00:27:46
And it was a rough product, you know.
00:27:48
I'll be honest, it was rough.
00:27:50
You could see that it had, you know, good bones, good
00:27:53
infrastructure there, that something special was actually
00:27:56
coming.
00:27:56
And then this past year, when I went to Black Hat and DEF CON,
00:28:02
you know, I got to see the product again.
00:28:04
It looked like a totally different product, right, it
00:28:06
looked amazing.
00:28:08
To be completely honest with you, it looked really great Very
00:28:11
intuitive product, great UI.
00:28:13
I understood what was going on, you know, right from the start.
00:28:17
I didn't need anyone to explain it to me, even though your team
00:28:20
did a fantastic job of walking me through it, and so you know,
00:28:25
I just wanted to point that out of how, just in, you know, a
00:28:27
year, 18 months, right, like your product, made a significant
00:28:32
leap in usability and, you know, in the value that it actually
00:28:38
provides to an environment.
00:28:39
And again, this episode isn't even sponsored by you guys.
00:28:42
I just enjoy the product.
00:28:45
Speaker 2: Thank you, and that's much appreciated.
00:28:47
And I'll tie it back to what I said earlier.
00:28:50
You caught us probably in the four years of the five and a
00:28:54
half years it took to actually get to where we want to be at
00:28:57
scale.
00:28:58
It's a great observation and a very candid one, which I
00:29:03
sincerely appreciate, because I think it's factually accurate. To
00:29:09
dig in a little bit deeper to understand why that's the case.
00:29:14
We arguably chose a completely different approach to building a
00:29:19
product and what problem we want to solve for. Our thought
00:29:24
process was to provide security using the observability paradigm.
00:29:29
Now, what that meant was you know, you know.
00:29:32
We of course, have a really nice way to outline it, we call
00:29:36
it as shift up security, but the basic tenets and principles
00:29:40
were that if there are a set of attack surfaces for which you
00:29:44
want to provide security coverage, at the end of the day
00:29:48
you provide security coverage to reduce risk for any
00:29:51
organization, and risk stems from either vulnerabilities and
00:29:56
misconfigurations or genuinely threats which are behavioral in
00:30:00
nature, because the misconfigurations or
00:30:03
vulnerabilities that you have have been exploited by someone
00:30:07
and they are posing a threat to the organization.
00:30:09
And to understand what this risk reduction means across a
00:30:16
set of asset categories, we chose arguably a harder route to
00:30:21
market then, which is to say that we will build an
00:30:26
abstraction using a series of sensors and connectors which
00:30:30
will provide us with in-depth telemetry, and we will apply
00:30:35
analytics on that telemetry while it is in flight as well as
00:30:39
on a historical basis, so that we can build the necessary
00:30:42
security controls towards reducing the risk.
00:30:45
Now, to realize that vision, of course, we had to build these
00:30:51
sensors and connectors using a structured manner which
00:30:54
transmitted the telemetry, for example, for XDR and endpoint.
00:30:58
We do so from runtime environments, from the cloud.
00:31:01
We do both agent and agentless, but we connect to it such that
00:31:05
it sends the data to us.
00:31:06
So the question is how do we scale, ingest the data, apply
00:31:10
analytics to extract signals so that those signals then, in turn,
00:31:14
can be used both for establishing trust, as in
00:31:17
compliance, and auditing, and all that as well as doing threat
00:31:20
detection.
00:31:20
And you probably caught us at a point where the infrastructure
00:31:25
was built to ingest the data in a scalable manner, but we
00:31:31
perhaps were lacking the ease and the simplicity that's
00:31:35
required by most organizations, who are bootstrapped in terms of
00:31:40
their time to draw conclusions and with the ability to build
00:31:46
that platform in a scalable manner.
00:31:47
What's been happening in the last couple years is our ability
00:31:52
to extract insights on top of the platform, and those insights
00:31:56
are the ones which translate directly into the CNAPP, CWPP, all
00:32:01
the analysts have really nice acronym soup for that and we
00:32:04
provide coverage because that translates into security
00:32:07
controls, and thank you for sharing this.
00:32:11
Where you probably next encountered us is that we then
00:32:16
were able to actually show the promise of that telemetry by
00:32:18
generating actionable insights, and I appreciate you sharing
00:32:23
that.
00:32:24
It was self-evident for you when you saw it yourself, right.
00:32:26
So that's a tribute to our product team and our marketing
00:32:29
team that they're in a position to make that happen.
00:32:31
But hopefully that gives you an anecdotal journey tying back to
00:32:35
your two points of observation and where we were along in our
00:32:39
journey.
00:32:40
I'll pause you for a second, if I can zoom in on anything else.
00:32:42
Yeah, absolutely.
00:32:47
Speaker 1: You bring up a really good point right is presenting
00:32:50
actionable information and actionable intelligence to the
00:32:57
engineer, to the end user, to actually resolve issues within
00:32:59
the environment, and that's actually a huge area of the
00:33:07
cloud and cloud security solutions that matters a lot
00:33:12
more, I would say, regardless of the environment size.
00:33:14
About a year, year and a half ago, I was POC'ing a CSPM
00:33:18
solution and the deciding factor for me was ease of use, right?
00:33:23
How quickly can I get this thing stood up?
00:33:25
How quickly is it going to give me information that I can
00:33:29
actually act on?
00:33:30
And how can I take that information and take that
00:33:34
information and take that information and actually act on?
00:33:36
And how can I take that information and maybe even
00:33:40
resolve it straight from this console, right?
00:33:43
Rather than going into AWS or Azure and then GCP to resolve
00:33:47
these three critical items, can I do it all straight from this
00:33:51
platform or whatnot?
00:33:51
Right?
00:33:52
And that was absolutely a criteria that I had to keep in
00:33:56
mind, because our team at that time was a team of two,
00:34:00
including myself.
00:34:01
We didn't have the time to really sift through 1 alerts
00:34:08
a day and choose the five that were the ones that I needed to
00:34:12
pay attention to and design a plan around how to resolve them.
00:34:16
It's like, no, I kind of need this solution to do 99% of that,
00:34:21
and then I do the 1% and verify that that's what I actually
00:34:24
want to do in the environment.
00:34:28
I point that out because it's like that shift in mentality
00:34:32
almost, and even at a larger organization that I'm at right
00:34:36
now, that still matters a significant amount because I'm
00:34:40
doing other things.
00:34:41
I have 30 other things going on that I can't spend my entire
00:34:47
day in this one console.
00:34:48
I have an hour, two hours maybe, to get this information, make
00:34:54
adjustments in the environment, vocalize it out, make changes in
00:34:58
the processes and then move on.
00:34:59
It's just a fast-paced, evolving area, I feel.
00:35:05
Is that what you've noticed as well?
00:35:08
Speaker 2: Yes, very much so. To your point about CSPM and its
00:35:14
implications and threat detection on the other side.
00:35:18
Virtually in all cases and this, of course, took us time,
00:35:21
because when you do a platform-centric approach, it
00:35:24
takes time to build everything, but in both scenarios you want
00:35:29
to quickly surface something which is insightful, and perhaps
00:35:33
this is what you're alluding to. Context is the king, because if
00:35:36
there is something noteworthy which is to be investigated, the
00:35:40
context reduces the necessary time and it reduces dwell time
00:35:45
and it makes a big difference because then you know that there
00:35:48
is something noteworthy that you're going to act upon, based
00:35:51
on the efficacy and the quality of the context which is provided
00:35:55
to you.
00:35:57
Our observation has been along those lines in terms of which
00:36:00
has been the lead up to our product improvements, whether it
00:36:03
is for CSPM and the context around agentless, where you can
00:36:09
provide a lot of visibility, which is static in nature, to
00:36:13
the agent-based approach, where you can actually do behavioral
00:36:16
detection.
00:36:17
How do you provide that in a rich way, not just your own way,
00:36:22
but you align it with something like MITRE, which allows an
00:36:26
organization who's read something and they have some
00:36:29
approach to understand.
00:36:30
This is how threat actors might behave and when you use that
00:36:34
paradigm to lay things out, it's a lot more easier for us to
00:36:37
digest.
00:36:37
Yes, a long-winded way of telling you that I'm 100%
00:36:41
aligned with what you said, irrespective of the size of the
00:36:44
team, as to how quickly one has to surface the context and
00:36:47
provide ease of use.
00:36:50
Speaker 1: Yes, it's really valuable when you present the
00:36:54
information in a way that relates to a framework or a
00:36:59
standard, like MITRE that you mentioned, because sometimes
00:37:04
with these changes that you need to make within the environment,
00:37:06
you need the proof, you need the actual evidence saying, hey,
00:37:11
this is the actual control that we are failing.
00:37:15
This is why, this is how we resolve it. From the engineering
00:37:19
perspective,
00:37:20
it makes me look really great, at least to my management team,
00:37:24
when I can go to another, let's say, infrastructure guy or a
00:37:27
network guy or a developer and say, hey, this is exactly what
00:37:30
we need to do, why we need to do it and everything like that.
00:37:34
Historically, that would take a couple of days to put that
00:37:38
information together because I have to pull all this
00:37:40
information from so many different resources and check it
00:37:44
and triple check it.
00:37:45
But you know, if you have a solution that's doing that for
00:37:49
you and you can just take it and literally send it off to
00:37:52
someone, that saves me a whole lot of headache.
00:37:56
And I always appreciate it when products, you know, take into
00:38:00
account the end user and what that end user has to go through
00:38:04
on a day-to-day basis, and you know it's like, how do I make
00:38:09
their day easier.
00:38:10
You know, that's always, at least from my perspective that's
00:38:13
always appreciated, it's always noticed and it provides a lot
00:38:18
more value than you know any other solutions out there, in my
00:38:22
opinion.
00:38:23
Speaker 2: Now you bring up a great point.
00:38:24
I mean, if I were to just give three simple examples to your
00:38:30
observation, what we've seen where we've had great resonance is
00:38:35
one, you know, simply in the context of the visualization of
00:38:39
the CSPM and all that if there's ever a conversation between the
00:38:43
security team and the development team, you can use
00:38:46
something like a security graph or attack path to have a
00:38:49
conversation.
00:38:49
Look, this is what a visual thing about where the
00:38:54
misconfigurations which could lead to a hole exist, and it's
00:38:57
an easy conversation between the security operations and the
00:39:00
developers of the DevOps team so that they can fix it.
00:39:03
Second, if you are any good site organization, you're in the
00:39:07
context of a compliance and audit, the auditory activities
00:39:10
simply to establish value to the auditor, to say, okay, here's
00:39:14
the audit trail which tells you that this control is not there.
00:39:16
And now it's there.
00:39:17
And all of that data makes a big difference.
00:39:20
And third, of course, is genuinely on the cyber side.
00:39:23
Now, whether it's detection and response or post facto or
00:39:26
speculative hunt, if you have the depth of telemetry and the
00:39:30
data, not only can you surface a few things which are aligned,
00:39:34
but that's the part where, if things are trending in the wrong
00:39:37
direction because, god forbid, something has really gone wrong
00:39:39
in your organization.
00:39:40
At least you can dwell, reduce the dwell time by knowing and
00:39:44
scoping what was the lead up.
00:39:45
And where we've been fortunate is that the intersection of
00:39:50
these three use cases for a bunch of different asset
00:39:53
categories, which, of course, Gartner likes to characterize as
00:39:57
XDR and CNAPP.
00:39:58
These are words, but both in terms of workloads and endpoints,
00:40:02
we've been able to make a big difference.
00:40:04
It certainly took time, but we are at that point where these
00:40:09
three examples to just to back up what you said we've been very
00:40:14
fortunate to really easily address where the ease of use to
00:40:18
make this happen.
00:40:23
Speaker 1: With it being a cloud solution and natively, I guess.
00:40:30
The cloud providers are very fast moving and they're always
00:40:34
revolutionizing and adding new services and just everything you
00:40:39
can imagine they're adding behind the scenes.
00:40:42
How does the company in your position stay up to speed with
00:40:48
all the different changes that are coming?
00:40:49
I think last year AWS added something like 27 new services.
00:40:55
I couldn't believe it because I feel like maybe I'm legacy
00:40:59
cloud where I'm still stuck within Kubernetes and EC2 and S3
00:41:05
buckets.
00:41:06
How does someone in your position say okay, we're going
00:41:10
to consume these new services, we're going to figure out the
00:41:13
security posture items around them and then we'll be able to
00:41:16
provide insights?
00:41:17
It sounds like that's a whole other company to be quite honest.
00:41:23
It's not just a team, that's a company.
00:41:27
Speaker 2: That's a great question, by the way.
00:41:28
Here is where investment upfront, when it comes to
00:41:34
prudent architectural and technology choices even if that
00:41:38
meant that we had to do extra development to accommodate this
00:41:42
has made a difference for us.
00:41:43
To put that into perspective, here is how we see these things
00:41:48
at a fundamental level.
00:41:49
If you take an operating system, whether it is Linux, Windows
00:41:55
or Mac, you can characterize it in three dimensions.
00:41:59
One is to say what is the configuration of this machine
00:42:03
telling you?
00:42:03
Because that tells you about the inventory compliance things
00:42:07
which are very prescriptive in nature.
00:42:09
Second, every operating system has a conduit to tap into the
00:42:13
behavioral changes the system is going through, as by a proxy of
00:42:17
system calls.
00:42:18
By observing that you can draw conclusion what is the impact of
00:42:22
the behavioral changes after you know what the inventory is?
00:42:25
The third part is every operating system today tells you
00:42:29
about the ins and outs and flows.
00:42:32
If you say things can be broken into these three dimensions of
00:42:35
configuration, behavioral change, detection through your audit
00:42:39
trail and all of that, and syscall activity trail and the flow log
00:42:44
and in and out. Cloud is exactly like that in some sense.
00:42:49
It does not matter whether it is the AWS, GCP or Azure, they
00:42:54
all have configuration information, they all have audit
00:42:57
trail and they all have flow logs.
00:42:58
Even if you take it to the next level of a SaaS service like
00:43:03
GitHub or Okta, their behavior is similar and to your point.
00:43:07
If they start adding more SaaS services as a part of the cloud
00:43:11
offering, that's just more of something which is in a similar
00:43:16
paradigm which can be broken down into the new service coming
00:43:19
in.
00:43:19
Does it have its configured state where I can tell you what
00:43:22
its security posture looks like?
00:43:24
Does it have a behavioral trail where I can tell you those
00:43:28
changes?
00:43:28
Are they going to result in something wrong?
00:43:30
In and out the flow logs related to that?
00:43:34
Does it tell you where things are being accessed which are
00:43:36
inadvertently and whether there is some kind of outlier activity?
00:43:40
The abstraction that we've built around these three and a very
00:43:46
structured approach using ETL-free pipelines took us a bit
00:43:50
of a time to build this IP, as what has been the fundamental
00:43:54
difference in our ability to absorb the rate of change of
00:43:58
Cloud Service providers providing new things.
00:44:00
Clearly it took us a time, but we feel very well equipped to
00:44:04
handle that.
00:44:05
I know it was a bit long-winded but I'm happy to delve in
00:44:08
further, but you touched upon something which is key to our IP
00:44:13
and where we've been able to really take advantage of some of
00:44:18
the design choices that we made as an engineering organization.
00:44:23
Speaker 1: Yeah, absolutely, Ganesh.
00:44:24
I feel like we almost need another episode together to dive
00:44:30
into this more.
00:44:31
But before I let you go, I want to get this one last question
00:44:37
in: when do you see the Uptycs platform going in the next few
00:44:41
years?
00:44:42
As we're thinking of the Cloud and how the Cloud is expanding
00:44:49
and growing, revolutionizing how everyone does IT, where do you
00:44:53
see Uptycs going along with the Cloud providers as well?
00:44:58
Speaker 2: Great question. For us it's to really secure that arc
00:45:03
of productivity.
00:45:05
But, as you can imagine, security practitioners secure
00:45:10
things because they follow either transformation or IT and
00:45:15
engineering choices made, which is to say that a CTO makes a
00:45:19
choice of how to operationalize something in the Cloud.
00:45:22
A CIO might make a choice of something in the Cloud or
00:45:26
services which people pick.
00:45:27
So where we are heading is as the result of this ongoing
00:45:33
digital transformation and more.
00:45:34
If the endpoint is a means to access a service, whether it is
00:45:39
for creativity and production of software, or it is because from
00:45:44
the endpoint people access SaaS services, much like how if they
00:45:47
build something and pushing something to the Cloud.
00:45:49
So that trifecta or quad-fecta I call it, of endpoint, cloud
00:45:57
and containers to second as a part of the thing, and SaaS
00:46:00
services is what we plan to secure the infrastructure that
00:46:04
we've built.
00:46:04
Along the lines of what I said, the ability to ingest
00:46:08
configuration change, trail activity from these services and
00:46:11
the flow logs is going to bode really well for us.
00:46:13
That we feel is in line with the transformation which is
00:46:17
happening.
00:46:18
Our goal is to observe and secure this pipeline from the
00:46:22
laptop to the Cloud and the services which people interact
00:46:25
with from their laptops.
00:46:30
Speaker 1: Yeah, it's a really interesting place.
00:46:32
Me personally, I'm really excited to see how your solution
00:46:37
and other solutions like yours will be growing and changing.
00:46:42
From the podcasting perspective, I get to see it from almost
00:46:48
like an outsider's point of view, while still having that inside
00:46:52
knowledge, almost, so it's a fascinating area that's just
00:46:57
always growing.
00:46:58
So, Ganesh, right before I let you go, can you let my audience
00:47:04
know where they could find you if they wanted to reach out to
00:47:07
you, where they could find Uptycs, if they wanted to learn
00:47:09
more about the platform, about your solution?
00:47:13
Speaker 2: Yes, thank you for this opportunity.
00:47:15
So, to your listeners, we are on the worldwide web as everyone
00:47:21
else's.
00:47:21
Uptycs.com is where you'll be able to find a lot of
00:47:25
information about us.
00:47:26
Feel free to reach out to us on Twitter.
00:47:29
Our handle is at Uptycs, same as the case on LinkedIn. If you
00:47:33
search, you'll be able to find us, but we have a tremendous
00:47:38
resource library on our website, which is, I don't want to say,
00:47:42
independent of what we do, but it's a very rich learning thing
00:47:46
and hopefully, while you're there, you might be interested
00:47:48
in what we have to offer as a product company too, which is to
00:47:52
secure things from the laptop to the cloud, and we call it as
00:47:55
a unified XDR and CNAPP platform.
00:47:59
Our approach is what we characterize as shifting up.
00:48:02
I'll pause here, and I appreciate the opportunity for
00:48:05
me to outline this.
00:48:06
Thank you, Joe.
00:48:08
Speaker 1: Yeah, absolutely, and I really appreciate you coming
00:48:12
on and I hope everyone listening enjoyed this episode.
00:48:16
Speaker 2: Thank you for the opportunity.
00:48:17
I really enjoyed the conversation.