Embracing AI-Native DLP with Orion Security

DLP can be a bit of a four-letter word in cybersecurity. False positives are a major problem with any traditional DLP solution because setting the right policy for your organization’s needs is always a moving target.

In this episode, Nitay Milner, co-founder and CEO of Orion Security, explains how they provide a “zero-policy” approach to DLP that brings in the missing piece of context to the category. Joining him are Steve Knight, former CISO at Hyundai Capital America, and Jack Kufahl, CISO at Michigan Medicine.

Got feedback? Join the conversation on LinkedIn.

Huge thanks to our sponsor, Orion Security

Full Transcript

[Voiceover] Connecting security solutions with security leaders. Security You Should Know starts now.

[Rich Stroffolino] Welcome to Security You Should Know. Today, we’re talking with Orion Security and what they’re doing in data loss prevention, you know it, DLP. Now the problem they’re addressing is that traditional DLP systems are ineffective and at their core, reactive. Helping us get some answers to these questions are Jack Kufahl, CISO over at Michigan Medicine, and Steve Knight, former CISO over at Hyundai Capital America. So, Jack, let me get started with you. Why is traditional DLP still a problem?

[Jack Kufahl] Without being terrible to traditional DLP, I don’t think it ever actually solved the problem. Traditional DLP, at least in my experience, requires you to first know where all your data is. And coming from a healthcare environment, that’s pretty impossible. And second, it requires you to know who’s precisely and exactly supposed to use that data and in the manner in which they’re supposed to be using it. And I’m an academic medical center and that’s also impossible. So, DLP from those two points of view required a whole lot of information about a pretty squirrely topic to begin with, which is where’s all your data, what’s it doing, and who’s using it, if you wanted to at all protect it, and products have fallen short.

[Rich Stroffolino] All right, Steve, let me come to you. Why are we still having problems with traditional DLP? Are you in agreement with Jack here?

[Steve Knight] Oh, yeah, the challenge has always been first finding the data and then being able to, either using some kind of a keyword identifier or a regex setting, figure out what it is, then lay a classification on it, then use the classification to, of course, drive your rule base. But the top three for me, as someone who’s implemented at least two of the premier DLP programs, are the following. Complex policy management and tuning, limited visibility across ecosystems, especially when you have a hybrid environment, and number three would be contextual understanding. That usually drives a lot of false positives and alerts. That means somebody has to go look at the alert and go, “Okay, what is this? What were they trying to do? No, this is okay. It should go out,” or “No, this isn’t.” And there’s a lot of tuning involved.

[Rich Stroffolino] All right, well, today we’re going to be talking with Nitay Milner, co-founder and CEO of Orion Security. Now, to start out, we need some answers to three essential questions and then we’ll springboard into the Q&A. So, Nitay, how do I explain the value of your solution to my CEO? What does your solution do? And maybe what are its limits, what does it not do? And what is the pricing model? Can you give us these preliminaries?

[Nitay Milner] Yeah, so I’ll start answering these questions. The first one is that the average cost of a data breach is around $5 billion. And if that’s not enough, Google’s recent threat report shows that there are North Korean insiders already sitting in most of the Fortune 500 companies quietly siphoning data from there. And with rules like the SEC’s four-day disclosures and NIS2, everything’s become basically a board-level emergency. So, yeah, DLP has a bad reputation, but we believe that AI is fueling a generational shift in data security, like in many other sectors in the security landscape. And at Orion Security, we’re building the first zero-policy AI-native DLP. So, think about it more like EDR for data. And I love that we started by talking about the problem with contextual understanding for DLP. We also believe that’s the main problem. If you don’t have the context, you can’t decide if this is an incident or just somebody doing their job. So, without adding headcount to the company, what we do is we protect data across endpoints, emails, and clouds with a very low operational cost. And yeah, the pricing model is a SaaS subscription billed annually, per employee protected.

[Rich Stroffolino] Fantastic. Okay, so CISOs, we’ve gotten just a little taste. We kind of just got just barely the bird’s eye view here. So, I’m sure you have a lot of questions. Steve, I’m going to start with you. What other questions do you have for Orion Security?

[Steve Knight] Well, let’s pick up on where we were with the lack of contextual understanding. Take us a little bit into how Orion is able to differentiate between, say, a malicious insider and a careless mistake.

[Nitay Milner] Yeah, so we developed an internal AI model that is called Indicators of Leakage, IOL for short, and it’s similar to CrowdStrike’s IOA, Indicators of Attack, if you’re familiar with that. So, basically, we’re taking into consideration multiple criteria, like the person doing the action, the type of data being exfiltrated outside of the company, the source of the data, where it’s being sent to, and then we make a decision if this is something that is relatively reasonable for that person to do or something that looks like a malicious insider or a human error.

[Steve Knight] And would you say that that is a tunable setting that you have there, or is it self-learning?

[Nitay Milner] Yeah, so it’s based on three different layers. The first one is the industry layer. So, understanding different industries, how they operate, healthcare, finance, etc., and how they handle their sensitive data. The second one would be company level. So, how the company is working with sensitive data, this specific company. And the last one would be the department and the employee itself. So, we learn all the different levels. And once you want to tune the system, you can basically give it affirmations. If you get a false positive, you can put a thumbs down and you can tell the system what was wrong in this. Is it the classification of the data? Is it a person that’s supposed to do this action? And it learns and gets better over time.

[Steve Knight] So, the thumbs up and thumbs down help with the, kind of like in ChatGPT, where you have the ability to say, “Yes, you did well,” or “No, you did not,” in that particular response?

[Nitay Milner] Exactly, and you can think about it like a reasoning model. So, we’ve seen a lot of reasoning models in the past year. So, basically, they’re asking themselves the right questions in order to get to an answer like, okay, this person is sending financial data to a third party, but what if this third party is somebody that we’re working with? Okay, then it goes and checks the vendor list. And then basically it asks itself questions over and over again, like an analyst, basically, and then it gets to a decision if this is an incident or just somebody doing their job.

[Rich Stroffolino] Jack, let me get you in here. What questions do you have for Nitay and Orion Security?

[Jack Kufahl] A lot of vendors are entering the space within the last year talking about AI models, right, and the benefits of AI models. One of the things that has kept us relatively DLP-shy is the amount of human effort it takes to find an effectiveness, right? So, the amount of human effort in a traditional DLP model is pretty high, in my opinion. And those are the same humans that could be doing a risk assessment, taking a threat report, stopping an incident, just about anything that has a direct risk reduction capability. So, AI is attractive, but there’s also a lot of AI washing out there, right? It’s the new low-fat moniker for a lot of products that we should pay a little bit more attention to. So, my questions are around, how is your AI model not about improving the technology, but about improving the way we would leverage the humans we have on staff to be more effective?

[Nitay Milner] Yeah, got it. So, basically, you can think about this next generation of DLP tools as AI agents that join your team and can help you better do your job with much, much less effort than the traditional tools. So, instead of reviewing everything manually, instead of when you get a DLP alert today, what you do is you look at it, you don’t really have context. You need to jump between 10 different tools to understand who did the action, what type of data was it, where it came from, and get to a conclusion if this is just a false positive or not. So, imagine having just an AI companion that can go along the way and help you answer all the questions beforehand. So, once you look at the outcome of the incident alert, you get all the information to get to a final decision if this is something that demands more taking care of or something that is already solved.

[Rich Stroffolino] The floor is open. So, Jack or Steve, any more questions?

[Jack Kufahl] Yeah, back to this AI as an employee and not a technology is more of the direction that I like to see vendors moving in. But the great thing about human employees is you can send them to conferences, they can build context outside of just their immediate local world of who they’re working with and the data that they’re working with. So, how does your AI learn not just from us, but from others?

[Nitay Milner] Yeah, so our model basically is based on the open source and the big models in the market. So, as they get better, our AI model gets better as well, not only specific to DLP, but it gets more context and more learning. The data that your employees learn about in conferences is one hundredth of the information out there over the internet, which AI can learn and better implement.

[Steve Knight] So, I have a question. In terms of real-world use cases because that usually comes up when you’re going through an RFP and you’re trying to compare legacy DLP systems to what you’re offering today. Do you have any examples that you could walk us through of a real recent incident where the software was able to catch something that was going out that shouldn’t?

[Nitay Milner] Yeah, a recent incident that we have with a big company that we’re working with, about 20,000 employees, is that a person in the HR department was about to leave the company. He was marked as a high-risk employee by the system because he’s leaving the company. So, they got marked as a risky employee. And we found out that they sent all of the salaries of the company to their personal email. So, the system did it by basically looking at the data destination, looking at the name of the employees, understanding this is a send-to-self incident in the company with somebody who’s leaving the company and data that shouldn’t get out of it, and the system caught it automatically. It’s an AI-based detection without creating any policies.

[Steve Knight] That’s outstanding. What’s the level of lift from an analyst perspective? I mean, are we going to run into a situation where we have one or two dedicated individuals that are always looking at the software? Or what’s the alert fatigue like?

[Nitay Milner] Yeah. So, we’re talking about less than 10% false positives. We’re measuring everything we’re doing. We’re acting like a data company ourselves. If we want to reinvent DLP, we’ve got to do it the right way. We’re stepping into big shoes that we need to fill in a beaten-up market. Right now, the situation is we have, in most of our customers, under 10% false positives. So, just to give you a sense, in a company with around 10,000 employees, it’s about 20% of an FTE’s time to manage the system entirely. So, if you needed a team up until now of 10 people, DLP experts writing policies all day and dismissing the false positives, for now it’s about 20% of one FTE.

[Steve Knight] And do you see that strategically, when you look at your roadmap for your product development, do you see that percentage even going lower to where it almost becomes automated in the future and more of a metrics review than a hands-on review?

[Nitay Milner] Yeah, so what we’re trying to get to is something that is very similar in experience to EDR. So, it’s a plug-and-play solution. You get value right outside of the box, a lot of value, and you don’t have a lot of false positives. But if you want to go ahead and configure it and make it very specific to your use case, you can decide how much manual effort do you want to put into it. And it’s every company and its own decision on how much effort they want to put in their DLP project.

[Jack Kufahl] You know, one of the questions that I had is, and I don’t think it’s unique to healthcare, but I like to say we’re using the past 20 years of cutting-edge technology all at the same time, right? Managing legacy, managing conventional, and integrating some of this data is important. So, if we have a conventional DLP program or DLP interface or data governance flow, sort of a whatever that means, right, how does this tool supplement it, or does it replace it, or does it work in parallel? Is it complementary, supplementary, in replacement of, in service to? How does your company engage with that changing the oil in your car while you’re driving it sort of problem?

[Nitay Milner] Yeah, yeah, definitely. So, we have a few, like, deployment models. We don’t expect a bank with 100,000 employees to just remove their Symantec or Forcepoint and just rely entirely on a new tool in the market. So, for smaller companies, we replace the entire DLP stack. It’s fairly easy. We do support endpoint agents, browser extensions, API integrations, emails, etc., like I’ve mentioned before. So, with smaller companies, it’s easier. As the company gets bigger and the DLP maturity is higher, then we can sit next to the current tools and basically make them better. So, for example, if you’re using Microsoft Purview, I presume you’re suffering from a lot of false positives. Then we can sit next to it, bring the context into it, and slash the number of false positives by around 80%.

[Steve Knight] Is it important that my data be labeled in order for your tool to work better? Or can you do through discovery the proper context of information that might be moving around in my environment?

[Nitay Milner] That’s a great question. So, we can either integrate with your current labeling system, like Microsoft Information Protection, for enrichment, but we do have our own LLM-based classification engine. So, we’re not based on regex anymore. You have an engine that is based on a large language model that can identify and classify any type of data, from CAD file designs to Figma designs to code to text to images, and that’s where we think the world is going when it comes to data classification. One cool feature that we have in the product is that you can define custom data classifications with a prompt. So, if you have any specific type of data that is relevant only for you, not like PCI or PHI, you can write a prompt, explain the type of data that you’re looking for, give a few examples, and the LLM will learn and will catch those instances of that type of data in the company.

[Steve Knight] Oh, that’s brilliant. And it leads right into the next question, which would be, how does Orion help me with my compliance needs?

[Nitay Milner] Yeah, definitely. So, as a DLP company, DLP is a part of a lot of compliance. We’re helping companies, and GRC teams in specific, to basically automate the process around SOC 2, around NIST, and around all the different frameworks and compliance regimes like GDPR and CCPA, to collect the data that you need in order to pass these different compliance audits and frameworks.

[Rich Stroffolino] Jack, I’m going to let you have the last question here before we have to close here.

[Jack Kufahl] Sure. Looking at some of the other DLP products, both conventional and novel, one area that seems to be a line in the sand is how well the product works with highly discoverable structured data and data that’s all over the place in the unstructured space, the endpoint space or the SaaS space where a lot of risk is hiding.

[Nitay Milner] So, I’ll divide the answer. The first part is what we cover, and what we cover is basically endpoints, SaaS applications, including cloud and including emails, but we’re focusing on data in transit. That’s where we believe data is at risk. We’re not a DSPM tool. We wouldn’t scan all your databases. And to be honest, we don’t believe this is a good approach for security because scanning all your data in the company can take years. And after you get it, like, okay, now I have the visibility, but how do I protect the data? So, what we do, we do have a type of posture management, but it’s only applicable for data in motion. So, imagine having a dynamic graph of all your data in the company and seeing how it flows between different devices, applications, and users in the company. When it comes to data classification, the LLM engine is really good at classifying unstructured data, and not only the regex patterns that we’re familiar with.

[Rich Stroffolino] All right, well, Nitay, what’s one thing we didn’t ask about that we need to know?

[Nitay Milner] Maybe I’ll tell you that customers that partner with us get a dedicated engineer, a 24/7 Slack channel, quarterly risk workshops, and open APIs for custom workflows. We make our customers a top priority and we’re working on leading the way on this shift in data security and DLP with AI. So, appreciate you taking the time to listen to this episode and thank you very much.

[Rich Stroffolino] Well, that’s just about it for this episode of Security You Should Know. But remember, to learn more, head on over to orionsec.io. We’ll have that link in our show notes. And if you have any feedback or questions for Nitay or the rest of the Orion team, send them over to us, feedback@CISOseries.com. And if you talk to Orion, remember, tell them the CISO Series sent you. A huge thanks to Jack Kufahl and Steve Knight for helping us learn more about Orion Security, and a big thank you to Nitay Milner from Orion Security for your time and being game to answer all of these questions. And thank you for listening to Security You Should Know.

[Voiceover] That wraps up another episode of Security You Should Know. If you like this program, please subscribe, tell your friends, and leave us a review. All companies showcased on this program are sponsors of CISO Series. If your company would like to be spotlighted and interviewed by our security leaders, go to our contact page on CISOseries.com or just email us at info@CISOseries.com. Thank you for listening to Security You Should Know, connecting security solutions with security leaders.

Rich Stroffolino
Rich Stroffolino is a podcaster, editor, and writer based out of Cleveland, Ohio. Since 2015, he's worked in technology news podcasting and media. He dreams of someday writing the oral history of Transmeta.