Unraveling Network Security in a Multi-Cloud World with the Founder of SNORT

1 00:00:00
Speaker 1: How's it going, martin?

00:00:00
It's really good to finally have you on the podcast here.

00:00:04
I feel like we've been trying to schedule this thing for quite

00:00:08
a long time, but having a new baby at home can really change

00:00:13
things for you in ways that are significant, that you don't

00:00:17
expect.

00:00:19
Speaker 2: Yeah, that's for sure .

00:00:20
I've had a few and definitely throw curve balls for sure.

00:00:24
But it's good to be here next, for having me on and being

00:00:27
patient with getting things scheduled.

00:00:29
Speaker 1: Yeah, absolutely.

00:00:30
Well, I appreciate your patience as well.

00:00:32
So talk to me a bit about how you got started going into

00:00:40
cybersecurity or just IT overall .

00:00:42
Right, what made you think that this area was a good idea, that

00:00:48
this was something that you wanted to do?

00:00:50
Did you see the opportunity, or was it like a comfortable

00:00:56
transition, potentially?

00:01:00
Speaker 2: Well, that's a big story, let's see.

00:01:02
So to get into my background getting into IT we have to go

00:01:07
all the way back to the 90s.

00:01:08
So I got my computer engineering degree from Clarkson

00:01:13
University back in 92.

00:01:16
And I kind of went out and started working as a software

00:01:23
engineer for a while and eventually I ended up moving to

00:01:27
Maryland and getting a job with a defense contractor working on.

00:01:32
Information security is what we call it at the time.

00:01:34
Cybersecurity is what we call it now.

00:01:37
But back in the mid 90s this is like 96 or so if you wanted to

00:01:42
learn cybersecurity you had to teach yourself.

00:01:44
There were no college courses, there was no secondary learning

00:01:48
or very little out there to go pick it up.

00:01:51
So a lot of what you did was there were a few books out.

00:01:56
Certainly a lot of them talked about cryptography and things

00:02:00
like that as a means to securing data, but if you want to learn

00:02:04
about hacking and exploits and security tools, you basically

00:02:10
had to read source code.

00:02:11
In hot cases there were text files out there and there was

00:02:16
frac and stuff like that, not the industry, the hacker zines

00:02:22
and basically the way that I taught myself was working in my

00:02:27
day job and also writing my own tools, since I am a software guy

00:02:32
.

00:02:33
I started writing little scanners and firewalls and

00:02:38
sniffers and things like that and eventually I decided to be a

00:02:43
fun project to do with Bidra write my own cross platform

00:02:48
sniffer.

00:02:48
That came to be called SCART and it turned into a lot more

00:02:51
than that.

00:02:51
But the whole career path of getting into and deciding that

00:02:55
cybersecurity was the field that I wanted to go into was really

00:03:00
back in the early days.

00:03:01
So I was working as a government contractor for here

00:03:07
in central Maryland and that usually means one of the very

00:03:09
few places that you're working for and one day the customer

00:03:13
came in and it was a team from the shop that we were doing our

00:03:17
contracting with to check over our work and do some stuff.

00:03:21
And these guys rolled in and this was 1996.

00:03:24
And these guys were like the kings of the internet.

00:03:26
They knew the protocols, they knew how everything worked, they

00:03:28
knew how I'll plug together, they knew secure from not secure

00:03:31
, things like that.

00:03:33
And I was just super impressed with them and I was like that's

00:03:36
what I want to focus on, that's what I want to do.

00:03:38
And the thing in the back of my mind was that when I came out

00:03:42
of college in the early 90s, there was a recession on the

00:03:46
cold war.

00:03:46
It ended, so there was this peace dividend and all of these

00:03:51
people got flushed out of the defense industry.

00:03:53
So there are lots of very experienced engineers out there

00:03:57
that you're competing for jobs with and things like that.

00:03:59
So it was a rough time back then and I also wasn't the world's

00:04:03
greatest student, so that certainly didn't help and I saw

00:04:08
cybersecurity is just.

00:04:09
It was this, it was something that people are always going to

00:04:13
need.

00:04:13
And the kind of the flippant way that I talk about it now is

00:04:16
that cybersecurity is like plumbing Everybody always needs

00:04:20
it, it's never going away and the pipes are always leaking.

00:04:23
So it's a great field to go into, because I figured it was

00:04:27
pretty recession proof, which turned out to be the case in

00:04:30
2001 and 2008.

00:04:31
And even more recently, the cybersecurity industry has been

00:04:35
on the rise for really 25 plus years that I've been involved

00:04:40
with it.

00:04:40
But, yeah, it's a great field.

00:04:42
It's really interesting.

00:04:43
It's always on the move, there's always new stuff.

00:04:45
It's not a solvable problem, but there are really fascinating

00:04:51
approaches to problem solving that you can apply to it.

00:04:55
There's constant curve balls.

00:04:56
So, yeah, it's fascinating field.

00:05:01
Speaker 1: Yeah, that's definitely for sure, and you

00:05:05
have a lot there that I want to dive into.

00:05:08
Recently you talk about there's always like curve balls and

00:05:16
learning curves with cybersecurity and everything.

00:05:19
Recently I had to go through a cloud WAF POC and I didn't

00:05:25
realize deploying a WAF in a week is extraordinarily

00:05:31
difficult, just to get it in front of the app that you want

00:05:35
to test.

00:05:35
And that's a learning curve, right.

00:05:40
You're not going to know that unless you do it or you have

00:05:43
someone on the team that's done it before.

00:05:45
It's like oh no, you need this amount of time.

00:05:47
It's a, I mean, it's a whole other beast, right, like you

00:05:53
could spend your entire career doing only WAFs.

00:05:57
You could spend your whole career doing only network

00:06:00
detection and threat detection, whatever it might be right.

00:06:03
That's what drew me to it as well.

00:06:06
You know the never ending flow of information that you could

00:06:10
dive into.

00:06:12
When you were working for the Defense Department or agency,

00:06:18
whatever, were you in a situation where they were

00:06:26
requiring you to create your own solutions for problems?

00:06:32
The reason why I say that right is because the industry is kind

00:06:37
of built around go buy another solution, right.

00:06:41
Go buy some other solution to fix this problem.

00:06:43
And recently in my career, I met someone that had literally

00:06:49
just gotten out of the Navy's like cyber warfare division and

00:06:55
he was talking about like we were, we were literally

00:07:00
discussing buying a CSPM and what CSPM works and everything

00:07:05
like that, and his idea was to just build it himself.

00:07:11
And I'm over here, you know that just like blew me away, like

00:07:16
what are you talking about?

00:07:17
Man, we're like I'm not building that thing, you know,

00:07:21
and like you shouldn't be building that thing.

00:07:23
Like why, why are we doing this ?

00:07:25
You know, and you know, diving into his experience a little bit

00:07:29
, he's like well, you know, they give you no budget and they

00:07:32
give you a stack of papers that has problems in it and they say

00:07:35
figure it out.

00:07:35
You know, like there's nothing else to give you a terminal and

00:07:39
like that's it.

00:07:40
You know, was that a similar experience for you?

00:07:44
Or was there?

00:07:45
Was there a bit more hands?

00:07:48
Hands on trying to trying to do the solution route?

00:07:51
Maybe, maybe that didn't work right.

00:07:53
That's my thought process with it.

00:07:57
Speaker 2: Yeah, they typically came in with their own.

00:08:00
So it was a mix of using commercial stuff and their own

00:08:05
tools.

00:08:05
Back in those days I was pretty young, I was in my 20s, and I

00:08:10
was very frequently just working on problems that I was given,

00:08:15
and sometimes we were writing software, sometimes we were

00:08:18
setting up a configuring system, sometimes we were getting

00:08:22
commercial stuff running or sometimes we were using open

00:08:25
source technology as well, even back then.

00:08:27
And yeah, it really kind of depended on what problem we were

00:08:31
trying to solve, how fast we were trying to solve it and

00:08:34
things like that.

00:08:34
So I did do creative work, building building technology for

00:08:40
customers.

00:08:40
That was kind of suspect but it was like here's the solution.

00:08:45
We want to go build it.

00:08:46
So I did stuff like that.

00:08:48
But I also did stuff like you know, here's the, here's the

00:08:51
component tree that we've developed and we need to add

00:08:54
this to it or tie these things together or whatever.

00:08:56
So yeah, it was a bit of a bit of everything.

00:08:58
But yeah, you know the well, you know, the funny thing about

00:09:02
it is that, especially in the early days, you know you don't

00:09:07
know any better than to do something like go write your own

00:09:09
CSPM or go write your own intrusion detection system

00:09:12
because you know you're kind of.

00:09:15
You haven't been exposed to the budgets of the vendor ecosystem

00:09:20
, the budget required of the vendor ecosystem to get things

00:09:22
going.

00:09:22
You've been just making things go on your own by tying things

00:09:28
together and building glue or building original technology.

00:09:32
I think that's the Especially when we're young, we just don't

00:09:38
know any better.

00:09:39
The hard part of a CSPM is not building the actual engine that

00:09:43
does CSPM.

00:09:44
All the content is required to drive it, all the checks and

00:09:48
what they mean, and all configuration guidance and the

00:09:50
CVE mapping and the wider attack mapping and all the other stuff

00:09:53
that you've got to do to make it an actual useful tool, which

00:09:56
is a lot less about building the tool, a lot more about building

00:09:59
all the knowledge infrastructure around it that

00:10:01
makes it go.

00:10:01
Same thing with intrusion detection systems.

00:10:03
I mean I was just developing snorters, kind of a fun thing to

00:10:05
do on rainy days, weekends, and then all these people showed up

00:10:09
and all of a sudden this thing snowballed overnight into this

00:10:12
huge thing.

00:10:13
But if I had known when I was getting myself into you, I would

00:10:16
have been like this is not.

00:10:18
How could I possibly do something like that?

00:10:19
So I mean, there's always kind of that there might be a better

00:10:23
way to do it than it's being done by the whizzes and orcas of

00:10:26
the world.

00:10:26
So I wouldn't discourage anybody from trying.

00:10:29
But maybe it's better that you don't know what you're getting

00:10:31
yourself into, because you never try it, otherwise that's where

00:10:34
everything comes from.

00:10:36
Speaker 1: Right when you were creating Snort.

00:10:39
What was the problem that you were trying to resolve with

00:10:46
creating that, and was it simpler or more difficult than

00:10:53
what you expected starting out?

00:10:57
Speaker 2: So I was trying to solve for a few problems.

00:10:59
One I was teaching myself coding.

00:11:02
I wrote, and still write, a little bit when I write it all

00:11:08
in C for the most part, and so C is a deep language it's very

00:11:13
tricky to do right.

00:11:15
So I was teaching myself to be a better C programmer.

00:11:18
I was also teaching myself how to write cross-platform sniffers

00:11:21
.

00:11:21
So I'd written Linux specific sniffers and SunOS specific

00:11:26
sniffers or Solaris specific sniffers In the past.

00:11:30
But I wanted to write something that was cross-platform.

00:11:32
So I was also teaching myself how to use the PCAP and things

00:11:35
like that.

00:11:35
So there was all that.

00:11:36
But the goal that I was going for was wouldn't it be fun if I

00:11:39
could monitor my home network while I'm at work for the day

00:11:42
and see if anybody's knocking on the door?

00:11:43
So I would leave it running and at that point Snort was a

00:11:48
sniffer with a packet logger and I would come home and have the

00:11:52
Snort directory structure of here's all the IP addresses that

00:11:55
talk to you, here's all the port numbers.

00:11:57
You can look at the packet doms and see.

00:11:59
You know, just visually see port scanners and people trying

00:12:02
to prove forest passwords and stuff like that.

00:12:05
That was pretty entertaining.

00:12:07
But after I released it to open source about a month after I

00:12:11
started writing it and the 25th anniversary of the first release

00:12:15
to Snort is this December it very quickly, like I said, it

00:12:20
snowballed.

00:12:20
People started asking for features and stuff like that.

00:12:23
So it wasn't super hard to write the fundamentals of it.

00:12:30
It didn't really get hard until I started SourceFire and then

00:12:34
it needed to have enterprise features, it needed to have

00:12:37
anti-vasion technology and stuff like that and all of a sudden I

00:12:39
really had to start, you know, taking it from being this very

00:12:42
kind of simplistic packet processing pipeline with simple

00:12:45
pattern matching to being a much more sophisticated animal.

00:12:48
And that took a lot of doing, but I was very motivated because

00:12:53
I was trying to make money At that point.

00:12:57
Speaker 1: Yeah, that is.

00:12:58
I mean, that's really interesting, you know, like

00:13:02
creating an open source project that you know everyone knows.

00:13:06
You know everyone knows what Snort is, what to use it for,

00:13:11
right, that sort of thing in cybersecurity at least, and it's

00:13:18
really interesting.

00:13:19
You know, how did people find your solution or Snort?

00:13:25
How did they find Snort back then?

00:13:27
Right, like it probably wasn't easy.

00:13:30
What did you find?

00:13:33
Like potentially a forum that all the hackers trafficked, you

00:13:38
know frequently.

00:13:40
You know and post about it on there, like how did people find

00:13:44
it?

00:13:45
Speaker 2: Yeah, so back then there were actually very few

00:13:50
tool sites out there where kind of everybody hung out.

00:13:53
So you know, if you want to talk about it in kind of modern

00:13:56
language, we would call it a watering hole attack, right.

00:13:58
So you find out.

00:13:58
You know, the site that Snort debuted on was Packstorm.

00:14:02
So packstormcom was run by a guy named Ken Williams.

00:14:05
I think it's still out there but it's under.

00:14:08
You know, it's changed hands several times since then because

00:14:10
it has been 25 years, and so that was like the premier tool

00:14:16
site.

00:14:16
It wasn't just defensive tools, it was also exploits and things

00:14:19
like that.

00:14:20
So like when an exploit came out, very frequently you'd be

00:14:22
able to find it on Packstorm.

00:14:25
So I decided and there were a few others, like Technotronic

00:14:29
that was run by Kirby Kuhl, and there were a few other tool

00:14:33
sites like that.

00:14:34
But anyway, I contacted Ken Williams and I said, hey, I got

00:14:36
this new Sniffer I worked, called Snort.

00:14:38
Would you post it?

00:14:38
You know, would you put it up on the site?

00:14:40
Sure thing, send it in.

00:14:42
And you know, got a couple of emails and then I did another

00:14:44
release and I got a couple more, and that's kind of how it went.

00:14:47
But Snort was kind of fascinating because it was very

00:14:50
much a tool for its time at the time because the only other

00:14:54
intrusion detection technology out there were commercial ones,

00:14:57
from like Wheel Group and ISS and things like that.

00:15:00
They cost a lot of money.

00:15:01
So if you wanted to do the intrusion detection function,

00:15:05
there were really no other answers at that time.

00:15:09
There were some other contemporary open source

00:15:12
intrusion detection systems, but Snort kind of captured the easy

00:15:17
enough for anybody to use, you know, but deep enough for people

00:15:22
to get sophisticated with, especially as time marched on

00:15:25
and it grew in sophistication.

00:15:27
So yeah, it was like it was the it's product market fit it's

00:15:33
what we would say now.

00:15:33
It's product market fit was exceptional for its time and you

00:15:37
know, let those product-led growth kind of motion was what

00:15:40
we would call it now.

00:15:41
That was really incredible.

00:15:43
But yeah, you know, there were a surprisingly few sites in the

00:15:49
late 90s where kind of everybody hung out, all the tools were

00:15:53
and stuff like that and that's how it got started.

00:15:55
There was no greater marketing than just putting it up on

00:15:58
PacketStorm and Technotronic and a few other sites and it just

00:16:02
took off Wow.

00:16:05
Speaker 1: Yeah, you bring up a really good point.

00:16:08
You know, the product is a balance between anyone being

00:16:14
able to use it and then diving as deep as they want to go Right

00:16:18
.

00:16:18
That's a I guess that's a problem that some products that

00:16:24
I've seen have had recently.

00:16:26
Right when it's, either it's not deep enough or it's not

00:16:30
simple enough for anyone to pick it up.

00:16:32
It's a really fine balance between that, you know, and it

00:16:38
always seems like the people that have been doing it for 20,

00:16:41
25 years are the ones that you know understand that.

00:16:45
So, like, even if they step into a product right that is

00:16:49
struggling in that area, they can navigate it and kind of

00:16:52
untangle it, I guess.

00:16:55
Speaker 2: Yeah, I think it's funny.

00:16:57
So my career in computers started when I was 17, working

00:17:01
at a retail computer store.

00:17:02
I was a service technician and this is in the late 80s and the

00:17:11
interesting thing is there's this big movement in the

00:17:13
computer industry back then for PCs to deliver a great out of

00:17:19
box experience.

00:17:19
So this was like early, early attempts at low friction

00:17:23
deployments, low friction selling stuff like that.

00:17:26
So when you got your consumer PC you'd open up the box, all

00:17:29
the cables would be labeled and stuff like that, so it was

00:17:31
simple, and the color code of the connectors, so it'd be

00:17:33
simple to plug this thing in and get it going.

00:17:35
Because a lot of people had trouble with that and you know I

00:17:39
think that always kind of that's always in the back of my

00:17:42
mind.

00:17:42
You know an entography, my current company.

00:17:45
The thing is, you know it's easy to get started with but it's

00:17:48
also very deep.

00:17:49
Snort was kind of the same way very simple rule language that

00:17:54
was in there and you could do a lot with the rules and you get

00:17:57
more sophisticated, especially as we added stuff like regular

00:18:00
expressions and things like that .

00:18:01
But it also was an extensible engine.

00:18:03
So if you could write C it had all sorts of API interfaces in

00:18:07
it where you could extend the program.

00:18:08
You could add in your own detection logic, you could add

00:18:10
in your own output mechanisms to talk to databases or you know

00:18:14
whatever you wanted to and things like that.

00:18:16
So there were many levels to the system, but the most cursory

00:18:20
level you can still be productive with almost

00:18:22
immediately, and that was the whole goal from out of the box

00:18:25
and up and running in 15 minutes , is what I, what the mantra was

00:18:28
at SourceFire.

00:18:29
But even with Snort I want to be able to go from tar ball to

00:18:33
running Snort instance in five minutes.

00:18:35
And that was kind of the you know always my, my guiding thing

00:18:39
in the back of my mind when I was developing the packages and

00:18:42
things like that.

00:18:45
Speaker 1: Yeah, I feel like that is.

00:18:47
That's a stat or a thought process that is still rare to

00:18:55
come across, right Of being able to download it and run it and

00:18:59
be up and running within five minutes.

00:19:01
You know that's that is not something that is seen very

00:19:06
often, right, as someone that has led at various POCs across

00:19:10
different domains of security, like this recent, this recent

00:19:15
POC that I did with the Cloud WAF there was one solution that,

00:19:20
within you know, two hours, right, we were up and running.

00:19:23
It was still two hours, but it wasn't the 10 days that I needed

00:19:29
for the other solutions.

00:19:31
You know, and that's absolutely something that matters,

00:19:34
especially when you know you talk about, like a disaster

00:19:40
recovery scenario and someone else that doesn't know the tool,

00:19:44
someone that didn't buy it or take part in the POC, even has

00:19:48
to run it.

00:19:48
You know they have to know how to do it and they have to be

00:19:52
able to figure it out.

00:19:54
I feel like, personally, all of that has to be taken into

00:19:57
account when you're when you're purchasing the right technology.

00:20:00
You know it's an interesting problem.

00:20:03
So, you know, I'm really I'm fascinated by by your current

00:20:11
company and I want to dive into it.

00:20:14
So tell me a bit more about what you're doing now.

00:20:18
What's the company called all that stuff?

00:20:21
Speaker 2: Sure, so company called netography.

00:20:23
We're a network defense platform.

00:20:25
So this is something new under the Sun.

00:20:27
It's not NDR, it's not sim, it's not XDR, it's it's its own

00:20:32
thing.

00:20:33
And the fundamental problem that we're trying to solve is that,

00:20:39
especially since the end of the pandemic, networks have

00:20:41
scattered.

00:20:41
So everybody went home and you know, march of 2020, and they

00:20:45
were told, hey, just get your job done with them back in two

00:20:47
weeks.

00:20:47
And you know, turn into six weeks.

00:20:48
And that turned into six months and people just got their jobs

00:20:51
done.

00:20:51
They scattered their enterprise networks to the forewinds,

00:20:54
basically.

00:20:54
So, also, we have this huge cadre of work from home people.

00:20:57
We've got all this cloud infrastructure that was just

00:21:00
kind of thrown up, as you know, as needed by whoever needed it,

00:21:03
wherever they needed it, for whatever they needed it for.

00:21:06
And now we're kind of trying to get our hands around it as a,

00:21:10
as an IT industry, and it's really difficult to just answer

00:21:14
fundamental questions of what have I got?

00:21:16
What is it doing, what's happening to it, how's it

00:21:18
changing, being able to do so systemically across this

00:21:23
multi-cloud plus on-prem world that most enterprises are in

00:21:28
today?

00:21:28
And you know, the funny thing is is I kind of saw this problem

00:21:31
coming a long, long time ago, and it's also compounded by

00:21:37
encryption and now zero trust, which is basically Based on this

00:21:41
foundation of let's encrypt everything and then we'll give

00:21:44
permissive access to whatever you need, based on your

00:21:46
credentials and stuff like that.

00:21:48
Well, all that stuff works great until it doesn't.

00:21:50
And you know and we've merely been blinding all the ways that

00:21:55
we used to keep tabs on things for the last Call it five to

00:22:00
eight years.

00:22:01
So what the top reviews is doing is we have a cloud Platform.

00:22:06
So it is a Cloud native platform that can take data in

00:22:12
from your infrastructure and tell you what's going on, what

00:22:15
you've got, what it's doing, what's happening to it.

00:22:17
But we're doing it in a way where you don't have to deploy a

00:22:21
bunch of technology to make it work.

00:22:22
We don't have appliances, we don't have agents, and we work

00:22:26
the same across any cloud environment that you've got.

00:22:29
Well, the five big ones anyway, so I'd be more oracle, in case

00:22:32
you're wondering what the other two are plus GCP, aws and Azure

00:22:35
and On-prem all under one roof.

00:22:38
So we have one UI, we have one language that describes good and

00:22:41
bad and what we're looking for and things like that.

00:22:44
So it enables us to do compromise detection, threat

00:22:47
hunting.

00:22:47
We do governance with it because the way this thing is

00:22:50
built, we can see the configuration drift happening in

00:22:52
real time because see when things are not behaving as they

00:22:56
should.

00:22:56
I can just do straight-up discovery and mapping with it,

00:22:59
and it's also surprisingly good at picking up DDoS attacks and

00:23:02
things like that.

00:23:03
So it's a really different approach from what's coming for.

00:23:07
You know, obviously snorkels a deep packet inspection system,

00:23:10
and I started becoming concerned with kind of the future of DPI

00:23:12
back in probably 2008, 2009, when all of a sudden our

00:23:16
encryption started to turn in with a more and more of a thing.

00:23:18
And here we are, you know, 15 years later, and now, like

00:23:22
network encryption is blinding DPI very systemically.

00:23:25
It's hard to get a DPI Sensor where you need it, especially in

00:23:30
the cloud, because the clouds not friendly to doing deep

00:23:32
packet inspection.

00:23:33
Nobody likes appliances anymore .

00:23:34
It's a terrible model, has huge life cycle management, curation

00:23:38
Costs associated with it, not to mention what it's telling you

00:23:42
is hey, I saw a bunch of things which could be attacks.

00:23:44
Please figure out which ones are attacks.

00:23:46
So what we've done in a tography is like really change the, the

00:23:50
game and the equation to give you something that's super low,

00:23:53
friction, right.

00:23:53
So this is all the way back to.

00:23:55
You know the early days of start.

00:23:56
My experience as a technician in the early PC industry of you

00:24:01
know, from out of box stop and up and running as quickly as

00:24:04
possible.

00:24:04
You know time to install matters being frictionless

00:24:08
matters so, and letting you see things instantly about your

00:24:12
environment, like you don't even have to configure our stuff.

00:24:14
Well, as soon as you plug in the data sources, it will start

00:24:18
telling you stuff about your network that are very hard to

00:24:20
see otherwise, without you even have to configure it.

00:24:23
And then, once you start configuring it, it just gets

00:24:25
richer and richer of what it can tell you.

00:24:27
It's got a language in it so you can extend it.

00:24:29
So you know the easy stuff is easy.

00:24:30
The hard stuff is possible.

00:24:32
It's all API driven so you can plug it into your infrastructure

00:24:36
and extend it and things like that.

00:24:37
So this is a new way of doing network security that is built

00:24:41
on Really leveraging your existing infrastructure.

00:24:45
So we take flow data out of your on-prem infrastructure and flow

00:24:49
logs out of your cloud infrastructure as a real-time

00:24:52
data source for the activities that are occurring in the

00:24:55
environment.

00:24:55
But we also pull context out of your environments as well.

00:24:58
So we can pull context out of your EDR like a crowd strike.

00:25:01
We can pull context out of your VPCs in the cloud we can get it

00:25:04
from Axiomus or Wiz or you know , working on extending and

00:25:08
integrating all across the board so you can look at your network

00:25:12
traffic and activities that are occurring not just in terms of

00:25:15
show me all my database servers, show me all my executives and

00:25:18
what they're connecting to, but you can also do things like, say

00:25:20
, show me all of my traffic that is occurring to devices with

00:25:26
CVSS scores above 7.5 that are responding to the public

00:25:30
internet.

00:25:31
So like it's really a Super powerful way of understanding

00:25:37
your network environment and being able to look for, you know

00:25:39
, attack some compromises as well, as you know, just provide

00:25:43
you with kind of fundamental governance capabilities, which,

00:25:46
once again, are hard to do with scan, report tools like

00:25:50
vulnerability management or even CSPM tools hmm, wow, there is a

00:25:56
, there's a significant amount there, right, and I feel like,

00:26:04
okay, so I have two, two major questions.

00:26:09
Speaker 1: How do you build a product that is Working great

00:26:14
for the cloud as well as on-prem , right?

00:26:16
Like?

00:26:16
I feel like that is designing for two completely separate

00:26:21
things and that's a.

00:26:23
That's a gap that's hard to bridge, you know.

00:26:26
So how did, how did you accomplish doing that?

00:26:30
Speaker 2: Well, I'm just the CEO so I didn't have to.

00:26:31
But the guys who did do it, they saw the same, the same

00:26:36
problems that I did.

00:26:36
You know, if you have, if you have a bifurcated Security

00:26:39
platform where I treat on-prem differently than I treat the

00:26:42
cloud, I mean the cloud.

00:26:43
You know.

00:26:44
The joke is the cloud is somebody else's computer but

00:26:46
really the cloud is somebody else's Linux computer and you

00:26:49
don't really own the network.

00:26:50
But there is a network and you need to understand how it's

00:26:52
being utilized and you can really see what's going on by

00:26:56
Observing it properly.

00:26:57
And then you've got the on-prem world.

00:26:58
If I have two different technology stacks for looking at

00:27:01
both of those things differently, you know you're

00:27:03
gonna have gaps between them gaps and capabilities gaps,

00:27:05
invisibility Gaps and understanding Probably have

00:27:09
different teams running the tools.

00:27:11
Like you've got just this ever-expanding pile problems

00:27:15
because you're treating them as different things.

00:27:17
Your enterprise network is a composite of all of its

00:27:20
components and you need to treat it that way and that's what

00:27:23
this Platform is really designed to do treat your network as a

00:27:26
composite of all its parts instead of this part is

00:27:29
different than that part.

00:27:29
Well, if you're gonna do that, you have to understand okay,

00:27:33
what are the?

00:27:33
What are the fundamental Data types that I can pull out of

00:27:37
here that will show me the information that I need so that

00:27:39
I can treat these as Different aspects of the same thing?

00:27:42
Well, it's, it's flow data.

00:27:43
It's other.

00:27:46
There's other data types out there, like you know DNS or HTTP

00:27:48
logs, potentially, or you know whatever that aren't in the

00:27:52
product right now, but you know, obviously we're aware of, as

00:27:55
well as the context that you need to have.

00:27:57
You've got all these platforms out there that know all sorts of

00:28:00
things about kind of their area , where it's CSPM knows about

00:28:02
the configuration, vulnerability , state of cloud workloads.

00:28:07
Or, you know, a vulnerability management system does the same

00:28:08
thing about what's happening on prem, or like an axionist, which

00:28:13
is or axonious Sorry, it's more of a CMDB sort of platform, or

00:28:20
an EDR, like a crowdstrike, which you know has very granular

00:28:23
data about the systems that it's installed on, but isn't

00:28:25
installed on everything in every other.

00:28:26
So, like being able to weave that picture together and then

00:28:32
show the activities that are occurring on it is extremely

00:28:35
powerful and, like you know, it takes a little bit of

00:28:38
imagination.

00:28:38
But you know this.

00:28:41
This problem has been steering us in the face as an industry

00:28:43
for at least a decade and Natography is the first company

00:28:46
that's come along.

00:28:46
It's really Sympathizing this, this picture based on all these

00:28:52
data sources and then giving you one way to analyze it and

00:28:55
instrument it and treat it as your enterprise network, not as

00:29:01
that's cloud a, that's cloud b and this is my legacy on-prem

00:29:04
stuff.

00:29:09
Speaker 1: I would assume a solution like this does a really

00:29:10
good job of detecting Kind of rogue cloud accounts, right?

00:29:15
If, if you have a developer that you know determines, right,

00:29:21
that they want to use their company card to start an account

00:29:23
with GCP or something like that , when you're predominantly in

00:29:25
AWS, that would probably be something that would be pretty

00:29:31
easy for you to detect, right?

00:29:32
Yep, absolutely.

00:29:32
Yeah, I have a pain point with that because, you know, I

00:29:39
started at a company a couple years ago and they told me, oh

00:29:41
yeah, 100% AWS, there's nothing anywhere else.

00:29:43
We have 0365, but that's it.

00:29:47
Okay, you know.

00:29:51
And then I slowly started to find out, through the grapevine

00:29:53
of people you know mistakenly saying it, that we're in Azure.

00:30:01
And then, oh, randomly, oh, we're also in GCP, we're using

00:30:03
this other thing in GCP.

00:30:04
It's like guys, this is a problem, like security didn't

00:30:08
know this.

00:30:13
Speaker 2: Well, and it's not just that this is like and

00:30:18
you're never going to see it Like unless somebody tells you

00:30:20
about it like the old way that we would do things with DPI

00:30:24
systems is probably not going to find it either, Because D-Pack

00:30:27
inspection systems are primarily focused on what.

00:30:30
They're focused on finding threats that are active in the

00:30:32
network environment and they're looking north-south almost

00:30:35
exclusively and they're only looking for attacks.

00:30:37
So they're not even going to characterize the kind of the

00:30:42
connecto sphere I guess I'll just coin a word right now the

00:30:46
connected biome of your actual enterprise network, because they

00:30:49
have no ability to observe it.

00:30:50
It's outside the scope of their application, Whereas an

00:30:54
approach like what we're doing in that photography will show

00:30:57
you north-south, east-west doesn't really matter.

00:30:58
We can instrument any part of your network.

00:31:00
And oh, by the way, the other cool thing about it is that as

00:31:03
soon as you become aware that, oh, we got stuff in GCP, you can

00:31:07
shake information about what deployment you've got in GCP out

00:31:10
of the people who are doing it and you can deploy because we

00:31:13
are cloud-based.

00:31:14
You can deploy now, like right now.

00:31:18
Speaker 1: You don't have to deploy to plants.

00:31:19
Speaker 2: You don't have to get a workload up and running or

00:31:21
anything like that.

00:31:21
You guys turn on Flow over there and give me your VPC

00:31:25
context, we'll import it into the Netography and we'll see

00:31:27
what's going on.

00:31:28
Boom, and then you've got all of a sudden visibility into it

00:31:31
and you can start seeing what's actually there and you can start

00:31:34
instrumenting how you actually want to protect it and govern it

00:31:36
.

00:31:39
Speaker 1: Yeah, I feel like that's a huge pain point,

00:31:41
especially with the pandemic and everyone working from home.

00:31:44
There's no longer that oversight that used to be

00:31:51
present, and so then you can have a situation where employees

00:31:56
are starting to spin up and use other technologies and other

00:32:01
platforms to accomplish their job that the company didn't even

00:32:05
know about it, or whatnot.

00:32:06
One of the areas that I would imagine would be a difficult

00:32:14
area to master, especially with a product like this, is alert

00:32:19
fatigue and avoiding it and making sure that you're

00:32:23
providing the end user only what they need to make the proper

00:32:28
decision in an environment and showing them what they should be

00:32:32
paying attention to.

00:32:32
How do you address that within your system and within your

00:32:36
solution, because I would imagine having all of this data

00:32:41
and doing all of the logic and the matrixes behind it.

00:32:46
I would assume that that is a difficult challenge to go

00:32:52
through.

00:32:54
Speaker 2: Yes, OK, so now you're going to get some

00:32:56
orthodoxy here.

00:32:57
So let's talk about threat detection and compromise

00:33:02
detection, because this is the difference by degree.

00:33:06
So I obviously am one of the people who's primarily

00:33:08
responsible for the threat detection game, as it's been

00:33:12
done for the last 25 years, Like I established, a fairly iconic

00:33:16
piece of software that is one of the foundational elements of

00:33:21
event generation for detecting security incidents in an

00:33:24
environment.

00:33:25
Here's the problem with the approach and this is my analysis

00:33:30
of how we're doing with this approach after 25 years of doing

00:33:35
it.

00:33:36
The problem is that storage can detect hundreds of thousands of

00:33:40
things now and there's tons and tons and tons of rules for it,

00:33:45
and the issue is that if you don't configure your rule set

00:33:50
appropriately, you're going to get a lot of noise.

00:33:52
Even if you do configure a rule set properly, you're still

00:33:56
going to get a lot of noise the vast majority of things that it

00:33:58
detects, because we don't have the granularity to do a host by

00:34:02
host configuration of what storage should detect on a

00:34:06
device by device basis.

00:34:08
We're just going to look generally for the things we

00:34:10
think could be problems.

00:34:11
We're going to get an event load out of that and then we're

00:34:14
going to sift through that event load.

00:34:15
We're going to contextualize each and every event that's in

00:34:18
there for the stuff that I care about.

00:34:19
And then, of the stuff that I care about, I'm going to try to

00:34:24
figure out what well, what most of those events that I actually

00:34:27
care about were actually compromises.

00:34:29
Am I going to look for anything beyond compromises?

00:34:31
In most enterprises you're not.

00:34:32
You're just going to say I've turned 10 events into 10

00:34:36
events of interest.

00:34:37
I'm going to look at those 10 events of interest.

00:34:39
Oh, none of them actually affected anything.

00:34:41
Today, Guess, I don't care.

00:34:43
And tomorrow, none.

00:34:44
The day after that, none the day after that.

00:34:47
Oh, there's one.

00:34:48
Oh, I did get compromised.

00:34:49
Let's kick off our IR playbook and we are going to image that

00:34:52
machine, reformat it and get it back in service, and we're going

00:34:56
to take that image and run it through our forensics and our IR

00:34:58
process and figure out what's going on.

00:34:59
And that's what people do.

00:35:02
So what's the flaw with that?

00:35:03
Well, I did all of this stuff.

00:35:06
I curated all these rules, I got these snort sensors up and

00:35:09
running, I got them tuned and figured and performance working

00:35:12
at the rate that I want them to, and I swapped out.

00:35:15
Every three to five years.

00:35:16
I swapped out the hardware platform that they're on because

00:35:18
I have to, because either the vendor that I got from is

00:35:22
forcing me to because it's the end of life, or I need a fast

00:35:26
machine because I'm pumping more bandwidth now, or whatever.

00:35:28
So I did all that stuff so I could deal with tens of

00:35:32
thousands of false positives, no matter the source fire.

00:35:35
We invented whole new technologies to get rid of false

00:35:37
positives.

00:35:38
We're good at it.

00:35:39
We get rid of, give you 95% data reduction, not without too

00:35:43
much effort, but you're still dealing with 5% of 10 or

00:35:47
100, trying to figure out which one of these are the ones

00:35:50
that I care about.

00:35:50
And, at the end of the day, the outcome that you're actually

00:35:56
going for is I would like to know when I've actually been

00:35:58
compromised so I can kick off my IR playbook and get back to

00:36:01
business.

00:36:01
So we do that.

00:36:03
We have been doing that for 25 years, or what if I just said

00:36:07
hey, actually nobody cares about threat detection, Everybody

00:36:11
cares about compromised detection.

00:36:12
That's the outcome that you actually want.

00:36:14
Well, what we built in an autography is actually more of a

00:36:17
compromised detector than a threat detector, because what

00:36:22
we've come to understand now that we have a lot more great

00:36:24
here and we're no longer.

00:36:25
Time is actually a factor now.

00:36:28
Is that?

00:36:28
What if I only tell you about the stuff that was compromised?

00:36:31
By being able to essentially suss that out by looking at the

00:36:34
activities and behaviors of the devices and the environment

00:36:37
establishing because I'm a metadata driven platform that

00:36:40
knows a lot of context about the environment I can establish

00:36:42
where are my trust boundaries, what are my functional,

00:36:45
behavioral, operational envelopes that I operate within,

00:36:48
and then I can essentially observe the entire network and

00:36:51
all of it, not just north-south traffic but east-west traffic,

00:36:54
the stuff in the cloud, everything and look for stuff

00:36:57
essentially going off the rails and tell you with a very high

00:36:59
degree of accuracy hey, this thing has been compromised.

00:37:03
That's probably the bet that we're making.

00:37:07
This is the thesis in the topography is that's probably

00:37:09
what people actually want.

00:37:10
The outcome that people want is compromise detection so they

00:37:13
can kick off their IR playbook.

00:37:14
I've been reading blog post after blog post.

00:37:17
Kevin Mandia just talked about it.

00:37:18
Essentially it's all the subtext of all these things.

00:37:21
Coinbase just did a three-parter on how they're

00:37:23
making detection response scale.

00:37:25
All of it was we take this raw event load, we contextualize it

00:37:28
and marry up context with it.

00:37:29
When we figure out what the actual compromise is, we have

00:37:32
the contextual information associated with the event.

00:37:34
That was the compromise.

00:37:35
We can respond more quickly so we can kick off our IR playbook.

00:37:39
You see it over and over again that's the outcome that people

00:37:42
actually want from all this analytics, this massive

00:37:44
analytics infrastructure that we've deployed for really 30

00:37:48
years.

00:37:48
Finally, people are getting to the point where it's like, hey,

00:37:51
actually I don't care about every SQL slammer attack that is

00:37:56
still out there in the background radiation of the

00:37:59
internet.

00:37:59
I only care about the stuff that I could actually be

00:38:01
affected by, Because when I generate an event I know this is

00:38:04
very long drawn out explanation when I generate an event and it

00:38:07
goes into my event processing pipeline, it ends up in front of

00:38:10
either my level one guy in the SOC or my very small team.

00:38:14
It's going to be hours at least before that person sees that

00:38:18
event.

00:38:18
The difference between detecting the attack when it

00:38:21
happened and detecting that this machine has gone off the rails

00:38:23
and is in fact, compromised from a temporal standpoint again

00:38:28
doesn't really matter.

00:38:28
You're going to get the same outcome at the operator level.

00:38:32
That's what we're going after with this approach is hey, let's

00:38:35
just tell them about compromises.

00:38:36
Let's not worry about defining every attack, because we're not

00:38:38
doing lever layer seven inspection anyway.

00:38:40
I can't do layer seven inspection the way that we're

00:38:43
doing things.

00:38:44
Now there might be stuff that I can do down the road, looking

00:38:47
at things like DNS and HTTP and stuff like that.

00:38:50
That might give us deeper capabilities to find more

00:38:52
fine-grained attacks.

00:38:53
But fundamentally, what I really want to tell you about is

00:38:58
when things have gone obviously off the rails.

00:39:02
That's something that is doable with the approach that we've

00:39:05
taken here.

00:39:05
What it frees you up from is all this curation and life cycle

00:39:09
management, signature management, false positive

00:39:11
rejection all this crap that we've been doing since I was a

00:39:14
kid.

00:39:14
If we do this right and we are definitely seeing a lot of

00:39:21
success with our approach so far that's where we think that

00:39:25
we're going to make a big difference.

00:39:30
Speaker 1: Yeah, it's a totally different way of thinking about

00:39:34
this problem and how it should be addressed.

00:39:37
I worked with I think it was a XDR or something like that,

00:39:44
whatever coin term they had.

00:39:46
It was the most inundating tool I've ever experienced before,

00:39:56
especially when we deployed it and we have 5 alerts in

00:40:02
there.

00:40:03
My manager is like oh well, each one needs to be justified,

00:40:09
for we're a financial institution.

00:40:11
We have to have a justification behind all of it.

00:40:14
I'm sitting here like how am I going to make justification for

00:40:18
5 alerts this 5 alerts today?

00:40:22
This isn't even 5 over a year.

00:40:28
That was the most frustrating thing I've ever experienced,

00:40:31
because now I'm spending 100% of my time on this.

00:40:36
I'm not even able to do good enough quality of work on it

00:40:43
that I'm comfortable with, because I have to put my name

00:40:46
out there saying oh yeah, this is a benign alert, this doesn't

00:40:54
matter.

00:40:54
This is why it's false, positive, whatever it is.

00:40:57
I don't even have the time to do the research myself to go

00:41:02
into it, even in the data that they claim that they have within

00:41:07
their platform.

00:41:08
It was just such a headache.

00:41:11
Speaker 2: Yeah, it's insanity.

00:41:12
There's whole sectors of the security industry that are all

00:41:21
about oh, got alert fatigue, we can help.

00:41:22
Nobody's just saying why do we have all these alerts?

00:41:26
We can't look at the, despite the fact that we can do high

00:41:32
fidelity detections, we can't actually make a high fidelity

00:41:35
determination that you should care.

00:41:37
You have to have either a human being look at that, or maybe

00:41:40
you can have an AI look at it, or do some contextualization so

00:41:44
you can reject all the stuff that can't possibly be a problem

00:41:47
.

00:41:47
But beyond that, you just have to ask yourself the question.

00:41:55
The ha ha, maybe not funny thing is that all the way back to the

00:41:59
early days of start, I used to tell people don't run all the

00:42:02
rules.

00:42:02
For God's sake, do not run all the rules.

00:42:04
What you need to do is you need to run the rules for things you

00:42:07
could possibly be affected by and then write rules for stuff

00:42:11
that should never happen in your environment.

00:42:12
That's how you should run.

00:42:13
Snort.

00:42:14
Everybody would look at me and they're like oh, that sounds

00:42:16
great, marty, and nobody did it, because it's a pain in the butt

00:42:21
.

00:42:21
You have to stand top, fit and understand the things that

00:42:27
should never happen, and it gets harder and harder as the

00:42:30
network gets bigger and bigger.

00:42:31
Well, we've essentially turned the problem on.

00:42:33
Us Hadn't said look, look, how scattered these networks are.

00:42:36
I coined an acronym for what modern networks are.

00:42:38
I call them deed environments.

00:42:39
They're dispersed, ephemeral, encrypted and diverse.

00:42:42
This is what represents modern network environments, and

00:42:49
snort's still out there.

00:42:50
It's still doing a great job.

00:42:51
If you want to defend the crown jewels of snort, that's

00:42:52
probably a good idea.

00:42:53
But for broad capability across your entire deed environment,

00:42:58
your entire dispersed, ephemeral , encrypted, diverse,

00:43:01
multi-cloud plus on-prem network with a work from home workforce

00:43:05
, you're nuts if you even try.

00:43:12
So I'm a software developer, software engineer guy, but I did

00:43:18
five and a half years as chief architect at Cisco and for

00:43:21
security and things like that.

00:43:22
Coming up with an architecture that will work across all this

00:43:27
stuff is something that I had to do.

00:43:31
That I do now, and the team in the photography the actual

00:43:36
co-founders of the company came to the same conclusions that I

00:43:38
did, without talking to me which is why I'm working here Because

00:43:41
I was like we have the same idea, let's go.

00:43:44
And they actually built it.

00:43:46
I just did a whiteboard exercise.

00:43:52
This is the only way, from what I understand, and I've been

00:43:55
doing this for a while.

00:43:56
This is the only way to attack this problem Skellibly,

00:43:59
scaleably, across.

00:44:01
Take all comers and things like that.

00:44:03
This is the only way.

00:44:04
If you're going to do it, this is the only way that you can do

00:44:06
it.

00:44:06
We'll get more sophisticated and more data searches as time

00:44:09
goes on and things like that, but you can't do it.

00:44:13
The old way, the smart way, isn't going to get you where you

00:44:17
want to go anymore, and if you start looking at the outcomes

00:44:20
that people are actually trying to get to and things like that,

00:44:22
you start to say, hey, wait a second.

00:44:24
We should really rethink the problem that we're trying to

00:44:25
solve and how we solve it.

00:44:28
Speaker 1: Yeah, it's a really good point.

00:44:29
It's, I feel like.

00:44:32
I feel like that's a problem, that obviously it needs to be

00:44:38
solved, but it can only be solved by the people that have

00:44:43
done it for that long.

00:44:45
You have to have the experience with it.

00:44:47
You have to be able to say, oh, this is a bad workflow here.

00:44:52
Like this doesn't make sense for 99% of the organizations out

00:44:56
there.

00:44:56
And finding that new way to work, especially with the cloud

00:45:02
and how dispersed networks are, it sounds like that is, honestly

00:45:08
, it's probably the only path forward that we have, and I'm

00:45:14
sure in 20 years we'll look back and be like, oh, we have this

00:45:18
other brand new thing that allows us to prioritize things

00:45:24
differently, but that's 20, 25, 30 years away.

00:45:29
If we're talking about the modern day cloud and how it

00:45:35
works, especially with on-prem connections and whatnot, that is

00:45:42
the only way to go forward with it.

00:45:46
Speaker 2: Yeah, architecturally , in a lot of ways, the way that

00:45:50
this thing works is it's modeled on the way that EDR

00:45:54
works.

00:45:54
So EDRs if you understand how EDRs really do their thing they

00:45:58
collect metadata about what's occurring on a device, they ship

00:46:01
it up to a cloud backend.

00:46:02
They do their magic on the cloud backend, then they send

00:46:05
back to terminations, to the agents that are on the devices.

00:46:08
We're doing something kind of conceptually similar where we're

00:46:12
taking the data coming out of the infrastructure itself no

00:46:16
agents deployed or anything like that, no sensors, no agents, no

00:46:20
hardware and bringing it all to a cloud backend doing analysis,

00:46:24
and then we can respond to our APIs through whatever your local

00:46:28
native infrastructure is to be able to respond to attacks or

00:46:32
whatever else that you care to respond to.

00:46:34
And the cool thing about it is that, much like an intrusion

00:46:37
detection and prevention engine, our system works in real time.

00:46:40
It is not a store and query system like a Splunk or an XDR

00:46:44
or a lot of the technologies almost all the technologies that

00:46:46
are out there we, I think, almost uniquely, do what we do

00:46:51
in real time.

00:46:52
We can look back we have look back capabilities and stuff like

00:46:54
that but we're actually as data arrives, we analyze it, run it

00:46:58
through our processes and our models and things like that.

00:47:01
If we see something happening, we can actually respond as it's

00:47:04
happening too, which is once again architecturally like.

00:47:07
I'm a person who thinks about things for a long time before I

00:47:11
execute on them.

00:47:11
In fact, I thought about this for 10 years before somebody

00:47:14
else executed on it, and then it would come to be the CEO, which

00:47:17
was great, but the Sometimes there really is only one kind of

00:47:27
given the technology of the day , one way to go about it, and,

00:47:30
from my opinion, this is it.

00:47:36
Speaker 1: Yeah, being able to alert, you know, while an attack

00:47:41
is going on or while a compromise is going on.

00:47:44
I mean that's really critical, right, Like it's a.

00:47:50
You know it's probably a stupid statement saying that it's

00:47:54
critical because it's obvious, but it's not obvious of how many

00:47:59
solutions out there.

00:48:01
You know that even claim that they can do this and, you know,

00:48:06
fall short.

00:48:07
And there's many companies that have been compromised for, you

00:48:11
know, significant amounts of time.

00:48:13
The average compromise isn't detected for like six months or

00:48:17
something like that.

00:48:19
You know, and that's with all of the modern day technology that

00:48:21
we have.

00:48:22
And you know this is the same for large companies and small

00:48:28
companies.

00:48:28
You know, like they have 300 people on their security team

00:48:32
and then companies with, you know, three people on their

00:48:34
security team.

00:48:35
They're experiencing the same thing.

00:48:37
So it sounds like this solution is really like leveling the

00:48:41
playing field in a way, right, because it's, you know, one.

00:48:46
You don't need to be a network expert to dive into this thing.

00:48:49
At least it doesn't sound like it.

00:48:52
It works across all the platforms and it allows you that

00:48:59
if you're curious, you can dive into, you know, a certain

00:49:03
request or whatever it might be more, and find out the details

00:49:07
about it.

00:49:07
That's a really interesting solution that you have there.

00:49:13
Speaker 2: Thanks, yeah, it's, you know it's.

00:49:16
We believe obviously, or we wouldn't be doing this, we

00:49:21
believe it's a game changer, but it is.

00:49:23
You know time is a factor, obviously, in every attack and

00:49:28
the interesting thing, you know so there are, to your point,

00:49:31
there are advantageously few technologies that are able to

00:49:34
actually detect and respond in real time.

00:49:37
So EDRs one, ips and NGFW are another, and there's not really

00:49:40
a whole lot else out there.

00:49:41
So the very, very sharp end of the spear, technologies like

00:49:44
those are kind of it.

00:49:48
I guess WAF is to, for example, to, you know, get back to the

00:49:51
plane.

00:49:51
But the next level down.

00:49:54
But and the thing to understand is that you know EDRs run in

00:49:57
block mode all the time.

00:49:58
It's very natural.

00:49:58
But like most IPS, detection logic does not run in block mode

00:50:03
.

00:50:03
You know, we saw kind of 80, 20 , even at the sourcefire days,

00:50:08
when we were the premier intrusion prevention platform

00:50:12
out there, only about 20% of our customers actually ran our

00:50:17
stuff in.

00:50:18
So you know the the fascinating thing about it is that the the

00:50:25
next step is essentially getting into an eventing pipeline where

00:50:29
, you know, an analyst looks at it and decides if it's

00:50:30
compromised or not and then does something about it.

00:50:32
But in between, that is the ability to recognize something

00:50:37
going off the rails in real time and signal out to your

00:50:39
infrastructure to do something about it.

00:50:41
So it isn't quite you know at the point of attack, like you'd

00:50:44
have with an EDR and NGFW, but it's you know, as soon as

00:50:48
compromise is recognized, we can respond, which is like is

00:50:51
pretty cool.

00:50:53
And we also have the ability to respond to things like

00:50:55
governance issues.

00:50:56
So, for example, if I see configuration drift happen, say

00:50:59
you've got like Wiz and Wiz figures out hey, dev and Proud

00:51:03
are talking to each other in your cloud app.

00:51:06
You need to fix that.

00:51:07
And then you go do it.

00:51:08
And then you know push comes out of staging and all of a

00:51:10
sudden Dev and Proud are talking to each other.

00:51:12
A Wiz style CSPM is.

00:51:14
We're not going to see that till the next scan cycle.

00:51:16
We see it as it happens, we see it in real time.

00:51:18
But we can even signal back to Wiz and say hey, by the way, you

00:51:22
know this just happens, so you might want to take a look at it

00:51:24
and make a determination.

00:51:25
Or we can signal to their you know the operations team and say

00:51:28
, hey, we just saw this and this is contrary to your

00:51:31
configuration directors.

00:51:31
Hmm.

00:51:34
Speaker 1: Man, well, I feel like we could talk for another

00:51:37
two hours easily, you know, but unfortunately, you know, due to

00:51:42
time, we have to cut it a little short.

00:51:43
I guess not short, but we have to, you know, delay our

00:51:49
conversation, right?

00:51:50
But, martin, you know, before, before I let you go, why don't

00:51:55
you tell my audience, you know, where they could find you, where

00:51:57
they could find your company and all that good information if

00:52:01
they wanted to, you know, find out more about your solution.

00:52:04
I'll put all the links in the description of this episode, of

00:52:06
course.

00:52:07
Speaker 2: Yeah, absolutely, natigraphycom.

00:52:09
That's where I am these days and that's you know.

00:52:14
If you take a look at the website and start digging into

00:52:16
it, you'll see what we're up to and what we're useful for.

00:52:19
If you want to get a demo, we're always happy to demo for

00:52:21
people and you know there's a lot that you can look at on the

00:52:26
site and if you're looking at the site and you're looking at

00:52:28
the screenshots, asking yourself , wow, does it really look that

00:52:30
good?

00:52:31
It does look that good.

00:52:31
Our GUI is awesome and it's also composable, so you can

00:52:35
actually make your own dashboards and things like that.

00:52:38
So, yeah, it's an extremely powerful system.

00:52:40
But, natigraphycom, please check it out.

00:52:45
Speaker 1: Awesome.

00:52:45
Well, thanks everyone.

00:52:46
I hope you enjoyed this episode .