Welcome to episode two of Capture the CISO Season 2!
Our judges are Arvin Bansal, CISO, C&S Wholesale Grocers and Brett Conlon, CISO, American Century Investments.
Our contestants:
- David Ratner, CEO, HYAS
- Russell Spitler, CEO & co-founder, Nudge Security
- Patrick Harr, CEO, SlashNext
And don’t forget to join us for the finals, LIVE, on Friday, May 17th, 2024 at 1 PM ET/10 AM PT.
Got feedback? Join the conversation on LinkedIn.
Huge thanks to all our contestants, who are also sponsors of Capture the CISO.
HYAS
HYAS is a world-leading authority on cyber adversary infrastructure and communication to that infrastructure. HYAS is dedicated to protecting organizations and solving intelligence problems through detection of adversary infrastructure and anomalous communication patterns.
We help businesses see more, do more, and understand more in real time about the nature of the threats they face. HYAS turns meta-data into actionable threat intelligence, actual adversary visibility, and protective DNS that renders malware inoperable.
HYAS’ award-winning threat intelligence and investigation platform and protective DNS solution detects and blocks the beaconing requests of malicious and anomalous command-and-control communication and stops attackers from progressing.
Nudge Security
Nudge Security helps modern organizations manage SaaS security and governance at scale. Our patented SaaS discovery method eliminates blind spots, giving customers a full, continuously updated SaaS asset inventory from Day One. With AI-driven risk insights, security teams can readily understand their SaaS risk posture, prioritize security efforts, and regain control of IT governance. And, a human-centric approach to SaaS security orchestration helps security teams ensure proper governance while minimizing manual effort for themselves and friction for end users.
SlashNext
SlashNext’s Cloud Email Security leverages our advanced AI platform, purpose-built to stop sophisticated BEC and advanced phishing threats. The service delivers an industry-leading 99.9% detection rate and 1 in 1 million FPs by utilizing Gen AI, natural language parallel prediction, computer vision, relationship graphs, and contextual analysis for:
- Broad threat coverage due to large and diverse LLMs
- Highest accuracy and a 48-hour detection advantage to stop sophisticated zero-hour threats
- Increased SecOps and user productivity from using a solution with the highest detections and the lowest FP
- 360° protection with threat protection across all messaging channels: in email, mobile and web
Request a demo https://slashnext.com/request-a-demo/.
Full transcript
[David Ratner] We’re the adversary infrastructure experts for proactive threat intelligence and cyber resiliency.
[Russell Spitler] Nudge Security, SaaS security for modern work.
[Patrick Harr] Next-gen AI, cloud email security.
[Voiceover] Capture the CISO begins now.
[Rich Stroffolino] Welcome to Capture the CISO. I’m your host, Rich Stroffolino. This is the show where we get to listen in on the conversations CISOs have with security vendors about their products. These usually happen behind closed doors, but you get a front row seat with Capture the CISO. That’s why we are so excited to bring another season of this to you.
So, we have our contestants for today – HYAS, Nudge Security, and SlashNext. Quite a triumvirate of companies. Now, these are not direct competitors, but they are all going to be equally judged on the following three factors – is it innovative, does it solve a real need, and how easy is it to deploy.
So, the one that can best meet that Venn diagram, put all of those slices of pie together will be the victor. But that’s, of course, up to our judges, so let’s hear them now. First up, we have Brett Conlon, the CISO at American Century Investments. Brett, thank you so much for making the time and being here.
I’m excited for your input.
[Brett Conlon] Yeah, I really appreciate it. I loved season one. I had a little bit of FOMO. Now I got invited to be a judge in season two, so looking forward to this.
[Rich Stroffolino] And our second judge for this episode of Capture the CISO, the one, the only, Arvin Bansal, making his second CISO stint over at C&S. Arvin, thank you so much for making the time. I know you’re busy over there and appreciate you lending your sage wisdom.
[Arvin Bansal] Thank you, Rich. Excited to be here and looking forward to the conversations.
[Rich Stroffolino] Now, our judges have already watched some short demos for each company’s product. They submitted these to us. They are familiar with their solution that they are going to be offering. They know what they do, and they have come armed with some questions. But, remember, if you want to get caught up on this, you just do so by going over to our website, ciso-dev.davidspark.dcgws.com.
And if you click on the blue “Capture the CISO” icon, it’ll take you to all of those glorious demos. Before we start bringing on the contestants, CISOs, I’m going to ask you, what gets you excited about a new vendor solution? Brett, can we start with you?
[Brett Conlon] I think anytime there’s a new solution that either is addressing a need that we have and allowing me to consolidate multiple products into one is exciting. The other part I really like is looking at something where a vendor comes in, and they’re looking at the problem differently. That they’ve taken a different approach to it.
I like to see that. I like to see that there is creative thinking around that problem solving.
[Rich Stroffolino] All right, Arvin, I’m going to pose the same question to you. What gets you excited about a new vendor solution?
[Arvin Bansal] The two things that really get me excited about new solutions are, number one, they’re potentially solving an existing problem but in a better way. And number two, our technology industry is evolving very fast, so having a new solution that looks at a new technology capability and securing that, that gets me excited.
HYAS
[David Ratner] HYAS is the world leading authority on cyber adversary infrastructure and the communication with that structure. HYAS is dedicated to protecting organizations and solving proactive intelligence problems through the detection of an attack’s digital exhaust, the anomalous communication patterns, and knowledge of adversary infrastructure.
HYAS turns metadata into actionable threat intelligence, adversary visibility, and renders attacks of all types inert. Our award-winning threat intelligence and investigation platforms, as well as protective DNS solutions, allow organizations to get proactive against the threats they face and drive both operational and business resiliency.
[Rich Stroffolino] The voice you just heard was David Ratner, CEO of HYAS. Judges, I’m going to throw to you. What questions do you have for David? Arvin, I’m going to start with you. What do you want to know about when it comes to HYAS?
[Arvin Bansal] Today, our market is crowded with threat intelligence service providers, and our SOC is inundated with threat intel coming from everywhere. What is so special about HYAS, in your view?
[David Ratner] You know, it is true that there’s a lot of different companies out there that do threat intelligence, and some of them focus on specialized areas of information – dark web versus this, versus that. What’s really special about HYAS is, number one, our focus on the adversary infrastructure.
But number two is the fact that we have data around that subject matter that other people fundamentally don’t have. We gather data directly from authoritative sources on the internet. So, this isn’t people scouring the dark web. And we gather data from a combination of exclusive and private combined with open source and commercial data.
We pull all that into a big, giant data lake, and then we work hard, and a lot of our IP is in how we build connections between the nodes in that graph database, to build a mapping from what has happened, to what is happening, to what will happen. And utilizing data that other people don’t have, patented techniques around how domains and infrastructure move around on the internet in real time, and kind of the way we build that graph database is part of what makes HYAS super unique.
[Arvin Bansal] Can you give an example of the unique data and the outcome?
[David Ratner] Sure. You know, our threat intelligence solution, HYAS Insight, really takes all that information, all that intelligence in that graph database and focuses on three main things. We call it VRA. Verdicts. What’s good and bad on the internet? And that changes in real time. Related infrastructure.
Not just what do you know, but what is the related infrastructure in that graph database which is also owned by the same bad actor or the same bad actor group? And in fact, how do you create alerts to watch new infrastructure get created? How do you now watch the bad actor as closely as they watch you?
And, A, actors and attribution. Who is behind it? Where did it come from? And that could be what country, so that I understand as a company that my risks and my threat matrix are changing.
Or it could be all the way down to a meter worth of accuracy, here’s the house that the attack actually came from because I want to involve law enforcement and take bad actors off the field. And so from an infrastructure perspective, we can help organizations understand all three of those aspects, VRA – verdicts, related infrastructure, watch them as closely as they’re watching you, and actors and attribution.
And that helps them not just understand what did happen but what’s going to happen. I think the real key around threat intelligence is how do you use it to get proactive on what’s going to happen next, and that’s really where HYAS excels.
[Rich Stroffolino] Brett, can you jump in there? And do you have any questions for David?
[Brett Conlon] So, a couple questions. I saw HYAS Insights. I had a few questions around that. Trying to understand who’s your target audience or market for the Insight product?
[David Ratner] Yeah. So, HYAS Insight generally sells into anyone…into analysts, investigators, threat researchers, people focused on both threat as well as fraud. So, we have organizations and companies that are focused on the fraud side, chasing down fraud – either financial institutions or elsewhere.
And we have organizations that are focused on understanding the nature of the threats they face, understanding what happened, and most importantly getting proactive against that and understanding how they protect themselves going forward.
[Brett Conlon] Then if I understood correctly through the demos that I saw, is it more the analyst or if you’re looking at like a large scale organization or a SOC, putting the IOCs into HYAS for an output and for a correlation? Or is HYAS actually going into any of the existing SIEM tools or tools that create log sources so that they can actually automatically pull and correlate information and feed it back?
[David Ratner] You know, at HYAS, we focus on building products which are both easy to deploy, easy to manage, work by themselves, but also work better together with the stack. And so the demo you saw has a full user interface, and we have some people who purely use that user interface. But it’s also supported by a full JSON API, which integrates into visualization tools, tips, SIEM, SOAR.
Clients have even integrated it into proprietary toolsets. And so it can be used purely, automatically for data enrichment inside of your SIEM or inside of your SOAR, or you can go into the user interface and explore however you wish to.
[Brett Conlon] And then for Insight Protect, how do you find that to be different than tools like the web proxies that are out there today or the larger DNS providers that are out there that provide protective DNS? How do you find that to be…? Are you setting yourself apart in that area, or is that just sort of as a result of what you’re providing up front?
[David Ratner] Sure. So, HYAS Protect, which is our protective DNS solution… I will freely admit we didn’t invent the protective DNS space. I think we looked at it from a very different perspective in terms of how we get our data, and therefore perfected the ability to detect attacks in real time. I’ll give you two examples of that, of how we’ve done it differently.
First and foremost, from an efficacy standpoint, there’s actually an organization in Germany called AV-TEST, which publicly tests the efficacy of protective DNS solutions. In 2023, they tested HYAS. The report is available on their website. They concluded that HYAS was the most effective protective DNS solution on the planet today – meaning we detect attacks faster and before anyone else does.
It’s partly because we have knowledge that other people don’t have, if you think about the threat intel side and that graph database.
It’s because I understand what domains are going to be used for nefarious purposes before they get weaponized sometimes six, nine months before they actually show up in the wild, and I can be blocking those on the very first attempt versus most all other solutions, which are either detonating malware in real time or otherwise using lists and feeds to put things onto their denied list in what I call a hopa hopa model, which is, “I hope I can block it before my clients get infected by it.” So, that’s number one.
It differs in terms of our approach on how we get our data, and therefore the resulting efficacy is significantly better. But it also differs a lot from a flexibility and a go-to-market standpoint. Most every protective DNS solution is built to be the enforcement agent, the DNS precursor. And oftentimes, a client needs to change their stack in order to utilize it.
HYAS is built, again, to integrate into a client’s environment and built to be flexible and rapidly deployable.
And so HYAS can be the enforcement agent, and we do that for many clients. But we also have others who want to integrate it into their EDR and let the EDR be the enforcement agent. We’ve done deep integrations there. We’ve done integrations into firewalls. And if you think about protecting other assets in the enterprise like the production environment, you don’t necessarily want to put something between your revenue generating side of your business and your consumer.
So, HYAS doesn’t even need to be in real time there in the middle of that transaction. I simply need to get a real time feed of what’s going on, and I can deliver alerts into a SIEM, into a SOAR, into a firewall, what have you, and let humans take action.
And so it’s that flexibility of deployment that allows us to be deployed in a variety of scenarios that no one else can go do in front of a production environment, in front of an OT environment, IT environment. We don’t care if you want it integrated into your EDR. Our whole approach is that you can take this and layer it into your existing architecture, number one, so you don’t have to change your existing architecture.
Number two, so that it’s future-proof in doing so. We actually…using this model, we deployed one client that had 30,000 endpoints. We were fully deployed in under 30 minutes because of these kinds of integrations.
Nudge Security
[Russell Spitler] Nudge Security helps organizations manage SaaS security and governance at scale. We start by discovering all the SaaS accounts, giving you attribution of how it got into your organization, who has access, what resources are in there. Then ultimately, we help with SaaS risk posture, prioritize your security efforts, and regain control of that IT governance.
And best of all, this is a human problem, and we take a human centric approach, working with the stakeholders across your organizations to get into compliance.
[Rich Stroffolino] The voice you just heard was Russell Spitler, CEO and cofounder, Nudge Security. All right, well, I’m going to throw it to Brett first. Brett, what questions do you have for Russell?
[Brett Conlon] Okay, Russell, got to go through your demo. And so questions I have right now are you’re taking an innovative approach and a different approach that sets you apart from just a CASB. Can you explain a little bit though how you’re able to, once determining that you have unsanctioned SaaS apps in the environment…how you’re able to see what the resources are, how you’re able to…I think detect MFA is what the product said?
But also then if the employee leaves, if those are still unmanaged, you’re deactivating those SaaS apps. So, can you help me understand that a little bit better?
[Russell Spitler] Yeah, totally. That’s where the magic all really happens. So, one of the things that we recognized when we came in is the network-centric approach is long in the tooth. Limited utility, limited actionability in terms of what you’re able to detect. We take an email-based approach. We’re taking advantage of the one design pattern every SaaS application has, which is as soon as you register, they start communicating with that user, driving usage, communicating through email.
In that email, we get an incredible wealth of information. We get notifications when MFA gets turned on and off. We get notifications when AWS accounts join AWS organizations.
We get notifications when domains get registered, renewed. All of that allows us to get that granular insight into the different resources and aspects that are happening within those accounts. And then ultimately when it comes to revoking access when employees are leaving, one of the sort of undone steps when employees leave is what do you do with all those accounts that they registered with an email and password, the unmanaged accounts.
And there, we’re leveraging that same integration point.
So, what we actually have been able to do with the power of some AI bots that we have established is we can actually automate that password reset flow. So, if you think about Brett leaving the organization, we’ll reach out to Cloudflare and say, “Hey, please reset Brett’s email address…” Excuse me, email and password.
We intercept that password reset email, establish a new password, which allows us to ensure that that employee is not walking out with a Post-it note or a browser-saved password and still having access to those systems.
[Brett Conlon] And that’s regardless of if you actually create that system and become a…put it under the enterprise umbrella at that point?
[Russell Spitler] That’s correct.
[Brett Conlon] Then you’re able to create, I think you said a risk-based profile or a risk profile for the different SaaS apps. How do you calculate the risk of those SaaS apps where if I need to… You know, direct resources are focused on a particular SaaS app first over another one, how do you figure out which one is a higher risk to the organization?
[Russell Spitler] Yeah, so there’s a few attributes that feed into that. First, which is a little bit of a departure from the industry, is we’re not like a SecurityScorecard or a BitSight where we’re talking about outdated browsers, and vulnerabilities, and things along those lines. We’re looking at positive attributes that we can assert about this application.
What sort of security certifications do they have? Where are they hosting their data? What’s in their supply chain in terms of what other SaaS applications are they reliant upon? What authentication methods do they support? Do they support sign-in with Okta? Those things allow us to start to understand what the security posture, and what security features, and the security program that they have.
Then we kind of complement that with an understanding of what data is going into that application. At a high level, that can be categorical data of, you know, your HR apps have your employee information. Then we also augment that with, again, that human-centric approach, where as new technology comes in or as you need more information, we make it easy for you to engage with the employees who own those applications to do quick surveys to understand exactly what kind of data is going in there.
And all of that feeds together to allow you to sort of prioritize the applications that need effort and the ones that are sort of currently covered under security controls or the ones that kind of can be left until tomorrow.
[Rich Stroffolino] Arvin, I want you to jump in there. What questions do you have for Russell?
[Arvin Bansal] Looking at the history of SaaS security, Cloudflare, founded in 2009, is rumored to be one of the first SaaS security companies. Fast forward, we are looking at after 15 years. We have tons of players playing in this sector, SaaS security for all your SaaS applications like the AppOmnis of the world.
Should we look at Nudge Security as a complementary add-on to existing SaaS security services or as a replacement of all things SaaS security that we need?
[Russell Spitler] You bring up a really good point. And one thing that’s always important to clarify, of course, is Cloudflare is a security application delivered through SaaS. And, certainly, they have some aspects of their platform which do focus on the securing of the Salesforces of the world, etc.
But the other thing that I would sort of remark is if this problem were solved then there wouldn’t be so many companies and people buying the product. And so when I look at the sort of market and industry problem right now, one of the things that we started our company with was talking with 200 security leaders out there among the industry, and almost consistently I heard the same response, which is, “I don’t know what’s out there, much less what I need to do to secure that.”
And so that’s really where we started and the focus of Nudge Security as we got off the ground, which was how do we give you that system of record. What technologies are in place in your organization? Who has access to it? What function does it provide? Who is the admin of those services? And that’s really where we’re focusing on that foundational data, understanding of what technology is in your organization, and then building from there to start complementing some of the other technology that’s out there, whether it’s driving further SSO adoption or integrating into a security analytics program.
Those are critical pieces, but they only work if you know about that technology and have made the effort to pull it into the rest of your security program. And that blind spot is really where we saw the need and where we came in with our solution.
[Arvin Bansal] So, in short, is it complementary or replacement?
[Russell Spitler] It’s very much complementary to something like an SSPM, as you mentioned, AppOmni. The SSPM capabilities and Cloudflare…certainly the sort of rest of Cloudflare is certainly a different beast altogether.
[Arvin Bansal] The demo talked a lot about, “Hey, we’ll tell you not only about the SaaS security solution that you’re going to use but also we’ll capture the history of what SaaS services people subscribed to and give you the inventory of that.” You know, that triggered a thought. I don’t think, as an industry, many large companies have a good handle on the inventory of the third-party licensed solutions on prem, let alone what’s in the cloud.
So, how do you capture the historical records, and what’s the reliability of that inventory you create?
[Russell Spitler] So, that’s one of the beauties of using that email discovery as the data source, is we actually get to go through all of those email archives you’ve been dragging around for years and look at that historical activity to build out that inventory. So, within a couple of hours of deployment, we’ll be able to show you all of the historical activity within your organization down to the level of who introduced the application, when it was adopted, and all the historical resources related to that.
In terms of reliability, certainly that’s not as reliable as the ongoing detection because we can’t analyze anything we can’t see.
So, if there are people out there who are particularly detelety for emails, we certainly could miss some signals. However, we’re not reliant on any individual signal. So, you know, for example, a GitHub account, I don’t need to see the account confirmation email. I can see a pull request or an app added to the organization, and all of those can be used to confirm the existence of an account for that employee within that app.
So, it does end up being reliable overall but certainly there could be chances for oversights just related to that limited visibility of people deleting emails.
SlashNext
[Patrick Harr] At SlashNext, our mission is simple – stop advanced phishing and BEC in email plus any messaging and collaboration apps used by your employees. With our purpose built/fixed AI, a combination of LLM, computer vision, NLP, and behavioral analysis models, we detect and stop zero RBC, advanced phishing, smishing, QR codes, and malicious files in M365, Teams, Zoom, SMS, WhatsApp, Slack, personal Gmail, and well north of 3,000 plus messaging apps.
Check us out at SlashNext.com and stop the phish.
[Rich Stroffolino] The voice you just heard was Patrick Harr, CEO of SlashNext. Arvin, I’m going to lead off with you. What questions do you have for Patrick?
[Arvin Bansal] First thing is everyone claims to be using AI in their cybersecurity solutions. How do I measure the effectiveness of AI in SlashNext?
[Patrick Harr] I think, number one, you want to make sure your AI is purpose built for the specific threat type. The reason why I highlight that… We use a combination of gen AI, LLM really for text based type of threats. Second, we use for QR codes…this is another compromise user’s real time computer vision…we use a combination of NLP, computer vision, behavioral analysis for link based threats, and same thing for files.
So, I think at the end of the day, you want to make sure that it’s not just AI washing for AI purposes, right? It’s really how are you using AI specifically to the threat type, and how are you then measuring that based off your efficacy gain? So, meaning what is your detection rate? What’s your false positive rate?
And in our case, we also like to measure time to detection advantage. I think all three are very important, but it does come back to how are you applying AI techniques or AI models to the specific threat type.
[Arvin Bansal] And the follow up question is… We are still innovating and coming out with new companies who solve this problem. In part of the demo, you highlighted collaboration solutions like Slack channels and all. Can you expand more on what kind of threats or issues we really should be addressing in those collaboration channels?
[Patrick Harr] Yeah, absolutely. I would say email continues to be the number one way you compromise users. It’s very important to protect that. Obviously, we use an API-based approach directly into the Microsoft Graph API. It takes about five minutes to basically integrate and protect those users. In fact, we did that for about 185,000 mailboxes with a very large company.
It’s very important to protect email. You want to protect email from those advanced threats, not just your basic signature-based or known threats, which is what you’re going to find in some of the older solutions. I think second, as we’ve also seen out there in the wild, you are seeing attacks in Teams.
You’re seeing it in Zoom. You’re seeing it in executive impersonation in WhatsApp. You’re seeing obviously as the second most attack vector, SMS.
So, what do you do from a security control perspective for those messaging apps outside of email? I would highlight that’s kind of a big gap in the security postures that we’ve seen, and specific type of attacks that we’ve seen those apps… Again, executive impersonation. I have one customer that literally was traveling in Europe, and the next thing you know, there was an executive impersonation back to the financial team through WhatsApp and asked them to join a Teams meeting.
They had actually played a pre-canned video of that particular CEO to the CEO team, said, “Hey, I can’t hear you because you’re on mute. Can you upload this financial information on SharePoint?” That’s just one type of creative attack. We’re seeing that in Teams. We’re seeing it in others. We’re also seeing this in personal Gmail.
I think the very important thing to do now is to protect yourself not just in email but outside of email. Because at the end of the day, anywhere you can get messaged, you can get compromised. The bad actors know that, and that’s where they’re going to attack.
[Rich Stroffolino] All right, Brett, get in there. I want to hear some questions from you.
[Brett Conlon] Yeah, so, Patrick, I guess I’m trying to understand, what is it that differentiates SlashNext from what Abnormal does, or Tessian, or some of the other tools that have been out there, addressing just this issue?
[Patrick Harr] I think in email. I like to say you have to win in email to really prove yourself, because that is the number one attack vector. What differentiates us in email is our efficacy. When we compete head to head against those companies you mentioned, we win a fair share of the accounts. So, for efficacy, there’s really four ways you compromise a user.
There is plain-text BEC. Second is QR codes. Third is links, and fourth is files. So, we have purpose-built AI engines and machine learning engines dedicated to each of those four. Whereas you’re going to find with the others, they may use third-party data sources for some or all of those, and/or they built purpose-built for BEC only.
So, I think that’s what differentiates us is our efficacy gain, on average, about 99.9% detection rate.
Very low false positive rate. In that case, for BEC, we’re using gen AI detection models. We have almost a near zero detection false positive rate. But it’s not just an email only world, as I said. It’s an everywhere else world as well. Right? Anywhere I can get messaged, I can get compromised. So, how do you protect yourself against SMS texts?
Second most attack vector. We’re the only ones that do that, that I know of right now. And it’s the ability to look not just in email but outside of email and all those other messaging collaboration apps, including your personal messaging apps. There’s been a number of breaches called lateral movement where they breach a personal Gmail, move over to the corporate environment, even if you have multifactor authentication or trusted environment through FIDO.
So, how are you going to protect against that? And at the end of the day, I think that’s what sets us apart in the industry.
[Brett Conlon] So, can I ask a two-stage question on that? What are you doing, or how are you deploying to people’s personal cell phones and personal email? Then where is that data being stored? Is it staying on the servers, or is it being pulled back in your tool for the analysis?
[Patrick Harr] There’s three components to our service. It’s kind of, again, a 360 degree user protection. Email is API based, ties directly into the service, deploys very rapidly. For the mobile side of the equation, mobile messaging apps, we have a mobile app that deploys on the phone. There’s two versions of that app.
There is a BYOD version, and there is a company-owned version. Honestly, the only difference between the two, in the BYOD case, all of the machine learning, AI runs directly on the phone. Nothing ever goes back to the mothership, meaning no reports or incidents are ever reported back. You only have your personal dashboard on that phone.
Again, that’s done for privacy purposes, and it’s done to really get user adoption for BYOD.
We also have that company owned version. And, again, in that case, we’re going to report back the threats. Again, where the machine learning is running against SMS, it’ll look at executive impersonation, send Patrick gift cards to the trade show, which has happened in my last company. Or that malicious link in SMS, we’re going to move that junk.
Same thing holds true in WhatsApp, Telegram, Teams, Zoom, etc. On the PC or Mac side, we have a browser extension. Honestly, [Inaudible 00:28:02] API into every one of those messaging apps and personal Gmail included.
In this case, you get the broadest coverage, over 3,000 messaging apps. We use a browser extension. So, at the point of real time click, we provide real time click protection. Again, so that click in Gmail, in WhatsApp, again Teams, Zoom, etc. All that information, again, stays local. The compute stays local.
We actually move our database there, so the machine learning database, etc., is local to that machine, again, to really respect privacy.
What do our CISOs think?
[Rich Stroffolino] All right, so we have heard from all of the contestants on this episode. They’ve all dropped off, and now we are in what I like to call the CISO sanctum. This is where we are going to hear the thoughts, the reactions of our CISO judges about what they just heard on the three variables. Remember, these are the three criteria we’re judging on – innovation, need, and ability to deploy.
So, gentlemen, I’m going to start out with HYAS. They were hot out of the gate here. You know, Arvin, I know you mentioned that they’re operating in a crowded market. What did you like about them, and what did you want to hear a little bit more about?
[Arvin Bansal] I really like a couple of things about them. Number one that really stood out for me was their DNS traffic protection. That, to me, is like shifting left onto the internet traffic and going much closer to where it needs to be. I really liked that part. And then second, they are really going after the threat infrastructure, where the threat actors are attacking from, how big or small they are, what are the tactics they’re using.
Because they will change based on who is attacking. You know, script kiddie, versus a nation state, versus people for financial something in between.
So, those were the two things I really liked about the company. The only opportunity I see is the applicability. So, if I have an organization that does not deal with the fraud as much, how much do I go after in beefing up my threat intel, which is part of my security operations, which is part of my looking at security incidents that I’m experiencing.
So, if I have a sector, manufacturing versus finance, the drive for threat actors and the crimes or fraud will be much more or much less than the banking sector.
[Rich Stroffolino] And, Brett, for you, where were some opportunities, and what did you like?
[Brett Conlon] I do like their creative approach to what they’re trying to solve for. I think opportunity wise, there is a lot relying on the analyst or the company to come into a tool and put information in. It didn’t seem like there was a lot around the more proactive side of looking into what IOCs the company already has and then sort of taking that, and summarizing it, and feeding it back to let them know, “Here are the other things that you need to be looking at as we’ve done our infrastructure analysis.” So, there is a lot of promise there, but right now it seems to be catered towards the larger companies that have more of the manpower that can go in and put that information in.
But I’m excited to see what they do in the coming time when they can take that information and actually be a little bit more proactive with it.
[Rich Stroffolino] Moving on to Nudge Security. Brett, what stood out to you, and maybe where were some opportunities?
[Brett Conlon] I had a lot of questions on this one, and they answered them actually very well. So, I think it’s a common problem, and it’s a problem that still exists because we haven’t solved it yet. And I think it’s still a pretty significant problem for larger companies and for small companies alike.
So, I do like how they’re approaching it. I think that how they’re approaching it, what they’re doing with it, and what they’re able to surmise from that is very interesting. I think some areas where I wanted to learn a little bit more about are what happens when data retention requirements kick in and how much of that information is getting passed to and from the security console that they have and the email system that we have.
But I liked it. I thought it showed a lot of promise. And I thought it was an innovative or a new way of solving an area that we are all frustrated with and we have a lot of angst around.
[Rich Stroffolino] Arvin, what did you think about Nudge?
[Arvin Bansal] They are looking at the history of SaaS utilization within the company, and it’s not easy. You know, traditionally we were looking at the finances of who’s paying what using the credit cards, and then you have CASB solutions, and then you have SaaS security solutions. But I really like that they’re digging into emails.
They’re looking at multiple sources to create that inventory for us. And the second part is, most recently, we had the UNC breach, which is sort of going into second party, third party of Optum and then Change Healthcare. So, when they mentioned in the demo that they look at third parties and fourth parties as well, I really liked that part.
In terms of opportunity, I’m questioning myself. I already have security scorecards of the world for my third party monitoring, breach history, and other pieces. How will I benefit, or what is different in Nudge Security versus the existing solution?
[Rich Stroffolino] Yeah, definitely some great food for thought, Arvin, on Nudge. We will see how that plays out in the scores. Let’s finish up, though, with SlashNext, which was last in our rundown today but definitely not last in our hearts. Arvin, what did you like about SlashNext, and where did you see some opportunities?
[Arvin Bansal] I think it was really innovative when Patrick talked about combining smishing, the SMS text, those annoying texts that we get. We, as security professionals, know what to click, what not to click. But then combining the information from smishing, to WhatsApp, to email and then correlating all of those factors to come out with the real threat or nullifying those threat actors that are coming to us through different channels, I really liked that part.
The other part which needs to be validated… For those of us who have spent probably decades in data security, the most dreaded word that we have is false positive. So, when I saw in the demo, you’re talking about the 90s, closer to 99% true positive rate, I’m like, “Wow. Is that really feasible? And is that where AI is coming into play or not?” That was the other area that I really liked in the demo.
Where it could be…the opportunity for improvement… When we talk about true positive, false positive, if I see a third party validating those numbers, I would trust it a little more.
[Rich Stroffolino] And, Brett, what did you take from SlashNext?
[Brett Conlon] I agree with Arvin. I think when I saw that percentage number, that stood out as something where it sort of distracts you and you wonder where that information came from. I do think this is an area that’s a very crowded space and we’re seeing consolidation around right now. We’re seeing the bigger companies come in and grab these areas.
Bringing together the smishing and the cell phone information, plus personal browser information and personal email, plus corporate email was exciting.
But as he mentioned, you actually can’t correlate that information back for privacy reasons, which would make sense. So, at the end, we’re still stuck with we’re really just looking at three separate areas. And if it’s staying on the person’s personal device, unless it’s a corporate device, then we’re not really getting that information back and we’re not able to really take that information and better protect the company.
So, it’s back to one of the other products that are out there already and what it does to differentiate it, and right now I just didn’t see that. But they’re looking at the problem correctly, and so, again, exciting to see where they are in a couple months.
[Rich Stroffolino] All right. Well, the scores are in, and we have a definitive winner. So, Arvin, I’m going to run through your scores real quick here. First up, you had HYAS and Nudge tied with a 23 out of 30, so ranking very highly. But SlashNext for you just edged them out with a 24. So, Arvin, SlashNext, technically your top spot in our triumvirate of competitors today.
So, Brett, let’s go over to your scores. You gave HYAS a 12 out of 30, bringing their total to 35. For SlashNext, a 14 out of 30, bringing their total to 38. And with an 18 out of 30, you and Arvin named Nudge Security our overall winner for this episode of Capture the CISO. Now, Russell Spitler from Nudge Security is not here, and he won’t hear this result until this episode airs, but he is going to be joining us on May 17th for our live finale where we will name an ultimate champion for Capture the CISO.
You’re going to want to go ahead and register for that right now by heading on over to ciso-dev.davidspark.dcgws.com and clicking on the blue “Capture the CISO” logo. Thank you once again, Arvin Bansal, and Brett Conlon, and all of our contestants today – David Ratner, Russell Spitler, and Patrick Harr, for making the time, for having great questions, for having great demos and presentations, and answering questions.
Everybody was upping their game. I really appreciate all of your time today. And remember to check out the demos for next week’s contestants, BugProve, Zenity, and Egress, and then tune in to hear them compete for a chance to join our other winners to see who will indeed capture the CISO. Until the next time we meet, I’m Rich Stroffolino, reminding you to have a super sparkly day.
[Voiceover] That wraps up another episode of Capture the CISO. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, ciso-dev.davidspark.dcgws.com. Please join us on Fridays for our live shows – Super Cyber Friday, Virtual Meet Up, and Cyber Security Headlines Week in Review.
All contestants of the show are sponsors of the podcast. If you’d like to sponsor and be a contestant, contact David Spark directly at david@ciso-dev.davidspark.dcgws.com. Thank you for listening to Capture the CISO.