Security Unfiltered
From Mossad Officer to Unit 8200 Hacker & Beyond With Daniel Schechter Leader In App Security
Ever wondered how a military intelligence background could transform a career in cybersecurity? Meet Daniel Schechter, our guest who began his journey in the Israeli Defense Forces' elite Unit 8200, and now navigates the fast-paced world of IT security. Daniel’s story is one of transition and growth, illustrating how skills honed in intelligence work can be leveraged to tackle the challenges of modern cybersecurity. Through his personal anecdotes, Daniel offers a glimpse into the real-time, analytical capabilities that cyber technology brings to intelligence and how this shapes operations today.
For those curious about a cybersecurity career, this episode is a treasure trove of insights. We promise to take you through the steep learning curves and the passion required to thrive in this ever-evolving field. With stories that range from military parallels to reflections shared with my wife, who also works in computer security, we paint a vivid picture of the vast responsibilities and exhilarating potential within the cybersecurity landscape. It’s a field where continuous learning isn't just an asset; it’s a necessity.
As the digital world shifts towards cloud-based solutions, we tackle the intricate challenges this brings to IT security. From understanding cloud security roles to enhancing product security with AI, our conversation uncovers the critical need for diverse expertise to manage these advances. We explore building collaborative relationships between developers and security teams, emphasizing the essential role of communication and mutual respect in addressing vulnerabilities. Whether you're a seasoned professional or a newcomer, this episode offers a comprehensive view of the cybersecurity realm's dynamic nature.
Follow the Podcast on Social Media!
Instagram: https://www.instagram.com/secunfpodcast/
Twitter: https://twitter.com/SecUnfPodcast
Patreon: https://www.patreon.com/SecurityUnfilteredPodcast
YouTube: https://www.youtube.com/@securityunfilteredpodcast
TikTok: Not today China! Not today
Speaker 1: How's it going, Daniel? It's great to get you on the podcast. You know, I think that we've been planning this thing, I want to say, since like June or something. At this point, I mean, primarily, my schedule has just been garbage, you know, like it's one thing after another, right? Like the kid gets sick one week, derails me for two weeks and then something comes up. It's always something. It's always an eventful time in my life, I guess.
Speaker 2: No, I'd say so. I hope your kid will get better soon. But I'm very happy that we, you know, we stick to running after each other. I'm really, really glad that we have, you know, a chance to talk.
Speaker 1: Yeah, yeah, absolutely.
Speaker 1: You know, Daniel, I always start people off with telling what made them want to get into IT, what made them want to get into security. And the reason why I start everyone off there is because there's a lot of people that are listening that maybe they're trying to figure out, is IT even possible for me? You know, like, is this a realistic goal? Should I actually spend time in it? And I feel that hearing everyone's story, right, hearing everyone's background with getting into it or developing that interest, is always really helpful, because I remember when I was getting in, all I wanted to hear was someone else came from my same background that did it, right? Because once you hear that, it kind of like unlocks your brain. It's like, oh, this is possible, right. So where did that start for you?
Speaker 2: ...the Israeli Defense Forces, and I was very, very happy to join the intelligence. Actually, another technological side. In the beginning I actually joined a bit more, kind of was a forward-deployed intelligence type of thing, and I think when you are doing intelligence in 2010, and I would assume other people did some service and relate to this, you understand that cyber is a very, very big part of what intelligence is in modern times.
Speaker 2: And for me, as a person that was always chasing impact, I felt like, you know, I heard all of these stories about people that said, look, I had this great idea. I woke up in the morning, I went to my computer, in the evening I got all of those things, and I was like, oh, I want to do it as well. And so I decided to try and cross the river to a unit called 8200, which is the second unit of 8200. And I was there in the cyber sector and actually, despite being already an officer, I started from scratch, you know, from researcher, team leader and forward. So this was my path into cyber and technology.
Speaker 1: So when you were on the intelligence side, would that be like the equivalent to an officer in America's intelligence services? Yeah, okay, okay, so that tells me, you know, things like what I can ask and whatnot, right? Like I've had former CIA officers on, and I mean my audience, you know, they can go back and listen to those episodes. Like there were like five questions where I asked him, and he's like, yeah, I can't say that, right? But that's really interesting.
Speaker 1: So when you were in that role, you saw the impact of technology, you know, on your role when you were in it, you know, in that 2010 timeframe, right? Did you see the role potentially transforming into, like, hey, at some point I'm part hacker and part officer, right? Like, was there a transformation there going on? I imagine that there could be, right? Because I'm thinking of, and I'm obviously not asking you to speak about any of this, I don't expect you to even know anything about it, right, but personally I'm thinking about Stuxnet in terms of, okay, now it's kind of blending, almost, right? Because we're finding out that, you know, one of the methods that they could have potentially gotten the USB drive in was through, like, the water system, and then, you know, someone on the inside pulled it out and put it into a server or whatnot.
Speaker 1: I mean, that's all conjecture, right? It's all assumptions, right? But, like, to me, from a cybersecurity professional, it sounds like, okay, you have someone that has some knowledge that is a little bit beyond just, like, the physical aspect of being an officer, right? And so was that present? And then is that kind of what sparked that interest of, oh, I want to go more on the cyber side, right? I want to go, maybe, to the people that are creating this stuff and whatnot. So does that make sense?
Speaker 2: No, it is. I can't talk about, you know, Stuxnet or anything, because I didn't know. I wish I knew more about it. But I think when it comes to this, at least for me, it's always about, you know, those experiences where, essentially, you're sitting in a room and trying to make a decision from the other side of the room. I'm not talking, you know, I'm not like you.
Speaker 2: We're always taking it in our heads to spec a lot, even like, you know, you're trying to do, like, a defense mission on, you know, like a counter-terror type of mission. And I think that 2010 has really shifted the way towards understanding how much impact this, you know, cyber has, both in the ability of the real-time aspects of it as well as the ability to really understand deeply things that are, you know, really, really hard. I think that the last few years kind of showed us, and I think in Israel specifically, that it cannot go by itself. It should always be as part of the overall, I would say, methodologies. But at least for me, I was like, how come there is such an important part of my job that I don't really understand? And it is for me like this, alongside the fact that I saw the impact and I saw the enthusiasm and I also saw the opportunity to actually make a difference.
Speaker 2: I think one of the amazing things about cyber is that, and I always remember when I talked about it when I changed, is that, you know, sometimes in order to do, like, a complex intelligence mission, you need, like, big teams and, like, you know, months of preparation, like physical complexities, and with cyber, you still need highly trained, very, very, very successful people and a lot of preparation. But essentially one of my best experiences, I remember I had one of my soldiers when I was already a team leader. She was like, I have this idea, let's try this out. And from a no-go to a wow, we did it in less than 24 hours with two people in a room. This was like a crazy dream come true, and for me at least, it was part of the ability to create an impact. Now, from the defender side, I'm saying that I think it's also part of the challenge, because we're living in a world where the number of people that are capable of doing those things is just crazy.
Speaker 1: Yeah. Yeah, that's, you know, that's fascinating. There's a lot of, like, rabbit holes that we could go down with what you just said, but I think it's really important, though, to have purpose in your work, you know, to be like, hey, this matters, right? Those people may not even realize that it matters, but it matters, and I think that that was one of the things that kind of opened my eyes to cybersecurity.
Speaker 1: Right, because a little background, right, I got my bachelor's degree in criminal justice. I wanted to go into the federal government. I wanted to go and be that officer that's, like, in, you know, a dark hole on the earth, just trying to, you know, make the world a better place, right? Like, I really wanted to do that. I really wanted to have that impact. I figured I probably wouldn't make it past the age of 40. I probably wouldn't have a family or whatever.
Speaker 1: Right, because I was fully sold into this thing, and during the, you know, the interview process, right, it's a two-year process, you know, I'm in help desk and someone at that company was like, hey, you should think about, you know, cybersecurity. Like, why don't you go pick up the Security Plus book and see if it interests you, right? And so I've told this story before. But, you know, I picked it up and I couldn't put it down. And so, just to be sure, I picked up a Network Plus book and that thing would only put me to sleep. I mean, it wouldn't matter where I was, how well rested I was or anything like that. I would be at work and I would wake up 30 minutes later and my boss would be like, Joe, what the hell are you doing? I'm like, I'm sorry, man, I can't be reading this book at work. It just puts me to sleep, you know. But that was the thing that kind of caught my attention.
Speaker 1: And then I started to realize, oh, I can, like, I can spend a lifetime in these different domains of security, right? Like, a light passion of mine, right, that I'm starting to get back into a little bit, probably because my PhD is forcing me to, is wireless security, right? So the wireless security, like the hacking side of it, came very easy to me in my master's, right? Like that, because it was.
Speaker 1: It was a very hands-on program, so, like, you're not just talking about, oh yeah, this is why, you know, WPA is bad or WEP is bad. It's like, no, I'm in the lab, like, I'm manipulating these tokens and I'm doing it myself, right? Like, I understand it very well, which is more than I can say for malware reverse engineering. That was, like, extraordinarily difficult. That was, like, the only class I got a B or a C in, you know, during my whole program, and I was so mad because I spent so much time on it and still suck. But, like, this is a field, you know, where you can have a lot of impact in other people's lives, even if it's just your own company's, you know, your own employees' data, whatnot, right? Which really isn't even the case anymore, I don't think, because if you're a company, you probably have someone else's data to some extent. But I don't mean to ramble, right, but, like, finding that purpose, I think, is critical and it definitely helped me quite a bit.
Speaker 2: Well, totally, and I think that one of the things that I experienced because of the transition, and I think I wouldn't seem you like you experience, and I think that implicitly you kind of said it, is like, I think that if you don't come with this there is a lot of struggle in the beginning, because it's such a big world. Now, even now within the company, so we build the company, like the company we develop. Of course, most of our workers are people that came from the same units and kind of did security for a long time. But when we started onboarding other people, you start seeing what richness of a world there is when it comes to security.
Speaker 2: And I think that for many people when it's, like, their first step in, also for myself, I remember, and my wife is also, like, in computer security, and I remember, like, I sat with her in the beginning just to understand, like, the basics, because there is, like, a bar, like, you know, the barrier to entry is still so high.
Speaker 2: But I think, going back to what you said, I think that, if you really, like, I think that security is not a profession for people that don't love to learn. But if you are enthusiastic about learning, if you are enthusiastic about, like, technology and about innovation, I think you just find yourself once you cross the bar, once you, you know, start, like, you know, you start mentioning, like, WPA and other, like, other encryption things, but, you know, underneath it's, like, okay, understanding how, you know, RF is working and understanding how, you know, encryption is working, so many things that encapsulate, like, those two words that you mentioned there. And I think that once you cross the bar and start understanding the concept, and I was very lucky for my wife to be there for me, but it's just such a big world, it's such a crazy world, it's such an impactful world.
Speaker 1: Yeah, yeah, that's a really good point. You know, like, when you're getting started, that bar is actually high, but once you get into it you realize, man, that was, like, that was nothing, right? I was, a couple of years ago, this episode actually never released because the government stepped in and basically informed me in other ways, like, hey, this episode probably shouldn't go live, right? And I'm not someone to have the government show up at my door, and so, yeah, I prefer to have my freedom, right? So, but I was talking to a cyber warfare developer for the US military, and so this guy, you know, gets a target package, figures out, you know, how to hack it in the way to provide an officer, or the government just overall, right, with the intelligence that they're looking for, you know. They give the guy the target and they say, we want this in the end, and he figures out how to get it.
Speaker 1: And one of the things I asked him was, have you ever, like, been handed a target package that you just couldn't figure out, you know, how to hack the cell phone, how to hack the laptop, whatever it is, you know? Did you ever, you know, reach a dead end? And he actually said no. He said, literally, like, as long as you're creative, you know, and you have the right tools in front of you and you have the right training, there's literally nothing you can't do. And so I dove into the training a little bit with him. Again, like, this episode, you know, it was like, it was a situation where it's like, okay, I know, you know, just from my prior experience, that you definitely cannot be talking about any of this shit. You know, I'll probably edit out that bad word, I'm sorry, but, you know, you probably can't be talking about any of this stuff. And so I figured, while I'm even talking to the guy, this is never going to go.
Speaker 1: But he was talking about the training that he goes through, right, just to be in that role, and it's, like, a two, two-and-a-half-year training, which is interesting to me because I, you know, again, right, like, I'm very into, like, the special forces and intelligence side of things. I've learned everything that I can about that area. You know, you look at, like, special forces training, those guys are training for two and a half years minimum, like two and a half years just to get their foot in the door, to be like, yeah, I'm a Navy SEAL, yeah, I'm a Green Beret or Ranger or whatever it might be, right? And it's interesting to see that translate over to the cyber world, right? Because what he was telling me is, like, you know, you know coding languages so well that you're dreaming in code. Like, you're literally dreaming in code and you're figuring out new ways.
Speaker 1: You have tests every two hours, every single day of the week, seven days a week. You know, like, there's literally no breaks. Every once in a while you get, you know, a day off, you know, just to, like, recoup and whatnot. But to be so immersed in that world is really, I mean, it's fascinating. You're not going to get that anywhere else. You know, like, I work from home, right? Sometimes it's difficult for me to fully immerse myself into that world, even though I have all of the liberty to, you know, research and study whatever I want. But to be at that level, to know it so well, it's like the back of your hand, you know. And that doesn't even describe it properly, in my opinion.
Speaker 2: Yeah, no. I think one of the things I'm seeing, and here I can talk about myself, I can talk about my co-founder, Itai, and most of our teams, they are crazy good people. Some of them started this when they were, like, and one of our architects was, like, you know, he told me, like, he got into security because he wanted to get some more coins in one of the, you know, one of the first games he played, and, oh, okay, so let's find how to, uh, create, you know, like, generate a key. Let's find out. And then, like, from here to what he is today, which is probably one of the best, first best researchers I know. And we have some of them there. But I think that, like, like you mentioned, and I think it goes to every craft, I would say, I think every craft, and it can go away from even like, it's always about muscle memory and intuition, and they are both functions of a lot of experience. Because intuition, essentially, people think that intuition is something that you just have or not have and, of course, some people just have a better, probably, like, they're wired, maybe, in a better way to understand certain things. But essentially, all right, I instantly tell that, like, intuition is a matter of, like, how much time you tried it before. And I think that we're seeing, just going back to security and others, just like, you know, you have to do it again and again and again and again and again, until, you know, it's built up in the muscle memory but also in the intuition.
Speaker 2: I think that the part of the so-called, like, challenge when it comes to security, unlike maybe other crafts, is that the muscle memory might be deceiving sometimes. Because, going back to this, you know, we're living in a world where the pace of change is so, so, you know. So we are in application security, and I think that applications, or product security today, and I think product security practitioners, you know, they're living in a world where technologies are changing so quickly that their basic intuition is a key, but they always have to be in this position of, like, but maybe something new has happened, maybe something new has changed. So I need to go with my intuition, because this will, you know, 80%, but I always need to be open-minded. And we actually see, I'm very lucky, some of our customers, some of the products we're working with, the best security practitioners I know are the ones that, on the one side, have, like, immense intuition and immense, you know, opinion about how things should be, but on the other side, are extremely open-minded and eager to learn. I see it also from our team, like, engineering side or developer side, as well as the customer.
Speaker 1: And because the world is changing, it's an interesting problem, right? Because technology is changing so quickly, but it's, like, it's changing at an increasing rate. Like, it's not changing at the same rate that it used to. You know, 10 years ago, when I got into security, right, I had already been in IT for maybe five years before that, right? I loosely say that because it was, like, a help desk college role, right? You know, when I was getting in, even just 10 years ago, it was very different, right? Cloud security wasn't a thing. That was not a field. That was, we don't need security in the cloud, the cloud takes care of all of it. That was that mentality, right? I mean, that was 100% of that mentality.
Speaker 1: And now cloud security is getting to such a scale, right, where, just 10 years later now, we're kind of venturing down the path of, oh, I need a cloud security IAM person, I need a cloud security network person, you know, like, I need someone that does the infrastructure side of cloud security. And I think companies are slowly waking up to that, because right now, typically, companies are, like, oh, I just need one cloud security guy and he'll do it all, and I'm sitting here, like, to do everything that I do, do you basically have to be a developer, an infrastructure guy, a help desk guy, a network guy? I mean, you are an entire IT team all in one. And, God forbid, my CSO is out, because now I'm also the acting CSO over the cloud.
Speaker 1: It's like, man, this is, uh, this is a lot. Yeah, no, I tell you. Yeah, sorry. Yeah, I mean, well, I'm just saying, like, you look at other industries, right, over 10 years, it doesn't change that much, you know. Like, arguably, it really doesn't, but it seems like we're going at a pace that's, like, a breakneck pace, and AI, you know, is only making it faster, right? So we're already at a deficit in talent in the world to fill these roles. We're already not able to fill these roles. But it's only going to expand. It's only going to grow significantly.
Speaker 2: Yeah, no. I talked about, you know, I remember going back to, you know, we are really experiencing kind of the changes in product security and application security. And I remember, you know, going back to your days, even, you know, back then, when you thought about application security, it was, okay, you know, my developers need to, I need to provide them something to scan their code. I put some web application firewall. You know, but the concept was, okay, let's talk firewalls, let's talk, you know, layer three problems. Okay, it's a layer seven issue, but, to be honest, like, for many years it was okay, because, you know, you had, like, one entry point. You know, like, you had, like, a DMZ and everything going in, going out, like, it was very kind of, you know, gathered. The amount of languages was somehow, like, not even languages, like, okay, authentication, so each and every developer, like, built their own stuff. And, you know, there was not so much, like, third-party integration into the applications and stuff. And now, and also then it was already hard, but it was somehow manageable, I would say. And I'm talking now with, like, people, you know, like product security and application security, and essentially, you know, we're living in a world where they have to understand, and, you know, they come in.
Speaker 2: One of their developers tells them, look, we can't really fix it all, help us understand what it is. Now they need to understand exactly, in the language of this specific thing, why this specific code is allowing an attacker to do something. Now they go back to the developer. The developer tells them, yeah, I understand, but, you know, the Kubernetes configuration doesn't really allow this to happen. So they now need to understand Kubernetes for real.
Speaker 2: Yeah, but I understand about the infrastructure, but the AWS configuration, I understand, but this doesn't really allow this to pass. Okay, but we have a Cloudflare configuration, but the CDN, but the gateway configuration. It's like, it's so hard. You need to understand everything, not to mention the fact that you need to now know it not only on your thing, but on the open source, all the third-party applications you have, all the first-party code you have. And essentially, the amount of people, like you said, like the amount of people that are taking care of the problem maybe doubled itself. The amount of problems and the amount of issues probably potentially grow over time.
Speaker 1: Yeah, yeah, that's a really good point, you know, because, like, even just 10 years ago, right, like, the idea was, throw a WAF in front of your apps and you're good to go, right? It was okay.
Speaker 2: To be honest, I remember from the other side, this was a very good solution back then.
Speaker 1: Yeah, yeah, there was no worry about, like, code scanning. I mean, there was, you know, stuff out there for code scanning, but people, literally, the mentality was, well, if I got a WAF in front of it, what does that matter? You know, the WAF should be catching everything, you know. And that wasn't a terrible mentality. I remember being told, hey, you need to deploy Imperva WAFs to, you know, our environment, and just dreading going through the configuration of it and everything else like that, you know, and I kind of, like, I tried to, like, dodge that project. And now I'm over here, like, deploying an AWS WAF, you know, to the entire environment, like, over 140 accounts in AWS, and I mean, it's everything that I dreaded, you know, 10 years ago. It is not fun.
Speaker 1: The technology is evolving so quickly that we almost have, like, fringe, you know, startup technology companies that are the ones that are able to create the product to actually adapt with how quickly these environments are changing. And, you know, I remember when I was doing the RFP for the WAF project that I'm doing right now, there was only one solution. We looked at 15 different solutions. There was only one solution that was actually able to scale with the size of the environment that we needed and the diversity of the environment, right? Because it was, like, oh, we have stuff in containers, we have stuff in serverless functions, we have functions as a service, we have all of this stuff, right? And there was literally only one vendor, and they were brand new.
Speaker 1: They were, like, a two-, three-year-old company, and I think that's, unfortunately, that's why we kind of, like, passed on them, because when you're a two- or three-year-old company and you go into a hundred-year-old company's environment, people are a little bit nervous, right? Me, I'm like, hey, give me them, you know, because I know that they work, I know that they do good work. You know, give me that solution, because I know it'll work perfectly fine for our environment. But people get hesitant, you know, when it's that difference, you know, in life, right? They're like, well, we don't know if this company is going to be around in five years, we don't know if they're going to be bought by someone or, you know, whatever it might be. And I'm just sitting over here, like, well, why don't we buy them?
Speaker 2: Now, I think that you had a very, like, like recapping what I... I think that probably one of the biggest challenges today in security is just velocity. Like, pure, just velocity, pure. And I think, like you mentioned, you know, velocity is always a game. Startups were always, I would say, better to handle velocity, because their velocity is, like, you know, you can get into physics.
Speaker 2: But, you know, as our own startup, I didn't even, like, present, but right now I'm kind of the co-founder, CEO of Mego Security, which we are trying to address the exact problems of the application and the product security I mentioned. But putting this aside for a second, maybe I'll talk about it more later, but for us, going back to the, it's all about velocity. Because technology changes, like, the amount of changes that happen. Technology changes in both sides, by the way, because the amount of technology your engineer is using is just going wide, and the amount of third-party interdependency, the so-called, like, within your own system, is going wide. We just spoke of authentication before. I think right now, like, even try to imagine, even in your environment, how many different components are actually touching authentication and how many of them are actually in your control today. It's crazy, like crazy, to understand the difference.
Speaker 2: Ten years ago, one team, one place. Dates, like, probably you have an IDP, your gateway is doing some things, your cloud is doing some things, you have a microservice here, you have a microservice there, there you have an old legacy system. So crazy. And I think the bottom line is that the velocity creates a lot of opportunities for the other people that know how to handle velocity, which is attackers, especially because attackers really like velocity. Because it's not only that the amount of technology is going wide, but also the amount of, you mentioned AI, the amount of code is just going crazy, like the amount of code being generated, the amount of permits being done a month, the amount of new APIs you're releasing. Like, it's so, so, so hard to manage.
Speaker 1: Yeah, yeah, there's someone on my team that, I mean, you just look at the amount of commits that he made, and he's not a developer, right? He's not a developer.
Speaker 1: And last month he made over 100 commits to, uh, just my code base, just the thing that I own. And I'm sitting here, like, you know, how in the world do we keep up, right? Like, is there a good, you know, solution for it? Like, how does Migo do it, right? Like, how do you enable security teams to stay up to date, you know, kind of on top of what's going on in the environment? Because, you know, to be honest, there's times when I don't even know what's going on in the outside world, right? Like, I don't even know what's developing, what's coming or anything like that, because I'm spending so much time in my own environment. I don't even know, like, how to prep for the future, right? So how do you maybe address that, right? How do you make it easier for that internal environment knowledge so that people can, you know, kind of adjust and catch up, I guess, at this point?
Speaker 2: Yeah, no. And, as you said before, I think it's essentially, it's a learning game, essentially. And then the question is kind of, how do I manage to focus my learning on the right places and know what I need to learn, right? These are, like, always two questions, and I think that, at least for us, we said, let's learn ourselves, outside of the security world, how other people try to address this problem, because velocity is not only a problem of security. It's also a problem of IT, it's also a problem of, you know, developers. It's a problem for many people, and I think that the last few years actually created a real revolution in the way that people are thinking about monitoring and keeping up with what's happening in the world of observability. So what we said, going back, and we are kind of focusing on, you know, the world of how do we help you kind of stay on top of those, you know, changes. So we said, okay, actually for performance, like, if something will break down in performance, you're probably going to know about it. Maybe not as security, but your DevOps, your SREs, somebody has a tool somewhere to help you. Maybe you don't have full coverage, maybe you don't have it everywhere, but observability really changed the way we're thinking about just environments, not security per se. So we said, okay, this is one place we really want to learn from.
Speaker 2:And the second thing I think with the revolution of AI, it's more about okay, how can I? Because you know people think sometimes AI is like this magic wand that you can say, okay, let's put AI done. But we said, if you actually combine AI and the ability to utilize AI for anomaly detection and LLMs or any other generative AI for automation of so-called basic reasoning processes, you can actually, with the right data set, you can actually reduce by much the ability to at least, I would say, triage and take action. And at least for us, we said okay. So these are the two revolutions that should lead, the way that we're thinking about security, like observability and AI, and the way that we did it is we say how can we take observability and the data you have, as well as kind of other data that we can create, in order to really help you tell a story from a security perspective? So, like your DevOps are telling you know a story about. You know, this is how much you know, this is the, you know, the request time. This is the problem here. This is the problem there. How can we tell a story in the world of security? This story is probably going to be around.
Speaker 2:Essentially, I'm sending a request from the internet. Where does it end? What does it allow? Where does it start? Where does it end? What permission, what data? Essentially, it encapsulates other words that we spoke about maybe before, but like less radius exposure. But essentially it's all about from an application or product standpoint, I'm sending a request. What fiscal, what data query it allows me to do?
Speaker 2:Essentially and in the past, monolith application was an easier problem, but easier problem in a world of distributed application is it's almost impossible problem. But thank God for observability and for amazing projects, like you know, OpenTelemetry, or to, like you know, other things that we're utilizing Elastic Profiler and like other tools that are, you know, becoming industry standard, in order to really kind of do what we call deep tracing, essentially distributed tracing alongside, like deep application profiling, and this allows us to essentially help you see your application and then utilize all of those that, I think, in order to start asking questions about them. Because, going back to the commits, out of those, like you said hundreds of commits. You probably care only about those who actually change something in exposure, something in data access or maybe something, or introducing a new risk or violating a policy that you didn't really want to have.
Speaker 1:That's interesting. So you're kind of approaching it almost from like the reverse side. You're saying well, what do people care about the most, right from different changes and commits and whatnot? And then we'll provide visibility around that to give them the ability to respond, and we'll also provide some sort of enhanced you know capability with AI to respond quickly. Is that? Does that kind of sum it up correctly?
Speaker 2:Yeah, I think that the world that we want to live in, going back to this, is a world where you know, in order to give control back to security people, in order to be on top of this, the expertise, going back to the intuition, will always be with people. I think that we're seeing that AI can take you so far, at least for now, right, and then the question is how can we help you better enforce the things that you want to know about and better act on them? To start being asked, because today, when it comes to product security and other stuff, we just kind of talked about you know, tracing, but then, if you are actually introducing into this, you mentioned, like, how do I know about how things are happening in the world? So, okay, now I know about my application, how every transaction starts from the internet where it ends. Now another question is okay, so how is that actually a factor in my application, like, not my? So this is where the threat intel feed and where the vulnerability feed comes in. To overlay with this, to say, okay, so now I understand that from all of the different attacks, all the different vulnerabilities that are in the world, this is where I'm actually, you know so involved to an attack and for that. And then, like, the flow that we want to create is a flow where you know those product security teams can actually do like, can actually live in a world where you know something new has happened. I get a notification on this can automatically, because I have this visibility can automatically identify okay, it's great that I have this 50,000 times in my code.
Speaker 2:But really, really, you know, when we look at it and how your application actually behaves, when we're kind of taking all of the production content from all of the different tools you have, when we're kind of analyzing how your application actually works, it's really exploitable in like three, four places. And of these four places, the things like and this is how an attacker will exploit it, and here we're actually utilizing AI to emulate how it's going to look like. And then like, all of the, provide me a proof to the developer, provide me a proof. So it's really done like dude, this is tracing, you know it from your SRE like address it like a production issue, go fix it, but on the other side, we can tell you look, if you change, going back to your big like WAF project, because your WAF might not be configured right now in a way that allows you to stop it because they are, maybe, you know, because you now need to go for triggers.
Speaker 2:So the other side is okay, we already know how it is. We already know we have a WAF, let's help you just like. So, on the one side, let's help you open a, you know, a Jira ticket or whatever you want a ticketing for the developers and open an SLA to like okay, this is a cool thing. But on the other side, you know, like Joe, this is the WAF configuration you need to make right now in order to buy yourself those 12 hours until the end. And, at least for us, this is how we believe that the future of product security should be, where the entire so-called middle manual work is being automated to allow you to redefine what you want to focus on and to make sure that your actions are being done by developers until you have the ability to actually understand how to mitigate it in the meantime.
Speaker 1:Yeah, that's really fascinating. It does take the term application security and it turns it into something completely different, like you say, product security, because that's a more holistic view. Maybe the number one thing when I'm dealing with developers is them understanding the actual context of what I'm talking about. Right, I say cross-site scripting risk or cross-site scripting vulnerability, and if they know what cross-site scripting is, they still don't understand what I'm saying. Right, I barely know what cross-site scripting is.
Speaker 1:Like, every once in a while I got to look it up to refresh my memory, you know. But that's really fascinating that it provides that proof, because the number one thing that I'm always asked well, where's the proof? Right, this doesn't even happen in our environment. No one even comes to our application and does this. Why are we putting in the work to do it? What's the proof? We don't even know if this is a real thing. And their I mean their first question to me always is well, can you even pull this off? You know what I'm sitting here like? Well, technically I can't. I can't even have like that kind of VM in our environment. My CISO literally won't let me because he thinks I'm just going to blow up the world if I have something like that in the environment, you know, and so that becomes a very sticky point for me, you know.
Speaker 1:And then it also like on the reverse side, right, it comes to mind, you know, maybe a couple months ago I had 150 developers on the call at the same time, which was very odd for me, because when they set it up and then they invited me to it, you know, and I'm like, okay, there must be something like really wrong going on. Right, and they're trying to get me to put in an exception for something and they weren't explaining it properly, right, and they were intentionally not doing it properly because they wanted me to put in an exception, thinking it was one thing when it was actually another, because they didn't want to spend the next two months, you know, working on this thing to to really iron it out and make it right. And after like 30, 35 minutes of me questioning them, you know, I finally got to the truth of them essentially wanting to bypass the WAF, that I've just spent two years of my life trying to get deployed and rolled out and configured and everything else like that. You know. But in that situation I think about it from from like both sides, right, we're showing the validity of this attack and then we would also be able to show the validity of that configuration change, saying, hey, I can't, I can't make this configuration change or I can't allow this in the environment because it's going to do X, Y and Z.
Speaker 1:If I wouldn't have spent the 30 minutes going through those questions and being used to being badgered by different people to get something through right, if I wasn't used to that sort of thing, I would have just made the exception, not thought anything about it. I would have figured, hey, they're the experts, they're the devs, they know about the code, they know about these apps. I don't know about these apps, I don't know about the code. You know I'm at a disadvantage but I knew better to keep on asking.
Speaker 1:But it sounds like, from from your solutions perspective, I could have probably just pulled it up and seen it. You know, right there, right, like, if I make this change, what would that be? And it kind of just like filters through, and I would be able to at least have that knowledge in a more quick, you know, available way to me, which is, I mean honestly, that's critical right, because as security people, you're always called in at the last minute. Okay, like, like, right when something needs to get done. You're called in at the last minute and you're expected to understand this very complex problem. You know and I feel like your solution may provide that guidance that we're lacking almost.
Speaker 2:And I think it goes back to your intuition, because, going back to what you said, you know your personality and your intuition probably allowed you to to to identify this issue right, because I would, I would know and, knowing a lot of security personas, you know it's. It's not easy to sit in front of 100, like probably probably the the most expensive meeting of this year in your company, you know. So it's like, you know, sitting in a room and asking them questions for 30 minutes and we all know we are developers you have no patience for those people, you have no patience with security when those points in time come. And then it becomes this game of attestations of like let's hypothesize this, so maybe let me understand this, but in our code it's not really like this and for, at least for us, it came to a realization that you know it. Like even the best teams and it sounds like you have like the fact that they called you in means that you have very good relationship with them. But even the teams with the best relationship today have no common ground to even talk about what's true.
Speaker 2:And I think, going back to this, like even before we kind of. This is why it's so important for us to kind of and kind of waste. This is where we believe that the observability, but really deep observability, and like the ability to take the same data but to take it into security context, is so important, because what we believe in is like the such a conversation should go like look guys, let's open this. Wherever it is, doesn't really matter. It doesn't matter if you say we provide it in mingo, but like, let's put it aside, but from a council perspective, let's open this, let's have this conversation.
Speaker 2:You, you can show me like okay, if we're doing this, you know how, how things will change. Okay, you understand that right now you are open a direct path from the internet to like a PII, right, so you understand that I'm not able to do an exception of this. So, and it's like the entire conversation changed. Now you might say something like okay, so maybe let's enforce something different, otherwise, maybe let's do this, maybe. But it allows us to think of a place where, going back to this, we start talking evidence, we start talking knowledge, because I think that we can't accept that even the most amazing product security team, most amazing security teams, 20 people, whatever many people who handle so many changes, and it's not only this, like you mentioned, it's like all the new code and it's being pushed, all the updates are being pushed.
Speaker 2:You know there is a feature that requires a configuration issue, but you're still being called to this because, and like, who's being called now? Maybe it's not the app security being called, maybe it's the cloud security engineer. That doesn't have the context because it does, because it's such a complex problem and the truth is so slippery. We have to start talking more evident, because I think that the siloed approach today is really putting into, it's really creating like an unnecessary yeah, that's a really good point.
Speaker 1:I think you also bring up a really good point about the relationship right that must exist. For me to even get invited to that call right and it's. It's interesting. I don't I don't even think about it that much because I do it kind of, you know, like innately, as soon as I get into a role I'm I'm meeting as many people as I possibly can. But, like you know, I I really did take the time to build those relationships with those developers. I mean, I went completely out of the way most of the time just to talk with them. You know, send them Uber Eats gift cards, GitHub gift cards, you know, or not GitHub, Grubhub, you know, just to like show, like, hey, you know, I'm acknowledging you.
Speaker 2:I see you yeah.
Speaker 1:Your work really matters to me, right, and now, you know, now they give me the time of the day, right, like, if I need 30 minutes with them, they give it to me. There's no issues with other people, with just about everyone else. And I am slowly finding out they're like man, I can't get a hold of these devs. I'm like what? Like I'll go text him right now. He'll respond to me at five minutes, you know. And it's true, right, and people are like kind of blown away about how that's possible. But it all starts with that relationship, you know, and then a technology, a strong technology like yours, comes in and it gives you all that knowledge, all that you know, all that insight that you need, that maybe that dev is a little bit nervous about telling you. You know, like, that's, it's uh, maybe they don't know.
Speaker 2:You know, like, I think you know today, today comes back to think, essentially, think security, and security and engineering is is like two sides of the same.
Speaker 2:You know, same partnership, right, but but I think that today, when it comes to this and you mentioned like multiple things, but I think that you know, being engineers ourselves, this is we highly evaluate the people that actually know what they're talking about. Always, I think that the number one when it comes to technological mindset, if somebody sounds like they're talking they don't know what they talk about, they lose credibility very quickly. And I think that the second thing is that you know you really want to get something out of this when it comes to, like, learning something new, knowing something new. So, going back to this, when you talk to them about XSS, they learn something new about it. They gain something from this conversation. And I think, going back to the initial problem, I think that today we are almost sending a lot of like. I'm hearing this you know, somebody got like 10,000 vulnerabilities. He automatically calls security of like okay, what do I do with all of this? I don't know. And then security is kind of is losing credibility because what can I do with this? So, you know, some people, from a personality perspective, can create those relationships, but for some of them, we're living in a world today where we have to find a way.
Speaker 2:Going back to this and kind of how we envision this is to say look, I checked this for you. Going back to this, this is the proof. We already managed to recreate it. Can you pull it yourself? Yeah, I already managed to. I haven't pulled to recreate it. Go check it yourself if you want, but I already checked it for you.
Speaker 2:This is what you need to do and, by the way, I'm going to buy you 12 hours. I'm doing some mitigation, I'm going to approve it with my, with my bot. I'm going to buy 24 hours by doing this and this and that, but you know it's just a patch, you need to fix it right. And if it's for us, this allows you to say, like you know, to end such a thing with like, no guide, like first engineering you. You did great 24 hours from the first minute we saw this is a real problem. Until you fix it, you are amazing. Let's celebrate this second. You know. You know that you can count on me to buy the time and make you look like the hero in the end of this, and I think that today it's like we're just not built in a way to do this type of a win-win situations and we want to create this win-win situation yeah, yeah, that's a really good, that's a really good point that you bring up that.
Speaker 1:I feel like we could keep talking for another hour or two, right.
Speaker 2:Let's do it another time it was fun.
Speaker 1:Yeah, yeah, it went by quick. You know well. Daniel, I really do appreciate you coming on. I think it was a fantastic conversation. I definitely want to have you back on.
Speaker 2:Same here. It was great. And I think, going back to what you said, it doesn't matter where where people start. I think, like both of us, you kind of mentioned where you started.
Speaker 1:I think that, for everybody listening, I think if you are passionate about just learning and colleges, like, don't be hesitant to get into security, like the bar is high to get in, but the outcome is, you know, it's amazing. Yeah, yeah, absolutely. Well, Daniel, before I let you go, you know how about you tell my audience where they can find your company if they wanted to learn more about your solution and whatnot, and maybe where they can find you if they wanted to connect.
Speaker 2:And we will love to you know, speak with any one of you on going back to kind of how we can help you kind of reshape and rethink about the way we're doing cloud security today. And you can find us on LinkedIn, on web, on Twitter or X now and you can, you know, of course, send me direct LinkedIn messages. I'm trying to be as responsive as I can. Really really love to meet everybody.
Speaker 1:Yeah, absolutely. Well, awesome, you know. Thanks everyone. I hope you enjoyed this episode as much as I did. It was great having you on, Daniel, and I really do appreciate you know you sticking with me there and still coming on.
Speaker 2:No, of course, I'm really looking forward to hopefully continuing it, because I felt like there are so much more things we can talk about.
Speaker 1:Yeah, yeah, absolutely. Well, thanks everyone. I hope you enjoyed this episode. All right, bye. Thanks so much.