The fragmentation and vast amount of data generated from enterprise tools create a convoluted landscape for cybersecurity professionals to navigate. This complexity is exacerbated in large companies with dynamic environments, where innovation and growth must be balanced with the ever-present need for security.
In this episode, Piyush Sharrma, CEO and co-founder at Tuskira discusses what the company is doing to unify security tools and validate defenses in this sea of data. Piyush is joined by our panelists, Mike Woods, vp, cybersecurity, GE Vernova, and Keith McCartney, vp, security and IT, DNAnexus.
Got feedback? Join the conversation on LinkedIn.
Huge thanks to our sponsor, Tuskira
Full Transcript
[Voiceover] Connecting security solutions with security leaders. Security You Should Know starts now.
[Rich Stroffolino] Welcome to Security You Should Know. Today we’re talking about to Tuskira and what they’re doing in preventative cyber defense. And really, the problem they’re trying to address is data sprawl. So we have on Keith McCartney, vp, security and IT at DNAnexus and Mike Woods, vp of cybersecurity at GE Vernova.
Gentlemen, I have to ask, why is data sprawl still a problem?
[Mike Woods] I think it’s at the heart of a big problem for cybersecurity. There’s just so much telemetry coming from so many different tool sets. Our tool sets are sprawly. We have different tools for different needs. Our systems are sprawly. We have IT, we have OT. So things are very chatty. And then when you get down in under the hood, the schemas and the data models are not always normalized.
[Rich Stroffolino] Yeah. Keith, we know this is a historic problem, but why are we seeing this as still a problem?
[Keith McCartney] Well, we’ve got dynamic environments, especially at scale in larger companies. You can either lock everything down and you have no change, or you allow for innovation and you’ve got change. So you’re constantly trying to track that change, understand what it means, and identify where you’ve got risk in the environment.
[Rich Stroffolino] All right, well, to try and get some answers here and learn a little more about Tuskira, we’re going to be talking to Piyush Sharrma, the CEO and co-founder of Tuskira. And we always start out by answering three essential questions. So, Piyush, how do I explain the value of your solution to my CEO?
What does your solution do, and what does it not do? And then we’ve got to dig into the pricing model. So can you give us these preliminaries?
[Piyush Sharrma] Organizations are drowning in security tools, yet still getting breached. Why is that so? Every security tool connects to your assets and environments in an organization and collects a ton of data, but they don’t talk to each other. This is where Tuskira comes in. Tuskira solves this problem by connecting all your security tools, identifying actual attackable problems by running certain simulations on our proprietary generative AI-based simulating technology.
We can preemptively predict what are the vulnerabilities and what are the tool tools an attacker is going to evade, so that you can preemptively identify how you optimize these controls. And when we talk about these controls, we’re not talking about just the protection control.
Think of it as turning your cybersecurity from a more reactionary defense into an AI-powered security operations, which is very preemptive.
[Piyush Sharrma] We look at all your tools. We look at how many assets you have, what your users and devices. That’s all the core assets that you want us to protect, and that’s what we focus on as part of the pricing.
[Piyush Sharrma] Nothing rocket science, very, very simple.
[Rich Stroffolino] All right, CISOs, I’m sure you have a lot of questions. Mike, let’s start with you. What other questions do you have about Tuskira?
[Mike Woods] Let’s just start with a little bit on where does this sit in the Venn diagram, if you will, of all of the other tools that are “Hey, we’re the all-in-one shop for you.” There’s a lot of different products offering that same sort of capability out there. Can you give me some understanding of where you see it fitting in the Venn diagram between vulnerability management, maybe a continuous threat exposure and posture management, and all of these other areas that products are saying, “Hey, we can be your all-in-one.” What makes your product different, and where do you see it fitting in that Venn diagram, if you will?
[Piyush Sharrma] The simplest way I can explain this problem is, today you have two kinds of tools. One set of tools that are finding your problem, and the second set of tools who are actually taking actions, like your SOAR, who are automating some of the response of the actions. We are going to sit in the middle of your SOAR and your detection tools like VM or vulnerability management, ESM, DAST, AppSec tools.
Triage all the critical problems that you have, identify how you manage or respond to these threats using your existing control set. That’s number one.
Number two, your point was how we are different. When we look at the threats or zero day or vulnerability, we are not looking at just remediating or patching. We are looking at taking another step to go and take some mitigations on that. Remediation and patching has a lot of physics problem and it is going to hit the ceiling pretty soon.
What do you have in your control? Your control is you have the control of the tools that you purchase, like your EDR, firewall, web application firewall, email security. And all these tools are very well capable tools, but they are very deep technology stacks.
Now, this is where Tuskira are really, really powerful. And this is the most unique part of Tuskira, which is, we can actually correlate all the threats coming from your existing tool, correlate with the tool how you have deployed your protection stack, identify where the gaps in your defenses are, and just do those mitigations today.
Customers are talking about, “Hey, 200,000 vulnerabilities,” but most tools will not be able to tell you how many are defended vulnerabilities and how many are undefended vulnerabilities. You are not going to get breached on things that you know, you’re going to get breached on the things that you are not defending.
One of the things that we’ve seen is most tools have branded themselves as some type of AI, or at least having an AI function. How has Taskura approached this that’s different, and how can we trust your AI and your models to make relevant conclusions about our environments?
You’re right, there are a ton of tools who are trying to position themselves as AI. First and foremost is, AI is not a database. It’s not rows and columns that you can somehow retrofit into your infrastructure and an application, and somehow it will work. AI requires data. Data needs to be transformed in a structure that AI will understand at a scale.
In the security industry, the biggest problem is the data is too much. There’s too much data, and if you want your AI to be able to do the right level of reasoning, you have to apply an AI first approach, not the AI later approach.
When we started this journey, we realized very quickly that AI has its own limitations in terms of how big a context it can take. If I have to analyze 300,000 or a million vulnerabilities, the contextual data around this will be in petabytes. This is where the whole agentic AI helps us in the picture.
I created its own TuskMind—we call it TuskMind. TuskMind is our framework that brings data and the AI together. One of the fundamental ways we’re solving the problem in the AI scaling problem is, we don’t bring data to the AI, we bring AI to the data.
[Piyush Sharrma] We have been in cyber for a very long time. We made sure that the models we are using are not trained on customer data, and that actually helps us scale even better because the models are domain experts trained on specific use cases, and they are not supposed to know what the customer data is all about.
This is why there are two big elements of the platform. Number one, the mesh. Mesh is nothing but an anthology that defines the data across your assets and findings, alerts, and your defenses. And the second part is, how do you break down the AI problems or AI use cases into smaller pieces? That was the first part.
The second part—what models? We are using multiple small language models. They are enriched, they are fine-tuned. These models also train on various different algorithms on how do we detect attack path, how do we define vulnerabilities, their criticality, understanding about cloud infrastructure, understanding about our OT infrastructure.
So we have been very centered and very focused around how do you use the power of small language models, scale it out to millions and millions of data points.
[Mike Woods] Hey, one other question comes to mind on this, because you had mentioned earlier, you know, patching is more of a lagging activity versus your protective controls, you know, technology you have deployed within your infrastructure or your estate. So what is your stance on how to look at AI going forward?
I can’t tell you how many new concepts have come up almost daily. I have trouble keeping up with it. I subscribe to a lot of things, I’m sure a lot of you do as well, in terms of trying to get information on this. So what are you doing with the product to make sure that you’re keeping up with the pace of change in the market?
[Piyush Sharrma] There are two kinds of products that exist in the AI. One, we use AI more for conversational, which is, I’ll throw you XYZ AI as a term and give you an interface where you can ask your questions. Ninety-nine percent of the products out there today are like that. That’s a very simple, solved problem.
The second grade of the technology is where AI can actually be augmented as well as autonomous. This will happen only when you use AI for reasoning.
This is where we started. If we really have to change the life of a security operator, you have to do more reasoning using AI, and let the operator decide how they want to react to it. It is all about how fast you’re able to analyze the entire data set of some of the large enterprises, and how quickly you are able to create an outcome.
Outcome could be how much noise reduction I’m able to do, how many threats we are able to neutralize. Now, neutralization means how accurately you are able to identify what policies need to be changed based on the threats we have. That was the first set on the tech part.
How do we keep up? This is built in as part of the platform, where some of these capabilities—like if I have to bring a new model tomorrow, how do you do it? If we think that the use case is conversation, you’re always under pressure of replacing these models because you need more thinking, more pre-training.
But we are using it for reasoning or empirical calculations. So what happens is, in our case, we limit the AI or the model by being very specific on the fine-tuning and providing very specific context data. This allows our models to be less prone to changes because we’re controlling the fine-tuning.
So these models, to us, are nothing but an engine—a security operator like an assistant, but more for the limited use cases that we want them to deliver. If you think cyber is not a generic conversational problem, cyber is all about correlating patterns and data.
[Keith McCartney] That’s great. We talked a little bit about how you get the data, how you normalize the data, how you make sense and prioritize the data. Then what happens after that? How do you fit into our ecosystem for remediation? What can we expect there?
[Piyush Sharrma] Sure. I’m going to touch two things, Keith, here. One is remediation, and the second is mitigations, and I’ll explain both why it is important. So, and I’ll take a security—the real use case. There was a breach happened sometime in 2024. A very large enterprise had got breached. 3 1 liability was reused.
They were medium and low critical vulnerability. Today, you can remediate or patch only high compliance critical vulnerabilities.
The way we fit into your infrastructure is, we 100 percent APIs. We connect to different controls through their control plane, bring in the contextual data, and then we start generating our own intelligence. The point I’m going to make about remediation is that remediation is essential. Remediation will happen and has to happen, but it takes its own pace.
It has its own velocity. There is a lot of severe impact it can bring in to the product, and you don’t want to break your systems.
For example, let’s say there is a remote code execution vulnerability we found in your environment, which is highly impactful based on the exposure posture, based on internet, and et cetera, et cetera. Now, there are two ways to do it. One, should we identify that there is a protective agent sitting on the workstation or compute on which this vulnerability was reported?
That could actually help you in mitigating the lateral movement of attacks. Or you can actually go and tune your initial access products. Or you can actually optimize your reverse proxies if your application is so critical that it won’t— they won’t let you change any of your posture. You can probably change your reverse proxies or SASE so that you can block some exfiltration of the data.
And this is a beauty; we call it mitigation, where vulnerability exists, but you contain the posture or exposure of that vulnerability by using the technology that you already have. And I love the concept, but personally, I’m fascinated about what we are able to do using just by the data. Twenty years ago, no one could think, actually, that something like this can be built.
And it has—it is happening because of two reasons. One, data commodity. So data platforms like Snowflake, Databricks, have changed the game of how you collect the data, how you normalize the data. And the second part is the power of generative AI, without which it is impossible to get done. And that is why all the platforms, they essentially only talking about providing you workflows around service ticketing, sending to Jira, ServiceNow, but not the real mitigation like we’re talking about.
[Rich Stroffolino] Piyush, before we get out of here, what haven’t we asked that we need to know about Tuskira?
[Piyush Sharrma] There are two or three salient points which generally are always in the back of our head. Number one, we don’t replace your existing security tools. We enhance and unify them. We have bidirectional conversation with your security tools, where your tool can give us the data, we can create a risk of that data by running all our simulations and analytics, and give you data back.
We don’t generate generic vulnerability reports. We believe in brutal prioritization of the vulnerability, and we use defensibility to prioritize your vulnerability, not just exploitability.
When we receive a vulnerability or a threat or a zero day, we look at it from the angle of your ability to defend that vulnerability, not just how you or somebody can exploit it.
[Piyush Sharrma] And number three, we are not detection control. We are preemptive control. AI is all about finding the next word. Preemptive security and Tuskira is all about predicting and preempting the attacker’s next move, and this is where AI is really good at, and this is where we are going. Looking at your control posture, looking at your defense posture, looking at your application posture, we can actually predict what are the top two, top three, top four ways which have the highest probability of getting exploited, and what simple, small changes can actually give you an 80 percent impact.
[Rich Stroffolino] That’s it for this episode of Security You Should Know. To learn more, head on over to Tuskira.ai. Big thanks to Keith and Mike for helping us learn more about Tuskira, and a big thank you to Piyush Sharrma from Tuskira for their time and being game to answering all of these questions.
Thank you for listening to Security You Should Know.
[Voiceover] That wraps up another episode of Security You Should Know. If you like this program, please subscribe, tell your friends, and leave us a review. All companies showcased on this program are sponsors of CISO Series. If your company would like to be spotlighted and interviewed by our security leaders, go to our contact page on CISOseries.com or just email us at info@CISOseries.com.
Thank you for listening to Security You Should Know: Connecting security solutions with security leaders.