Transforming AppSec: Neatsun Ziv, CEO @Ox Security

^{This transcript was generated automatically by AI. If you find any mistakes, please email us.}

[00:00:00] Announcer: Hello, everyone. You're listening to cloud next, your go to source for cloud innovation and leaders inside brought to you by Global Dots.

[00:00:15] Ganesh: Picture this. You're finally on that long awaited vacation. The sun is setting over a [00:00:20] tranquil beach and the stress of work seems a world away. But then your phone buzzes.

[00:00:24] It's an alert from the office. A critical vulnerability has been found in one of your applications. So the relaxation evaporates, you're pulled back into a world of urgent patches, code reviews and endless battle against cyber threats. This is the reality for many of us in the world of application [00:00:40] security, but I guess today is waging war on the grunt work in search of a better way of AppSec.

[00:00:45] I'm Ganesh D'Awesome and joining us in this episode of Cloud Next is Nitin Ziv, co founder and CEO at Ox Security. And together we'll delve into how the traditional methods of endless alert noise, manual triage, and duplicated efforts are giving way to innovation [00:01:00] and solutions that redefine the industry.

[00:01:02] Nitsan, before we start, what should people know about you?

[00:01:05] Neatsun: Wow, that's a good question. One thing that I really like to do, but I don't have the time since Ox, is windsurfing. So this is definitely something I would like to find time to do again.

[00:01:17] Ganesh: That is not the answer that I expected to that [00:01:20] question, but that's very cool.

[00:01:21] Um, it's nice, nice that there are, there's a human element behind CEOs that you're, you're not just a, uh, a walking, talking, uh, cloud security machine. So I know you have this vision of eliminating grunt work in application security. Can you tell us? How that innovation gives businesses [00:01:40] a competitive advantage.

[00:01:41] And what does that look like?

[00:01:42] Neatsun: I think that the example that you started with saying you're on vacation and then something happens is something that we all know, uh, it happens to everybody, not necessarily in AppSec, but in every space of security. And the challenge is that this is our world. Now, the better and more prepared you are to [00:02:00] that event, the easier it is.

[00:02:02] And maybe this can be handled without you actually being involved in the process. And I think that in order to get that, you need a lot of maturity to understand what are the questions that need to be asked? Who should I communicate this to? Not just how do I fix it? And then where should I fix it?

[00:02:19] Because sometimes you [00:02:20] get an alert and it's. On a thousand different places, or you don't even know where should you fix things. So really just understanding what is the playbook, how should I play this specific alert, is a great progress that many don't have an idea how to even start this. So this is why you see a lot of communities just trying to understand and [00:02:40] help each other, saying, Oh, I'm doing this, I'm asking those questions, and I'm trying to communicate this way.

[00:02:45] And especially as you move to more, um, regulated and publicly traded companies, you're going to see that there are actually requirements that nobody really understands in the details.

[00:02:55] Ganesh: Yeah. I completely agree with that. And the, the birth of [00:03:00] private, uh, CISO groups on WhatsApp and Telegram definitely speaks to that.

[00:03:05] I see some very high profile people asking each other what on earth they are doing about X, Y, or Z. Absolutely. You know, it's this, it's the sort of thing that, um, media companies would love to get their hands on. I'm sure. Um, you have a very long [00:03:20] history in the world of AppSec. I know you have 12 years of working for Checkpoint under your belt.

[00:03:26] So looking on like the journey of AppSec landscape. Can you share insights on pivotal decisions and thought processes that have helped to shape the market?

[00:03:35] Neatsun: Wow. Yeah. So, uh, Checkpoint for 10 years, um, managing this cybersecurity business [00:03:40] unit. And I think that, um, during that time, we've seen quite a lot of, uh, issues that became huge.

[00:03:47] Starting with the embedded passwords inside of, uh, some boxes that somebody had to actually go and patch each one of the boxes to cases like log4j and other cases like SolarWinds and CodeCov [00:04:00] and so many other cases that we've seen out there, hacking groups, the evolution of, uh, crypto and ransomware. So we've seen a lot of those cases throughout the past, uh, 10, 12 years.

[00:04:12] And when you look on this journey, what you're actually seeing is that it's constantly evolving. Year after year, there's [00:04:20] innovation on the threat exercise and the defenders need to actually evolve back and say, you know what, if you're doing this, I will do this. And if as a defender, you're keeping the same ideas and concept that you had 10 years ago, you're going to be overrun.

[00:04:37] It's, it's a definitive answer.

[00:04:39] Ganesh: I [00:04:40] like that. It's the, the queen of hearts race where everybody has to be running at full speed. in order to stay in the same position. And if you don't, you're not running at full speed. You're going to be at the back. That's for sure. And looking at those, you know, how the market has changed over the years, can you think of some factors that have influenced your [00:05:00] strategic tool set for discovery analysis and remediation within your product?

[00:05:03] Neatsun: I think that one of the challenges that we had internally to understand is let's say that you have an exposure and at that moment you're trying to understand, okay, should I actually worry about this? Yes or no. And does it mean that the vacation is ruined? Or is it [00:05:20] just a few minutes to say, Hey, this case looks like that case.

[00:05:24] Let's do this. Or even better. My team knows how to do it without me getting involved or even better. I don't need to do anything because it's automatic completely. I think that in order to understand that you, you need to understand case by case, what is the playbook? So let's say something [00:05:40] that I helped a friend just a few days ago, I started a company.

[00:05:43] Uh, one of their passwords was embedded into the code. The code was somehow leaked by a human mistake. And at the moment afterwards, it got to GitHub. And now you get to the position saying, okay, what is my playbook? So the easy answer is, [00:06:00] okay, just remove the password. But then the password's already out.

[00:06:04] So you should probably rotate the keys. And if you're saying, okay, I rotate the keys, I need to tell the DevOps, because some of the systems are not going to work after that. And the question, okay, how long has it been there? Can I go and check the logs and see, had anybody already accessed those [00:06:20] things?

[00:06:20] What happened? And you've got a lot of follow up questions. Then you're saying, okay, if I've got an exposure, do I need to inform upper management? Do I need to tell my board? Do I need to tell my customers? And you start asking those questions and saying, Oh, wow, I don't really have the playbook. And I really hope that there is a playbook that I should follow because [00:06:40] maybe I should have noticed the fact that I should communicate this to my customers, but I forgot about this little case and now they're actually exposed and they're going to be part of my software supply chain and I'm going to be the root cause for that.

[00:06:53] Um, and you see that there is no playbook and really thinking about this through is a big deal. [00:07:00]

[00:07:00] Ganesh: That's, yeah, the, the, the oh shit moments, as I'll call them, there is no playbook for those. And it's actually, uh, it's quite frightening the number of attack vectors that a CISO has to navigate. Um, it's ridiculous.

[00:07:16] You know, when we speak to people and they say, we know we need to [00:07:20] improve our security posture. It's like, well, you have so many exposures you don't even know. Just

[00:07:29] Neatsun: one statement that I must say that I don't really agree with you saying, where do I start? Is there a playbook? So if you don't have a playbook, it means that you're going to improvise.

[00:07:39] Now [00:07:40] there was a great experiment done, uh, in one of the large companies saying, if there's an incident, this is the playbook. And somehow they go to this event, said, no, it's something small. Let's not run the playbook that you already practiced. And let's do something off script. You can imagine how it went, uh, not as planned.

[00:07:59] [00:08:00] Now, when you've got a playbook, the playbook is there because you're thinking about what you want to do next when you have time to think about it. If you're thinking on the spot and your entire management is decentralized and you're not in the same room, which is a rare commodity today, then for sure, you're going to miss things out because [00:08:20] it's under pressure.

[00:08:21] People are remote, not in a convenient place to work. They don't have all the data and not a lot of people in the same. So definitely you're going to miss something if not planning for this event.

[00:08:31] Ganesh: Going back to the theme of this podcast, reducing that manual repetitive work. And it's not just a technical issue, [00:08:40] it's a strategic one.

[00:08:41] But how do you believe the integration of automated analysis and triage processes can redefine the industry, um, and overall increase security. And, uh, you know, you get 10 points if you can answer that without saying machine learning and AI.

[00:08:54] Neatsun: Okay. I will do it without saying, uh, those terms. Uh, first of all, I don't think [00:09:00] that the, the, uh, solution goes through, uh, those technologies.

[00:09:04] Uh, they might aid, but they're not the solution trying to throw the data. on some kind of technology and say, this will solve the problem. It's definitely not going to do that. I think that the number one thing that you need to understand is first of all, what is your playbook? [00:09:20] Let's say that you know your playbook.

[00:09:21] Now it's about making sure that you can run it in a precise way and you've practiced it. Let's say that you've got a technology that you're going to run for the first time ever. So the probability it's going to work is not that high. Now, if you're constantly using this technology and you polish the results and you [00:09:40] see the end cases and you constantly tweak it, then by the 100th time that you're going to run it, then it's going to be right.

[00:09:48] So I don't think that there's going to be like a one off that is going to handle the case. It's either going to be All in and saying this is the way that you do it, except for end cases that we're going to manually [00:10:00] observe and the rest is going to be automatic, or it's not going to be the one offs that are going to be done using automatic and this can be done in numerous ways.

[00:10:11] Starting with manual playbooks to automatic playbooks. And I would be surprised if in the coming five to 10 years, we're going to see [00:10:20] somebody, an AI that simply replaces the technology because they don't have the, the learning capabilities yet to understand all the edge cases. And they're going to project everything that they understood from previous cases to a new case will, which will probably be even worse.

[00:10:34] Ganesh: Yeah. Um, I like, I like the idea of playbooks [00:10:40] And, but I somehow feel that the, the thing that is going to sting you is the thing you don't have a playbook for, you know, if people had planned correctly for all the ways they were going to get hacked or, or ransomware or, you know, leaked secrets like you discussed.

[00:10:55] They, if they had a playbook for that, probably it wouldn't have happened in the first place. [00:11:00] Maybe the building of playbooks stops it happening, but yeah. Well, any thoughts on that?

[00:11:05] Neatsun: Yeah. Well, we just did the lecture, uh, which we called, uh, the black swan effect. You know, we had here, uh, a major event in Israel, um, which is kind of a black swan and a black swan by definition is something that [00:11:20] is very hard to predict, but in retrospect, it's very easy to tie in all the facts saying, Oh, of course we should have seen that now.

[00:11:28] In order to understand cyber event, there is always mechanics of how things work when when you're doing the other side or the threat actor side, you want to go [00:11:40] through several stages. So you want to pick up your target. It's not that you're just, uh, praying and spraying that it will stick. You need to figure out who's your target, then work on the target, trying to understand how can I get to a better position, find your entry point, then try to do lateral movement and persistence.

[00:11:58] So there, there is [00:12:00] some kind of technique that helps you As a threat actor and as a pen tester to understand what's the right way to do things. And if you're not going through this framework or some kind of a framework, it is very, very hard to complete the task from the beginning to the end to the end.

[00:12:15] In order for something to be a complete black swan, you need to think about Each [00:12:20] one of those stages in a completely original way. And if you need to do the exfiltration of the data and the persistency and, and each one of them need to be very, very original. That's a very, very, very, very, very, very high end, uh, job.

[00:12:37] Which is very, very [00:12:40] rare, meaning if you take, um, the cases that we've seen, you don't see a lot of black swans, the components and the ingredients we've seen them before, and you probably could have blocked a lot of them with the right preparation.

[00:12:54] Ganesh: And talking about those, those people then, so the, the exact kind of people who'd be looking at these, [00:13:00] triaging them.

[00:13:01] and considering the amount of noise, have you got any philosophies or leadership advice for better efficacy or efficiency of those security teams? I mean, particularly when it comes to manual triage. So

[00:13:13] Neatsun: let's split the risks into two kinds, the one that kill you and the one that you're saying it's a hygiene or second [00:13:20] tier.

[00:13:20] So the ones that kill you are the ones that in one attack you can get from point A to point B. So if somebody gets into your database, that you hold all the records and you've done no work whatsoever to encrypt the data or make sure that you've got access control or limits on [00:13:40] rates or whatever it is.

[00:13:41] And they can simply pull all the records or drop the table. Well, that's one of those cases that one move can kill you. Now, most companies are really not in that state. they already have a few layers of defense. And at that point, you want to get to the situation that you're saying, okay, what are the things that are one [00:14:00] strike?

[00:14:00] And then what are the things that require two strikes or three strikes? And if you think that you are able to eliminate one of those strikes, then you might have initial access, but you cannot propagate the attack. Preferably, by the way, prevent the initial access. That's the best way, but that's not always the case.

[00:14:17] So this is why people are building it defense in [00:14:20] layers. Now it is hygiene. The, all the rest of the cases are hygiene. For example, if you've got password and I'll take that case because it's easy, that is embedded in your code, but it is not publicly exposed. It is in your code. But then somebody has, for some kind of reason, access to your code repository.

[00:14:39] And then [00:14:40] they see the passwords. Then in two strikes, they're going to get whatever they want. Now, the more strikes that you're going to have or require them to iterate and manually combine attack vectors, this is how it becomes harder for them. Now, at a certain point you're saying, okay, my comfort level or my risk appetite is up to two strikes or three [00:15:00] strikes or just on the entry point.

[00:15:02] And once you can define it saying, how do I think about what is risk for me? in my organization, then you can say, okay, I don't want anything that is one strike. I don't want anything that is initial access. And you can start focusing on the things that really can breach the comfort levels that you have in terms [00:15:20] of where can you actually, uh, take an organization.

[00:15:24] Ganesh: And someone who's been in the, in the trenches with app security. Do you think there's a breakthrough moment or innovation in appsec that has significantly altered your strategic outlook?

[00:15:35] Neatsun: I think that when we looked on cases like, uh, not Petia [00:15:40] for the first time, uh, that was 2017 and we started seeing that, um, somebody's tempering with the.

[00:15:47] way that software is being built as part of the breach to the Ukraine accounting software. At that point, we said, wow, this is like a good idea to rethink, uh, for a second, what is the [00:16:00] attack landscape? Because up until that moment, we, we just thought about the components that you are actually using. And what that attack showed us is saying, okay, maybe I cannot just.

[00:16:11] temper with your code, but I can go one step backward and see how you're actually building the code. And can I temper in those areas [00:16:20] and inject myself to something that everybody already trusts? I think that was really an awakening call saying, can we rethink the strategy? What should we think about? And as we started seeing this happening, we started seeing more and more of those cases.

[00:16:36] We definitely understood this is where the world is going to. [00:16:40] And yes, this is really, at that moment we step out and say, we really do rethink the strategy. It's not the same as 10 years ago. How do

[00:16:47] Ganesh: you think that impacted what you do? Is it all in your product, particularly, you know, in it or your door, just your vision at the time where, you know, in your role at Checkpoint at the time.

[00:16:56] Neatsun: So in Checkpoint, we were not doing AppSec by itself. We were more [00:17:00] focused on the actual attackers themselves, how they're taking the advanced attack in the more later stages. Um, I think that what it taught me is really about thinking about the world in a broader sense, saying you don't need to always think about the same attack methods with minor changes.

[00:17:17] There are hundreds of different attack vectors, [00:17:20] and you should start thinking about the entire field instead of just thinking about the same thing that you've already seen hundreds and thousands of times. And this really changed the perspective saying, if there are hundreds of those cases, then it's not something I'm going to remember.

[00:17:35] It's not something that I'm going to have muscle memory to, to defense. I need to really think about [00:17:40] how do I protect against the things that are more rare, the more on the far side of the curve. That's a big difference.

[00:17:48] Ganesh: I actually feel sorry for CISOs today. It used to be an easier job, basically. It got a lot harder for people, big time harder.

[00:17:57] Um, and we talked a little bit about [00:18:00] the guy on holiday who doesn't want to have his holiday interrupted, which I think is actually, it's a good metaphor for everything application security. Just how do we stop the guy's holiday getting interrupted? And can you give us a bit of a, an unpack on how implementing strategies like alert prioritization.

[00:18:18] Has had, you know, [00:18:20] noticeable changes in your organization. Of

[00:18:21] Neatsun: course. So, um, it goes back again to the playbook. So the playbook is the way to define what is your risk appetite and how you're reacting to that. So once again, I'll go to the password example. So let's say that you've got a password embedded in code and somebody goes and say, Oh my God, we found a password embedded [00:18:40] in the code.

[00:18:41] So the question is, of course, what is the context? If the context is my keys to my Salesforce. And it is right now in a public repository and everybody has access to it. And I don't have two factor authentication. Oh, yes, you should be in panic, but if it is a private repository and it [00:19:00] requires two factor authentication and a few other mitigating risk, and it is locked to IP in certain countries, you know what?

[00:19:08] It's a hygiene problem. It's not that bad. So if you say, okay, there is a set of considerations that I can take into account saying, if I find this and this and this. Not that bad. [00:19:20] On the other hand, if I find this and this and this, oh, this is really, really bad. This is something that requires. So it's not a one magic trick saying just multiply everything by the magic number and you're going to get the answer.

[00:19:33] It is about you thinking about how do you treat and risk or respect risk. Now [00:19:40] you asked me before about different organizations. So for a small organization, they don't have a lot of assets and they're not a high profile target. Then probably saying, you know what, it's not that bad. On the other hand, if it's a big bank that has a lot of liability, then for them it is really, really bad.

[00:19:58] This is something that [00:20:00] violates a few of the standards that they need to meet. And they cannot handle the case of saying, yes, we've got a breach in our SLA. It doesn't need to be a breach, an actual security breach, but breaching SLA can sometimes cause penalties that might be even worse than an attacker coming, uh, to your, uh, [00:20:20] environment.

[00:20:20] Ganesh: Makes perfect sense. Uh, I have a feeling that obviously having alert prioritization is a dream for people because I don't think there are many companies on planet earth who, if you ask them, have they got enough security budget and security personnel, they would say yes. In fact, I think, I think the, [00:20:40] the, the number of companies is actually zero if you actually ask them.

[00:20:44] So.

[00:20:44] Neatsun: Yes, exactly.

[00:20:45] Ganesh: But one thing, so we have to basically trust alert prioritization. We, the, the, the CISOs, the community, everybody basically has to trust that. Um, how do you instill that trust? [00:21:00] How, how can you, how can you give peace of mind to somebody that, Hey, listen, we've, we have, we've, we've got the correct prioritization.

[00:21:06] You don't need to worry about that. And then conversely, if there's an outlier case that turns out that the priority was wrong. How do you deal with that?

[00:21:16] Neatsun: First of all, an awesome question. Uh, when we started our quest at [00:21:20] OX, uh, we originally thought about, okay, let's take a, the first factor multiplied by zero 26 and then second factor and try to get to some kind of an approximation.

[00:21:31] We showed it to a bunch of people that we trust and said, okay, can you just explain to us why is that true? I don't know. [00:21:40] It's like we took the averages and it makes sense. So no, I cannot work with that. You need to understand. I need to be able to explain everything that they do. Let's say that something happens.

[00:21:50] I can't just say, Oh, it's because we multiplied by 0. 26. It makes perfect sense. Don't you understand? No, we need to understand the line of thinking [00:22:00] saying this is not connected to the internet. And this is why we said there are other things more important or more urgent. then this issue. So there is no way to take it and just crunch data and say there's a fuzzy logic behind the scenes and it will be fine.

[00:22:15] Don't worry. It works. Um, it doesn't work this method. You need to be [00:22:20] able to explain your reasoning in a human terms. So if you're saying it is not connected to the internet, there is no API. with a trace from the internet to the vulnerable function. And we see that the vulnerable function requires those parameters that are not fit in those case.

[00:22:38] This is a hygiene problem. It's [00:22:40] not a real risk. That is fine. But then you need to prove it with facts and more than you need to prove it with facts. You need to be able to provide those facts upfront saying it's not what I'm telling you and trust me, but I've prepared for you a work paper with all the details that you need to know why I got to this [00:23:00] decision.

[00:23:00] Now, if you think that in your case, those decisions are wrong, or you would have treated them differently, let me allow you to enter the way that I take decisions, imagine a no code workflow and say, okay, you know what? In my case, I want to tweak those, those, and those, and add those cases and adapt it to the way that [00:23:20] I'm considering risk and my risk appetite.

[00:23:22] So we're trying not to think about risk as something that is universal. Each and every organization to work with are doing different tweaks to understand the risk in the way that they're willing to tolerate. Now, it has nothing to do with the size of the organization. It [00:23:40] has nothing to do with the industry.

[00:23:41] We've seen different companies in the same segment. in different sizes, doesn't matter which one of bigger, but they've got different risk appetite. Some of them are full cloud, some of them on prem, some of them require everything to be handled. Some of them require longer SLA, meaning every organization has its own risk appetite.

[00:23:59] Ganesh: I can [00:24:00] imagine some of those conversations were pretty tricky and that's probably shaped your product quite a bit. On a philosophical note, I've been talking to people recently about open sourcing and making, you know, helping the community to get stronger. And, uh, I spoke to the CISO of XPEL, which is a soccer as a [00:24:20] service company, and all of their machine learning, uh, has rules applied to it, which will say if something's an alert.

[00:24:27] So, you know, if somebody gets a, token and it's used to do something in Okta and blah, blah, blah, blah, blah. And they have actually, you know, because people need to know how they've, in the same way that people want to know what's in a high alert, people want to [00:24:40] know why, uh, they've got a breach. So they actually provide the.

[00:24:45] The SQL, if you like, or the query that's running on their data set. So if you want to go and take that, you can go and do, do something with it yourself, which is, I think is very cool. And it moves towards like a more open way to help everybody out who maybe can't afford the big [00:25:00] products. What do you feel about that?

[00:25:02] And it's something that you'd be open to. So,

[00:25:04] Neatsun: so, um, we are a big supporter of open source. We've got, um, an open source called Megalinter. Which is the way for organization that want to start their opposite journey without paying anything using open source tools, [00:25:20] uh, one click, and they can get security embedded into their into the pipeline.

[00:25:24] It usually is a great idea to start with something that is simple until you cannot learn the facts before you go and buy a product just because buying a product means that you're committed to a journey. And sometimes companies want to say, I need this product. It doesn't matter what it is. It [00:25:40] might be a sock or, or, um, a sassy or doesn't matter what it is, but then not really mature for that.

[00:25:45] And then I'm going to waste a year or two with a vendor that is two sizes bigger than they are at this moment. And they're not going to find the match that they need. So always start small, scale, uh, and as you have more requirements [00:26:00] that require better granularity, move to a more, I would say, enterprise grade, uh, company.

[00:26:06] Ganesh: Can you, can you spell Megalinter for us?

[00:26:08] Neatsun: M E G A L I N T E R.

[00:26:11] Ganesh: Megalinter. Okay. Never heard of that. That's a totally awesome piece of advice for people to, to start on their AppSec journey. Um, What [00:26:20] about the other guys who are at the other end? So people who are, and you know, let's pat you on the back, and let's say they're using the best AppSec platform, which is Ock Security, and they've got SOC as a service, and they've got these other things.

[00:26:30] What's the, what do these people then do? And assuming they've written playbooks, and, and done all that nice stuff. You can't just stay still. Everybody knows that. We, [00:26:40] we said that previously, even in this episode. What do they do then? You know, how do they stay on top after this point in your eyes?

[00:26:47] Neatsun: Okay. So, um, there's a public resource called Oscar, the open software supply chain attack reference.

[00:26:53] And imagine a map that takes you through the attacker's point of view from how did they do reconnaissance [00:27:00] up to how they exfiltrate data. Now imagine that this map is dynamic. So every time that there's a new attack vector, It appears on this map. There are hundreds of those cases. So you can start and play and understand how you're going to play in each one of them.

[00:27:16] Or you can start thinking about it as a way of saying, let's zoom [00:27:20] out and say, I don't have time to understand all of those cases. AppSec is just one practice out of three, four, seven that I have in my organization, then I probably need to rethink the strategy and saying, okay, I need to take it in a different way.

[00:27:35] Saying what happened in those cases that are more rare and I don't see on a [00:27:40] daily basis. And let's use something that the industry already adopted as saying, I understand this is a good way to handle those cases. And if you get to those then do this, this, and this, or even better than that. How can I prevent those cases from happening?

[00:27:58] So in the larger [00:28:00] organization, what you see they're thinking of is how do I detect issues? How do I prevent issues? How do I do incident response in case that somebody actually bypassed my defense mechanism? And how do I recover? So they're thinking those four steps. The concept behind it is [00:28:20] the law of big numbers.

[00:28:22] So if you're a small organization, then you're getting x amount of attacks per year, week, choose your period of time. If you're a large N, you're going to get 10x. If you're way larger, 100x. And if you're huge, a thousand x. And the way, the moment you get to [00:28:40] the hundred x and a thousand x, you're starting to see the end cases, those 0.

[00:28:45] 3 percent probability that you're going to find a unique case that nobody's ever, ever seen before. And then you start thinking about it in different ways. So the more, the bigger you are and more assets that you have and more risks that you have, you start [00:29:00] thinking about what's the next layer. How can I protect if something is passing my WAF or API security?

[00:29:06] How do I get to this? And if somebody is already breaching my cloud, then this is what I'm going to do. Now, the repetitive work and the fact that you need to constantly. add more people to the mix and trust them [00:29:20] to do the work in endless amount of details and communicate with the developers and work with DevOps.

[00:29:25] And it's a recipe that nobody perfected yet. Um, meaning making a process work just with humans, uh, without anything that is automated. It's just a matter of time. And we see this right [00:29:40] now. Every day you see five to 10 different cases being, uh, brought to the news.

[00:29:45] Ganesh: And I like, I like the tearing up there because it's, you have, you know, you have your OWASP top 10 and then you've done that.

[00:29:54] And then you have to look at your MITRE framework and then, okay, maybe everything there. And now you've got the Oscar. I [00:30:00] think it's always amazes me that there's something else. There's like another, there's always a something else. And there's some other new framework. And I think probably we don't know what the framework is yet.

[00:30:10] I feel like there's a new framework that needs to come because lots of, lots of security is so, uh, stale and backwards. So they're talking about a new [00:30:20] NIST regulation that's going to come out now. It's too late. You know, everything that's going to be in there, the whole, the whole field will have moved on by then.

[00:30:27] Um, philosophically. How do you, how do you think we, you know, the tech community can fight against this, and like the arms race where let's be honest, in the majority of cases, the arm, you know, [00:30:40] the bad guys are winning a lot of the time.

[00:30:41] Neatsun: So I think that, um, I'll take SBOM as an example. So SBOM is a requirement to provide software bit of material, all the list of open source that you're using as part of your software that you're releasing.

[00:30:52] Now, it is right now mandatory for U. S. federal organization to provide this and require this [00:31:00] from their vendors. The challenge is nobody knows what to do with it right now. Let's say I got a list of S bomb, imagine Excel spreadsheet, four columns, open source name, version, license. And known vulnerabilities.

[00:31:13] Now, this list is going to have 10, 000 issues inside of them. Now, here's my list, [00:31:20] Mr. Vendor, or Mr. Consumer in this case. And you need to ask yourself, what am I going to do with this list? Let's say that the vendor has critical vulnerabilities. Am I not going to use the software? Am I not going to buy it?

[00:31:34] Am I going to ask for a discount? Let's say that you already have this, you just need an update, but the update doesn't fix all the [00:31:40] issues. Well, then you're going to pull it from production. So you get to a lot of end cases where somebody just thought the first line of defense, because then you say, okay, how many of the cases that we had last year would an S bomb, an accurate S bomb would have actually sold for me?

[00:31:58] So, wow, this is less than 1%. [00:32:00] That's it. 1 percent solved by a very, very tedious process. Definitely not going to be the way into the future. On the other hand, it takes a lot of the organization that are more on the lager side and requires them. To understand what they're doing. So it's definitely a great move in turning the lagger or the middle of the [00:32:20] curve, uh, towards a more secure place.

[00:32:22] The more secure organization are further away years into the future from, uh, those organizations.

[00:32:28] Ganesh: The, uh, yeah, couldn't agree more with the sbo. It's literally, uh. to pull people from the lowest tier up further along, basically. Um, [00:32:40] we like to ask everybody who comes on the show, if you could go back in time and give yourself one piece of professional advice, what would it be?

[00:32:47] Neatsun: Oh, wow. That's an awesome question. Um, I actually wouldn't want advice from the future. It's, uh, I think it ruins the fun.

[00:32:59] Ganesh: That's, that's a [00:33:00] great,

[00:33:00] Neatsun: that's a great answer. That's very philosophical. Um, of course, um, uh, advice on, on stocks to choose that other than that and nothing

[00:33:12] Ganesh: more. I think it has to be professional advice, not financial advice, but that's, that's very Zen.

[00:33:19] And listen, you're. [00:33:20] You're a super smart guy. You're at the, you're at the forefront of, you know, AppSec in the world, I would say. And what, what do you see in the crystal ball looking into the future?

[00:33:32] Neatsun: So one of the trends that, uh, I've been tracking for the past, um, seven or eight years is the amount of attacks groups out [00:33:40] there.

[00:33:40] So the amount of groups that actually have the incentive. And the motivation and the means to do a cyber attack and the number keeps growing drastically. Now, I don't know if, um, eight years ago it was like 200 because we didn't know about everything and now it's way more than 2000, but the [00:34:00] more people that you see that are in the engagement of finding.

[00:34:04] ways to extort money. It means that you're going to find more and more creative ways. Think about it as like an Olympics. And if you invite your Olympics, just 10, then you're going to get a good result. With a hundred, you're going to get even better [00:34:20] results because one out of the hundred is going to be not one of, but now we're at one out of 2000.

[00:34:25] So you're going to find way more unique things. And number two in the list is golf surfing. Very, very good, way better than the one of 10. that you found in the beginning. So if you look on this trend and you're saying, okay, so this is [00:34:40] accelerating, the number of disclosed vulnerabilities per year is increasing year over year.

[00:34:45] Last year, we almost touched 30, 000 known vulnerabilities disclosed per year. That's like 82 per day. So you get a point saying, okay, I understand that the guys that I need to face are getting more number. [00:35:00] They've got more tools. They've got more known vulnerabilities out there. Okay. I think that the trend is definitely something that we're going to be, um, It's a concern.

[00:35:11] Ganesh: On the plus side, at least neither of us will be out of work anytime soon. It's a, it's a job that has, you know, good future [00:35:20] prospects. Just out of interest, how do you stay on top? So there's, you know, 82 vulnerabilities a day and, you know, 20 tools to try and manage that. But one of the ways you stay on top of current trends in the industry, just out of interest, any podcasts or YouTube things you follow?

[00:35:36] Neatsun: Um. So I read quite a lot. Um, [00:35:40] so I get all the sources. I've got a good team of people constantly working 24 seven to make sure that everything that goes in gets an immediate evaluation, trying to understand what the implication is, something that we should be aware, should we raise the level of readiness?

[00:35:55] Um, in most cases, it's not a black swan. It's something that we've seen [00:36:00] before. Um, then we've got the network of about 400 CISOs over slacks, uh, slack that we simply send interesting findings once in a while, um, saying, look, this is probably going to get to your way. It's right now still not on the high alert.

[00:36:14] It has all the criteria to be something big. Hopefully it will not become something big. Uh, once we [00:36:20] know the details, we will share more. Um, and you get them engaging saying, okay, Our guys looked in it and we think this and this is what we're going to do as a precaution. And when you've got a large group of people, you've got the, the, uh, the powers multiplier.

[00:36:34] Um, so you can actually understand what are other thinking and just not have one state [00:36:40] of mind, but you're going to have a lot of different people thinking about the same problem with different point of view.

[00:36:44] Ganesh: I, there's definitely something about ego in there and there needing to be less of it generally in the industry.

[00:36:50] Uh, and paraloyer, I would say as well, because particularly in a British market, there's, you don't want to look like you don't know what you're doing, [00:37:00] or, you know, it takes a lot for somebody, it takes some courage to come out and say, I'm not sure how I'm going to defend against X, Y, or Z. But actually, you know, all the CISOs are in this together and that the more of them that are sharing openly on Slack groups, the better.

[00:37:14] So I'm, I would definitely support that.

[00:37:16] Neatsun: Exactly. Uh, security is definitely a group play and not a single [00:37:20] play.

[00:37:20] Ganesh: Yeah, I totally, I, I don't know how actually we, we get people to be more collaborative because there's so many great ideas that come out of, um, you know, people I chat to on the show basically, but, you know, there's so many great ideas come out of people.

[00:37:33] Yeah. Um, but I somehow still feel that everybody's so in their own, in their own [00:37:40] bunker, in their own problem solving thing that actually getting together, you know, to form, you know, we need like a lapsus of good guys or we need like a BitLocker of good guys or something like that. You know, I don't know how we do it.

[00:37:54] We need to go employ loads of Bangladeshis or something, an army of good guys out there. I don't know. [00:38:00] But, um, yeah, that's something for, something for a philosophical end of it. Neaton, it's been totally great talking to you. Is there any like closing thoughts you'd like to leave to our listeners?

[00:38:12] Neatsun: No, if anybody wants to talk, uh, uh, further details, always happy to chat, uh, via LinkedIn.

[00:38:18] Um, that's the [00:38:20] best way to, to get ahold of me.

[00:38:21] Ganesh: Really, really thanks for your time. Um, you are one of the good guys and we're, we're lucky to have you on our side.

[00:38:26] Neatsun: Thank you very much. Enjoy the conversation.

[00:38:29] Ganesh: This episode was produced and edited by Daniel O'Hana and Tomer Mouviton. Sound editing and mix by Bren Russell.

[00:38:38] I'm Ganesh The Awesome, a senior [00:38:40] solutions architect. And if you're ready to deep dive and start transforming the way you approach security, then the team and myself at GlobalDots are at your disposal. It's what we do, and if I don't say so myself, we do it pretty well. So, have a word with the experts, don't be shy, and remember that conversations are always for [00:39:00] free.

[00:39:00] Find us at GlobalDocs. com

This transcript was generated automatically by AI. If you find any mistakes, please email us at tomer.m@globaldots.com

This transcript was generated automatically by AI. If you find any mistakes, please email us at tomer.m@globaldots.com

[00:00:00] Announcer: Hello, everyone. You're listening to cloud next, your go to source for cloud innovation and leaders inside brought to you by Global Dots.

[00:00:15] Ganesh: Picture this. You're finally on that long awaited vacation. The sun is setting over a [00:00:20] tranquil beach and the stress of work seems a world away. But then your phone buzzes.

[00:00:24] It's an alert from the office. A critical vulnerability has been found in one of your applications. So the relaxation evaporates, you're pulled back into a world of urgent patches, code reviews and endless battle against cyber threats. This is the reality for many of us in the world of application [00:00:40] security, but I guess today is waging war on the grunt work in search of a better way of AppSec.

[00:00:45] I'm Ganesh D'Awesome and joining us in this episode of Cloud Next is Nitin Ziv, co founder and CEO at Ox Security. And together we'll delve into how the traditional methods of endless alert noise, manual triage, and duplicated efforts are giving way to innovation [00:01:00] and solutions that redefine the industry.

[00:01:02] Nitsan, before we start, what should people know about you?

[00:01:05] Neatsun: Wow, that's a good question. One thing that I really like to do, but I don't have the time since Ox, is windsurfing. So this is definitely something I would like to find time to do again.

[00:01:17] Ganesh: That is not the answer that I expected to that [00:01:20] question, but that's very cool.

[00:01:21] Um, it's nice, nice that there are, there's a human element behind CEOs that you're, you're not just a, uh, a walking, talking, uh, cloud security machine. So I know you have this vision of eliminating grunt work in application security. Can you tell us? How that innovation gives businesses [00:01:40] a competitive advantage.

[00:01:41] And what does that look like?

[00:01:42] Neatsun: I think that the example that you started with saying you're on vacation and then something happens is something that we all know, uh, it happens to everybody, not necessarily in AppSec, but in every space of security. And the challenge is that this is our world. Now, the better and more prepared you are to [00:02:00] that event, the easier it is.

[00:02:02] And maybe this can be handled without you actually being involved in the process. And I think that in order to get that, you need a lot of maturity to understand what are the questions that need to be asked? Who should I communicate this to? Not just how do I fix it? And then where should I fix it?

[00:02:19] Because sometimes you [00:02:20] get an alert and it's. On a thousand different places, or you don't even know where should you fix things. So really just understanding what is the playbook, how should I play this specific alert, is a great progress that many don't have an idea how to even start this. So this is why you see a lot of communities just trying to understand and [00:02:40] help each other, saying, Oh, I'm doing this, I'm asking those questions, and I'm trying to communicate this way.

[00:02:45] And especially as you move to more, um, regulated and publicly traded companies, you're going to see that there are actually requirements that nobody really understands in the details.

[00:02:55] Ganesh: Yeah. I completely agree with that. And the, the birth of [00:03:00] private, uh, CISO groups on WhatsApp and Telegram definitely speaks to that.

[00:03:05] I see some very high profile people asking each other what on earth they are doing about X, Y, or Z. Absolutely. You know, it's this, it's the sort of thing that, um, media companies would love to get their hands on. I'm sure. Um, you have a very long [00:03:20] history in the world of AppSec. I know you have 12 years of working for Checkpoint under your belt.

[00:03:26] So looking on like the journey of AppSec landscape. Can you share insights on pivotal decisions and thought processes that have helped to shape the market?

[00:03:35] Neatsun: Wow. Yeah. So, uh, Checkpoint for 10 years, um, managing this cybersecurity business [00:03:40] unit. And I think that, um, during that time, we've seen quite a lot of, uh, issues that became huge.

[00:03:47] Starting with the embedded passwords inside of, uh, some boxes that somebody had to actually go and patch each one of the boxes to cases like log4j and other cases like SolarWinds and CodeCov [00:04:00] and so many other cases that we've seen out there, hacking groups, the evolution of, uh, crypto and ransomware. So we've seen a lot of those cases throughout the past, uh, 10, 12 years.

[00:04:12] And when you look on this journey, what you're actually seeing is that it's constantly evolving. Year after year, there's [00:04:20] innovation on the threat exercise and the defenders need to actually evolve back and say, you know what, if you're doing this, I will do this. And if as a defender, you're keeping the same ideas and concept that you had 10 years ago, you're going to be overrun.

[00:04:37] It's, it's a definitive answer.

[00:04:39] Ganesh: I [00:04:40] like that. It's the, the queen of hearts race where everybody has to be running at full speed. in order to stay in the same position. And if you don't, you're not running at full speed. You're going to be at the back. That's for sure. And looking at those, you know, how the market has changed over the years, can you think of some factors that have influenced your [00:05:00] strategic tool set for discovery analysis and remediation within your product?

[00:05:03] Neatsun: I think that one of the challenges that we had internally to understand is let's say that you have an exposure and at that moment you're trying to understand, okay, should I actually worry about this? Yes or no. And does it mean that the vacation is ruined? Or is it [00:05:20] just a few minutes to say, Hey, this case looks like that case.

[00:05:24] Let's do this. Or even better. My team knows how to do it without me getting involved or even better. I don't need to do anything because it's automatic completely. I think that in order to understand that you, you need to understand case by case, what is the playbook? So let's say something [00:05:40] that I helped a friend just a few days ago, I started a company.

[00:05:43] Uh, one of their passwords was embedded into the code. The code was somehow leaked by a human mistake. And at the moment afterwards, it got to GitHub. And now you get to the position saying, okay, what is my playbook? So the easy answer is, [00:06:00] okay, just remove the password. But then the password's already out.

[00:06:04] So you should probably rotate the keys. And if you're saying, okay, I rotate the keys, I need to tell the DevOps, because some of the systems are not going to work after that. And the question, okay, how long has it been there? Can I go and check the logs and see, had anybody already accessed those [00:06:20] things?

[00:06:20] What happened? And you've got a lot of follow up questions. Then you're saying, okay, if I've got an exposure, do I need to inform upper management? Do I need to tell my board? Do I need to tell my customers? And you start asking those questions and saying, Oh, wow, I don't really have the playbook. And I really hope that there is a playbook that I should follow because [00:06:40] maybe I should have noticed the fact that I should communicate this to my customers, but I forgot about this little case and now they're actually exposed and they're going to be part of my software supply chain and I'm going to be the root cause for that.

[00:06:53] Um, and you see that there is no playbook and really thinking about this through is a big deal. [00:07:00]

[00:07:00] Ganesh: That's, yeah, the, the, the oh shit moments, as I'll call them, there is no playbook for those. And it's actually, uh, it's quite frightening the number of attack vectors that a CISO has to navigate. Um, it's ridiculous.

[00:07:16] You know, when we speak to people and they say, we know we need to [00:07:20] improve our security posture. It's like, well, you have so many exposures you don't even know. Just

[00:07:29] Neatsun: one statement that I must say that I don't really agree with you saying, where do I start? Is there a playbook? So if you don't have a playbook, it means that you're going to improvise.

[00:07:39] Now [00:07:40] there was a great experiment done, uh, in one of the large companies saying, if there's an incident, this is the playbook. And somehow they go to this event, said, no, it's something small. Let's not run the playbook that you already practiced. And let's do something off script. You can imagine how it went, uh, not as planned.

[00:07:59] [00:08:00] Now, when you've got a playbook, the playbook is there because you're thinking about what you want to do next when you have time to think about it. If you're thinking on the spot and your entire management is decentralized and you're not in the same room, which is a rare commodity today, then for sure, you're going to miss things out because [00:08:20] it's under pressure.

[00:08:21] People are remote, not in a convenient place to work. They don't have all the data and not a lot of people in the same. So definitely you're going to miss something if not planning for this event.

[00:08:31] Ganesh: Going back to the theme of this podcast, reducing that manual repetitive work. And it's not just a technical issue, [00:08:40] it's a strategic one.

[00:08:41] But how do you believe the integration of automated analysis and triage processes can redefine the industry, um, and overall increase security. And, uh, you know, you get 10 points if you can answer that without saying machine learning and AI.

[00:08:54] Neatsun: Okay. I will do it without saying, uh, those terms. Uh, first of all, I don't think [00:09:00] that the, the, uh, solution goes through, uh, those technologies.

[00:09:04] Uh, they might aid, but they're not the solution trying to throw the data. on some kind of technology and say, this will solve the problem. It's definitely not going to do that. I think that the number one thing that you need to understand is first of all, what is your playbook? [00:09:20] Let's say that you know your playbook.

[00:09:21] Now it's about making sure that you can run it in a precise way and you've practiced it. Let's say that you've got a technology that you're going to run for the first time ever. So the probability it's going to work is not that high. Now, if you're constantly using this technology and you polish the results and you [00:09:40] see the end cases and you constantly tweak it, then by the 100th time that you're going to run it, then it's going to be right.

[00:09:48] So I don't think that there's going to be like a one off that is going to handle the case. It's either going to be All in and saying this is the way that you do it, except for end cases that we're going to manually [00:10:00] observe and the rest is going to be automatic, or it's not going to be the one offs that are going to be done using automatic and this can be done in numerous ways.

[00:10:11] Starting with manual playbooks to automatic playbooks. And I would be surprised if in the coming five to 10 years, we're going to see [00:10:20] somebody, an AI that simply replaces the technology because they don't have the, the learning capabilities yet to understand all the edge cases. And they're going to project everything that they understood from previous cases to a new case will, which will probably be even worse.

[00:10:34] Ganesh: Yeah. Um, I like, I like the idea of playbooks [00:10:40] And, but I somehow feel that the, the thing that is going to sting you is the thing you don't have a playbook for, you know, if people had planned correctly for all the ways they were going to get hacked or, or ransomware or, you know, leaked secrets like you discussed.

[00:10:55] They, if they had a playbook for that, probably it wouldn't have happened in the first place. [00:11:00] Maybe the building of playbooks stops it happening, but yeah. Well, any thoughts on that?

[00:11:05] Neatsun: Yeah. Well, we just did the lecture, uh, which we called, uh, the black swan effect. You know, we had here, uh, a major event in Israel, um, which is kind of a black swan and a black swan by definition is something that [00:11:20] is very hard to predict, but in retrospect, it's very easy to tie in all the facts saying, Oh, of course we should have seen that now.

[00:11:28] In order to understand cyber event, there is always mechanics of how things work when when you're doing the other side or the threat actor side, you want to go [00:11:40] through several stages. So you want to pick up your target. It's not that you're just, uh, praying and spraying that it will stick. You need to figure out who's your target, then work on the target, trying to understand how can I get to a better position, find your entry point, then try to do lateral movement and persistence.

[00:11:58] So there, there is [00:12:00] some kind of technique that helps you As a threat actor and as a pen tester to understand what's the right way to do things. And if you're not going through this framework or some kind of a framework, it is very, very hard to complete the task from the beginning to the end to the end.

[00:12:15] In order for something to be a complete black swan, you need to think about Each [00:12:20] one of those stages in a completely original way. And if you need to do the exfiltration of the data and the persistency and, and each one of them need to be very, very original. That's a very, very, very, very, very, very high end, uh, job.

[00:12:37] Which is very, very [00:12:40] rare, meaning if you take, um, the cases that we've seen, you don't see a lot of black swans, the components and the ingredients we've seen them before, and you probably could have blocked a lot of them with the right preparation.

[00:12:54] Ganesh: And talking about those, those people then, so the, the exact kind of people who'd be looking at these, [00:13:00] triaging them.

[00:13:01] and considering the amount of noise, have you got any philosophies or leadership advice for better efficacy or efficiency of those security teams? I mean, particularly when it comes to manual triage. So

[00:13:13] Neatsun: let's split the risks into two kinds, the one that kill you and the one that you're saying it's a hygiene or second [00:13:20] tier.

[00:13:20] So the ones that kill you are the ones that in one attack you can get from point A to point B. So if somebody gets into your database, that you hold all the records and you've done no work whatsoever to encrypt the data or make sure that you've got access control or limits on [00:13:40] rates or whatever it is.

[00:13:41] And they can simply pull all the records or drop the table. Well, that's one of those cases that one move can kill you. Now, most companies are really not in that state. they already have a few layers of defense. And at that point, you want to get to the situation that you're saying, okay, what are the things that are one [00:14:00] strike?

[00:14:00] And then what are the things that require two strikes or three strikes? And if you think that you are able to eliminate one of those strikes, then you might have initial access, but you cannot propagate the attack. Preferably, by the way, prevent the initial access. That's the best way, but that's not always the case.

[00:14:17] So this is why people are building it defense in [00:14:20] layers. Now it is hygiene. The, all the rest of the cases are hygiene. For example, if you've got password and I'll take that case because it's easy, that is embedded in your code, but it is not publicly exposed. It is in your code. But then somebody has, for some kind of reason, access to your code repository.

[00:14:39] And then [00:14:40] they see the passwords. Then in two strikes, they're going to get whatever they want. Now, the more strikes that you're going to have or require them to iterate and manually combine attack vectors, this is how it becomes harder for them. Now, at a certain point you're saying, okay, my comfort level or my risk appetite is up to two strikes or three [00:15:00] strikes or just on the entry point.

[00:15:02] And once you can define it saying, how do I think about what is risk for me? in my organization, then you can say, okay, I don't want anything that is one strike. I don't want anything that is initial access. And you can start focusing on the things that really can breach the comfort levels that you have in terms [00:15:20] of where can you actually, uh, take an organization.

[00:15:24] Ganesh: And someone who's been in the, in the trenches with app security. Do you think there's a breakthrough moment or innovation in appsec that has significantly altered your strategic outlook?

[00:15:35] Neatsun: I think that when we looked on cases like, uh, not Petia [00:15:40] for the first time, uh, that was 2017 and we started seeing that, um, somebody's tempering with the.

[00:15:47] way that software is being built as part of the breach to the Ukraine accounting software. At that point, we said, wow, this is like a good idea to rethink, uh, for a second, what is the [00:16:00] attack landscape? Because up until that moment, we, we just thought about the components that you are actually using. And what that attack showed us is saying, okay, maybe I cannot just.

[00:16:11] temper with your code, but I can go one step backward and see how you're actually building the code. And can I temper in those areas [00:16:20] and inject myself to something that everybody already trusts? I think that was really an awakening call saying, can we rethink the strategy? What should we think about? And as we started seeing this happening, we started seeing more and more of those cases.

[00:16:36] We definitely understood this is where the world is going to. [00:16:40] And yes, this is really, at that moment we step out and say, we really do rethink the strategy. It's not the same as 10 years ago. How do

[00:16:47] Ganesh: you think that impacted what you do? Is it all in your product, particularly, you know, in it or your door, just your vision at the time where, you know, in your role at Checkpoint at the time.

[00:16:56] Neatsun: So in Checkpoint, we were not doing AppSec by itself. We were more [00:17:00] focused on the actual attackers themselves, how they're taking the advanced attack in the more later stages. Um, I think that what it taught me is really about thinking about the world in a broader sense, saying you don't need to always think about the same attack methods with minor changes.

[00:17:17] There are hundreds of different attack vectors, [00:17:20] and you should start thinking about the entire field instead of just thinking about the same thing that you've already seen hundreds and thousands of times. And this really changed the perspective saying, if there are hundreds of those cases, then it's not something I'm going to remember.

[00:17:35] It's not something that I'm going to have muscle memory to, to defense. I need to really think about [00:17:40] how do I protect against the things that are more rare, the more on the far side of the curve. That's a big difference.

[00:17:48] Ganesh: I actually feel sorry for CISOs today. It used to be an easier job, basically. It got a lot harder for people, big time harder.

[00:17:57] Um, and we talked a little bit about [00:18:00] the guy on holiday who doesn't want to have his holiday interrupted, which I think is actually, it's a good metaphor for everything application security. Just how do we stop the guy's holiday getting interrupted? And can you give us a bit of a, an unpack on how implementing strategies like alert prioritization.

[00:18:18] Has had, you know, [00:18:20] noticeable changes in your organization. Of

[00:18:21] Neatsun: course. So, um, it goes back again to the playbook. So the playbook is the way to define what is your risk appetite and how you're reacting to that. So once again, I'll go to the password example. So let's say that you've got a password embedded in code and somebody goes and say, Oh my God, we found a password embedded [00:18:40] in the code.

[00:18:41] So the question is, of course, what is the context? If the context is my keys to my Salesforce. And it is right now in a public repository and everybody has access to it. And I don't have two factor authentication. Oh, yes, you should be in panic, but if it is a private repository and it [00:19:00] requires two factor authentication and a few other mitigating risk, and it is locked to IP in certain countries, you know what?

[00:19:08] It's a hygiene problem. It's not that bad. So if you say, okay, there is a set of considerations that I can take into account saying, if I find this and this and this. Not that bad. [00:19:20] On the other hand, if I find this and this and this, oh, this is really, really bad. This is something that requires. So it's not a one magic trick saying just multiply everything by the magic number and you're going to get the answer.

[00:19:33] It is about you thinking about how do you treat and risk or respect risk. Now [00:19:40] you asked me before about different organizations. So for a small organization, they don't have a lot of assets and they're not a high profile target. Then probably saying, you know what, it's not that bad. On the other hand, if it's a big bank that has a lot of liability, then for them it is really, really bad.

[00:19:58] This is something that [00:20:00] violates a few of the standards that they need to meet. And they cannot handle the case of saying, yes, we've got a breach in our SLA. It doesn't need to be a breach, an actual security breach, but breaching SLA can sometimes cause penalties that might be even worse than an attacker coming, uh, to your, uh, [00:20:20] environment.

[00:20:20] Ganesh: Makes perfect sense. Uh, I have a feeling that obviously having alert prioritization is a dream for people because I don't think there are many companies on planet earth who, if you ask them, have they got enough security budget and security personnel, they would say yes. In fact, I think, I think the, [00:20:40] the, the number of companies is actually zero if you actually ask them.

[00:20:44] So.

[00:20:44] Neatsun: Yes, exactly.

[00:20:45] Ganesh: But one thing, so we have to basically trust alert prioritization. We, the, the, the CISOs, the community, everybody basically has to trust that. Um, how do you instill that trust? [00:21:00] How, how can you, how can you give peace of mind to somebody that, Hey, listen, we've, we have, we've, we've got the correct prioritization.

[00:21:06] You don't need to worry about that. And then conversely, if there's an outlier case that turns out that the priority was wrong. How do you deal with that?

[00:21:16] Neatsun: First of all, an awesome question. Uh, when we started our quest at [00:21:20] OX, uh, we originally thought about, okay, let's take a, the first factor multiplied by zero 26 and then second factor and try to get to some kind of an approximation.

[00:21:31] We showed it to a bunch of people that we trust and said, okay, can you just explain to us why is that true? I don't know. [00:21:40] It's like we took the averages and it makes sense. So no, I cannot work with that. You need to understand. I need to be able to explain everything that they do. Let's say that something happens.

[00:21:50] I can't just say, Oh, it's because we multiplied by 0. 26. It makes perfect sense. Don't you understand? No, we need to understand the line of thinking [00:22:00] saying this is not connected to the internet. And this is why we said there are other things more important or more urgent. then this issue. So there is no way to take it and just crunch data and say there's a fuzzy logic behind the scenes and it will be fine.

[00:22:15] Don't worry. It works. Um, it doesn't work this method. You need to be [00:22:20] able to explain your reasoning in a human terms. So if you're saying it is not connected to the internet, there is no API. with a trace from the internet to the vulnerable function. And we see that the vulnerable function requires those parameters that are not fit in those case.

[00:22:38] This is a hygiene problem. It's [00:22:40] not a real risk. That is fine. But then you need to prove it with facts and more than you need to prove it with facts. You need to be able to provide those facts upfront saying it's not what I'm telling you and trust me, but I've prepared for you a work paper with all the details that you need to know why I got to this [00:23:00] decision.

[00:23:00] Now, if you think that in your case, those decisions are wrong, or you would have treated them differently, let me allow you to enter the way that I take decisions, imagine a no code workflow and say, okay, you know what? In my case, I want to tweak those, those, and those, and add those cases and adapt it to the way that [00:23:20] I'm considering risk and my risk appetite.

[00:23:22] So we're trying not to think about risk as something that is universal. Each and every organization to work with are doing different tweaks to understand the risk in the way that they're willing to tolerate. Now, it has nothing to do with the size of the organization. It [00:23:40] has nothing to do with the industry.

[00:23:41] We've seen different companies in the same segment. in different sizes, doesn't matter which one of bigger, but they've got different risk appetite. Some of them are full cloud, some of them on prem, some of them require everything to be handled. Some of them require longer SLA, meaning every organization has its own risk appetite.

[00:23:59] Ganesh: I can [00:24:00] imagine some of those conversations were pretty tricky and that's probably shaped your product quite a bit. On a philosophical note, I've been talking to people recently about open sourcing and making, you know, helping the community to get stronger. And, uh, I spoke to the CISO of XPEL, which is a soccer as a [00:24:20] service company, and all of their machine learning, uh, has rules applied to it, which will say if something's an alert.

[00:24:27] So, you know, if somebody gets a, token and it's used to do something in Okta and blah, blah, blah, blah, blah. And they have actually, you know, because people need to know how they've, in the same way that people want to know what's in a high alert, people want to [00:24:40] know why, uh, they've got a breach. So they actually provide the.

[00:24:45] The SQL, if you like, or the query that's running on their data set. So if you want to go and take that, you can go and do, do something with it yourself, which is, I think is very cool. And it moves towards like a more open way to help everybody out who maybe can't afford the big [00:25:00] products. What do you feel about that?

[00:25:02] And it's something that you'd be open to. So,

[00:25:04] Neatsun: so, um, we are a big supporter of open source. We've got, um, an open source called Megalinter. Which is the way for organization that want to start their opposite journey without paying anything using open source tools, [00:25:20] uh, one click, and they can get security embedded into their into the pipeline.

[00:25:24] It usually is a great idea to start with something that is simple until you cannot learn the facts before you go and buy a product just because buying a product means that you're committed to a journey. And sometimes companies want to say, I need this product. It doesn't matter what it is. It [00:25:40] might be a sock or, or, um, a sassy or doesn't matter what it is, but then not really mature for that.

[00:25:45] And then I'm going to waste a year or two with a vendor that is two sizes bigger than they are at this moment. And they're not going to find the match that they need. So always start small, scale, uh, and as you have more requirements [00:26:00] that require better granularity, move to a more, I would say, enterprise grade, uh, company.

[00:26:06] Ganesh: Can you, can you spell Megalinter for us?

[00:26:08] Neatsun: M E G A L I N T E R.

[00:26:11] Ganesh: Megalinter. Okay. Never heard of that. That's a totally awesome piece of advice for people to, to start on their AppSec journey. Um, What [00:26:20] about the other guys who are at the other end? So people who are, and you know, let's pat you on the back, and let's say they're using the best AppSec platform, which is Ock Security, and they've got SOC as a service, and they've got these other things.

[00:26:30] What's the, what do these people then do? And assuming they've written playbooks, and, and done all that nice stuff. You can't just stay still. Everybody knows that. We, [00:26:40] we said that previously, even in this episode. What do they do then? You know, how do they stay on top after this point in your eyes?

[00:26:47] Neatsun: Okay. So, um, there's a public resource called Oscar, the open software supply chain attack reference.

[00:26:53] And imagine a map that takes you through the attacker's point of view from how did they do reconnaissance [00:27:00] up to how they exfiltrate data. Now imagine that this map is dynamic. So every time that there's a new attack vector, It appears on this map. There are hundreds of those cases. So you can start and play and understand how you're going to play in each one of them.

[00:27:16] Or you can start thinking about it as a way of saying, let's zoom [00:27:20] out and say, I don't have time to understand all of those cases. AppSec is just one practice out of three, four, seven that I have in my organization, then I probably need to rethink the strategy and saying, okay, I need to take it in a different way.

[00:27:35] Saying what happened in those cases that are more rare and I don't see on a [00:27:40] daily basis. And let's use something that the industry already adopted as saying, I understand this is a good way to handle those cases. And if you get to those then do this, this, and this, or even better than that. How can I prevent those cases from happening?

[00:27:58] So in the larger [00:28:00] organization, what you see they're thinking of is how do I detect issues? How do I prevent issues? How do I do incident response in case that somebody actually bypassed my defense mechanism? And how do I recover? So they're thinking those four steps. The concept behind it is [00:28:20] the law of big numbers.

[00:28:22] So if you're a small organization, then you're getting x amount of attacks per year, week, choose your period of time. If you're a large N, you're going to get 10x. If you're way larger, 100x. And if you're huge, a thousand x. And the way, the moment you get to [00:28:40] the hundred x and a thousand x, you're starting to see the end cases, those 0.

[00:28:45] 3 percent probability that you're going to find a unique case that nobody's ever, ever seen before. And then you start thinking about it in different ways. So the more, the bigger you are and more assets that you have and more risks that you have, you start [00:29:00] thinking about what's the next layer. How can I protect if something is passing my WAF or API security?

[00:29:06] How do I get to this? And if somebody is already breaching my cloud, then this is what I'm going to do. Now, the repetitive work and the fact that you need to constantly. add more people to the mix and trust them [00:29:20] to do the work in endless amount of details and communicate with the developers and work with DevOps.

[00:29:25] And it's a recipe that nobody perfected yet. Um, meaning making a process work just with humans, uh, without anything that is automated. It's just a matter of time. And we see this right [00:29:40] now. Every day you see five to 10 different cases being, uh, brought to the news.

[00:29:45] Ganesh: And I like, I like the tearing up there because it's, you have, you know, you have your OWASP top 10 and then you've done that.

[00:29:54] And then you have to look at your MITRE framework and then, okay, maybe everything there. And now you've got the Oscar. I [00:30:00] think it's always amazes me that there's something else. There's like another, there's always a something else. And there's some other new framework. And I think probably we don't know what the framework is yet.

[00:30:10] I feel like there's a new framework that needs to come because lots of, lots of security is so, uh, stale and backwards. So they're talking about a new [00:30:20] NIST regulation that's going to come out now. It's too late. You know, everything that's going to be in there, the whole, the whole field will have moved on by then.

[00:30:27] Um, philosophically. How do you, how do you think we, you know, the tech community can fight against this, and like the arms race where let's be honest, in the majority of cases, the arm, you know, [00:30:40] the bad guys are winning a lot of the time.

[00:30:41] Neatsun: So I think that, um, I'll take SBOM as an example. So SBOM is a requirement to provide software bit of material, all the list of open source that you're using as part of your software that you're releasing.

[00:30:52] Now, it is right now mandatory for U. S. federal organization to provide this and require this [00:31:00] from their vendors. The challenge is nobody knows what to do with it right now. Let's say I got a list of S bomb, imagine Excel spreadsheet, four columns, open source name, version, license. And known vulnerabilities.

[00:31:13] Now, this list is going to have 10, 000 issues inside of them. Now, here's my list, [00:31:20] Mr. Vendor, or Mr. Consumer in this case. And you need to ask yourself, what am I going to do with this list? Let's say that the vendor has critical vulnerabilities. Am I not going to use the software? Am I not going to buy it?

[00:31:34] Am I going to ask for a discount? Let's say that you already have this, you just need an update, but the update doesn't fix all the [00:31:40] issues. Well, then you're going to pull it from production. So you get to a lot of end cases where somebody just thought the first line of defense, because then you say, okay, how many of the cases that we had last year would an S bomb, an accurate S bomb would have actually sold for me?

[00:31:58] So, wow, this is less than 1%. [00:32:00] That's it. 1 percent solved by a very, very tedious process. Definitely not going to be the way into the future. On the other hand, it takes a lot of the organization that are more on the lager side and requires them. To understand what they're doing. So it's definitely a great move in turning the lagger or the middle of the [00:32:20] curve, uh, towards a more secure place.

[00:32:22] The more secure organization are further away years into the future from, uh, those organizations.

[00:32:28] Ganesh: The, uh, yeah, couldn't agree more with the sbo. It's literally, uh. to pull people from the lowest tier up further along, basically. Um, [00:32:40] we like to ask everybody who comes on the show, if you could go back in time and give yourself one piece of professional advice, what would it be?

[00:32:47] Neatsun: Oh, wow. That's an awesome question. Um, I actually wouldn't want advice from the future. It's, uh, I think it ruins the fun.

[00:32:59] Ganesh: That's, that's a [00:33:00] great,

[00:33:00] Neatsun: that's a great answer. That's very philosophical. Um, of course, um, uh, advice on, on stocks to choose that other than that and nothing

[00:33:12] Ganesh: more. I think it has to be professional advice, not financial advice, but that's, that's very Zen.

[00:33:19] And listen, you're. [00:33:20] You're a super smart guy. You're at the, you're at the forefront of, you know, AppSec in the world, I would say. And what, what do you see in the crystal ball looking into the future?

[00:33:32] Neatsun: So one of the trends that, uh, I've been tracking for the past, um, seven or eight years is the amount of attacks groups out [00:33:40] there.

[00:33:40] So the amount of groups that actually have the incentive. And the motivation and the means to do a cyber attack and the number keeps growing drastically. Now, I don't know if, um, eight years ago it was like 200 because we didn't know about everything and now it's way more than 2000, but the [00:34:00] more people that you see that are in the engagement of finding.

[00:34:04] ways to extort money. It means that you're going to find more and more creative ways. Think about it as like an Olympics. And if you invite your Olympics, just 10, then you're going to get a good result. With a hundred, you're going to get even better [00:34:20] results because one out of the hundred is going to be not one of, but now we're at one out of 2000.

[00:34:25] So you're going to find way more unique things. And number two in the list is golf surfing. Very, very good, way better than the one of 10. that you found in the beginning. So if you look on this trend and you're saying, okay, so this is [00:34:40] accelerating, the number of disclosed vulnerabilities per year is increasing year over year.

[00:34:45] Last year, we almost touched 30, 000 known vulnerabilities disclosed per year. That's like 82 per day. So you get a point saying, okay, I understand that the guys that I need to face are getting more number. [00:35:00] They've got more tools. They've got more known vulnerabilities out there. Okay. I think that the trend is definitely something that we're going to be, um, It's a concern.

[00:35:11] Ganesh: On the plus side, at least neither of us will be out of work anytime soon. It's a, it's a job that has, you know, good future [00:35:20] prospects. Just out of interest, how do you stay on top? So there's, you know, 82 vulnerabilities a day and, you know, 20 tools to try and manage that. But one of the ways you stay on top of current trends in the industry, just out of interest, any podcasts or YouTube things you follow?

[00:35:36] Neatsun: Um. So I read quite a lot. Um, [00:35:40] so I get all the sources. I've got a good team of people constantly working 24 seven to make sure that everything that goes in gets an immediate evaluation, trying to understand what the implication is, something that we should be aware, should we raise the level of readiness?

[00:35:55] Um, in most cases, it's not a black swan. It's something that we've seen [00:36:00] before. Um, then we've got the network of about 400 CISOs over slacks, uh, slack that we simply send interesting findings once in a while, um, saying, look, this is probably going to get to your way. It's right now still not on the high alert.

[00:36:14] It has all the criteria to be something big. Hopefully it will not become something big. Uh, once we [00:36:20] know the details, we will share more. Um, and you get them engaging saying, okay, Our guys looked in it and we think this and this is what we're going to do as a precaution. And when you've got a large group of people, you've got the, the, uh, the powers multiplier.

[00:36:34] Um, so you can actually understand what are other thinking and just not have one state [00:36:40] of mind, but you're going to have a lot of different people thinking about the same problem with different point of view.

[00:36:44] Ganesh: I, there's definitely something about ego in there and there needing to be less of it generally in the industry.

[00:36:50] Uh, and paraloyer, I would say as well, because particularly in a British market, there's, you don't want to look like you don't know what you're doing, [00:37:00] or, you know, it takes a lot for somebody, it takes some courage to come out and say, I'm not sure how I'm going to defend against X, Y, or Z. But actually, you know, all the CISOs are in this together and that the more of them that are sharing openly on Slack groups, the better.

[00:37:14] So I'm, I would definitely support that.

[00:37:16] Neatsun: Exactly. Uh, security is definitely a group play and not a single [00:37:20] play.

[00:37:20] Ganesh: Yeah, I totally, I, I don't know how actually we, we get people to be more collaborative because there's so many great ideas that come out of, um, you know, people I chat to on the show basically, but, you know, there's so many great ideas come out of people.

[00:37:33] Yeah. Um, but I somehow still feel that everybody's so in their own, in their own [00:37:40] bunker, in their own problem solving thing that actually getting together, you know, to form, you know, we need like a lapsus of good guys or we need like a BitLocker of good guys or something like that. You know, I don't know how we do it.

[00:37:54] We need to go employ loads of Bangladeshis or something, an army of good guys out there. I don't know. [00:38:00] But, um, yeah, that's something for, something for a philosophical end of it. Neaton, it's been totally great talking to you. Is there any like closing thoughts you'd like to leave to our listeners?

[00:38:12] Neatsun: No, if anybody wants to talk, uh, uh, further details, always happy to chat, uh, via LinkedIn.

[00:38:18] Um, that's the [00:38:20] best way to, to get ahold of me.

[00:38:21] Ganesh: Really, really thanks for your time. Um, you are one of the good guys and we're, we're lucky to have you on our side.

[00:38:26] Neatsun: Thank you very much. Enjoy the conversation.

[00:38:29] Ganesh: This episode was produced and edited by Daniel O'Hana and Tomer Mouviton. Sound editing and mix by Bren Russell.

[00:38:38] I'm Ganesh The Awesome, a senior [00:38:40] solutions architect. And if you're ready to deep dive and start transforming the way you approach security, then the team and myself at GlobalDots are at your disposal. It's what we do, and if I don't say so myself, we do it pretty well. So, have a word with the experts, don't be shy, and remember that conversations are always for [00:39:00] free.

[00:39:00] Find us at GlobalDocs. com