Welcome to episode one of Capture the CISO Season 2!
Our host is Richard Stroffolino and our judges are Geoff Belknap (@geoffbelknap), CISO, LinkedIn and Steve Zalewski, co-host, Defense in Depth.
Our contestants:
- Omer Singer, vp, strategy, Anvilogic
- Satish Veerapuneni, CEO & co-founder, Lumeus
- Sivan Tehila, CEO, Onyxia
Watch the contestants’ demo videos below.
Got feedback? Join the conversation on LinkedIn.
Huge thanks to all our contestants who are also sponsors of Capture the CISO
Anvilogic
Anvilogic breaks the SIEM lock-in that drives detection gaps and high costs for enterprise SOCs. It enables detection engineers and threat hunters to keep using their existing SIEM while seamlessly adopting a scalable and cost-effective data lake for high-volume data sources and advanced analytics use cases. By eliminating the need for rip-and-replace, Anvilogic allows security leaders to confidently join the rest of the enterprise on the modern data stack without disrupting existing processes. Security operations teams at banks, airlines, and large tech companies use Anvilogic’s modular detection engine, thousands of curated threat scenarios, and AI security copilot to improve detection coverage and save millions of dollars.
Lumeus
Lumeus.ai offers Zero Trust Security for AI, enabling IT Security to efficiently manage Shadow AI, control AI access, and enforce AI guardrails. It integrates seamlessly with existing security infrastructures, supporting identity platforms like Okta, Google, and Active Directory, and network security platforms from Palo Alto, Zscaler, and Fortinet, enabling a smooth deployment.
Furthermore, Lumeus.ai features flexible deployment options for its gateways and control plane. Typically, the gateways are deployed within your network to support an isolated environment, while the control plane operates from the cloud.
Onyxia
The Onyxia Cybersecurity Management Platform empowers CISOs and security leaders with the ability to continuously strengthen their security programs and proactively reduce risk exposure. Our AI-powered cybersecurity management platform provides real-time security assessment and benchmarking, full security stack coverage visibility, and streamlined board reporting. With Onyxia’s predictive insights and data intelligence, CISOs can proactively improve their organization’s cybersecurity program performance and risk management, achieve organizational compliance, increase security stack efficiency, and optimize the business-level impact of their strategic security initiatives.
Full transcript
Intro
00:00:00
[Omer Singer] Break free from SIEM lock-in.
[Satish Veerapuneni] GenAI-based, zero-trust security.
[Sivan Tehila] Take your security program from reactive to proactive to predictive.
[Voiceover] Capture the CISO begins now.
[Rich Stroffolino] Welcome to Capture the CISO. I’m your host, Rich Stroffolino, and we are really thrilled to be bringing this show back for another season. This is the show where you get to listen in on the conversations CISOs are having with security vendors about their products. These are usually behind closed doors, nice mahogany doors sometimes, sometimes they’re weird sliding doors, a variety of different obstacles to pathways, yet they are now open to you.
You get to listen in on these conversations and we have some amazing vendors that are coming in, going to be put under the CISO scrutiny, I’m just going to say it, and see which emerges victorious.
For our contestants on this episode, we are welcoming in Anvilogic, Lumeus, and Onyxia going under that glorious CISO spotlight. And we’re going to find out a little bit more, find out about our judges’ thought process. I’m really excited. I’ve watched all of these demos, really good stuff, so I’m interested to see what stood out to the CISOs and what they want to hear some more about.
These companies are not direct competitors. They are, although, being equally judged on the following three factors and criteria. Number one, is it innovative? Number two, does it solve a real need? And three, how easy is it to deploy? All key considerations. We’ll see if anyone can complete the magic Venn diagram.
For our hosts today, we’re not holding back on the big guns for the first episode this season. We have Geoff Belknap, the CISO over at LinkedIn. Geoff, thank you so much for making time to be here. I’m excited to hear your thoughts.
[Geoff Belknap] Thanks for having me. I’m excited to hear which CISO has beautiful, luscious mahogany doors because that’s not any CISO suite I’ve been in. Maybe Steve’s office was that way.
[Rich Stroffolino] Well, yeah, let’s find out. Steve Zalewski, the co-host over at Defense in Depth. Steve, thanks so much for being here. And what is your door situation?
[Steve Zalewski] Well, thank you for having me. And Geoff, thank you for raising the bar as we get started. I will say when I was at Levi’s, my office was glass. So, even though I had a door, it was all glass.
[Geoff Belknap] Glass, the finest of woods.
[Rich Stroffolino] [Laughter] Well, thank you so much, both of you, for being here. You’ve got some questions and want to learn a little bit more. And remember, if you are watching this, you can check out these demos too. You can be on the same page as our CISOs. Just head over to CISOseries.com and click on the blue Capture the CISO icon.
I have some questions for the judges here. We’re going to start with you, Geoff. What gets you excited about a new solution from a vendor?
[Geoff Belknap] I think the things that are always really exciting are any vendor that is solving a problem that I really have. It’s easy to look around at what all the other vendors are providing. If I use sort of the zero-trust marketing spree that we went on, I think last year or the year before, it’s really hard to immediately go like, oh, this is a problem that Geoff actually has versus something that an analyst firm has told me I need to build a product for.
So, I get really excited about that. And I get really excited when a vendor wants to partner with me to solve a problem that just nobody else is solving yet.
[Rich Stroffolino] And Steve, I know CISOs in glass offices shouldn’t throw stones, but what gets you excited when you’re talking about a new vendor solution?
[Steve Zalewski] I look at it two ways. One, from an efficiency perspective, is it allowing me to stop wasting perfectly good resources on a problem that isn’t worth solving? So stop chasing the rabbit. The second one is what I call the effectiveness opportunity: are you solving a problem that isn’t just neat, but is actually advancing the state of the art to stop the attack, which is ultimately what we’re responsible for?
And so it keeps us kind of on task to what we’re ultimately wanting to do to protect all of our business. So, one of those two things, or if it’s both, then it’s a grand slam home run.
[Rich Stroffolino] All right. So, we know now what our judges are looking for in some new, exciting solutions here. We’re thankful for all of the vendors that are going to be on here for going under the CISO hot seat. So, let’s bring on our first contestant.
Anvilogic
00:04:33
[Omer Singer] Anvilogic breaks the SIEM lock-in that drives detection gaps and high costs for enterprise SOCs. It enables detection engineers and threat hunters to keep using their existing SIEM while seamlessly augmenting it with a scalable and cost-effective data lake. Security operations teams at banks, airlines, and large tech companies use Anvilogic’s modular detection engine, thousands of curated threat scenarios, and SOC copilot to improve detection coverage and save millions of dollars.
[Rich Stroffolino] The voice you just heard was Omer Singer, VP of strategy at Anvilogic. Steve and Geoff, you’ve heard that, hey, connecting the SIEM with a data lake, that sounds awesome to me, but watching the demo, you’ve dug in some of the details, what stood out to you guys? Geoff, let’s kick it off here.
[Geoff Belknap] Sure. I think the first question that I have is how do I deploy this? Is this strictly cloud native? Is it on-prem? What cloud does it work with? What’s that look like?
[Omer Singer] Anvilogic itself is a SaaS platform, but we do plug into your existing Splunk deployment. So, whether that’s Splunk on-prem, whether that’s Splunk cloud, could be a mix. We have customers that kind of have to keep some Splunk on-prem, for example, as their SIEM, but we can deploy into that.
And then the data lake options that we support, for example, Snowflake, are only available in the cloud. And we’re able to either host that on behalf of the customer or plug into the customer’s own Snowflake environment.
[Geoff Belknap] Great. And then just as a follow-up question, my take on this is based on your pitch and the prep materials that we had, that this is effectively replacing log forwarders that I might use or log forwarders that I might be running of my own that would otherwise be sending data directly into some of these other tools like Splunk or Snowflake.
Is that how I should think about deployment here, or is there a different place that you get in between?
[Omer Singer] I’m glad you asked that because it does come up a lot, right? We all know Cribl, for example, awesome company. They’ve done a great job kind of freeing up the pipeline. And customers that use Cribl can choose where the data goes. Some of the data keeps going to a SIEM like Splunk. A lot of the data, though, gets dumped in the data lake because it’s so much more cost effective, so much more scalable.
And that stays in place. Where Anvilogic fits in is in freeing up the analytics. So, once you send that data, wherever it goes, if it goes to Splunk, if it goes to your data lake, Anvilogic then lets you have detection engineering, have detection content, a threat hunting interface. So, that’s where it fits in so that the data that you’re routing outside of the SIEM is not contributing more risk, but actually can contribute to the SOC’s workflows.
[Geoff Belknap] So, the way I might think about this, and forgive me if everybody’s not as familiar with AI as I am, but I might use an AI prompt generator because I want to generate a consistent prompt across a bunch of different models like Stable Diffusion or other things. Is this kind of the same way I’m thinking about Anvilogic in that I can write a detection and Anvilogic will package that up and deploy it to Splunk or Snowflake or whatever my underlying data set might be so that I can have that consistent detection logic across wherever the data is?
[Omer Singer] That’s right. And we have all those pieces that these different data lake platforms don’t have, right? So, what you’re describing is you defined a rule, you’d probably want to have version control, right? You want to be able to manage its life cycle. You want to determine how often it runs and maybe tie it into a scenario that has multiple stages.
All that happens within Anvilogic, including the prompt, by the way.
[Geoff Belknap] So, last one, would you say you’re kind of a GitHub or a CICD for detection engineering on top of these data lakes?
[Omer Singer] Managing the version, definitely one part of it, and including, yeah, that prompt. Addressing the skill shortage, right? Where a ton of opportunity from the data lakes, but we don’t want to be held back by the skill shortage. So, that’s definitely one part of what we do.
[Rich Stroffolino] Steve, what are your thoughts on this?
[Steve Zalewski] Let me ask you this. One of the things that I thought about when I looked at what you were doing and what you said is, can I actually replace my SIEM with Anvilogic?
[Omer Singer] We see some security teams going in that direction, but the reality is, for example, if Splunk is your SIEM, you’re probably not going to replace it completely because there are a lot of other organizations that might be using it as well. So, if you think about your application logs going to the SIEM, there may be other teams in DevOps or IT that have their own use cases for it.
So, what we see is a preference to be able to maybe reduce some of the weight on it, move some of the workloads out, but not deprecate it completely. If that’s the direction you want to go, it is possible. But I think what’s very unique about this product is it recognizes a reality that for a large SOC, ripping and replacing the SIEM is just not an option.
So, if that’s the only way that you can kind of modernize your SIEM, you’re kind of going to be stuck with the old thing. By supporting both the legacy and the new, then we let you shift workloads to the data platform that makes the most sense for them. And by the way, just on that, I just want to add one of the things that we do is we support importing the rules from the existing environment because you have these SOCs that have spent years and years building, fine tuning detection content for their environment, if they were to switch to an entirely new SIEM, oftentimes with a different proprietary language, they would have to lose all of that.
So, we import it, and you continue to run it, just being able to manage it alongside the new stuff that you build that can also support the data lake.
[Steve Zalewski] Okay. So, now I’m going to be aggressive, right? Which was today I have a 10-person team. Tomorrow, I only get a four-person team. When I think about some of the consolidation we’re having to do, I look at a tool like yours as an opportunity to realize, look, a lot of what’s in the SIEM is log files, and log files tell me what happened.
They’re not reporting on what’s happening. And so my opportunity here is to stop doing more with less, which was keep reporting the same incidents without me doing something, to doing less for less, which is let’s focus on the new types of incidents that are going to stop an attack that I can do with a smaller number of people.
And so while I appreciate the fact that I can keep doing the old job and you talk about that, can I use Anvilogic to, in essence, rethink through your armory to look at the types of needles that I want to be able to go, “What’s happening now and what do I do to stop it?” as opposed to just having a thousand existing rules?
[Omer Singer] Yeah, absolutely. So, I think one thing is getting rules off the shelf for scenarios that are common across the industry is important. And there’s just so much stuff that you need to build out to get good coverage. Mapped to MITRE ATT&CK, etc., you want to show, demonstrate that you’ve got that coverage, and getting it off the shelf is helpful.
But I think there’s also an opportunity through AI where we’ve seen, looking at the past detections, and recommending how you might be able to cut down on noise. Because if you want to do more with a smaller team, you want to free them up. You don’t want them chasing all these false positives.
One of the things we do is we point out, hey, of the X amount of alerts that you’ve had in the last week, last month, you can cut out 200 of those if you just add these and these conditions to such and such rules. With these fine tuning recommendations, you’re able to do a lot more with less. And then also moving from atomic detections to more scenario type of detections where you’re saying, I’m not going to fire a notification to my SOC to run down every time this happens because I know the next thing they’re going to do is check if this happened.
Why don’t we tie those together into a scenario and reduce noise that way? So, attacking the false positives, definitely an important way to let a SOC do more with less.
[Rich Stroffolino] All right. Well, I think that’s just going to do it for the questions for Anvilogic. Thank you so much, Omer, for joining us today, sitting in the hot seat and answering the questions. Really appreciate your time.
Lumeus
00:12:11
[Satish Veerapuneni] Lumeus.ai offers zero-trust security for AI, enabling IT security teams to efficiently manage shadow AI, control access to AI, and enforce AI guardrails. Lumeus integrates seamlessly with your existing security infrastructure, supporting identity platforms like Okta, Google, Active Directory, and network security platforms like Palo Alto, Zscaler, Fortinet, and many more, enabling a smooth deployment.
[Rich Stroffolino] The voice you just heard was Satish Veerapuneni, the CEO and co-founder at Lumeus.ai. Steve, I’m going to start with you. What questions do you have for Satish?
[Steve Zalewski] When I think about service edges in your product, there’s two in my mind. There’s a simple view. I’ve got a network service edge, and I have a data service edge. Network’s primarily for old school private data centers, data edge when I’m out in the cloud and I’m SaaS. And I have IAM edge that needs to lean in on both sides.
Does your product solve one or both? Which of those two service edges does it solve?
[Satish Veerapuneni] At the end of the day, we are an identity service edge, especially as employees are more remote. We follow the identity of the employee and specifically to the destination like AI.
[Steve Zalewski] And then how do you deploy for a traditional network edge, and then how do you deploy for a data service edge?
[Satish Veerapuneni] Our typical deployment is a customer obviously has an existing zero-trust security solution. So, let’s say they have a Zscaler or a Palo Alto or a Fortinet, one of these in their environment. We sit right next to them as a network proxy, and we give visibility into, for example, shadow AI.
Now, if a customer cares about egress security, then we sit in your cloud right next to your firewall. It could be an AWS firewall, or it could be a Palo Alto firewall. We would sit right next to it. So, the changes in your infrastructure, whether it is on the endpoint or whether it is on the app, is very minimal as a result of something like this.
[Steve Zalewski] And then if I understood correctly, you’re basically network packet inspecting. So, you are getting into the proxy, you’re watching the network packets, you’re inspecting them, and then what? Are you actually changing the content of the packets? Are you blocking the packets? What is your ability to be able to influence or to be able to implement policy based on when I detect something is either accidentally or maliciously attempting to move through?
[Satish Veerapuneni] We start off with visibility first. We sit on top of the existing infrastructure, SSE or firewall, and then the controls usually are like firewall controls. You can block a specific user or a group of users to a destination. You can block based on topics. We call it TBAC, topic-based access control.
You can block based on context, behavior, like unusual behavior, for example. You can block all of that. We can also do redaction of PII data. So, we can do both firewalling as well as redaction inline. We would decapsulate the packet, like you said, and then we can do all of this. We re-encapsulate and then we send it to the destination.
[Steve Zalewski] Obviously, once you’re inline, it’s all about speed because if you fall behind, if there’s latency, or if you drop packets and you don’t get there. So, are there any limitations that you have with regards to being able to keep up with high bandwidth requirements?
[Satish Veerapuneni] Yeah. I mean, right now we are looking at AI traffic, which is primarily request response, and it is not very heavy like elephant flows. So, what we are focused on are just destinations, which are AI destinations. So, the traffic requirements in terms of flows and throughput requirements are not that high.
But definitely to your point, I think latency is something that we think about a lot. So, right now, if someone sends a request to ChatGPT, obviously your response comes back in hundreds of milliseconds today. I mean, at least consumers are used to that. So, our firewalling does much faster than that.
So, within the response timeframe that ChatGPT or any other AI destinations do, we can do firewalling function.
[Geoff Belknap] Well, a great set of questions. The thing I want to come back to real quick is deployment model. Is this a device or is this SaaS? Is it something I’m going to run on hardware on my premise? How does this work?
[Satish Veerapuneni] Both our data plane as well as our control plane are based on Kubernetes, and we can deploy it in your infrastructure, and it’s software based. It can deploy in your cloud.
[Geoff Belknap] Okay. So, you’re going to give me a container. I’m going to deploy that however I need to deploy it. And you’re, not to diminish it, but you’re just an L7 proxy with an L7 focus on AI interactions. Is that the right way to think about it?
[Satish Veerapuneni] Absolutely. That is the right way to think about it. For the data plane. Yeah.
[Geoff Belknap] Is there another plane that I should be thinking about? Like are you involved in the control plane here too?
[Satish Veerapuneni] We have a control plane that is managing all of these data planes. So, your policy plane is your control plane. So, the data plane is, like you mentioned, primarily L7 proxy.
[Geoff Belknap] Got it. Okay. And then you’ve got something else controlling the L7 proxies.
[Satish Veerapuneni] That is the control plane. Yeah.
[Geoff Belknap] Makes perfect sense. The follow-up question I have is you’re very, very focused on AI and building guardrails, which is a feature that feels sorely missing from a lot of solutions, especially if you’re already using an L7 proxy or something that’s going to be making some decisions on ingress and egress traffic.
How good are you at the other things? Can I replace my traditional network DLP with you? Or are you going to sit next to everything I’m already doing from that perspective?
[Satish Veerapuneni] We think about that pretty much every day. It turns out that AI traffic by itself is massive. There is something new that is happening every day. Especially I think last week, we’ve all heard about AI software engineer, Devin, right? So, there is going to be a lot of new things happening around AI.
So, we made our deliberate choice that let’s do DLP, integrated DLP, but for AI. Not replace the DLP of, let’s say, one of the secure service edges. That’s not something that we want to do. We want to focus on just AI traffic but do integrated DLP for AI.
[Geoff Belknap] In that case, am I deploying you or your solution specifically against services or users that I have as groups that are just focused on AI? Or are you going to sit next to my existing proxy or my existing network infrastructure and look for the AI to begin with? Are you doing that discovery or…?
[Satish Veerapuneni] The shadow AI use case is all about sitting right next to your existing network infrastructure. You might have a Palo Alto, or you might have, let’s say, a Netskope or a Zscaler. We sit right next to it. We look at all the traffic. We configure them to forward AI traffic to us. So, we keep a tab of all the AI web, and we get only that traffic routed to us so that we give you the visibility of any risks that are going to AI from users.
The same applies to applications that are talking to AI web as well, right? So, both user to AI as well as applications to AI.
[Geoff Belknap] Got it. So, you’re a drop-in or a bolt-on add-on to work that I’m already doing, and you’re going to help offload the AI element of that.
[Satish Veerapuneni] Yes.
[Geoff Belknap] Do you have a way out of the box to harmonize those DLP rules between your AI-specific DLP and any DLP I might already have?
[Satish Veerapuneni] Yeah, absolutely. I mean, today we start off with shadow AI, and then we integrate with the existing SSEs. Now, there will obviously be some gaps as a startup, and these are things, as customers say, that it’s a must-have. We always build for it.
[Rich Stroffolino] All right. Fantastic. Thank you, Satish, for joining us today, for answering these tough questions. Really appreciate your time.
Onyxia
00:20:44
[Sivan Tehila] The Onyxia Cybersecurity Management Platform empowers CISOs and security leaders with the ability to continuously strengthen their security programs and proactively reduce risk exposure. Our AI-powered Cybersecurity Management Platform provides real-time security assessment and benchmarking, full security stack coverage visibility, and streamlined board reporting.
With Onyxia’s predictive insights and data intelligence, CISOs can proactively improve their organization’s cybersecurity program performance and risk management, achieve organizational compliance, increase security stack efficiency, and optimize the business level impact of their strategic security initiatives.
[Rich Stroffolino] The voice you just heard was Sivan Tehila, the CEO at Onyxia. Geoff, where are we going with the questions here?
[Geoff Belknap] Well, I think a common question for everything that’s a great place to get started is, how do I deploy it? I assume it’s a SaaS product, at least from the demo and from the discussion, seems pretty clearly like that. How do I deploy it, and how do I onboard myself or my data to it?
[Sivan Tehila] We are a SaaS solution, and all of our integrations are basically based on APIs. So, it’s very easy to create integrations with any security product. It takes a few minutes to deploy. The data population and correlation are also done automatically. From what we’re seeing and experiencing with our existing customers, sometimes they can’t even believe how easy it is to deploy and how immediately they can get the insights and data that are presented to them in the dashboard.
And to your other question regarding inviting other team members, so it’s very easy to do that as well. You can basically just invite your colleagues to join the platform, and sometimes also see some CISOs inviting not only their team members, but also other C-level and executives in their organization to be part of this dashboard.
[Geoff Belknap] And I understand you can also baseline some data. So, I can say, here’s how I’m doing against patch compliance or vulnerability patching. I can compare myself to like Steve, something like that.
[Sivan Tehila] Yeah. So, when we started, I was trying to solve a problem that I’ve experienced when I was a CISO myself many years ago, and I remember myself always collecting data manually in order to understand how I’m actually functioning from a KPI perspective. When we started, we were basically collecting around 200 Excel sheets from CISOs who were currently managing their security programs manually, and we were trying to understand what the top best practices are.
Based on that, we created those KPIs, but what we also asked them to disclose was basically the SLA for these KPIs. So, when you’re onboarding to the platform and you’re activating a specific API, you can compare yourself or benchmark yourself to other CISOs in other specific industries. Obviously, it’s all anonymized, but you can see from an SLA perspective where you’re at comparing to others.
[Geoff Belknap] Great. And then last question. One of a CISO’s favorite hobbies is getting blamed for everything. One of the things that I feel like we don’t do enough is not share the blame, but maybe share the love about how our partners and the folks that we have relationships with in our organization can do more to improve security.
Is there a concept of sort of understanding accountable parties and reporting, for example, like the patch compliance example we talked about? Can I say, “Hey, Steve and Rich own these computers, and they’re not patch compliant based on this data. Is that something that you can walk me through in your tool or something for the future?”
[Sivan Tehila] Yeah. Well, we are going to add a community model very soon. So, you’re not only going to be able to compare yourself, but also sometimes ask the community what they’re doing. And I think what we’re missing now is a standard in the industry for some things. There is no standard for security KPIs, not even for SLAs.
Most of the time, CISOs come up with those KPIs and SLAs and numbers, but we do see that it’s very helpful for you, especially when you’re reporting to management, to show them where you’re at compared to others. Also from an efficiency perspective, how you can do more with less and be able to not only manage your environment, but also compare it to other companies’ environments to see where you have potential overlaps, redundancies, or where you can maybe better utilize some of your security products.
It’s obviously something that is very much relevant and aligned with your security program, and it’s something that you continuously want to assess and also demonstrate improvement over time. And that’s something that you can do when you’re using our platform. One of the things we have there is the ability to show improvement over time and we’re collecting the data from the past year.
So, at any time you can go back and see how you improved over time, and if you want to justify an investment in a specific tool, for example, it’s very hard today to do that when you don’t have very accurate data and understanding how it’s aligned with your KPIs. And with Onyxia, you can see if you invested 100K in a specific product, how it exactly serves the security program, which obviously we’re all here to serve the business and the business objectives.
[Rich Stroffolino] All right, Steve, what questions do you got?
[Steve Zalewski] It’s great when I have a big security team, right? And then measurement and metrics and what Geoff and I talk about, what do you want to be? How do you want to grow? More and more I see organizations don’t have that luxury of size. So, my question to you is, can I bring you in and make you my MSSP to manage all of my measurement to be able to do all that reporting out of the box?
[Sivan Tehila] I don’t know if MSSP is how I would call it, but yeah, for some companies, obviously MSSPs provide that. But we do see that CISOs that are using us are just basically freeing up so much of their analysts’ time. And often there are teams of analysts who are basically working on aggregating the data, doing the correlations in the back end.
When CISOs have these teams, it’s great. But if they don’t, this is something that is really part of their day-to-day job. And we help them save their time so they can focus on what matters, and we’re going to do the heavy lift of the data and the correlation and all those things at the back end. So, we’re definitely seeing many clients [Inaudible 00:27:17] a lot of time.
And we actually just onboarded a client that was about to hire two analysts in order to manage their KPIs and because he used us, he eventually hired just one. So, he can manage Onyxia and make sure that everything is always maintained, even though you don’t need to always maintain it. It’s one time onboarding, but we save them another salary of an analyst.
So, that’s how we see CISOs looking at us.
[Rich Stroffolino] Thank you, Sivan, for joining us, for answering these questions. You talked about Onyxia doing the heavy lifting, but you were doing the heavy lifting with those questions. So, truly appreciate your time. Thank you so much.
What do our CISOs think?
00:27:56
[Rich Stroffolino] All right. Well, all of the contestants, they’re no longer on our recording right now. They can’t hear us. We are in what I’m dubbing the CISO Sanctum. This is where we can deliberate, we can discuss, we can consider all of the pitches, all of the questions that we’ve had. And again, we’re judging these on three variables – innovation, need, and ability to deploy.
Three key ones. Geoff, I’m going to go with you. I guess what stood out the most with Anvilogic, and maybe what would you have liked to have heard more?
[Geoff Belknap] One of the really interesting things that we didn’t probably spend enough time on during our questions are this really feels like a time to value solution in the sense that very quickly I can get some value out of this by doing two key things that I think are important for any maturing detection engineering program, which are one, get CICD level orchestration and management of your detection engineering workflows.
It was very clear Anvilogic can help with this. And the other thing that I think is really important that we just barely scratched on is it looks like it’s something that really raises the effectiveness level of all my detection engineers. So, I’ve got kind of a low code, no code approach to building queries if I’m kind of inexperienced, but I also have an advanced authoring mode that I can use if I know what I’m doing.
Doing that across all of the different places where I have data, that’s actually really useful, and I think ultimately very innovative.
[Rich Stroffolino] Steve, what about you for Anvilogic?
[Steve Zalewski] So, some of the questions I asked him kind of indicated my bias, which was for large companies that have a lot of data, then this is a nice way to be able to bring in an additional capability that we just can’t do with the existing SIEMs, right? You’re introducing this concept of it’s more than just what happened.
But some of what I see and where I was really interested in as I have smaller teams and as I rethink what I want to get out of my SOC and SIEM is that this is innovative because it allows me to, in essence, as a small team, come in and look at them as the SOC and SIEM to identify what I need to find, not just be more efficient at how I’ve traditionally found problems.
And when I asked them some of those hard questions, you could hear they were like, “Well, we’re not really there.” They’re a little more thinking about the efficiency, but I think the effectiveness and the fact that we’re all frustrated with our SOCs and SIEMs, this is some innovative thinking to move us in the right direction.
[Rich Stroffolino] All right. And then for our second contestant, Lumeus, Steve, I’m going to start with you. What stood out? Maybe what did you want to hear a little bit more about with them?
[Steve Zalewski] Yeah. Does it solve a real need? Absolutely. GenAI is here to stay. We’ve all got to figure out how we move beyond restricting the business and the use of GenAI to embracing the business and managing the risk of GenAI. And so his ability, that it’s DLP kind of centric first, and where he’s putting it into the pipeline, yeah, absolutely.
We need it. There’s no doubt about it, right? He’s one of many, but we absolutely have to get some good stuff out there and then innovate on it. That is what I really, really liked. The way that they do it, it’s nice because it’s a network play. And so like Geoff kind of alluded to, which was, we know how to integrate in.
It’s not that it’s necessarily easy, but we know where to put it in order to be able to use it. So, kind of the ease of deployment, it’s difficult because it’s networks. The innovation, I would say, there’s not really much to innovate there other than the fact that we need the ability to deploy what we can today specifically for GenAI models.
[Rich Stroffolino] And Geoff, yeah, you were really hitting on that deployment drum during the questioning there. Anything else stand out to you or anything you wanted to hear more about?
[Geoff Belknap] Well, I think the deployment is going to be the really sticky part with a solution like Lumeus. When you have to deploy the network, if you’re not already engaged in a network DLP deployment, it’s a heavy lift. And that’s not to say what Lumeus does isn’t valuable. And I think it certainly can add some value, especially if you’re really high risk of losing intellectual property, but it’s going to be a big, steep cliff to climb over to deploy it on the network that way.
That being said, I think what’s really interesting is this sort of layer seven approach to AI or to solving some of the emerging risks when it comes to people’s rapid adoption of AI. Long term, I think there are questions about whether a network is the right place to do this. Would love to see something that’s like a browser plugin or another place that’s easier to deploy and that’s easier to sort of troll for that shadow AI deployment that I’m sure that exists a lot.
But I think it’s really innovative to look at here are different ways that we can approach solving this problem that a lot of people really have.
[Rich Stroffolino] All right. And last and certainly not least in our hearts, Onyxia. Steve, I’m going to start with you. What stood out? What’d you maybe want to hear a little more?
[Steve Zalewski] Where I gave them really high is does it solve a real need? The ability to visualize that data, to have a conversation about how do you defend your security program, is like top of mind for all of us. We’re really struggling with how do we demonstrate value. That was why when I talk with her, you could hear the passion.
She was a CISO. She had lots of people manually creating spreadsheets and trying to draw pictures and trying to be able to have that conversation. So, she said, “Let’s take the technology problem out of this and let’s look at the people and the process and figure out those conversations where I can draw you the right pictures.” That I really liked.
Is it innovative? No, it’s not really innovative other than the fact that she’s built some really nice visualizations. So, it’s innovative compared to spreadsheets like we’re all doing, and it gives us some flexibility. The only place I would say where innovation kind of peaked for me where I’m like, ha ha, how do I demonstrate I’m hiding in the herd?
Her ability over time to be able to incorporate data from everybody else, anonymize it, and allow me to be able to look at my executive team or my leadership and be able to demonstrate not what do you want from maturity, but where do we stand and is it good enough so that we stop walking away from this maturity for maturity’s sake?
[Geoff Belknap] I’ve got to push back a little bit on the innovative side because I think in our roles, we see so many vendors that have a brand new technology that they’re launching that’s going to let you inspect memory or look at system calls and running processes and workloads or maybe do some magical divination of what C2 callbacks are going to be.
All of those things are really innovating tactically. Real innovation sometimes looks like obvious answers. You’re like, “Oh, well, duh, obviously you would want to do that.” And it doesn’t feel innovative, but at the time it’s transformative. Those ideas that you immediately get that make sense to you are real innovation.
And I think in this case, people in this chair see a ton of solutions every day that are solving a tactical issue. What we don’t see are things that really understand what it’s like to run a security program and what you really need to make that program better. And I think where Onyxia helps is it’s looking at that systemically and systematically and programmatically.
How do I make a security program even better? This is a place where I’m personally really excited about the startups that are coming up that are not saying, “Hey, I’m going to stop malware even more.” They’re like, “Hey, here’s how to better understand your security program. Not just how it stops malware or ransomware or phishing, but how it actually delivers value to your organization.”
[Steve Zalewski] I want to dovetail on that for a minute, which was the word that you used that really piqued me was transformative. So, in this case, innovative versus transformative, it is definitely transformative. And that’s not something we’re supposed to characterize, but it’s really cool. And the reason why it’s transformative for me is his first generation here is around service level agreements, right?
Or SecOps efficiency. Is all of my security controls working? But where I see this transformative then is that’s kind of compliance and operational efficiency, but we’re getting into a risk conversation more and more, which is how do I characterize the risk program we’re going to have to build? And are my tools operating and are they effectively managing my risk?
And I think that’s kind of an innovative area that’s next up. And she’s one of those ones that’s pushing that transformative conversation over time.
[Geoff Belknap] Yeah. I think one of the number one questions that new CISOs get from boards or executive leadership teams are, how does our program compare to somebody else? And here’s the solution to answering that problem, which having a good database to answer to that question is as good as having money for an advanced EDR solution.
Closing
00:36:43
[Rich Stroffolino] It is time now for our final score and to indeed declare a winner. Steve, I think I’m going to go through your scores first. To your point with Onyxia being transformative as opposed to innovative that we were talking about as one of our criteria, you gave them a total of 22 out of 30.
And then it remains a tight race in your book though because both Lumeus and Anvilogic ended up with a score of 25 out of 30. So, a very, very tight race from what you are providing there, Steve. So, thank you for those scores.
We’ll start out with Onyxia for you, Geoff, you rated them a little higher I think on the innovation front. Correct me if I’m wrong, but you gave them a total of 25 out of 30 for a total of 47 out of a potential 60. So, a very good showing by Onyxia. Lumeus, Geoff, you gave them a 15 out of 30. And then last you gave Anvilogic a 24 out of a potential 30.
And that brings them to a total of 49, which makes them our winner for this first episode of this season of Capture the CISO. Congratulations to Anvilogic. And thank you to Satish Veerapuneni from Lumeus, and from Sivan Tehila from Onyxia for being on the show. Again, they were all fantastic. Really great stuff.
Omer Singer from Anvilogic is not here and won’t hear this result until this episode airs, but they will be joining us May 17th for their live finale. And you can go ahead and register for that right now by going to CISOseries.com and clicking on that blue Capture the CISO logo.
Remember, you can also watch all of those demos. If you heard what we were talking about, maybe you haven’t dug into all the demos yet, and you want to figure out where this fits into your organization, please do so, CISOseries.com. Thank you so much, Geoff Belknap and Steve Zalewski for being our judges on the show.
Remember, check out those demos. For next week’s episode, we’re going to be talking to HYAS, Nudge Security, and SlashNext. So, make sure you tune in for that to see who will be the winner for that episode of Capture the CISO, and we’ll see who’s going on to the finals. Until the next time we meet, remember everybody, have a super sparkly day.
[Voiceover] That wraps up another episode of Capture the CISO. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows, Super Cyber Friday, Virtual Meetup, and Cyber Security Headlines Week in Review. All contestants of the show are sponsors of the podcast.
If you’d like to sponsor and be a contestant, contact David Spark directly at David@CISOseries.com. Thank you for listening to Capture the CISO.