Ready to uncover the mysteries of cybersecurity and IT? Today, we are joined by Martin Roesch, CEO of Netography, a self-taught cybersecurity expert who delved into this recession-proof industry. He shares his trials and triumphs, his unique approach to learning, and his insights into the balance between product usability and the industry's penchant for buying solutions rather than building them from scratch. We also chat about the deployment challenges of Web Application Firewalls (WAFs) and how Martin has navigated these waters.
As we traverse the development of intrusion detection systems, we spotlight the rise of Snort - the late 90s darling of open-source intrusion detection. Martin unpacks the intricacies of product sophistication versus user-friendliness and why it's paramount to create products that cater to users across the spectrum. From novices to experts, a user-friendly product can be a game-changer, especially in the cybersecurity realm.
Our discussion widens to network scattering and the security implications of multi-cloud environments. We consider how Netography's cloud-native platform works across multiple clouds and on-premises landscapes. The conversation takes a turn towards addressing the gaps in network infrastructure and how looking at an entire enterprise network as a single entity can be beneficial. We also dive into how Netography stitches data sources together and how it deals with alert fatigue. Lastly, we discuss the future of cybersecurity - the promise of cloud-based solutions, real-time monitoring, and how compromise detection approaches can potentially level the playing field for businesses of all sizes. Join us on this fascinating journey through the world of cybersecurity.
LinkedIn: https://www.linkedin.com/in/maroesch/
Website: https://netography.com/demo/
Follow the Podcast on Social Media!
Instagram: https://www.instagram.com/secunfpodcast/
Twitter: https://twitter.com/SecUnfPodcast
Patreon: https://www.patreon.com/SecurityUnfilteredPodcast
YouTube: https://www.youtube.com/@securityunfilteredpodcast
TikTok: Not today China! Not today
Speaker 1: How's it going, Martin?
00:00:00
It's really good to finally have you on the podcast here.
00:00:04
I feel like we've been trying to schedule this thing for quite
00:00:08
a long time, but having a new baby at home can really change
00:00:13
things for you in ways that are significant, that you don't
00:00:17
expect.
00:00:19
Speaker 2: Yeah, that's for sure.
00:00:20
I've had a few and they definitely throw curve balls, for sure.
00:00:24
But it's good to be here. Thanks for having me on and being
00:00:27
patient with getting things scheduled.
00:00:29
Speaker 1: Yeah, absolutely.
00:00:30
Well, I appreciate your patience as well.
00:00:32
So talk to me a bit about how you got started going into
00:00:40
cybersecurity or just IT overall.
00:00:42
Right, what made you think that this area was a good idea, that
00:00:48
this was something that you wanted to do?
00:00:50
Did you see the opportunity, or was it like a comfortable
00:00:56
transition, potentially?
00:01:00
Speaker 2: Well, that's a big story, let's see.
00:01:02
So to get into my background getting into IT we have to go
00:01:07
all the way back to the 90s.
00:01:08
So I got my computer engineering degree from Clarkson
00:01:13
University back in '92.
00:01:16
And I kind of went out and started working as a software
00:01:23
engineer for a while and eventually I ended up moving to
00:01:27
Maryland and getting a job with a defense contractor working on
00:01:32
information security, is what we called it at the time.
00:01:34
Cybersecurity is what we call it now.
00:01:37
But back in the mid 90s this is like 96 or so if you wanted to
00:01:42
learn cybersecurity you had to teach yourself.
00:01:44
There were no college courses, there was no secondary learning
00:01:48
or very little out there to go pick it up.
00:01:51
So a lot of what you did was there were a few books out.
00:01:56
Certainly a lot of them talked about cryptography and things
00:02:00
like that as a means to securing data, but if you want to learn
00:02:04
about hacking and exploits and security tools, you basically
00:02:10
had to read source code.
00:02:11
In some cases there were text files out there and there was
00:02:16
Phrack and stuff like that, not the industry, the hacker zines
00:02:22
and basically the way that I taught myself was working in my
00:02:27
day job and also writing my own tools, since I am a software guy.
00:02:33
I started writing little scanners and firewalls and
00:02:38
sniffers and things like that and eventually I decided it'd be a
00:02:43
fun project to write my own cross-platform
00:02:48
sniffer.
00:02:48
That came to be called Snort and it turned into a lot more
00:02:51
than that.
00:02:51
But the whole career path of getting into and deciding that
00:02:55
cybersecurity was the field that I wanted to go into was really
00:03:00
back in the early days.
00:03:01
So I was working as a government contractor here
00:03:07
in central Maryland and that usually means one of the very
00:03:09
few places that you're working for and one day the customer
00:03:13
came in and it was a team from the shop that we were doing our
00:03:17
contracting with to check over our work and do some stuff.
00:03:21
And these guys rolled in and this was 1996.
00:03:24
And these guys were like the kings of the internet.
00:03:26
They knew the protocols, they knew how everything worked, they
00:03:28
knew how it all plugged together, they knew secure from not secure
00:03:31
, things like that.
00:03:33
And I was just super impressed with them and I was like that's
00:03:36
what I want to focus on, that's what I want to do.
00:03:38
And the thing in the back of my mind was that when I came out
00:03:42
of college in the early 90s, there was a recession on. The
00:03:46
Cold War ended, so there was this peace dividend and all of these
00:03:51
people got flushed out of the defense industry.
00:03:53
So there are lots of very experienced engineers out there
00:03:57
that you're competing for jobs with and things like that.
00:03:59
So it was a rough time back then and I also wasn't the world's
00:04:03
greatest student, so that certainly didn't help and I saw
00:04:08
cybersecurity as just,
00:04:09
It was this, it was something that people are always going to
00:04:13
need.
00:04:13
And the kind of the flippant way that I talk about it now is
00:04:16
that cybersecurity is like plumbing. Everybody always needs
00:04:20
it, it's never going away and the pipes are always leaking.
00:04:23
So it's a great field to go into, because I figured it was
00:04:27
pretty recession proof, which turned out to be the case in
00:04:30
2001 and 2008.
00:04:31
And even more recently, the cybersecurity industry has been
00:04:35
on the rise for really 25 plus years that I've been involved
00:04:40
with it.
00:04:40
But, yeah, it's a great field.
00:04:42
It's really interesting.
00:04:43
It's always on the move, there's always new stuff.
00:04:45
It's not a solvable problem, but there are really fascinating
00:04:51
approaches to problem solving that you can apply to it.
00:04:55
There's constant curve balls.
00:04:56
So, yeah, it's a fascinating field.
00:05:01
Speaker 1: Yeah, that's definitely for sure, and you
00:05:05
have a lot there that I want to dive into.
00:05:08
Recently you talk about there's always like curve balls and
00:05:16
learning curves with cybersecurity and everything.
00:05:19
Recently I had to go through a cloud WAF POC and I didn't
00:05:25
realize deploying a WAF in a week is extraordinarily
00:05:31
difficult, just to get it in front of the app that you want
00:05:35
to test.
00:05:35
And that's a learning curve, right.
00:05:40
You're not going to know that unless you do it or you have
00:05:43
someone on the team that's done it before.
00:05:45
It's like oh no, you need this amount of time.
00:05:47
It's a, I mean, it's a whole other beast, right, like you
00:05:53
could spend your entire career doing only WAFs.
00:05:57
You could spend your whole career doing only network
00:06:00
detection and threat detection, whatever it might be right.
00:06:03
That's what drew me to it as well.
00:06:06
You know the never ending flow of information that you could
00:06:10
dive into.
00:06:12
When you were working for the Defense Department or agency,
00:06:18
whatever, were you in a situation where they were
00:06:26
requiring you to create your own solutions for problems?
00:06:32
The reason why I say that right is because the industry is kind
00:06:37
of built around go buy another solution, right.
00:06:41
Go buy some other solution to fix this problem.
00:06:43
And recently in my career, I met someone that had literally
00:06:49
just gotten out of the Navy's like cyber warfare division and
00:06:55
he was talking about like we were, we were literally
00:07:00
discussing buying a CSPM and which CSPM works and everything
00:07:05
like that, and his idea was to just build it himself.
00:07:11
And I'm over here, you know that just like blew me away, like
00:07:16
what are you talking about?
00:07:17
Man, we're like I'm not building that thing, you know,
00:07:21
and like you shouldn't be building that thing.
00:07:23
Like why, why are we doing this?
00:07:25
You know, and you know, diving into his experience a little bit,
00:07:29
he's like well, you know, they give you no budget and they
00:07:32
give you a stack of papers that has problems in it and they say
00:07:35
figure it out.
00:07:35
You know, like there's nothing else to give you a terminal and
00:07:39
like that's it.
00:07:40
You know, was that a similar experience for you?
00:07:44
Or was there?
00:07:45
Was there a bit more hands-on
00:07:48
trying to do the solution route?
00:07:51
Maybe, maybe that didn't work right.
00:07:53
That's my thought process with it.
00:07:57
Speaker 2: Yeah, they typically came in with their own.
00:08:00
So it was a mix of using commercial stuff and their own
00:08:05
tools.
00:08:05
Back in those days I was pretty young, I was in my 20s, and I
00:08:10
was very frequently just working on problems that I was given,
00:08:15
and sometimes we were writing software, sometimes we were
00:08:18
setting up and configuring systems, sometimes we were getting
00:08:22
commercial stuff running or sometimes we were using open
00:08:25
source technology as well, even back then.
00:08:27
And yeah, it really kind of depended on what problem we were
00:08:31
trying to solve, how fast we were trying to solve it and
00:08:34
things like that.
00:08:34
So I did do creative work, building technology for
00:08:40
customers.
00:08:40
That was kind of suspect but it was like here's the solution.
00:08:45
We want to go build it.
00:08:46
So I did stuff like that.
00:08:48
But I also did stuff like you know, here's the, here's the
00:08:51
component tree that we've developed and we need to add
00:08:54
this to it or tie these things together or whatever.
00:08:56
So yeah, it was a bit of a bit of everything.
00:08:58
But yeah, well, you know, the funny thing about
00:09:02
it is that, especially in the early days, you know you don't
00:09:07
know any better than to do something like go write your own
00:09:09
CSPM or go write your own intrusion detection system
00:09:12
because you know you're kind of.
00:09:15
You haven't been exposed to the budgets of the vendor ecosystem
00:09:20
, the budget required of the vendor ecosystem to get things
00:09:22
going.
00:09:22
You've been just making things go on your own by tying things
00:09:28
together and building glue or building original technology.
00:09:32
I think that's the, especially when we're young, we just don't
00:09:38
know any better.
00:09:39
The hard part of a CSPM is not building the actual engine that
00:09:43
does CSPM.
00:09:44
It's all the content that's required to drive it, all the checks and
00:09:48
what they mean, and all configuration guidance and the
00:09:50
CVE mapping and the MITRE ATT&CK mapping and all the other stuff
00:09:53
that you've got to do to make it an actual useful tool, which
00:09:56
is a lot less about building the tool, a lot more about building
00:09:59
all the knowledge infrastructure around it that
00:10:01
makes it go.
00:10:01
Same thing with intrusion detection systems.
00:10:03
I mean I was just developing Snort as kind of a fun thing to
00:10:05
do on rainy days, weekends, and then all these people showed up
00:10:09
and all of a sudden this thing snowballed overnight into this
00:10:12
huge thing.
00:10:13
But if I had known what I was getting myself into, I would
00:10:16
have been like, this is not...
00:10:18
How could I possibly do something like that?
00:10:19
So I mean, there's always kind of that there might be a better
00:10:23
way to do it than it's being done by the Wizes and Orcas of
00:10:26
the world.
00:10:26
So I wouldn't discourage anybody from trying.
00:10:29
But maybe it's better that you don't know what you're getting
00:10:31
yourself into, because you'd never try it otherwise, and that's where
00:10:34
everything comes from.
00:10:36
Speaker 1: Right. When you were creating Snort,
00:10:39
What was the problem that you were trying to resolve with
00:10:46
creating that, and was it simpler or more difficult than
00:10:53
what you expected starting out?
00:10:57
Speaker 2: So I was trying to solve for a few problems.
00:10:59
One, I was teaching myself coding.
00:11:02
I wrote, and still write a little bit when I write at all,
00:11:08
in C for the most part, and C is a deep language; it's very
00:11:13
tricky to do right.
00:11:15
So I was teaching myself to be a better C programmer.
00:11:18
I was also teaching myself how to write cross-platform sniffers.
00:11:21
So I'd written Linux-specific sniffers and SunOS-specific
00:11:26
sniffers or Solaris-specific sniffers in the past.
00:11:30
But I wanted to write something that was cross-platform.
00:11:32
So I was also teaching myself how to use libpcap and things
00:11:35
like that.
00:11:35
So there was all that.
00:11:36
But the goal that I was going for was wouldn't it be fun if I
00:11:39
could monitor my home network while I'm at work for the day
00:11:42
and see if anybody's knocking on the door?
00:11:43
So I would leave it running and at that point Snort was a
00:11:48
sniffer with a packet logger and I would come home and have the
00:11:52
Snort directory structure of here's all the IP addresses that
00:11:55
talk to you, here's all the port numbers.
00:11:57
You could look at the packet dumps and see,
00:11:59
You know, just visually see port scanners and people trying
00:12:02
to brute force passwords and stuff like that.
00:12:05
That was pretty entertaining.
00:12:07
But after I released it to open source about a month after I
00:12:11
started writing it and the 25th anniversary of the first release
00:12:15
of Snort is this December. It very quickly, like I said, it
00:12:20
snowballed.
00:12:20
People started asking for features and stuff like that.
00:12:23
So it wasn't super hard to write the fundamentals of it.
00:12:30
It didn't really get hard until I started Sourcefire and then
00:12:34
it needed to have enterprise features, it needed to have
00:12:37
anti-evasion technology and stuff like that, and all of a sudden I
00:12:39
really had to start, you know, taking it from being this very
00:12:42
kind of simplistic packet processing pipeline with simple
00:12:45
pattern matching to being a much more sophisticated animal.
00:12:48
And that took a lot of doing, but I was very motivated because
00:12:53
I was trying to make money at that point.
00:12:57
Speaker 1: Yeah, that is.
00:12:58
I mean, that's really interesting, you know, like
00:13:02
creating an open source project that you know everyone knows.
00:13:06
You know everyone knows what Snort is, what to use it for,
00:13:11
right, that sort of thing in cybersecurity at least, and it's
00:13:18
really interesting.
00:13:19
You know, how did people find your solution or Snort?
00:13:25
How did they find Snort back then?
00:13:27
Right, like it probably wasn't easy.
00:13:30
What did you find?
00:13:33
Like potentially a forum that all the hackers trafficked, you
00:13:38
know frequently.
00:13:40
You know and post about it on there, like how did people find
00:13:44
it?
00:13:45
Speaker 2: Yeah, so back then there were actually very few
00:13:50
tool sites out there where kind of everybody hung out.
00:13:53
So you know, if you want to talk about it in kind of modern
00:13:56
language, we would call it a watering hole attack, right.
00:13:58
So you find out.
00:13:58
You know, the site that Snort debuted on was Packet Storm.
00:14:02
So Packet Storm was run by a guy named Ken Williams.
00:14:05
I think it's still out there but it's under,
00:14:08
You know, it's changed hands several times since then because
00:14:10
it has been 25 years, and so that was like the premier tool
00:14:16
site.
00:14:16
It wasn't just defensive tools, it was also exploits and things
00:14:19
like that.
00:14:20
So like when an exploit came out, very frequently you'd be
00:14:22
able to find it on Packstorm.
00:14:25
So I decided and there were a few others, like Technotronic
00:14:29
that was run by Kirby Kuehl, and there were a few other tool
00:14:33
sites like that.
00:14:34
But anyway, I contacted Ken Williams and I said, hey, I've got
00:14:36
this new sniffer I wrote, called Snort.
00:14:38
Would you post it?
00:14:38
You know, would you put it up on the site?
00:14:40
Sure thing, send it in.
00:14:42
And you know, got a couple of emails and then I did another
00:14:44
release and I got a couple more, and that's kind of how it went.
00:14:47
But Snort was kind of fascinating because it was very
00:14:50
much a tool for its time at the time because the only other
00:14:54
intrusion detection technology out there were commercial ones,
00:14:57
from like WheelGroup and ISS and things like that.
00:15:00
They cost a lot of money.
00:15:01
So if you wanted to do the intrusion detection function,
00:15:05
there were really no other answers at that time.
00:15:09
There were some other contemporary open source
00:15:12
intrusion detection systems, but Snort kind of captured the easy
00:15:17
enough for anybody to use, you know, but deep enough for people
00:15:22
to get sophisticated with, especially as time marched on
00:15:25
and it grew in sophistication.
00:15:27
So yeah, it was, like, product-market fit is
00:15:33
what we would say now.
00:15:33
Its product-market fit was exceptional for its time and, you
00:15:37
know, that product-led growth kind of motion is what
00:15:40
we would call it now.
00:15:41
That was really incredible.
00:15:43
But yeah, you know, there were surprisingly few sites in the
00:15:49
late 90s where kind of everybody hung out, all the tools were
00:15:53
and stuff like that and that's how it got started.
00:15:55
There was no greater marketing than just putting it up on
00:15:58
PacketStorm and Technotronic and a few other sites and it just
00:16:02
took off. Wow.
00:16:05
Speaker 1: Yeah, you bring up a really good point.
00:16:08
You know, the product is a balance between anyone being
00:16:14
able to use it and then diving as deep as they want to go, right.
00:16:18
That's, I guess, a problem that some products that
00:16:24
I've seen have had recently.
00:16:26
Right, where either it's not deep enough or it's not
00:16:30
simple enough for anyone to pick it up.
00:16:32
It's a really fine balance between that, you know, and it
00:16:38
always seems like the people that have been doing it for 20,
00:16:41
25 years are the ones that you know understand that.
00:16:45
So, like, even if they step into a product right that is
00:16:49
struggling in that area, they can navigate it and kind of
00:16:52
untangle it, I guess.
00:16:55
Speaker 2: Yeah, I think it's funny.
00:16:57
So my career in computers started when I was 17, working
00:17:01
at a retail computer store.
00:17:02
I was a service technician and this is in the late 80s and the
00:17:11
interesting thing is there's this big movement in the
00:17:13
computer industry back then for PCs to deliver a great out of
00:17:19
box experience.
00:17:19
So this was like early, early attempts at low friction
00:17:23
deployments, low friction selling stuff like that.
00:17:26
So when you got your consumer PC you'd open up the box, all
00:17:29
the cables would be labeled and stuff like that, so it was
00:17:31
simple, and the color code of the connectors, so it'd be
00:17:33
simple to plug this thing in and get it going.
00:17:35
Because a lot of people had trouble with that and, you know, I
00:17:39
think that's always kind of in the back of my
00:17:42
mind.
00:17:42
You know, Netography, my current company.
00:17:45
The thing is, you know it's easy to get started with but it's
00:17:48
also very deep.
00:17:49
Snort was kind of the same way very simple rule language that
00:17:54
was in there and you could do a lot with the rules and you get
00:17:57
more sophisticated, especially as we added stuff like regular
00:18:00
expressions and things like that.
00:18:01
But it also was an extensible engine.
00:18:03
So if you could write C it had all sorts of API interfaces in
00:18:07
it where you could extend the program.
00:18:08
You could add in your own detection logic, you could add
00:18:10
in your own output mechanisms to talk to databases or you know
00:18:14
whatever you wanted to and things like that.
00:18:16
So there were many levels to the system, but the most cursory
00:18:20
level you can still be productive with almost
00:18:22
immediately, and that was the whole goal: from out of the box
00:18:25
and up and running in 15 minutes is what the mantra was
00:18:28
at Sourcefire.
00:18:29
But even with Snort I wanted to be able to go from tarball to
00:18:33
running Snort instance in five minutes.
00:18:35
And that was kind of the you know always my, my guiding thing
00:18:39
in the back of my mind when I was developing the packages and
00:18:42
things like that.
00:18:45
Speaker 1: Yeah, I feel like that is.
00:18:47
That's a stat or a thought process that is still rare to
00:18:55
come across, right Of being able to download it and run it and
00:18:59
be up and running within five minutes.
00:19:01
You know that's that is not something that is seen very
00:19:06
often, right, as someone that has led various POCs across
00:19:10
different domains of security, like this recent
00:19:15
POC that I did with the cloud WAF, there was one solution that,
00:19:20
within you know, two hours, right, we were up and running.
00:19:23
It was still two hours, but it wasn't the 10 days that I needed
00:19:29
for the other solutions.
00:19:31
You know, and that's absolutely something that matters,
00:19:34
especially when you know you talk about, like a disaster
00:19:40
recovery scenario and someone else that doesn't know the tool,
00:19:44
someone that didn't buy it or take part in the POC, even has
00:19:48
to run it.
00:19:48
You know they have to know how to do it and they have to be
00:19:52
able to figure it out.
00:19:54
I feel like, personally, all of that has to be taken into
00:19:57
account when you're purchasing the right technology.
00:20:00
You know it's an interesting problem.
00:20:03
So, you know, I'm really fascinated by your current
00:20:11
company and I want to dive into it.
00:20:14
So tell me a bit more about what you're doing now.
00:20:18
What's the company called all that stuff?
00:20:21
Speaker 2: Sure, so the company is called Netography.
00:20:23
We're a network defense platform.
00:20:25
So this is something new under the Sun.
00:20:27
It's not NDR, it's not SIEM, it's not XDR, it's its own
00:20:32
thing.
00:20:33
And the fundamental problem that we're trying to solve is that,
00:20:39
especially since the end of the pandemic, networks have
00:20:41
scattered.
00:20:41
So everybody went home, you know, March of 2020, and they
00:20:45
were told, hey, just get your job done, we'll be back in two
00:20:47
weeks.
00:20:47
And, you know, that turned into six weeks.
00:20:48
And that turned into six months and people just got their jobs
00:20:51
done.
00:20:51
They scattered their enterprise networks to the four winds,
00:20:54
basically.
00:20:54
So, also, we have this huge cadre of work from home people.
00:20:57
We've got all this cloud infrastructure that was just
00:21:00
kind of thrown up, as you know, as needed by whoever needed it,
00:21:03
wherever they needed it, for whatever they needed it for.
00:21:06
And now we're kind of trying to get our hands around it as a,
00:21:10
as an IT industry, and it's really difficult to just answer
00:21:14
fundamental questions of what have I got?
00:21:16
What is it doing, what's happening to it, how's it
00:21:18
changing, being able to do so systemically across this
00:21:23
multi-cloud plus on-prem world that most enterprises are in
00:21:28
today?
00:21:28
And you know, the funny thing is I kind of saw this problem
00:21:31
coming a long, long time ago, and it's also compounded by
00:21:37
encryption and now zero trust, which is basically based on this
00:21:41
foundation of let's encrypt everything and then we'll give
00:21:44
permissive access to whatever you need, based on your
00:21:46
credentials and stuff like that.
00:21:48
Well, all that stuff works great until it doesn't.
00:21:50
And, you know, we've merely been blinding all the ways that
00:21:55
we used to keep tabs on things for the last, call it, five to
00:22:00
eight years.
00:22:01
So what Netography is doing is we have a cloud platform.
00:22:06
So it is a cloud-native platform that can take data in
00:22:12
from your infrastructure and tell you what's going on, what
00:22:15
you've got, what it's doing, what's happening to it.
00:22:17
But we're doing it in a way where you don't have to deploy a
00:22:21
bunch of technology to make it work.
00:22:22
We don't have appliances, we don't have agents, and we work
00:22:26
the same across any cloud environment that you've got.
00:22:29
Well, the five big ones anyway, so IBM or Oracle, in case
00:22:32
you're wondering what the other two are, plus GCP, AWS and Azure,
00:22:35
and on-prem all under one roof.
00:22:38
So we have one UI, we have one language that describes good and
00:22:41
bad and what we're looking for and things like that.
00:22:44
So it enables us to do compromise detection, threat
00:22:47
hunting.
00:22:47
We do governance with it because the way this thing is
00:22:50
built, we can see the configuration drift happening in
00:22:52
real time because we see when things are not behaving as they
00:22:56
should.
00:22:56
I can just do straight-up discovery and mapping with it,
00:22:59
and it's also surprisingly good at picking up DDoS attacks and
00:23:02
things like that.
00:23:03
So it's a really different approach from what's come before.
00:23:07
You know, obviously Snort is a deep packet inspection system,
00:23:10
and I started becoming concerned with kind of the future of DPI
00:23:12
back in probably 2008, 2009, when all of a sudden
00:23:16
encryption started to turn into more and more of a thing.
00:23:18
And here we are, you know, 15 years later, and now, like
00:23:22
network encryption is blinding DPI very systemically.
00:23:25
It's hard to get a DPI Sensor where you need it, especially in
00:23:30
the cloud, because the cloud's not friendly to doing deep
00:23:32
packet inspection.
00:23:33
Nobody likes appliances anymore.
00:23:34
It's a terrible model, has huge lifecycle management and curation
00:23:38
costs associated with it, not to mention what it's telling you
00:23:42
is hey, I saw a bunch of things which could be attacks.
00:23:44
Please figure out which ones are attacks.
00:23:46
So what we've done at Netography is really change the
00:23:50
game and the equation to give you something that's super low
00:23:53
friction, right.
00:23:53
So this is all the way back to,
00:23:55
you know, the early days of Snort.
00:23:56
My experience as a technician in the early PC industry of you
00:24:01
know, from out of box to up and running as quickly as
00:24:04
possible.
00:24:04
You know, time to install matters, being frictionless
00:24:08
matters, and letting you see things instantly about your
00:24:12
environment. Like, you don't even have to configure our stuff.
00:24:14
Well, as soon as you plug in the data sources, it will start
00:24:18
telling you stuff about your network that is very hard to
00:24:20
see otherwise, without you even having to configure it.
00:24:23
And then, once you start configuring it, it just gets
00:24:25
richer and richer of what it can tell you.
00:24:27
It's got a language in it so you can extend it.
00:24:29
So you know the easy stuff is easy.
00:24:30
The hard stuff is possible.
00:24:32
It's all API driven so you can plug it into your infrastructure
00:24:36
and extend it and things like that.
00:24:37
So this is a new way of doing network security that is built
00:24:41
on really leveraging your existing infrastructure.
00:24:45
So we take flow data out of your on-prem infrastructure and flow
00:24:49
logs out of your cloud infrastructure as a real-time
00:24:52
data source for the activities that are occurring in the
00:24:55
environment.
00:24:55
But we also pull context out of your environments as well.
00:24:58
So we can pull context out of your EDR like CrowdStrike.
00:25:01
We can pull context out of your VPCs in the cloud, we can get it
00:25:04
from Axonius or Wiz or, you know, we're working on extending and
00:25:08
integrating all across the board so you can look at your network
00:25:12
traffic and activities that are occurring not just in terms of
00:25:15
show me all my database servers, show me all my executives and
00:25:18
what they're connecting to, but you can also do things like, say,
00:25:20
show me all of my traffic that is occurring to devices with
00:25:26
CVSS scores above 7.5 that are responding to the public
00:25:30
internet.
00:25:31
So, like, it's really a super powerful way of understanding
00:25:37
your network environment and being able to look for, you know,
00:25:39
attacks and compromises, as well as, you know, just provide
00:25:43
you with kind of fundamental governance capabilities, which,
00:25:46
once again, are hard to do with scan, report tools like
00:25:50
vulnerability management or even CSPM tools.
00:25:56
Speaker 1: Hmm, wow, there is a significant amount there, right, and I feel like,
00:26:04
okay, so I have two, two major questions.
00:26:09
How do you build a product that is working great
00:26:14
for the cloud as well as on-prem, right?
00:26:16
Like,
00:26:16
I feel like that is designing for two completely separate
00:26:21
things and that's a,
00:26:23
that's a gap that's hard to bridge, you know.
00:26:26
So how did you accomplish doing that?
00:26:30
Speaker 2: Well, I'm just the CEO so I didn't have to.
00:26:31
But the guys who did do it, they saw the same
00:26:36
problems that I did.
00:26:36
You know, if you have a bifurcated security
00:26:39
platform where I treat on-prem differently than I treat the
00:26:42
cloud, I mean, the cloud.
00:26:43
You know.
00:26:44
The joke is the cloud is somebody else's computer but
00:26:46
really the cloud is somebody else's Linux computer and you
00:26:49
don't really own the network.
00:26:50
But there is a network and you need to understand how it's
00:26:52
being utilized and you can really see what's going on by
00:26:56
observing it properly.
00:26:57
And then you've got the on-prem world.
00:26:58
If I have two different technology stacks for looking at
00:27:01
both of those things differently, you know you're
00:27:03
gonna have gaps between them gaps and capabilities gaps,
00:27:05
invisibility Gaps and understanding Probably have
00:27:09
different teams running the tools.
00:27:11
Like you've got just this ever-expanding pile problems
00:27:15
because you're treating them as different things.
00:27:17
Your enterprise network is a composite of all of its
00:27:20
components and you need to treat it that way and that's what
00:27:23
this Platform is really designed to do treat your network as a
00:27:26
composite of all its parts instead of this part is
00:27:29
different than that part.
00:27:29
Well, if you're gonna do that, you have to understand okay,
00:27:33
what are the?
00:27:33
What are the fundamental Data types that I can pull out of
00:27:37
here that will show me the information that I need so that
00:27:39
I can treat these as Different aspects of the same thing?
00:27:42
Well, it's, it's flow data.
00:27:43
It's other.
00:27:46
There's other data types out there, like you know DNS or HTTP
00:27:48
logs, potentially, or you know whatever that aren't in the
00:27:52
product right now, but you know, obviously we're aware of, as
00:27:55
well as the context that you need to have.
00:27:57
You've got all these platforms out there that know all sorts of
00:28:00
things about kind of their area , where it's CSPM knows about
00:28:02
the configuration, vulnerability , state of cloud workloads.
00:28:07
Or, you know, a vulnerability management system does the same
00:28:08
thing about what's happening on prem, or like an axionist, which
00:28:13
is or axonious Sorry, it's more of a CMDB sort of platform, or
00:28:20
an EDR, like a crowdstrike, which you know has very granular
00:28:23
data about the systems that it's installed on, but isn't
00:28:25
installed on everything in every other.
00:28:26
So, like being able to weave that picture together and then
00:28:32
show the activities that are occurring on it is extremely
00:28:35
powerful and, like you know, it takes a little bit of
00:28:38
imagination.
00:28:38
But you know this.
00:28:41
This problem has been steering us in the face as an industry
00:28:43
for at least a decade and Natography is the first company
00:28:46
that's come along.
00:28:46
It's really Sympathizing this, this picture based on all these
00:28:52
data sources and then giving you one way to analyze it and
00:28:55
instrument it and treat it as your enterprise network, not as
00:29:01
that's cloud a, that's cloud b and this is my legacy on-prem
00:29:04
stuff.
00:29:09
Speaker 1: I would assume a solution like this does a really good job of detecting kind of rogue cloud accounts, right? If, if you have a developer that you know determines, right, that they want to use their company card to start an account with GCP or something like that, when you're predominantly in AWS, that would probably be something that would be pretty easy for you to detect, right? Yep, absolutely. Yeah, I have a pain point with that because, you know, I started at a company a couple years ago and they told me, oh yeah, 100% AWS, there's nothing anywhere else. We have O365, but that's it. Okay, you know. And then I slowly started to find out, through the grapevine of people you know mistakenly saying it, that we're in Azure. And then, oh, randomly, oh, we're also in GCP, we're using this other thing in GCP. It's like guys, this is a problem, like security didn't know this.
00:30:13
Speaker 2: Well, and it's not just that this is like and you're never going to see it. Like unless somebody tells you about it, like the old way that we would do things with DPI systems is probably not going to find it either, because deep packet inspection systems are primarily focused on what? They're focused on finding threats that are active in the network environment and they're looking north-south almost exclusively and they're only looking for attacks. So they're not even going to characterize the kind of the connecto-sphere, I guess I'll just coin a word right now, the connected biome of your actual enterprise network, because they have no ability to observe it. It's outside the scope of their application, whereas an approach like what we're doing in Netography will show you north-south, east-west, doesn't really matter. We can instrument any part of your network. And oh, by the way, the other cool thing about it is that as soon as you become aware that, oh, we got stuff in GCP, you can shake information about what deployment you've got in GCP out of the people who are doing it and you can deploy, because we are cloud-based. You can deploy now, like right now.
00:31:18
Speaker 1: You don't have to deploy appliances.
00:31:19
Speaker 2: You don't have to get a workload up and running or anything like that. You guys turn on flow over there and give me your VPC context, we'll import it into Netography and we'll see what's going on. Boom, and then you've got all of a sudden visibility into it and you can start seeing what's actually there and you can start instrumenting how you actually want to protect it and govern it.
00:31:39
Speaker 1: Yeah, I feel like that's a huge pain point, especially with the pandemic and everyone working from home. There's no longer that oversight that used to be present, and so then you can have a situation where employees are starting to spin up and use other technologies and other platforms to accomplish their job that the company didn't even know about, or whatnot. One of the areas that I would imagine would be a difficult area to master, especially with a product like this, is alert fatigue and avoiding it and making sure that you're providing the end user only what they need to make the proper decision in an environment and showing them what they should be paying attention to. How do you address that within your system and within your solution, because I would imagine having all of this data and doing all of the logic and the matrices behind it, I would assume that that is a difficult challenge to go through.
00:32:54
Speaker 2: Yes, OK, so now you're going to get some orthodoxy here. So let's talk about threat detection and compromise detection, because this is the difference by degree. So I obviously am one of the people who's primarily responsible for the threat detection game, as it's been done for the last 25 years, like I established a fairly iconic piece of software that is one of the foundational elements of event generation for detecting security incidents in an environment. Here's the problem with the approach, and this is my analysis of how we're doing with this approach after 25 years of doing it. The problem is that Snort can detect hundreds of thousands of things now and there's tons and tons and tons of rules for it, and the issue is that if you don't configure your rule set appropriately, you're going to get a lot of noise. Even if you do configure a rule set properly, you're still going to get a lot of noise, the vast majority of things that it detects, because we don't have the granularity to do a host by host configuration of what Snort should detect on a device by device basis. We're just going to look generally for the things we think could be problems. We're going to get an event load out of that and then we're going to sift through that event load. We're going to contextualize each and every event that's in there for the stuff that I care about. And then, of the stuff that I care about, I'm going to try to figure out what, well, what most of those events that I actually care about were actually compromises. Am I going to look for anything beyond compromises? In most enterprises you're not. You're just going to say I've turned 10 events into 10 events of interest. I'm going to look at those 10 events of interest. Oh, none of them actually affected anything. Today, guess, I don't care. And tomorrow, none. The day after that, none, the day after that. Oh, there's one. Oh, I did get compromised. Let's kick off our IR playbook and we are going to image that machine, reformat it and get it back in service, and we're going to take that image and run it through our forensics and our IR process and figure out what's going on. And that's what people do. So what's the flaw with that? Well, I did all of this stuff. I curated all these rules, I got these Snort sensors up and running, I got them tuned and configured and performance working at the rate that I want them to, and I swapped out. Every three to five years I swapped out the hardware platform that they're on because I have to, because either the vendor that I got it from is forcing me to because it's end of life, or I need a fast machine because I'm pumping more bandwidth now, or whatever. So I did all that stuff so I could deal with tens of thousands of false positives, no matter the source. At Sourcefire we invented whole new technologies to get rid of false positives. We're good at it. We get rid of, give you 95% data reduction, not without too much effort, but you're still dealing with 5% of 10 or 100, trying to figure out which one of these are the ones that I care about. And, at the end of the day, the outcome that you're actually going for is I would like to know when I've actually been compromised so I can kick off my IR playbook and get back to business. So we do that. We have been doing that for 25 years, or what if I just said hey, actually nobody cares about threat detection, everybody cares about compromise detection. That's the outcome that you actually want. Well, what we built in Netography is actually more of a compromise detector than a threat detector, because what we've come to understand now that we have a lot more great here and we're no longer. Time is actually a factor now. Is that? What if I only tell you about the stuff that was compromised? By being able to essentially suss that out by looking at the activities and behaviors of the devices and the environment, establishing, because I'm a metadata-driven platform that knows a lot of context about the environment, I can establish where are my trust boundaries, what are my functional, behavioral, operational envelopes that I operate within, and then I can essentially observe the entire network and all of it, not just north-south traffic but east-west traffic, the stuff in the cloud, everything, and look for stuff essentially going off the rails and tell you with a very high degree of accuracy hey, this thing has been compromised. That's probably the bet that we're making. This is the thesis in Netography is that's probably what people actually want. The outcome that people want is compromise detection so they can kick off their IR playbook. I've been reading blog post after blog post. Kevin Mandia just talked about it. Essentially it's all the subtext of all these things. Coinbase just did a three-parter on how they're making detection response scale. All of it was we take this raw event load, we contextualize it and marry up context with it. When we figure out what the actual compromise is, we have the contextual information associated with the event. That was the compromise. We can respond more quickly so we can kick off our IR playbook. You see it over and over again, that's the outcome that people actually want from all this analytics, this massive analytics infrastructure that we've deployed for really 30 years. Finally, people are getting to the point where it's like, hey, actually I don't care about every SQL Slammer attack that is still out there in the background radiation of the internet. I only care about the stuff that I could actually be affected by, because when I generate an event, I know this is a very long drawn out explanation, when I generate an event and it goes into my event processing pipeline, it ends up in front of either my level one guy in the SOC or my very small team. It's going to be hours at least before that person sees that event. The difference between detecting the attack when it happened and detecting that this machine has gone off the rails and is in fact compromised, from a temporal standpoint, again doesn't really matter. You're going to get the same outcome at the operator level. That's what we're going after with this approach is hey, let's just tell them about compromises. Let's not worry about defining every attack, because we're not doing layer seven inspection anyway. I can't do layer seven inspection the way that we're doing things. Now there might be stuff that I can do down the road, looking at things like DNS and HTTP and stuff like that. That might give us deeper capabilities to find more fine-grained attacks. But fundamentally, what I really want to tell you about is when things have gone obviously off the rails. That's something that is doable with the approach that we've taken here. What it frees you up from is all this curation and life cycle management, signature management, false positive rejection, all this crap that we've been doing since I was a kid. If we do this right, and we are definitely seeing a lot of success with our approach so far, that's where we think that we're going to make a big difference.
00:39:30
Speaker 1: Yeah, it's a totally different way of thinking about this problem and how it should be addressed. I worked with, I think it was an XDR or something like that, whatever coined term they had. It was the most inundating tool I've ever experienced before, especially when we deployed it and we have 5 alerts in there. My manager is like oh well, each one needs to be justified, for we're a financial institution. We have to have a justification behind all of it. I'm sitting here like how am I going to make justification for 5 alerts, this 5 alerts today? This isn't even 5 over a year. That was the most frustrating thing I've ever experienced, because now I'm spending 100% of my time on this. I'm not even able to do good enough quality of work on it that I'm comfortable with, because I have to put my name out there saying oh yeah, this is a benign alert, this doesn't matter. This is why it's a false positive, whatever it is. I don't even have the time to do the research myself to go into it, even in the data that they claim that they have within their platform. It was just such a headache.
00:41:11
Speaker 2: Yeah, it's insanity. There's whole sectors of the security industry that are all about oh, got alert fatigue, we can help. Nobody's just saying why do we have all these alerts? We can't look at the, despite the fact that we can do high fidelity detections, we can't actually make a high fidelity determination that you should care. You have to have either a human being look at that, or maybe you can have an AI look at it, or do some contextualization so you can reject all the stuff that can't possibly be a problem. But beyond that, you just have to ask yourself the question. The ha ha, maybe not funny thing is that all the way back to the early days of Snort, I used to tell people don't run all the rules. For God's sake, do not run all the rules. What you need to do is you need to run the rules for things you could possibly be affected by and then write rules for stuff that should never happen in your environment. That's how you should run Snort. Everybody would look at me and they're like oh, that sounds great, Marty, and nobody did it, because it's a pain in the butt. You have to stand top, fit and understand the things that should never happen, and it gets harder and harder as the network gets bigger and bigger. Well, we've essentially turned the problem on its head and said look, look how scattered these networks are. I coined an acronym for what modern networks are. I call them DEED environments. They're dispersed, ephemeral, encrypted and diverse. This is what represents modern network environments, and Snort's still out there. It's still doing a great job. If you want to defend the crown jewels with Snort, that's probably a good idea. But for broad capability across your entire DEED environment, your entire dispersed, ephemeral, encrypted, diverse, multi-cloud plus on-prem network with a work from home workforce, you're nuts if you even try. So I'm a software developer, software engineer guy, but I did five and a half years as chief architect at Cisco for security and things like that. Coming up with an architecture that will work across all this stuff is something that I had to do. That I do now, and the team in Netography, the actual co-founders of the company, came to the same conclusions that I did, without talking to me, which is why I'm working here, because I was like we have the same idea, let's go. And they actually built it. I just did a whiteboard exercise. This is the only way, from what I understand, and I've been doing this for a while. This is the only way to attack this problem scalably, across. Take all comers and things like that. This is the only way. If you're going to do it, this is the only way that you can do it. We'll get more sophisticated and more data sources as time goes on and things like that, but you can't do it. The old way, the Snort way, isn't going to get you where you want to go anymore, and if you start looking at the outcomes that people are actually trying to get to and things like that, you start to say, hey, wait a second. We should really rethink the problem that we're trying to solve and how we solve it.
00:44:28
Speaker 1: Yeah, it's a really good point. It's, I feel like. I feel like that's a problem, that obviously it needs to be solved, but it can only be solved by the people that have done it for that long. You have to have the experience with it. You have to be able to say, oh, this is a bad workflow here. Like this doesn't make sense for 99% of the organizations out there. And finding that new way to work, especially with the cloud and how dispersed networks are, it sounds like that is, honestly, it's probably the only path forward that we have, and I'm sure in 20 years we'll look back and be like, oh, we have this other brand new thing that allows us to prioritize things differently, but that's 20, 25, 30 years away. If we're talking about the modern day cloud and how it works, especially with on-prem connections and whatnot, that is the only way to go forward with it.
00:45:46
Speaker 2: Yeah, architecturally, in a lot of ways, the way that this thing works is it's modeled on the way that EDR works. So EDRs, if you understand how EDRs really do their thing, they collect metadata about what's occurring on a device, they ship it up to a cloud backend. They do their magic on the cloud backend, then they send back determinations to the agents that are on the devices. We're doing something kind of conceptually similar where we're taking the data coming out of the infrastructure itself, no agents deployed or anything like that, no sensors, no agents, no hardware, and bringing it all to a cloud backend, doing analysis, and then we can respond through our APIs through whatever your local native infrastructure is to be able to respond to attacks or whatever else that you care to respond to. And the cool thing about it is that, much like an intrusion detection and prevention engine, our system works in real time. It is not a store and query system like a Splunk or an XDR or a lot of the technologies, almost all the technologies that are out there. We, I think, almost uniquely, do what we do in real time. We can look back, we have look back capabilities and stuff like that, but we're actually, as data arrives, we analyze it, run it through our processes and our models and things like that. If we see something happening, we can actually respond as it's happening too, which is once again architecturally like. I'm a person who thinks about things for a long time before I execute on them. In fact, I thought about this for 10 years before somebody else executed on it, and then it would come to be the CEO, which was great, but the, sometimes there really is only one kind of, given the technology of the day, one way to go about it, and, from my opinion, this is it.
00:47:36
Speaker 1: Yeah, being able to alert, you know, while an attack is going on or while a compromise is going on. I mean that's really critical, right, like it's a. You know it's probably a stupid statement saying that it's critical because it's obvious, but it's not obvious of how many solutions out there, you know, that even claim that they can do this and, you know, fall short. And there's many companies that have been compromised for, you know, significant amounts of time. The average compromise isn't detected for like six months or something like that. You know, and that's with all of the modern day technology that we have. And you know this is the same for large companies and small companies. You know, like they have 300 people on their security team and then companies with, you know, three people on their security team. They're experiencing the same thing. So it sounds like this solution is really like leveling the playing field in a way, right, because it's, you know, one. You don't need to be a network expert to dive into this thing. At least it doesn't sound like it. It works across all the platforms and it allows you that if you're curious, you can dive into, you know, a certain request or whatever it might be more, and find out the details about it. That's a really interesting solution that you have there.
00:49:13
Speaker 2: Thanks, yeah, it's, you know it's. We believe obviously, or we wouldn't be doing this, we believe it's a game changer, but it is. You know time is a factor, obviously, in every attack and the interesting thing, you know so there are, to your point, there are vanishingly few technologies that are able to actually detect and respond in real time. So EDR's one, IPS and NGFW are another, and there's not really a whole lot else out there. So the very, very sharp end of the spear, technologies like those are kind of it. I guess WAF is too, for example, to, you know, get back to the plane. But the next level down. But and the thing to understand is that you know EDRs run in block mode all the time. It's very natural. But like most IPS detection logic does not run in block mode. You know, we saw kind of 80/20, even at the Sourcefire days, when we were the premier intrusion prevention platform out there, only about 20% of our customers actually ran our stuff in. So you know the, the fascinating thing about it is that the, the next step is essentially getting into an eventing pipeline where, you know, an analyst looks at it and decides if it's compromised or not and then does something about it. But in between, that is the ability to recognize something going off the rails in real time and signal out to your infrastructure to do something about it. So it isn't quite, you know, at the point of attack, like you'd have with an EDR and NGFW, but it's, you know, as soon as compromise is recognized, we can respond, which is like, is pretty cool. And we also have the ability to respond to things like governance issues. So, for example, if I see configuration drift happen, say you've got like Wiz and Wiz figures out hey, Dev and Prod are talking to each other in your cloud app. You need to fix that. And then you go do it. And then you know push comes out of staging and all of a sudden Dev and Prod are talking to each other. A Wiz-style CSPM is, we're not going to see that till the next scan cycle. We see it as it happens, we see it in real time. But we can even signal back to Wiz and say hey, by the way, you know this just happened, so you might want to take a look at it and make a determination. Or we can signal to their, you know, the operations team and say, hey, we just saw this and this is contrary to your configuration directives. Hmm.
00:51:34
Speaker 1: Man, well, I feel like we could talk for another two hours easily, you know, but unfortunately, you know, due to time, we have to cut it a little short. I guess not short, but we have to, you know, delay our conversation, right? But, Martin, you know, before, before I let you go, why don't you tell my audience, you know, where they could find you, where they could find your company and all that good information if they wanted to, you know, find out more about your solution. I'll put all the links in the description of this episode, of course.
00:52:07
Speaker 2: Yeah, absolutely, netography.com. That's where I am these days and that's you know. If you take a look at the website and start digging into it, you'll see what we're up to and what we're useful for. If you want to get a demo, we're always happy to demo for people and you know there's a lot that you can look at on the site and if you're looking at the site and you're looking at the screenshots, asking yourself, wow, does it really look that good? It does look that good. Our GUI is awesome and it's also composable, so you can actually make your own dashboards and things like that. So, yeah, it's an extremely powerful system. But, netography.com, please check it out.
00:52:45
Speaker 1: Awesome. Well, thanks everyone. I hope you enjoyed this episode.