
This Week in Enterprise Tech Episode 553 Transcript

Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show.


Lou Maresca (00:00:00):
On This Week in Enterprise Tech, we have Mr. Curtis Franklin back on the show with me today. People are worried about their personal and professional devices, while the current administration just unveiled a new initiative designed to provide a higher degree of assurance for people and their devices. We'll see if that's gonna work. Speaking of cybersecurity, today we have Adam Gavish, he's CEO and co-founder of DoControl. We're gonna get into just how you and your organization can remediate data exposure fast. You definitely shouldn't miss it. TWiET on the set. This episode is brought to you by Cisco Meraki. Without a cloud managed network, businesses inevitably fall behind. Experience the ease and efficiency of Meraki's single platform to elevate the place where your employees and customers come together. Cisco Meraki maximizes uptime and minimizes loss to digitally transform your organization. Meraki's intuitive interface, increased connectivity and multi-site management keep your organization operating seamlessly and securely wherever your team is. Let Cisco Meraki's 24/7 available support help your organization's remote, onsite, and hybrid teams always do their best work. Visit meraki.cisco.com/twit.

TWIT Intro (00:01:15):
Podcasts you love from people you trust. This is TWiT.

Lou Maresca (00:01:28):
This is TWiET, This Week in Enterprise Tech, episode 553, recorded July 21st, 2023: Holy Grail of SaaS Security. This episode of This Week in Enterprise Tech is brought to you by Cisco Meraki. With employees working in different locations, providing a unified work experience seems as easy as herding cats. How do you rein in so many moving parts? The Meraki cloud managed network. Learn how your organization can make hybrid work work. Visit meraki.cisco.com/twit.

(00:02:05):
Welcome to TWiET, This Week in Enterprise Tech, the show that is dedicated to you, the enterprise professional, the IT pro, and that geek who just wants to know how this world's connected. I'm your host, Louis Maresca, your guide to the big world of the enterprise. I can't guide you by myself. I need to bring in a professional and an expert in his field, starting with our very own Mr. Curtis Franklin. He's principal analyst at Omdia and the man who knows everything about the enterprise and pretty much lives and eats it. Curtis, welcome back. Thank you. Been traveling a little bit this week, huh?

Curt Franklin (00:02:36):
I have. I got back late last night from out in the desert. Spent the week with a vendor, Splunk, as it turns out. Heard a lot of interesting things. The best part of any of these industry gatherings is getting to meet the people. Spent a lot of time with Splunk executives, with their partners, and perhaps best of all with their customers, hearing about how they're using technology, what they're worried about, what they're hopeful about. So lots of good stuff going on, and eventually I think I will be adjusted back to the Eastern time zone and fully rested just in time to head back to Las Vegas for Black Hat and DEF CON.

Lou Maresca (00:03:23):
You know what, I'll give it to Splunk. They've definitely developed a huge community and a huge ecosystem, and they just keep it alive. They just kind of keep pumping energy into it. And so did you feel like there were a lot of customers there, like a lot more than usual? Or was it pretty heavy?

Curt Franklin (00:03:41):
It was a heavy customer focus, and you're absolutely right. There may be other companies that have a user group as passionate as Splunk's, but I think it's rare to have a user community that is both the size of Splunk's and still has the passion. And it's wild to see what the customers do with it as part of their job. And then it's always fun to hear about what some of the engineers do kind of on their own time. People are always coming up with really entertaining things, you know, people instrumenting their toy train layout, that sort of thing. But it's really entertaining to see a lot of good people. And I have a lot on my head. I'm in the process of writing up some of my thoughts.

(00:04:42):
But I will say, just real quickly, one of the things that was interesting: you can't have a conversation, you can't go to a conference in tech these days without talking about generative AI. And we had no real exception to that at Splunk. They were talking about how they're going to use it, what their plans are. The thing that I liked was that they had what I thought was a very rational approach, talking about domain expertise, not trying to come up with an AI engine that will do everything for everyone, but keeping it in a lane and keeping it trained within that lane. I think that is going to be one of the keys to success as various companies use generative AI in their products and in their services. You know, keeping a good handle on what your company is trying to do, what your customers expect you to do, and how you can make that happen. I think that is going to help with a lot of the privacy issues, a lot of the performance issues and a lot of the potential regulatory issues that we're gonna be talking about for a long time to come on this topic.

Lou Maresca (00:06:06):
Indeed, very interesting. I agree. You can't go anywhere without talking about some kind of generative AI, but, you know, hopefully it will be that it's actually helping things in the future. We'll see. Well, let's get started, because there's a lot going on in the enterprise. I can definitely tell you I've been very busy this week. Now, people worry about their personal and professional devices. I know I am. And the current administration has just unveiled a new initiative designed to provide a higher degree of assurance for people about the cybersecurity of their devices. We'll see if it works. We're gonna get into what that means. Plus, speaking of cybersecurity, today we have Adam Gavish, CEO and co-founder of DoControl. And we're gonna go into just how you and your organization can actually remediate data exposure fast. Lots to talk about there, so definitely stick around. And if you haven't already, definitely subscribe to the TWiET podcast at twit.tv/twiet. Hit those subscribe buttons. And also, if you want an ad-free podcast service, that's right, Club TWiT, that's at twit.tv/clubtwit for only $7 a month. You get all of our podcasts ad-free and of course the Discord server and all special events and lots of fun stuff. So definitely join and be part of that movement. But we do have to get into this week's news blips, cuz there's lots going on. So let's do that.

(00:07:20):
In a troubling cybersecurity update, the UAE is experiencing a sharp increase in rootkit attacks against businesses, with a staggering 167% increase reported in the first five months of 2023, according to Kaspersky's research. The Middle East region as a whole has also seen a 103% uptick in rootkits. Rootkits are often used by nation-state groups and cybercriminal rings to offer a stealthy way to gain admin-level control over targeted hardware or even software. Now, James Maude, lead security researcher at BeyondTrust, notes that while ransomware threats have dominated headlines, rootkits remain a potential weapon in a hacker's arsenal. Now, the UAE general manager of Rexs says that, once a rootkit is installed, attackers can actually launch attacks at will, from ransomware to keystroke monitoring. Despite evolving security architectures, loopholes remain, particularly where users have local admin privileges and systems are left unpatched. These provide a pathway for attackers to escalate access and install rootkits, leading to potential total system compromise.

Curt Franklin (00:08:30):
Well, if you spend a lot of time reading Dark Reading, you know that good news is not the majority of what's on the page, but we've got some different news today. Today, seven tech companies, Google, Microsoft, Meta, Amazon, OpenAI, Anthropic and Inflection, met at the White House to announce their commitment to cooperation on sharing, testing, and developing generative AI engines and models that are both safe and secure. The points on which they're committing revolve around information sharing and testing, as well as transparency of the information they compile. That's transparency with both the government and the public. Now, what sort of protections are the companies committing to? They include security testing their AI products, in part by independent experts, and sharing information about their products with governments and others who are attempting to manage the risk of the technology. Ensuring that consumers are able to spot AI-generated material by implementing watermarks or other means of identifying generated content. Publicly reporting the capabilities and limitations of their systems on a regular basis, including security risks and evidence of bias.

(00:09:44):
And deploying advanced artificial intelligence tools to tackle society's biggest challenges like curing cancer and combating climate change. Conducting research on the risks of bias, discrimination and invasion of privacy from the spread of AI tools is a huge thing and a very good idea. Now, it has to be said that the companies almost certainly didn't get together because they thought it was a great idea. They're trying to get out in front of AI-focused legislation. The Biden administration says that it is working with Congress on legislation that would provide safeguards and regulations for this kind of technology, as well as preparing executive actions that are soon to be announced. It has been a long time since we've seen technology that caused this strong a reaction in so short a period of time. Let's remember that practically no one had ever heard of ChatGPT prior to November of last year.

(00:10:44):
And political leaders see an opportunity to show just how much they care for their constituents and how much they know about technology. That combination has the potential to wreak havoc on a budding industry and change the way US companies can compete in a global market. I think we can all agree that guardrails around generative AI are good sense, especially around how it's used. And we can but hope that the ones being put into place protect us against the genuine risks of the technology. By the way, Google and OpenAI will participate in challenges to hack their systems at DEF CON next month. I'll be there and will look forward to reporting back here on TWiET.

Lou Maresca (00:11:32):
In a significant cybersecurity alert today, vulnerabilities that could expose large portions of the computing world have been discovered in firmware produced by Georgia-based AMI. Now, these vulnerabilities were unearthed following a 2021 ransomware attack on hardware manufacturer Gigabyte that leaked vital information, including data related to major supply chain partners like Intel and AMD. Now, these flaws lie within the baseboard management controllers, or BMCs. They're small computers integrated into server motherboards, used widely in cloud centers for remote management of large computer fleets. Researchers from security firm Eclypsium found these vulnerabilities and how they can actually be exploited, potentially granting malicious actors superuser status within sensitive cloud environments. A successful attack could lead to malware or even ransomware installation, physical server damage and prolonged system shutdowns. AMI has released firmware patches available to customers through a restricted support page.

(00:12:33):
Organizations utilizing AMI-powered BMCs for server management are urged to install these updates promptly. Of course, the vulnerabilities underscore the need for stringent supply chain risk management and constant patching as a safeguard for both proprietary hardware and the wider cloud infrastructure. Well, folks, that does it for the blips. Next up, the bites, but before we get to the bites, we have to thank a really great sponsor of This Week in Enterprise Tech, and that's Cisco Meraki, the experts in cloud-based networking for hybrid work. Whether your employees are working at home, at a cabin in the mountains or on a lounge chair at the beach, a cloud managed network provides the same exceptional work experience no matter where they are. You may as well roll out the welcome mat, because hybrid work is here to stay. We know that hybrid work works best in the cloud and has its perks for both employees and leaders.

(00:13:23):
Workers can move faster and deliver better results with the cloud managed network, while leaders can automate distributed operations, build more sustainable workspaces and proactively protect the network. An IDG Market Pulse research report conducted for Meraki highlights top-tier opportunities in supporting hybrid work. Here they are. Hybrid work is a priority for 78% of C-suite executives. Leaders want to drive more collaboration forward while staying on top of, or boosting, productivity and security. Hybrid work also has its challenges, right? The IDG report raises the red flag about security, noting that 48% of leaders report cybersecurity threats as a primary obstacle to improving workforce experiences. Always-on security monitoring is part of what makes the cloud managed network so awesome. It can use apps from Meraki's vast ecosystem of partners, turnkey solutions built to work seamlessly with the Meraki cloud platform for asset tracking, location analytics, and much more, gathering insights on how people use their workspaces.

(00:14:29):
In a smart space, environmental sensors can track activity and occupancy levels to stay on top of the cleanliness of the area. Reserve workspaces based on vacancy and employee profiles, also called hot desking, which allows employees to quickly scout out a place to work. Locations in restricted environments can be booked in advance and include time-based door access. They also have MDM, mobile device management, integrating devices and systems to allow IT to manage, update, and troubleshoot company-owned devices even when the device and employee are in a remote location. Turn any space into a place of productivity and empower your organization with the same exceptional experience no matter where they work. With Meraki and the Cisco suite of technology, learn how your organization can make hybrid work work. Visit meraki.cisco.com/twit, and we thank Cisco Meraki for their support of This Week in Enterprise Tech. Well, folks, time for the news bites.

(00:15:30):
Now we have some interesting news this week. A significant move from the current administration to fortify cybersecurity standards is making headlines this week. They're unveiling the new U.S. Cyber Trust Mark. Think of it as an Energy Star for smart devices. This initiative is really designed to provide a much higher degree of assurance for consumers and owners of devices about the cybersecurity of their devices. Now, here's how it works. Products bearing this mark will indicate that they meet specific security standards based on guidelines by the National Institute of Standards and Technology, or NIST. Now, the label, set to debut in 2024, will span a range of connected devices in our homes, from smart TVs and microwaves to fitness trackers. Big tech companies, including Google, Amazon, and Samsung, have already pledged their support, but there's more than just that logo.

(00:16:25):
That's right, the Cyber Trust Mark also includes a QR code, a handy feature allowing you to scan and verify that your device remains certified against evolving cyber threats. Now, this is interesting, because normally smart devices, like in fact your refrigerator, might be out of date, and it might be a risk to your network. This kind of information transparency will extend to data collection, sharing and how security updates are applied, according to the FCC chair. And here's an interesting piece. The program is considering an annual recertification process, with third-party labs like the Connectivity Standards Alliance or the Consumer Technology Association likely to conduct those reviews. That adds another layer of credibility to this endeavor, I think. Now, the administration is also hoping to incorporate Wi-Fi routers in the labeling program, an important step, since these devices are often the gateway to our digital homes.

(00:17:16):
If you think about it, in fact, I have recently my Google devices over there that are no longer being serviced, which is kind of annoying. Now, in the end, the goal is clear: to drive the market towards creating more secure products by design and instill confidence among consumers and organizations alike. I think it's a bold move here for America's cybersecurity fabric, and it reminds us all where we as IT pros really need to be, right, that cybersecurity isn't a one-time checkbox, it's really an ongoing commitment. So I wanna bring Curtis in here, because this is interesting. Now, from an enterprise technology perspective, how important do you think an initiative like the U.S. Cyber Trust Mark actually is?

Curt Franklin (00:17:59):
Well, I think it'll be very important for a lot of consumers, because they have heard enough to know that they should be worried about their connected devices. You know, they've gotten that from the general media and from their neighbors and from the internet. What they haven't gotten is some way to do anything about it, you know, so this is one of those glorious things where, you know, it's the consumer version of the asteroid that could strike the earth and wipe out all life here. Great, I can worry about it, but there's not a darn thing I can do about it. Well, this kind of mark actually gives them something they can do about it. You choose the brands and the models that have this check mark, and you know that you've taken at least a modest step towards making sure that you're not opening up your home to electronic invasion by some sort of threat actor.

(00:19:03):
I think it's good as well, because if the consumers respond and show a bias towards buying these devices, then it will be a strong incentive for the vendors to make sure that their systems are able to get the check mark. So it can be a nice reinforcing thing. And I love it because it's not a full regulation. This isn't the government telling people, you must design systems this way. It's simply rewarding them if they do, kind of like the Energy Star thing that certain appliances get if they actually are energy efficient. So I applaud this. I think it has the potential to be a very good thing over the next, call it five years. We're just gonna have to see how the consumers in the country accept it.

Lou Maresca (00:20:03):
Yeah, I think this is a great step forward. I think, you know, especially when it comes to electronic devices, power management devices, that kind of thing, you know, there's the whole concept of UL listed, right? This is that Underwriters Laboratories stamp that your product can get. It means that your product can safely perform its operations as it's intended to do its job. You can go buy a power adapter online that doesn't have this, but you could definitely risk that device maybe catching on fire or burning a hole in your bag. And by the way, I have had this happen before, even just a small nine-volt or some nine-watt power supply, one that didn't versus one that did. The one that didn't got so hot it actually caught fire.

(00:20:45):
So I think there's definitely gonna be some organizations, some companies, that don't look for this certification or don't want to be certified, and you probably have that option to go buy them. But I guarantee that it will push the price down of those types of devices and push the price up of the valuable devices that are certified. I think that's definitely an interesting thing. The question is how far up and how far down it will be, which will be interesting to actually see. Now, Curtis, I wanna ask you another question. It talks a lot about data collection, and the fact that data collection and data sharing is gonna start being regulated. Now, that transparency, I think, brings a lot of value. Do you think it brings value not only to the consumer, but also to the businesses as well?

Curt Franklin (00:21:27):
I think it does. And let me say, let me attack each of these differently. From the consumer side, we have always in this country treated personal data as a fungible thing, something you own and something which you can, ideally with knowledge, trade for a product or service. You know, if I want something and you're not gonna charge me a hard dollar price for it, I can give you something of value, my personal information, and get it. As long as consumers know which information they're providing and know that they are providing the information, that's a great system. And I think what this does is it levels that playing field. We've gotten too many examples of products and services where they buried exactly what was being collected and how it was being collected on page 59 of a EULA that no one besides the lawyer who drew it up ever read.

(00:22:27):
So I think this is a good idea there. And on the company side, I think it's also good, cause it takes away underhanded data gathering as a competitive strategy. It makes everyone play on a level playing field. And also, just like with so many regulations, it matters a little bit less precisely what the regulation is. It matters that companies know what they're trying to do, they know what the regulation is, because they can design products, they can design services, they can build software systems to those regulations, as long as the regulations don't just keep changing. And as long as, here in the US, they don't have 50 separate regulations, one for every state, that they have to somehow try to make sense of. So I think this is a win-win. I think it will ultimately end up benefiting people and companies across the board.

Lou Maresca (00:23:31):
Sticking to the theme of costs, I like to bring that up a lot, because again, a lot of these regulations could change the landscape of the cost of things. Now, they talked about the annual recertification process. I think that this is probably one of the biggest challenges manufacturers can run into. What do you think, Curtis? Is this something that is a push forward that will be helpful, or do you think it'll actually force organizations to offer fewer options because now they have to manage this long-term?

Curt Franklin (00:24:04):
Well, the nice thing about the annual recertification is that it gets away from saying that you have to re-certify at, you know, a point upgrade. And then you get into the argument over the definition of, well, what is a point upgrade? And if we just change the labeling, does that mean we can add features and not, you know. It takes care of that. And so I think that's good. I suspect that what will end up happening is that there will be a series of labs that are certified by the government to perform this kind of testing and recertification. Because, as we all know, if it's one place, they're already backed up. I mean, before the start of the thing, they're hopelessly behind. So there will have to be multiple places you can get it done, sort of like the emissions check to get your annual sticker for your car before you can get your license.

(00:25:00):
So I think it's a good idea. I think that, unlike some people will, companies will compare it to the medical devices, where they basically have to be certified once in order to get their certification and then don't have to be re-certified unless they make a change. Mm-hmm. The result is that a lot of those systems are never changed, but you know, that's less of an issue in that specific case. Consumer stuff, people are going to drive, consumers are going to drive the manufacturers to make changes to improve their systems. And so I think we do need some sort of regular basis on which to recertify that they're still following the rules.

Lou Maresca (00:25:47):
Right now, that's an interesting take. I think the one thing I'm really worried about is the fact that this has garnered a little bit of support from some of the tech giants like Google, Amazon, Samsung, and obviously we talked a little bit about cost. The fact that, you know, there is an annual certification, recertification. That means that organizations that have the capital to do this are probably gonna be part of this program, cuz one, they get a little bit more visibility in the product lifecycle management to consumers and organizations, but it also means that they can beat out the little guy. The little guy won't necessarily be able to afford this type of thing. Do you think that this type of certification could have a huge impact on the market? Do you think that it's gonna change the landscape, now that we have a certification that means your device is safe? People are potentially only gonna, let's say as an edge case scenario, people are only gonna trust those devices, they're not gonna trust the other ones. That means that these small organizations might not be able to afford the certification, to maintain it, and then they kind of get squashed. Is that a potential here, you think?

Curt Franklin (00:26:55):
I think it's a theoretical potential, sure. I think realistically, think about it: when was the last time you went to your favorite electronics store and saw some bold garage-based startup that had a device there that you wanted to buy? It really hasn't happened since, oh, 1986. The companies that are putting products on the shelves, the products that are selling in any quantity, are large in some definition. Now, where it could play with things are on some startups, you know, Kickstarter, that sort of thing. But I suspect there are going to be workarounds and carve-outs. I think there are ways they're gonna be able to do things, you know, to make sure that it disrupts innovation as little as possible. Our government and its regulators have shown that innovation is generally one of the things they want to encourage.

(00:28:01):
And so I think they'll find a way to deal with that. You know, maybe you get the first one, you know, cheap, and after that you have to pay rack rate. I don't know what that's going to be, or maybe it's, you know, for the first 10,000 units, you know, put a 10,000-unit cap on whether you have to have this. And remember, this is not in general something that's being required, it's something that's being offered. And just like you're willing to take a flyer on something that's on Kickstarter, you know, you can take a flyer all the way around, because you have the ability to actually query the people doing it rather than being engineers stuck off somewhere where you have no idea where they are or who they are. So I can, like I said, I think it's a theoretical issue. I'm not sure that it's gonna be a practical issue.

Lou Maresca (00:28:57):
Sure. Yeah, I agree with that. You know, and again, I was trying to play a little bit of a devil's advocate there, but the reality is these types of certifications, they do add a level of trust to anything that you're buying or purchasing or using. And I definitely think it helps with the decision making. So, you know, obviously if a device costs a dollar more or even 20% more and it's, let's say, UL tested and it's something that I'm gonna be using every day and I need it to be safe, I'd rather buy that. I'd rather spend the money and buy that. And I think it will have a similar effect here. I definitely think if you're gonna want to buy something that you wanna keep around for a while, you don't wanna just say, oh, I'll spend a little bit of money and throw it out in a year.

(00:29:41):
You know, I want to guarantee that it's gonna be safe for a long period of time, then you're gonna want something that's certified with the Cyber Trust Mark. So I definitely think that this will be an interesting shift, I think slightly, but I definitely think you're right. I think the theoretical side of things is probably not gonna be that big of an impact. We'll have to see how it goes. Definitely. Thank you, Curtis. Well, I think we should move on, because we have a great guest that we need to talk a little bit with about data security and making sure that we don't leak it. So let's go ahead and jump into that. Well, folks, it's time for the guest, my favorite part of the show, where they come in and bring some knowledge to the TWiET riot. Today we have Adam Gavish, he's CEO and co-founder of DoControl. Welcome to the show, Adam.

Adam Gavish (00:30:24):
Thank you for having me.

Lou Maresca (00:30:26):
Absolutely. We're excited about this, cuz we've kind of had a theme this month of security, data security, that kind of thing. And this is just another loop in that loophole, and I want to get into a lot of details there. But before we do, our audience is a large spectrum of experiences, whether they're starting out in the industry all the way up to CISOs, CTOs, CIOs, that kind of thing, and people love to hear origin stories, they love to hear people's journey through tech. Can you take us through your journey through tech and what brought you to DoControl?

Adam Gavish (00:30:56):
Yeah, a hundred percent. So I'm originally from Israel. You can tell by my accent. I've been in the States for about eight years. I've been in network security for about 18 years. I started in the Israeli army in the intelligence unit doing network security engineering, firewalls, routers, load balancers, everything you put in a rack, quite physical but pathological. Progressed into software engineering, Java, Maven, Spring, Jenkins, all the good fellows. And progressed into product management, most recently at the Google Cloud security team, where I helped launch the gov cloud solution to compete against the amazing Microsoft and Amazon. And, you know, when I worked at Google, it was quite a sensitive project, as you can imagine. It's a big market, and of course as a product manager, I had to collaborate with external parties like my PR firm, marketing agencies and so on.

(00:31:46):
And of course I shared information with them over Google Drive, why not? The problem with that: every couple of weeks, information security would come in and open me a ticket that said, hey, I removed the permission, they're not an employee, yada yada. And after several times I asked them, what are you doing? I mean, I'm just doing my job. And they're like, oh, it's not you, it's me. We don't have the context, it's a big company. We can't have external parties have access to our information forever. And that way I just knew it: there's gotta be a better solution for that.

Lou Maresca (00:32:20):
I love to hear those, cuz you're basically trying to fulfill a need in the market. And it's a huge need. It's a big need, because we know that companies today, you know, in the best-case scenario, they have lots of SaaS applications or cloud applications. In a more complicated scenario, they have hybrid applications, they have on-prem applications, they have a combination of both. So they have data kind of floating around between all of these things, shared, not shared, that kind of thing. So why don't I start with maybe the problem space. Are you trying to solve the scenario where an organization might be more cloud native, they're focusing on cloud services and they might have, you know, hundreds of applications they use, maybe a little bit more legacy and some not, that are sharing data or maybe exposing data, and you want to catalog that and prevent that? Or what's, like, the foundational use case?

Adam Gavish (00:33:11):
Yeah, a hundred percent. I mean, it all comes down to understanding that in today's modern environment, security is not just about securing the data, it's also about enabling the business, right? Because you can't just cut the cord anymore. It worked in the past on-prem, not anymore in today's reality. Organizations use quite a few SaaS applications to push the business. Whether you are on your journey to migrate from on-prem to the cloud, or you are cloud native, it doesn't even matter. As long as you have data in the cloud, you allow your employees to collaborate over the cloud, it's game over, right? Because then you have employee data, customer information, company data, intellectual property all being stored and shared over various SaaS applications that do have phenomenal security capabilities from the ground up, right? Basic stuff like they encrypt the data that you store there, right?

(00:34:06):
Of course, the liability. The problem is that in the shared responsibility model of SaaS applications, SaaS vendors go ahead and tell their customers, oh, when it comes to your data, you own it. We give you the tool to store it, but you own the security of it, right? So you own the liability of whether it is being exfiltrated or, or stolen by either an insider threat, right? Frustrated employees or employees under legal hold or stuff like that. Or even a third party that you work with that may or may not have a, a, a good relationship with you, right? And so long story short, I think that organizations are way more exposed than ever today. But on the flip side, especially in this macroeconomic environment, you can't just stop doing business, you gotta balance between the two. So that's like the foundational problem. How do we bring context to the game to balance between the two in the equation?

Lou Maresca (00:35:06):
Now let me ask a question. Now, obviously we wanna get into what DoControl does and how it helps, but I, I'm curious about the, the former, like the, the, what are organizations doing today without a tool like DoControl? What are they doing to, to address this type of problem?

Adam Gavish (00:35:20):
A hundred percent. They, they do a bunch of stuff, right? Especially organizations who are on their path to migrate from on-prem to the cloud. So they still have the on-prem related security tools which are pretty much more perimeter-based, where they go ahead and put a fence around the data and then it is protected. But when you go to the cloud, there is no fence. It's like just everywhere and, and then the legacy technology becomes a little bit more tricky to maintain and, and, and, and to enforce the kind of security policy you want to enforce over time, right? The other thing that organizations do is to use products that are called data loss prevention, DLP, to first of all understand where do I have sensitive data, just in general create some kind of a catalog, right? Oh, now I know that I have financial information in my SharePoint or I have employee information in my Google Drive. Which is great because now you have the location of your, you know, crown jewels, but you still gotta have a good way to protect it based on ongoing user behavior, which is a big gap today. So it's not a new problem, it's just an evolving problem that requires more sophisticated tools, I would say.

Lou Maresca (00:36:41):
That's the interesting part about the sophisticated tool. Because obviously we hear a lot about zero trust, you know, there's zero trust network access, there's, you know, making sure we enable multifactor, there's least privilege, right? There's all these different principles that you should be following and starting to enable and start, you know, kind of using as your north star to, to make sure that you're securing your data, whether you have one SaaS application or a hundred. Now this is a challenging thing for organizations cuz again, it costs money, it costs time, it costs, you have to spend a bunch of campaigns internally and externally to make sure that you're getting there. Tooling is obviously great, gets you there faster. Are there, is there tooling, again, kind of outside the context of DoControl, is there tooling today that kind of gets you there or gets you closer but not necessarily what you need and, and organizations are starting to use that kind of thing?

Adam Gavish (00:37:31):
I think there are many tools that try to solve this problem indirectly. Some do it more successfully than others, but for example, security awareness tools are great in ensuring that, of course, you hit the SOC 2 Type 2 certification every year. But also making sure that every single employee, whether they're new or old, knows all the security best practices that the company has to meet, right? That's one thing. The second thing is just, you know, old school access reviews, right? Information security gathers in the room, shows up a big ass screen and goes reviewing all the different permissions. That's super labor intensive, but you know what? It works, right? It, it, it cuts the cord a little bit, reduces the liability just a little bit to ensure that everybody is happier and has more confidence about the kind of exposure they have.

Lou Maresca (00:38:23):
So I think that that makes sense. I think that obviously, you know, there, there's the old processes that people can follow that, you know, that obviously could cost you more. Definitely in time for sure. Obviously there's, there's other, other applications that target these things too. You know, we talk a lot about data loss prevention and we talk a lot about, you know, SIEM solutions, that kind of thing. And, and these all have their own purposes in an organization. Now let, let's maybe get into how DoControl kind of processes this? What, what's the target audience here? Like what, what, what, what is it actually able to do? What, what, what gaps does it bridge?

Adam Gavish (00:39:00):
A hundred percent. I have to say before I say that, this is not a sales call, don't expect me to sell anything. I just bring in a passion. We're

Lou Maresca (00:39:09):
Just here to solve people's challenges. That's what we're here. Yeah,

Adam Gavish (00:39:11):
Yeah, yeah, yeah. No, it's important. You know, some people, I dunno. So, so on a very high level, DoControl helps you to connect a bunch of SaaS applications through API connectors only, right? So it's not like an EDR where you have to install software and agents across the company endpoints. It's an experience from which we can perform a full-blown discovery of all the data that you have in multiple SaaS environments. From there, we also subscribe to the webhook events. So whenever users like you or me or third party applications consume and manipulate your SaaS hosted data, we get the event directly from the SaaS provider in near real time. This is important because these allow us to go after user behavior and compare it to the overall attack surface based on the discovered inventory. From there, we also integrate with your broader IT tools, your HR information system, your EDR, your IdP, your SIEM, to gather more business context and put it in the game to help you make more deterministic decisions, right?

(00:40:22):
It's not just showing you, hey, you have a lot of exposure in SharePoint number one to three, but more about, hey, you have employees who are leaving, from the Netherlands, sharing PII in that SharePoint site. That's a little bit more specific and way more actionable in reality, right? From there, all of those events are streamlined into a workflow. So you can set up automation around common scenarios, addressing insider threats, third party risk, programmatic risk, to help you prevent this kind of data exposure at the scale of the enterprise. But also you can schedule workflows to perform those labor intensive procedures on your behalf. Access reviews, approvals, PII scanning, all this kind of stuff can be automated on everyone's behalf to save time on tickets, on meetings, on processes, stuff like that. And eventually the holy grail is to give you a graph that shows you the kind of impact we have made on reducing your attack surface over time. For example, oh, now we have 25% fewer third party domains having access to your data, or oh, now we have zero encryption keys uploaded to your publicly available Teams channels. Nice, right? And so all of those threat models are being visualized and consolidated in a way that security leaders can communicate back to the executives and board members.

Lou Maresca (00:42:05):
Well, I do wanna bring my co-host back in because he is an expert in security and enterprise technology and I wanna get his opinion on this as well. Curtis,

Curt Franklin (00:42:15):
I appreciate it. I think one of my questions begins with, it's very easy to, to talk about this kind of protection as something that is sort of monolithic. Everybody does it the same way, you get protection. But it seems to me that this is the sort of thing that would need to be highly tailored for each company based on exactly what their data is and precisely which regulatory frameworks they have to work in. So how difficult is it to tailor this for a specific company's needs?

Adam Gavish (00:42:53):
Very difficult. It takes two years. No, I'm kidding. So eventually what happens is when we onboard any customer, right, we map out the data exposure against a number of industry common threat models, industry security standards like NIST or MITRE ATT&CK, to help them get the benchmark. Where do they stand against that? Which is great, but not enough. The game changer is to, again, use AI to cross-reference between the average insider risk or third party risk user behavior and the anomalies that occur over time and surface those findings to help security prioritize and cut a remediation plan with data in hand with the relevant business units. So for example, it's not enough to go ahead and tell the head of marketing, Hey guys, we're not allowing external sharing anymore from your Google Drive folder. That's not gonna work. Like, you literally give no context to what the problem is, right? The alternative would be, hey, head of marketing, we found out that 80% of the vendors you work with don't even review the files shared with them after one month. Moving forward, we're going to auto-expire those shares after one month automatically, as well as giving an option for your team members to renew that access self-service, right? That is very specific, data driven, with business context, to help bridge the gap between security leaders and the rest of the business stakeholders.

Curt Franklin (00:44:36):
You know, bridging that gap I think is very important. And another one that we hear a lot about is that companies have this kind of information stored in multiple places. You know, it's rare these days for a company to say, oh, I've, you never hear of someone saying, oh, we've got everything on-prem. Or, and it's rare to hear someone saying, we've got everything in one big public cloud. People are going to have things in multiple clouds. Again, is that something that, that you are able to deal with, and how, how much does that complicate things when companies are in fact scattering important and privileged information all over the landscape?

Adam Gavish (00:45:25):
Yeah, I feel like, you know, this is, there are two ways to look at it from a, from the department perspective, right? There's the provisioning aspect, that hey, we are granting access to our users to certain data sets on which they can go ahead and work. And there's the authorization, like, oh, given that they have access, what do they do with it and how do we govern it? I think security has pretty good tools today to comprehend identity access and identity integrity and identity security. And they're gonna have the ability to say, Hey, marketing, you can only work on these certain apps, otherwise we're gonna cut it, right? The problem begins where they have the access to the app, what do they do from there, right? So you have the access to, let's say, box.com. Great. What's your user pattern? Nobody knows, right? Is it okay? Is it not okay? Is it governed, is it not governed? That's pretty tricky because, no offense to Box, I love them, great company, but they don't give you good enough tools even on the enterprise tier to understand what's going on. Like, you get an admin panel that literally doesn't help you to understand, you know, what my exposure is, like what it would cause, what it may, a potential mitigation path, none of that. And this is just one app. You could deal with like 20 of those or 50. So it's exponential.

Curt Franklin (00:46:47):
Well, when you've, when you've got a tool like, like the one that you have that's suddenly brought into an organization, do you find that you are often helping companies develop the controls? Or do they always have controls in place that they're simply using your services to, to implement? How, how does that work?

Adam Gavish (00:47:17):
We deal with both, right? Not all security teams are equal. Some have a very developed and refined strategy that they certainly want to implement right away at the control. And that's cool to see because we, it can unleash the creativity, right? And the flexibility of our platform. Other companies are really relying on us to come up and say, okay guys, this is like what we see from other companies. You should implement these 15 playbooks as a starting point, and let's measure and take it from there. So it's all over the place. There's no one answer for that.

Curt Franklin (00:47:56):
Well, speaking of, of no one answer, I've got to ask, is your relationship with your customers one that you have directly, or do you work through a lot of integrators and, you know, the, the channel that so many companies use?

Adam Gavish (00:48:14):
All over the place, right? So as a startup, it's not like we are, we, we are restricted to one channel or another, right? We're working with customers directly. We have phenomenal channel partners that we work with. We are accelerating through the AWS marketplace and the ISV program, right? And it, it's interesting because the way you build your product pretty much depends on the way you sell it, and you know, if you want to sell to the channel, then you have to develop features that are not necessarily benefiting your customers, but they, they benefit your, your channel, right? I don't know, self-service onboarding or export or your dashboard or stuff like that, which we try to avoid because we try to remain customer focused. But yeah.

Curt Franklin (00:49:00):
All right. Well, as, as we start to head towards the end of our program, I've got to ask, you said that your customers are all over the place in terms of their experience, their level of maturity, all that. So if someone was interested in getting started with you as a partner, how would they do that? How would, how would they go about taking that first step towards better control of access to their data?

Adam Gavish (00:49:29):
Well, I think it comes down to your security program maturity. I'm not gonna promote myself to companies who haven't even deployed an IdP or EDR, right? First things first, of course. But assuming that you already have a sufficient security program in place and you are concerned about your SaaS data exfiltration, then come up, let's discuss, let's talk, understand your use cases, understand the channel, the alternative solutions you have tried to use. Maybe it's a technological challenge, maybe it's a headcount challenge. Maybe it, it's a talent challenge. It could be anything, right? And from there, we are really positioned to understand the situation and suggest our own solution in a number of ways from implementation, right? You could use it in a very advanced mode, right? With highly sophisticated workflows, or you can use out-of-the-box policies that require minimal to no effort. It's really up to you and your, the strategy and what you're trying to achieve, which I think is common across many security products, not just DoControl.

Lou Maresca (00:50:39):
No, and I'm, I'm actually curious, this is kind of like a, I would say a completely other end of the spectrum question, but obviously DoControl started in 2020, it's not too long ago, but you've quite evolved over the, over the years. What are some key learnings you've had? What, what are some key learnings you've had over the last couple years that have kind of taken you in a particular direction?

Adam Gavish (00:51:00):
I think the most important thing that we live by is the fundamental, and the thing is that people are people. So don't sell to them, just talk to them. Understand their challenges, understand what drives them, understand the, you know, the, the politics they have internally to get things done, stuff like that. Because that by its own unblocks a lot of the product capabilities that we have launched to help them bridge the gap, not only from a security perspective, but from a business process perspective, right? So listening to your customers, treating them with dignity, understanding their restrictions and challenges. I think those, this is like the foundation behind any success story.

Lou Maresca (00:51:45):
I agree with that. I agree with that. Well, what about, I, I wanna channel Brian Chee, who is our co-host, a little bit today. He, he usually loves to ask this question. I'm gonna ask it. I wanna see you do a little bit of crystal ball looking into the future. What, what are some of the strategies and growth opportunities you see, maybe even future developments for you guys in the coming future?

Adam Gavish (00:52:04):
Yeah, a hundred percent. I think that, you know, down the road, the hope, the holy grail would be that, you know, you grow a company and then you are like, okay, I need a CRM. Let's plug in a Salesforce. Oh, I need an EDR, let's plug in, I don't know, a CrowdStrike. And oh wait, I have SaaS applications. Let's plug in DoControl, right? It's like a no-brainer. It's like a default way to do SaaS security. But the way to get there is very hard because, very similar to IaaS, SaaS is quite complex. There are so many threat models requiring very different technology implementations, and it requires true customer obsession from vendors like us to continue to innovate on behalf of customers and build the right set of capabilities to solve for those problems. Right? And that requires consistency and world class execution, and it's just not easy but doable.

Lou Maresca (00:53:04):
Right, right. Well, unfortunately we are running low on time, but I did want to give you maybe a chance to tell the folks at home or, you know, organizations where they can go, where they can get started, how they can learn more about DoControl and obviously what it can do for them.

Adam Gavish (00:53:22):
Yeah, I mean, I'm, we are very happy to talk. Give us a thumbs up at docontrol.io. We are on LinkedIn and Twitter as well. I'm gonna be at the AWS New York City summit next week and I'm going to be at Black Hat. I'm not gonna be at DEF CON because the Bluetooth on my phone is on, so I'm gonna skip DEF CON and stick to Black Hat only, without a hat. And generally we're looking to develop relationships with security teams who are just curious about advancing their journey. Again, I'm not a sales guy, so definitely not sales oriented. Happy to learn from your experience.

Lou Maresca (00:54:03):
Fantastic. Thanks again for being here.

Adam Gavish (00:54:06):
Absolutely. Thank you so much.

Lou Maresca (00:54:09):
Well, folks, you have done it again, you sat through another hour of the best dang enterprise and IT podcast in the universe. So definitely tune your podcast catcher to TWiET and subscribe. I wanna thank everyone who makes this show possible, especially to my amazing co-host, Mr. Curtis Franklin. Curtis, what's going on for you in the coming week? Where can people find you?

Curt Franklin (00:54:27):
Well, I am back from the desert and getting ready to go back to the desert. I've got three weeks to finish a presentation and set up all of my calendar and be ready for Black Hat. And I'm brave. I am doing DEF CON again, so I will be there spending a lot of time in the AI Village, pencil and reporter's notebook proudly in hand. But in the meantime, I've this last week put up a couple of articles on Dark Reading. I'll have more there. Got some stuff that I'll be writing for our subscribers. And looking forward to hearing from the TWiT riot, you know, from Splunk's conference. I covered one of the keynotes on Mastodon and found that that was a good place to do that. So I'll probably be doing more Mastodon oriented coverage. But I am still on, on Twitter, KG4GWA. I'm on Mastodon at @KG4GWA@mastodon.sdf.org, on LinkedIn, on Facebook. Hey, come on, if you're on any of these social media pipes, look me up. Always happy to hear from members of the TWiT Riot.

Lou Maresca (00:55:54):
Thanks Curtis, for being here. Well folks, I also wanna thank you as well. You're the person who drops in each and every week to watch and listen to our show and get your enterprise and IT goodness. So go to our show page right now, twit.tv/twiet. There you'll find all of our back episodes and our guest information, show host, co-host information, show notes of course. But of course, right next to those videos there, you'll get those helpful, subscribe, there they are, subscribe and download links. Definitely subscribe to your audio version, your video version of your choice. Listen on any one of your devices, cuz we're on all of them. Definitely subscribe to the show. It definitely supports the show and allows us to keep moving along. Plus, you've also heard what also supports the show is Club TWiT as well. That's right.

(00:56:34):
Club TWiT. It's a members only ad free podcast service where you can, can get, really can't get anywhere else. If you think about it, it's ad free. You get this amazing TWiT Plus bonus feed that you don't get anywhere else and it's only $7 a month. And also you get access to the members only Discord channel. You get special events, you get to talk with producers, co-hosts, guests, whoever in the Discord channel. It's a lot of fun. So definitely join Club TWiT, be part of that movement, be part of the fun there cuz it really is a lot of fun. And of course, if you don't, if you want to join with your entire organization, there's corporate group plans as well. That's right. It's a great way to give your team access to our ad free tech podcasts. All of them there. Plans start at five members at a discounted rate of $6 each per month.

(00:57:15):
You get as many seats as you like after that at $6 each. And this is a great way for your IT departments, your developers, your, your sales teams, whoever to get access to all of our podcasts. Definitely do that. And just like regular memberships, you can join the TWiT Discord server and get that Plus bonus feed as well. So definitely join the fun. Of course, they also have family plans as well at $12 a month. You get two seats there and you, you get $6 each per month after that for each additional seat. And you can get, just like I, again, regular memberships, you get access to all the great stuff that comes along with us. So definitely join Club TWiT, twit.tv/clubtwit. Now after you subscribe, definitely impress your friends, your family members, your coworkers with TWiET because we have a lot of fun on this show.

(00:57:56):
We talk about a lot of fun and interesting tech topics. So definitely have them join as well because I find, I guarantee they will find it fun and interesting as well. And if you're available, you've already subscribed. We are, we do this show live. That's right. We're doing it live right now. Fridays at 1:30 PM Pacific Time. You can watch the show live at live.twit.tv. That's right. Go there. Right now you can see all the streams. Pick, pick, pick your favorite one, pick the lowest latency one, and we can send, come see, be behind the scenes, all the fun stuff that we do. Come see how the pizza's made. And lots of banter, of course. And of course, you can watch all my mistakes. So you can laugh out loud at that. And if you're gonna watch the, if you can watch the show live, you might as well jump into the IRC channel as well.

(00:58:34):
We have an amazing IRC group at irc.twit.tv. It jumps you into the TWiT Live channel there. And they have a lot of fun characters in there. They give us some amazing topics to talk about during the show. Some live channels, live conversations. Of course, they give us some amazing show titles as well. You can see some of them there, right there. So thank you guys for being there and being part of the fun each and every week. Definitely hit me up. I want you to hit me up on Twitter, LinkedIn, message on, just like Curtis, I'm on all of them. Twitter.Com/Lu. I get a lot of direct messages, lot of great posts, cross posts, reposts, a lot of fun stuff. I talk there. TWiT LinkedIn. I have a pile of messages I have to get back to this week. It's been a very busy week, but I guarantee by Sunday we'll have them all done.

(00:59:17):
So thank you for all your messages there. Keep the conversations going, keep 'em coming. I love, I love hearing from you. You know, of course, if you wanna know what I do during my normal work week, definitely go to developers.microsoft.com/office. There we post all the amazing ways you can make your Office experience more customized and more productive. And if you haven't, in Microsoft 365, if you pop open Excel right now, there is a new tab called the Automate tab, and it's a great tab for you to be on because it can literally take away all the monotonous tasks that you have each and every week. When you format data or you pull data in from another source, or, or you're sending out reports, it lets you record macros and actually run them in Power Automate. So you can actually convert them and, and run them in Power

(00:59:59):
Automate. You can send emails, you can, you know, you can do a whole bunch of different automations. The power of automate, Power Automate's got a lot of connectors, so definitely check that out. I want to thank everyone who makes this show possible, especially Leo and Lisa. They continue to support This Week in Enterprise Tech. Each and every week we really couldn't do the show without them. So thank you for all their support over the years. Of course, I also wanna thank all the staff and the engineers at, at TWiT because again, we couldn't do the show without them. I also want to thank Mr. Brian Chee. He's not only our co-host, but he's also our tireless producer as well. And we would love to have him back in the coming weeks. But he, he does all the bookings and the planning for the show. And I, I just, we, we just couldn't do the show without him. Thank you, Brian, for all your support. Before we sign out, I wanna thank our editor for today because they're gonna cut out all of our mistakes, especially mine. So thank you for making us look good. And of course, thank you to our TD today, Mr. Victor. Victor, it's always great hearing from you and seeing you. Any special events this week we wanna talk about?

Victor (01:00:57):
After all the stuff that happened at the beginning of the show. I'm, I'm kind of drawing a blank, but <laugh>.

Speaker 6 (01:01:05):
<Laugh>.

Lou Maresca (01:01:05):
That's okay. That's okay. Well, you know, if you're part of Club TWiT, you already know there's some amazing events, yes, that have come up. And you should definitely go listen to all

Victor (01:01:12):
Those things. I know Ant has a photo walk planned. Oh, fun. And also a, he calls it coffee time, but I think Jeff Jarvis was getting confused, but he's, it's coffee time with Ant where he critiques your photos about coffee time. So

Lou Maresca (01:01:30):
Very nice. I love that. Look

Victor (01:01:32):
Good description on, on the, on, on the Discord.

Lou Maresca (01:01:34):
Sounds good. Thank you, Victor. Well, until next time, if you wanna know what's going on in the enterprise, just keep TWiET.
