Episode Transcript
[00:00:00] Speaker A: Oren, welcome aboard. Thank you for joining the show today. I'm so happy to have you.
[00:00:04] Speaker B: Thank you for having me here. I'm super excited.
[00:00:07] Speaker A: Wonderful.
I want to jump right to the chase.
Tell us the worst kind of, you know, emotional stressful situation that you were dealing with in cybersecurity.
[00:00:22] Speaker B: It was five or six years ago. I flew in to help a bank. They thought they had a ransomware event. They thought. I flew with my other co-founder, Adid, there. We sat down, went into the bank, a big SOC, amazing screens. Everything is on red.
A ransomware attack in the bank. Now we're sitting down in front of the screens and I'm asking, is that a real like cybersecurity event? They said, we don't know. So the next question was, is that a ransomware event or you are trying to print something and it doesn't print?
And then a bit of embarrassment and then they realized they saw that it was a ransomware event in the entire bank, but they couldn't print anything because one of the security controls thought that when you are sending to the printer to print something, it's a ransomware attack. So everything was blocked. So they actually didn't print mortgages for anyone for a day. And it was like a lame false positive, I will say. But that was embarrassing because I was a part of the team that was responsible for the product that was deployed there. So it was. Yeah, it was.
[00:01:33] Speaker A: So they were being held, you know, they were being held at ransom, but it was by their own, you know, quote unquote, security guard. I love that.
[00:01:42] Speaker B: Yeah. And it happens to everyone. You cannot imagine. Like every practitioner you will sit with, he will say, yeah, I blocked some business applications in the last two days and something didn't work because I've done everything good. But the product actually blocked something. So, yeah, it's pretty common.
[00:01:59] Speaker A: That's amazing. So I mean, what was the root cause of that? Was that just a configuration error?
[00:02:06] Speaker B: Eventually, when the security vendor, any security vendor, when they built the controls themselves, like an EDR, operating system firewall, WAF, SASE, all of those, everyone is building amazing controls or products and they also validate false positives and they validate it to be 99% bulletproof because there is no 100% in false positives. So globally, that's amazing. You have 100,000 customers.
[00:02:35] Speaker A: Crazy.
[00:02:35] Speaker B: 99% true positive. But for the 1% of false positive, that means that the developer sat down at the office of a manufacturer, created an internal application and this application was built very well for the business unit that needs it. But eventually, when the security control saw it, they thought it's a bad actor, but it's not. It's just a bad development. So in some of the cases that I've seen, it's not the mistake of the vendor and it's not a mistake of the developer. He actually developed what's needed, but maybe with some mistake. So I cannot blame anyone.
I can just say that every practitioner has seen that in the last 48 hours. If he sat in front of his logs, he.
That's not real. So that's a false positive.
[00:03:27] Speaker A: It's. It's funny. My wife's a physician, so she says when you're the 0.1%, for you, it's 100%, which is exactly how it feels. Right.
[00:03:40] Speaker B: I love that.
[00:03:41] Speaker A: I love that. Both health and cybersecurity.
So, Oren, I want to ask you, when a lot of stuff has happened over the last two years, when it comes to cybersecurity, one might say more than in the last 10 years in some ways, especially due to the introduction of ChatGPT, what is the most scary thing for you today in cybersecurity? What is the, let's say, number one threat that's on your mind and on the minds of security officers around the world?
And maybe those are two different things, maybe it's not the same.
[00:04:19] Speaker B: Yeah, I think it's a unique role. First of all, it's the Chief Product Security Officer. It's not the CISO. It might be the system, by the way, but it's more of the Chief Product Security Officer, because he needs to think about the product security. Now, it's not the DevOps, it's not the security teams. They're responsible to find something bad. But with what you said just now, ChatGPT, I am seeing so many challenges and again, so many responses to it from the industry.
To resolve the challenge in the usage of the GenAI, when I've built before some dashboards and some SIEM tools in the past, one of the questions I've got is, can you tell me if a user exfiltrated data into my GenAI that is used internally or he sent it to his own? It's like uploading to a Dropbox, a personal Dropbox. Everyone knows this use case, everyone wants to block the personal Dropbox, but the company Dropbox you want to upload there. Can you do that with the GenAI tools, detect the action itself? But from a security standpoint, can you validate that the tools that you deployed are not using GenAI and exfiltrating data? It's like we are regular to purchase products, deploy them and they should do an amazing network management like SolarWinds.
But then someone deploys malicious code and then all of the users are getting the malicious code and then everything is exfiltrated as said or stated in the news. But it's the same. You will deploy a product that is utilizing a GenAI. Can you validate? No data is sent outside of your boundaries. So I think this is something that we see now with lots of companies that are building a protection against GenAI attacks. But I will just say it's not just an attack, it's just data exfiltration or DLP even, but on GenAI because everyone is using it. So I think this is something massive because it's how to manage.
[00:06:36] Speaker A: I mean this is absolutely terrifying because it just takes the level of the attack to a whole new. A whole new level that it was hard, I think for us to imagine maybe five, ten years ago.
We, you know, with the election in the United States, we've had a little bit of these teasers. I don't know that it's actually happened that much, but what we've been, you know, made to be afraid of is, you know, a completely generated, you know, fake speech by a politician. It doesn't even exist. And in the same way, right, we get an email that is generated by GenAI.
[00:07:15] Speaker B: Wow, I have a story on that. I have a story on that. Ari, you must hear that. I have a story on that. I've sat down.
[00:07:21] Speaker A: Yeah, first tell us the story and then I'll finish my question.
[00:07:25] Speaker B: Okay, cool. I've sat down at RSA in a presentation there. I will not say with whom.
And the speaker was someone from the US government. That was a few years ago. So I feel comfortable to say or to tell the story. And he was asked, have you seen the usage of deepfake in the government level? A government against government. And the story he told on the stage was the following.
One of the, I don't know, ministers in the US called his equivalent in the Ukraine.
He started to speak with him after 10 minutes of discussing internal affairs, of course, between the two nations.
He asked a question that the other side responded like the Ukraine side responded, but wanted to know a bit more about something. Now, the US representative, he asked a personal question. Then he realized something is wrong. He asked a personal question and from his testimony, the other side started to scramble. It was like, what? What does it mean? He was like, very, very, he didn't understand what I've asked and then he disconnected. So what they found out is that yes, a deepfake was used between governments because even in product today, and you can do that if you want, you can record yourself. I was recorded with our marketing team and they told me now I can actually use your voice just on every video. I just need a text. So then he used ChatGPT for the text. He used my voice and cool. It works a bit like strange but I heard like a French guy, not an Israeli one. So it's funny. But I think the usage of the deepfake in the government, it's already here, it's already done. They've already seen that. What will happen in a year, no one else, my lord.
[00:09:29] Speaker A: I mean there's a little bit of a rat race here happening or an arms race where even the problems that we have today, so for example, you know, GenAI, and maybe this is not right today, but it was right six months ago, had issues with text. So if there was text in a GenAI image it didn't look so good. I think this has already been solved. So we're in this arms race where the attackers are getting better, the defense is hopefully getting better. I haven't seen, maybe you can share with us, but I haven't seen great solutions to detect generated video, deepfakes, yet.
Is this now just another problem that we're going to have to deal with in our lives or you know, are there smart ways to prevent these issues when it comes to deep fakes?
[00:10:19] Speaker B: First of all there is a personal way like a consumer side. But I will ask first, who is the target as well? In cybersecurity I've done offense over the years. I've also of course done defense most of my years. I know in Verity I'm doing defense, but the question is what is the target of the attacker, what is he trying to achieve? He's trying to go after a consumer to steal something personal or the target is to infiltrate an organization by luring a user to just double click a file. So you just need one phone call to succeed or it's something massive or more than that. For the consumers, the best way that I've heard, because it's very hard to protect consumers, because a consumer will not pay the amount of dollars that will be paid in the industry on a big security and heavy security product. They need something for consumers. So maybe there are products for consumers for that. I have not seen something look so shiny. But the easiest way is just to have or to ask a personal question, because that's the easiest way. And you can put it on not after 10 minutes, but just wait for 20 seconds to do it. So this is one way to do it, but to do that inside an organization that the attackers will use the deepfake. I think the attack in Vegas, I think it was the MGM, right?
They got, they got attacked there. I think it was MGM. Never mind the thing, there was someone from the desk, the system got the phone call from the IT manager saying I need my password please. So they said okay and just gave him the password.
Maybe they've used a deepfake, maybe they didn't. It was a human error there. So it's more of training and this kind of stuff.
I'm not seeing like massive products today because when you are thinking about the market, the question is who will purchase, right? Is that a consumer or the business? Does the business have this as a massive challenge, like phishing, like ransomware, like vulnerability, patch management or. It's a small portion of it, I think still from a state of mind, it's a small portion. But that's why if you will open a startup today, in three years you will have the technology that will answer the challenge. That's how it's built. You have a vision, that's a vision that you've just put on the table. But what will happen in three years, you need to start to develop now.
[00:12:58] Speaker A: Yeah, that's such an important paradigm that you're describing, right? You have a very organized entity, right? If it's organized crime or countries, whatever that are trying to attack a. And they're, they're small, they're united, they're organized, they're funded. And really they're attacking a another entity which is completely disorganized, has no funding and is not even thinking about the problem on the day to day. And that's all of us, right? That's the population at home, it's mom, dad, grandma, our children.
It just creates this, this distance, right, in skills and capability that the question is, well, do we even have any chance to fight against it? Let me ask you a question. What do we need to do here? Is there legislation? Does the government need to get involved? Do we all need to have cybersecurity classes at school when we're studying?
Is there any hope?
[00:13:56] Speaker B: Government getting involved is.
You have an upside and a downside. Yeah, an upside, by the way.
And in the US there is a definition from the government like an MSSP. I will say that a governmental MSSP that collects data from the different sections in the government, I'm not a part of this project, I just heard about that. And then they analyze it for those hospitals, manufacturing, they assist them, they alert them like CISA KEV or any CERT, a global CERT or US-CERT for example. He alerts actively the organizations managed by them on the attacks, but they are not obligated, some of them not obligated to send their data out.
That's the thing. But the government gives us the service of alerting us without getting the data from us. Now as a consumer, no one cares because we are actually consumers. So what? So I get a ransom on my laptop at home with my son. So nothing bad happened. I will format it. It's not a managed organization or a government managed organization like an oil pump organization that the uptime of the organization is important. Maybe some secret sauce inside that no one wants to share with the Chinese or the Russians or someone else. So the government will be there. I will say that I've seen in a few CERTs that we are working with, like governments, that we've seen that they are looking to improve the security of managed organizations and not just a spread of consumers, but in some cases the consumers themselves are creating the groups to protect themselves. You can go to Telegram, I can send you some groups there. It's like you get alerts from all of the types. The question is what can you do with it? But consumers are building tools for consumers, like a tool I've seen two weeks ago, I think you get an SMS smishing and then you put the entire SMS, that copy paste, into a website that just someone built for free. And then you get if it's a phishing SMS or not.
Simple. So it's simple, you don't need to pay for it, you don't need to install any agent on your phone. But would you go to every SMS to do that? Would you remember it? That's training, that's awareness that I don't think everyone will have training in awareness.
[00:16:26] Speaker A: We're kind of expecting that our utilities and I'm comparing text messages and phones now to water and gas and electric. We kind of expect our utility providers to kind of just be secure. So as a. I'm not going to check every SMS that I get.
I'm hoping that Google, I'm on Google Fi, that's my utility for my phone. I'm hoping that Google is monitoring this shit and is preventing bad actors. I can't imagine, you know, having to check every text that I get manually. That's kind of ludicrous what would you.
[00:17:02] Speaker B: Pay 25 bucks for an anti malware protection on your phone, on the four phones you have at home. So 100 bucks a month for that. As a consumer, that's at 1200 bucks a year to protect my malicious SMS.
[00:17:15] Speaker A: Yeah. You know what, you know, with the average, you know, average salary in the United States mean salary of $67,000. That's a lot of money, right. People don't have, you know, a lot left, you know, after all their expenses, to be like, oh, I'm gonna, you know, think about, you know, cybersecurity, you know, that's, that's not on the table. Quite honestly, I agree with you. You know, it's a difficult conversation, right, because we, we intuitively think about government that, you know, well, we don't want government getting into everything, Right. We don't want to pay more taxes for government to do a bad job.
[00:17:51] Speaker B: Yeah.
[00:17:51] Speaker A: And yet another thing. But on the other hand, we have these things, right, that if government won't do it, nobody's going to do it because there just isn't a structure of incentive for anybody to care. Right. So, sure, if you're a corporation, like you said, then, you know, that corporation cares and the government cares if that corporation is going to stop, you know, the ports or the oil or something like that. But if you're just a person, you know, probably the only person who cares is maybe your insurance company. So maybe they're working on your behalf. And it's a situation where we really want to figure out who's taking care of the things that nobody cares about. And that's really where we want government to be active. Do you think that there, there needs to be like, there's an FDA, right, that takes care of, of food and drugs. Do you think we need a security, you know, organization similar to the FDA?
[00:18:44] Speaker B: I think they will have a hard time to get budget because if they will show that they've blocked 20 ransomware events in 20 different hospitals, okay, you've paid for it and that's fine. The tax money pay for it.
[00:18:58] Speaker A: Right.
[00:18:58] Speaker B: But if they will show that they were able to alert or to block an attack on 20,000 laptops in D.C. that are not related to the government at all.
[00:19:13] Speaker A: What's the ROI?
[00:19:14] Speaker B: What's the value? Yeah, it's okay. Format them and move on with your life. Just back up, do MFA.
I think that their focus will be, not forever, but for the next few years, on critical infrastructure. And you said that the examples are that they are improving. I will say, like ransomware in a hospital or a healthcare organization is something very common, unfortunately.
[00:19:39] Speaker A: Right.
[00:19:40] Speaker B: But what they've realized is they will get hacked, how much time will it take them to recover. So recovery planning, that they will get in eventually, someone, like a mistake, you'll get a phone call, you'll open a malicious file, like something bad will happen. But what I've seen in four occasions in a year in ransomware events in different hospitals, the first one it took them like three weeks to recover. But it's the same government. Government done their training, the research. They've called all the other ones and said you have an open check, you can buy any backup service or application you need and store them. They have like a month after another one, that's two weeks, the month after or the two months after another one that was a week of recovery. And the fourth one, it took them like a day and a half because they were trained with the recovery. Because you can block 99% with the tools that you have. You can do that, that's what Verity does. But you can actually take the controls and block everything you can, all the exposures, vulnerabilities. Someone will get in, so he will succeed. So disconnect everything, throw it to the garbage. And if you take the 24 hours and just come back. There is a hospital in France, it took them three months because they didn't have anything. So all the patients needed to move. I think the governments are doing good. They have their budget more for the managed organizations.
[00:21:09] Speaker A: That's such an interesting paradigm. I mean, we think about security of, oh, we just need to protect ourselves. But what you're introducing is this vertical of, well, actually it's not only about protection, it's also about recovery. Right. If I need to be 99.9999% secure, but my recovery takes, you know, three months. Maybe it's better to be 98% secure but have a recovery of two hours. That is such an interesting paradigm.
I don't think that's a discussion that I've had, you know, so far. So I think that's such a wonderful insight. I really, really appreciate. Is this something on the top of mind for organizations around the world? Are they practicing their recovery processes or is this just not something people are thinking about?
[00:21:58] Speaker B: They are saying that they are practicing it. They are signing the compliance tools that they have done that. They've paid for the data centers in east and west in the cloud, they've paid for the on-prem data centers in Texas, in Nashville, because they wanted it to be in different locations.
Did they test it? I don't know. Because that means you need a downtime. So let's think about it. You have a bank and now we have a training in a month. We need to move to the backup now. It's a must. They must do that. Would they do it fully?
That can be a disaster by itself because they have not worked on the offline tools, they worked on online. They want to move to the offline now. A question. Will the CISO approve? Will the CIO approve for them to move before they check if it's updated? On the day you get called, you don't know if the backup processes are updated. What are the versions? You just go and you open the door. Okay, let's take it, let's move. That's what you do on day one. So would they give their teams, okay, you have from now, start, move to backup. They will take down the entire bank. So they prepare for it and they validate it upfront and they upgrade and update the backup services. And they must do that. So it's a good training, but they are not training themselves for the real life, I think, because in the real life it will not work. You will move to backup and then, I don't know, someone just cut the cable. That's life. So are you trained for that? I don't think so. I know that everyone is doing it. You must, you will not have compliance if you have not done that.
[00:23:42] Speaker A: But how such an interesting.
Yeah, that's such an interesting comment. Because what you're saying really is there is a difference between a simulation and a test and real life. And the thought of just going and you know, you know, saying, well, we're actually going to move on to the backup side and delete all our active data is horrifying. It's terrifying. It's downtime, it's potential loss of data. But if it's already happened, then you're like, well, now you're the hero. You're trying to save the day. But if you're advocating, oh, we should have a, you know, a 100% accurate test, which you're actually saying, oh, I'm gonna open myself to actual risk where it was not necessary. So making that decision is almost impossible. So really what you're trying to do is, oh, let's try and simulate this to the nth degree, which is incredibly, incredibly difficult.
[00:24:32] Speaker B: Yeah. And remember, if there is a CISO, a CIO, not head of infrastructure, infrastructure security, head of. He will be there for 12 years, 15 years, maybe seven. If he's also in the DevOps and Cloud, they will do it for years. CISO and CIO are changing roles. CISO is moving. So he came to a company, he's done the training to the team. He explained what is the definition, what needed to be done. He's done the two security control assessments that he needs to do on a yearly basis and then he moved on.
So now it's someone else's problem. So it's not someone else's problem.
He didn't train himself in this organization and he didn't tell them that they need to be trained. So I hope the CISOs that are coming or coming to a new organization, one of the first questions is where is our DLP? Okay, show me. Nah, that's not how it should work. I need some budget because I need to be prepared. I hope that when a CISO is getting in, that's the question.
[00:25:35] Speaker A: Yeah, and I know exactly how that conversation goes with the, you know, the CEO or whoever holds the budget. Like, well, you know, we've all been down that path.
[00:25:45] Speaker B: Unfortunately we need to reduce like 50% this year. So you can dream, but you need to reduce 15%.
[00:25:52] Speaker A: Yeah, this is, this is true. It's. It's never on anybody's mind until you're the day after an attack, then everybody's thinking about it. But if things have been good for five years, why would I increase the budget for my, you know, disaster recovery or for, you know, whatever. It's like we're, we're okay, aren't we?
Until we're, we're, you know, day one after a hack, then everything changes.
[00:26:16] Speaker B: Of course there are a few ways to look at it, like there is a missing point here because there are compensating controls for everything. For a user theft, enable MFA. For the running of an exploit on a server that is exposed outside, enable an intrusion prevention system signature in your IPS of your Palo Alto or Fortinet or Check Point or whatever.
If you are targeted by malicious files, just use your sandbox and you will reduce the risk dramatically.
This is one. Second is a different question. I think the world has changed in the last 15 years in the following question.
From your standpoint, as a practitioner or as a manager of security in an organization, when you are coming to the security organization, do you think the attacker is already inside? What do you try to block him, infiltrating or exfiltrating? Because 10 years ago I heard like, yeah, exfiltration, they're already here. I just need to block them on the way out. So anti Box tools and to analyze processes, like all the EDR that came to the wall like crazy, DLP that you want to validate the data that is exposed.
But then the detection world came. So you are not blocking, you just detect and respond. So data came successfully and then you respond to it. You respond very fast. You want to reduce the MTTR, like mean time to respond.
[00:27:45] Speaker A: Right, right.
[00:27:46] Speaker B: With automations, AI and the EDRs. But again, is the attacker inside or not? I think we are not asking ourselves that, or something was changed there. I'm not seeing lots of people asking that anymore lately.
[00:28:01] Speaker A: That's so interesting. Oren, there, there. This was. First of all, this was an amazing discussion. I appreciate it. I. I think not enough do we get to really get our hands dirty at this level. So I appreciate it. I want to ask you one last question and we ask all our guests this question. It's a personal question, not so much about security.
If you had to go back to 20 year old, 20 something year old Oren, what advice would you give him?
[00:28:33] Speaker B: There are three, I think.
First, buy more bitcoins than you have.
[00:28:41] Speaker A: No hack answers. No hack answers?
[00:28:44] Speaker B: No. That's like definitely something that I will do.
Second, remember that when you're going to the academy, it's not the real life because it takes time. When you go to the academy to university, you learn not cybersecurity like computer science and math and then you come to the real world and shit, it's different.
So realize upfront that you need to have experience and it's not only about your academic background. And third, don't stop playing the violin. I was playing the violin from the age of four until the age of 18 and I stopped because I've joined the army for 14 years, so I've stopped. So I will tell myself, don't stop because it's for you and for your kids. Because when I'm playing today to my daughter, she's looking at me like that. And that's the best time of the day. So don't stop playing because you can actually be a musician if you want.
[00:29:52] Speaker A: I absolutely love that. Oren, thank you so much for your time today. I appreciate you.
[00:29:57] Speaker B: Thank you very much.