Welcome to episode three of Capture the CISO Season 2!
Our host is Rich Stroffolino and our judges are Christina Shannon, CIO, KIK Consumer Products and Dan Walsh, CISO, Paxos.
Our contestants:
- Attila Szász, CEO & Founder, BugProve
- Steve Malone, VP of Product Management, Egress
- Ben Kliger, CEO, Zenity
And don’t forget to join us for the finals, LIVE, on Friday, May 17th, 2024 at 1 PM ET/10 AM PT. REGISTER.
Got feedback? Join the conversation on LinkedIn.
Huge thanks to all our contestants who are also sponsors of Capture the CISO
BugProve
BugProve offers a vulnerability management platform for embedded devices.
Its unique feature of identifying zero-day vulnerabilities sets it apart from other solutions, ensuring proactive protection against emerging threats. By providing comprehensive software bills of materials and identifying vulnerabilities in open-source components, it offers a holistic view of device security, and its monitoring function empowers organizations to act fast.
These features help companies get compliant with upcoming regulations such as CRA, RED, and Cyber Trust Mark.
Its high-speed scans deliver results within minutes, accelerating the testing process significantly. Moreover, with no setup fee or commitment, BugProve ensures rapid return on investment realization.
Egress
Egress is the only cloud email security platform to use an adaptive security architecture to continuously assess human risk and automate personalized security for each user across the enterprise. Egress Intelligent Email Security integrates seamlessly into Microsoft 365 to deliver AI-powered behavioral-based threat detection that eliminates advanced phishing attacks, human error, and data exfiltration.
Combining contextual machine learning and AI, we use zero-trust and pre-generative modeling to provide the highest efficacy of phishing detection to prevent attacks that get through native controls and secure email gateways. For outbound detection, we leverage social graph and pre-trained deep neural networks to detect anomalous behavior and stop accidental data loss and intentional data exfiltration. Our products also deliver behavioral-based micro-training through real-time teachable moments, tangibly reducing risk.
Zenity
Zenity is a security and governance company that enables businesses to securely unleash business application and AI development throughout the enterprise. Zenity’s agentless platform is built from the ground up with a security-first approach. With SOC 2 Type 2 and GDPR compliance, Zenity is uniquely positioned to help our customers implement strong application security practices throughout AI, low-code, and no-code development.
Full transcript
Intro
[Attila Szász] Product security is simplified for embedded devices.
[Steve Malone] Only cloud email security platform to use an adaptive security model.
[Ben Kliger] Securely unleash citizen development.
[Voiceover] Capture the CISO begins now.
[Rich Stroffolino] Welcome to Capture the CISO. I’m your host, Rich Stroffolino. And this is the show where you get to listen in on the conversations CISOs have with security vendors about their products. These usually happen under a shroud of secrecy. You usually don’t have an ear into these conversations, and that’s what we love about Capture the CISO.
You get visibility into this process. And we’ve got some fantastic companies today that are competitors that are going to be in that CISO hot seat. So first up, we’re going to have BugProve, Egress, and finishing off with Zenity, and we cannot wait to get to them. Now, these companies are not direct competitors, but they will be judged equally on the following three factors.
One, is it innovative? Two, does it solve a real need? And then finally, three, how easy is it to deploy? Now, to see which company fits into the Venn diagram of all of these criteria the best, we have Christina Shannon, the CIO at KIK Consumer Products. Thank you so much, Christina, for making the time being here.
Cannot wait to hear some of your questions.
[Christina Shannon] Excited to be here, Rich. Thank you.
[Rich Stroffolino] And we have Dan Walsh, the CISO at Paxos. Dan, thank you so much. I know your time is valuable and I appreciate you being here.
[Dan Walsh] It’s great to be here, Rich. Thanks.
[Rich Stroffolino] All right. Thank you both so much again for joining us. Now, our judges have come prepared. They have watched demos of each company’s product. They’ve already pre-scrutinized, if you will, so they are locked and loaded, I believe, ready for some questions. They know what the products do, and we cannot wait to hear some of their thoughts.
And if you want to be so prepared, just like our CISO judges, you can watch the demos of all of our contestants. Go to our site, CISOseries.com and click on the blue Capture the CISO icon. We’ll have them all there for all of our episodes so you can be on the same page. Before we start, CISOs, what gets you excited about a new vendor’s solution?
Dan, I’m going to go with you first.
[Dan Walsh] I think what gets me excited about new vendor solutions are a couple things. I think one, is this something I’ve seen before, or is this something that I haven’t seen before? Some of the best solutions that I’ve seen are solutions that when I see them, at first, I’m like, “That’s probably not real.” It could be that it’s not and then in which case we dismiss it.
But in cases where I have that initial feeling or initial reaction and then I actually see it and it’s like, “Wow, we’ve taken another step in the security field. This is great.” So, hoping to see some of that today.
[Rich Stroffolino] And Christina, you have a new vendor solution. What’s getting you excited?
[Christina Shannon] What gets me most excited is when the vendor solution is helping to solve the problem, right? In the sense of if you have a business problem and you can solve it with technology that increases efficiency or there’s cost savings or whatever the benefit is, a lot of times you can’t really deploy it, especially think about AI, other emerging tech, without really thinking about how you are covering risks or covering security gaps.
So, I love it when new technology comes out that’s really solving some of those challenges in the sense of AI or other things. Automation, where they come out and they’re like, “Okay, you can do both.” That’s what gets me excited is that the new products are really identifying holes a lot of times in existing tech and then it’s making it to where you can realize innovation while you can be secure.
BugProve
[Attila Szász] BugProve offers a vulnerability management platform for embedded devices. Its unique feature of identifying zero-day vulnerabilities sets it apart from other solutions, ensuring proactive protection against emerging threats. By providing comprehensive software bill of materials and identifying vulnerabilities in your open-source components, it offers a holistic view of device security and its monitoring function empowers organizations to act fast.
[Rich Stroffolino] The voice you just heard was Attila Szász, CEO and co-founder, BugProve. CISOs, you’ve heard the pitch, you’ve seen the demos, the information is now in your minds. Christina, I’m going to go with you first.
[Christina Shannon] So, I just wanted to say first, I really appreciate the fact that you guys are tackling IoT. That’s a hard field. Certain industries might still say that IoT or OT in general, there needs to be more attention, there needs to be more focus on it. And so that alone, I think, is a big push forward.
And then I really like the way that you scan code, and you fix vulnerabilities. I really love the monitoring feature, right? You’re not required to go rescan a project, for example. With that being said, I’m switching back again. From an IoT standpoint, is it possible to actually scan like a PLC or something like that, or how are you guys actually finding vulnerabilities in the firmware?
[Attila Szász] With IoT, the real problem is that compared to the application security tooling that you might have for software composition analysis, the IoT technology stack is super heterogeneous. It’s lots of like C, C++ code that’s not managed code, so there isn’t a package manager. And so compared to the application tools, which will not work for this use case, we really identify these C, C++ components which might contain CVEs.
But on top of that, we have an engine we call PRIS, which will give you similar results like a static analysis tool would, but it’s specifically tailored for IoT. So, it can really glimpse into those components in the firmware where we would suspect that an external motivated attacker would find their entry points.
And so we can correlate those entry points with those parts of the code that we find dubious. We use this engine, and we can raise these alerts. Actually, it works well with embedded Linux systems, so those that have more computing power, but with the actual code analysis, we can go down to real-time operating system use cases.
So, not even PLCs, but we are able to scan most C, C++ code that was compiled to binary. And this is something that again, application security tools won’t help you with that.
[Rich Stroffolino] Dan, do you want to jump in?
[Dan Walsh] Yeah, I do. In a previous life, I was a CISO of a large healthcare company. We had lots of medical devices from MRI machines to lab machines, things that were very much in the IoT space. Would a healthcare company be a good customer for BugProve, or are you more primarily working with the manufacturers of such devices?
[Attila Szász] Yeah, we work with medical device manufacturers. Actually, I also have a background in medical security, worked for one of the big radiotherapy device manufacturers, and definitely we can scan medical devices. But for that, there are other security standards, such as HIPAA and the MDR regulation in the EU, and we try to map our security findings to those regulations.
But absolutely. There’s one gotcha with BugProve, and I will be transparent. Some of the medical devices are running Windows, and so this is on the roadmap. The way BugProve works is specifically tailored for BSD and Linux-based embedded devices.
[Dan Walsh] I also noticed on your website that BugProve has discovered multiple CVEs. I saw specifically a use case where you discovered, I think it was 34 CVEs in a camera. Talk to us a little bit about your research and development, how you’re able to get at the forefront of getting to the point where you’re reporting these CVEs.
[Attila Szász] Yeah, so that part is a separate unit from the development unit. Basically, we felt to be a respected and trusted security vendor, we also have to do our independent security research. But we’re actually doing that using our engine. So, basically, we downloaded lots of IP camera firmwares, and we tested them for vulnerabilities.
And for that particular vendor, we actually coordinated with the U.S. Homeland Security Cybersecurity Department to disclose that because it turned out that even though that particular vendor sort of went out of business, there was still a large distributor in the U.S., so it really posed a significant threat to customers.
And eventually, this resulted in a security advisory where we recommended that all of these users should change their cameras to a new one.
[Dan Walsh] It sounds like this team is dedicated to searching for firmware as it’s getting released, and then scanning it for these vulnerabilities.
[Attila Szász] Yes, exactly. And we are using our own tooling. Obviously, we want to showcase it, but in general, we follow all coordinated disclosure policies, which are standard. So, really, we make sure that no one gets hurt in the process.
[Dan Walsh] And then if you could say, like, this is the one feature, this is the one product that sets BugProve ahead of your competitors in the space, which I realize there’s not a ton because of the niche market that you’re in, what would you say it is?
[Attila Szász] Again, this is our engine we call PRIS, the zero-day detection engine, which is actually able to look into different executable files and find those entry points and security-sensitive problems. Again, like this, if you’ve seen like a static code analyzer, this is something like that.
But the real power of BugProve is that we don’t take the source code. If you are an IoT manufacturing company, at the end of your build pipeline, you would have the firmware as the artifact because that gets actually put into the hardware chip, the flash. So, you have that anyway, and so you can integrate us in your CI/CD pipeline within 5 minutes, and we will be able to provide you these insights in maybe 15 minutes altogether.
This is one of the powerful features that we have that not even our direct competitors have. And again, like the bigger names in the application security space, using the IoT firmware, we do have a more contextual understanding of the sensitive code parts, whereas a source code scanner would only look at separate code units, not really understanding how an actual IoT device would be attacked by a malicious motivated attacker from the outside.
[Dan Walsh] Got it. So, it sounds like the implementation for a developer to put this into CI/CD is relatively low effort.
[Attila Szász] It is pretty low effort, but you can also use this if you’re a security professional, so maybe… I was like a private security engineer at a big medical device company, and we had like internal pentest. So, in that case, you can use this manually to really automate maybe a week of your manual and repetitive tasks and clearly focus your research on those weak spots that we identify using different security coding metrics and other heuristics.
[Rich Stroffolino] Christina, get in there with the last question. I see you’ve been sitting on one.
[Christina Shannon] Maybe tell us a little bit more about the approach that the product takes in terms of prioritizing risk treatment. There’s a million vulnerabilities. Maybe just tell us a little bit more about how your product helps security teams know what to go after first.
[Attila Szász] Yeah. Alert fatigue is a big problem. With the supply chain security issues, you can set up CVSS filtering, and you can set up component-based filtering within your projects. You can carry those settings over like your product portfolio. But with the zero-day scanning, we are really sort of by default focusing on the most likely vulnerabilities that could result in remote code execution vectors, which in turn are usually the root cause of the biggest breaches that your organizations can face.
But most of this is actually customizable via our advanced settings when you upload a new scan.
[Rich Stroffolino] All right. I’ve got to call it right here. Thank you so much, Attila, for joining us.
Egress
[Steve Malone] Egress is the only cloud email security platform to use an adaptive security architecture to continuously assess human risk and automate security for each user across the enterprise. Egress integrates seamlessly into Microsoft 365 to deliver behavioral-based threat detection that eliminates phishing attacks, human error, and data exfiltration.
[Rich Stroffolino] The voice you just heard was Steve Malone, VP of Product, Egress. I’m going to get started with you, Dan. What questions do you have about Egress?
[Dan Walsh] I think the first question is I’d love to learn more about how human risk is calculated, Steve, because I think there can be a lot of noise-to-signal challenges with that, and if you get it wrong, you will probably slow or shut your business down going too far the one way, and going too far the other way, you’re actually putting your business at risk.
So, I’d love to hear a little bit more about this. I noticed on the website for Egress, there’s some LLM, there’s some AI, there’s some behavioral analytics. Can you bring that home a little bit more for me in terms of how that actually works?
[Steve Malone] Essentially, we see three big problems that mean that we need to assess human risk. So, the first is that the people inside our customers’ organizations represent the biggest risk. Email is the primary channel of threat, but lack of visibility hampers security teams. So, assessing human risk we feel is the only way really to control that risk and to control the threats.
So, essentially, we’re aggregating data to derive that intelligence, and that is a combination of data that comes from our products. So, it’s telemetry from processing of inbound and outbound email. But we also aggregate telemetry from other sources. So, for example, OSINT or open-source intelligence, we aggregate data from Microsoft 365 itself.
So, essentially, we use that to calculate what we call intrinsic risk. So, risk formed from characteristics about the person, so maybe their job title, tenure in the business.
But then most importantly, we bring in telemetry from other third-party security products that a customer may have in their environment. So, if they have, for example, a secure services edge product, a secure web gateway, maybe other security products in the environment, maybe a security awareness and training product like KnowBe4, we can bring in risk telemetry from those products as well.
So, we believe that by aggregating that risk telemetry, we can present a risk score for each user that will change over time and then take action on those scores.
[Dan Walsh] Follow-up question. Can you set a score for a particular user? Like what if the machines aren’t telling you, and you are pulling pieces of the puzzle together, you’re realizing that this person’s maybe a risk, and we need to kind of address that?
[Steve Malone] That’s a great question. So, we’ve based this around this concept of data aggregation. So, we believe that that is a more accurate method of scoring than actually being able to kind of manually set those scores. So, there’s an amount of poisoning that would be introduced if we allowed humans to go in and manually toggle those.
But the key thing to get across is that the risk scoring can be used in two ways. So, it can be used to derive insight. So, it gives you a centralized view of your people. So, you can see and take manual actions on the users that are either increasing in risk or have become higher risk. That’s valuable insight for a security team, but obviously the fact that they’re interpreting that information means that they can use it within whatever policies or whatever other tools or toolings that they may have.
However, it is possible to configure our protection products for email to take what we call adaptive security actions. So, those are optional, but they can be configured. If you trust the risk scoring and the aggregation of that scoring, we can change certain settings in our products to essentially make them more or less restrictive for users.
[Rich Stroffolino] Christina, get in there, I want to hear some questions from you.
[Christina Shannon] So, I love the just-in-time security awareness that you’re bringing, right? I totally agree that most people when they’re doing email, they’re not conscious, they’re doing it unconsciously, right? So, then the banners where you pop it up and show phishing, maybe just describe a little bit more about how your product does the just-in-time security or the just-in-time awareness.
And then also too, from a reporting standpoint, maybe just go into how you deliver reports that show here’s your risky users based off their profiles, things like that.
[Steve Malone] So, one thing just to put out there, so we are security first. So, our primary focus is ensuring that the inbox is clean, so we’re not delivering anything that is really unsafe to users. But this problem of phishing has been around for a very long time, and every organization uses email, and people are the biggest risk within an organization.
So, traditional approaches to education, so things like making people watch videos and doing phishing tests, in isolation those don’t work. They don’t change behavior. But we find that by injecting these dynamic banners into email in real time, and not every email, but some emails, we can use those teachable moments essentially to kind of nudge the user.
So, this is based on nudge theory, which is a genuine kind of psychological principle.
So, using nudge theory, we can give the user these little nudges to say, “This email, we’ve sanitized it, but this email would have been unsafe, so be cautious about this next time.” And we find that that’s a better approach than pulling somebody out of their workflow and maybe making them watch a video or do a training course because people forget, security is not the job of everybody in our organizations, but using this teachable moments methodology, we can kind of make them more aware in the moment.
So, that’s how we present to the end user.
But then we also feel that it’s obviously critically important to engage with the security teams. So, within what we call the Egress Security Center, which is a dashboarding portal, or our administration portal, we’re essentially able to present the risk of the organization as a whole. So, you can flash up a dashboard.
This will show the trending risk for the organization as a whole. But you can also drill down into each individual user. You can trend and track the increasing or decreasing risk for each user, and we’ll give you security recommendations. So, things that you may want to consider based on the type of risk that each user is presenting.
So, if somebody is receiving a very, very high volume of very targeted inbound phishing, but they also make a lot of mistakes, they’re sending emails and putting the wrong recipient on those emails, then we can give you tailored advice as the security practitioner to help you understand how to deal with those users.
[Rich Stroffolino] Dan, I’ll let you have the last question.
[Dan Walsh] So, Steve, what is the implementation burden, right? So, it sounds like on the Microsoft side, it’s relatively low. But what about if I want to integrate CrowdStrike or another, maybe like KnowBe4, as you mentioned, or some of these other solutions that you have integrations with? What does that look like on the security team?
[Steve Malone] So, it’s actually really, really easy, and we work around the fact that we don’t want to introduce additional burden to any of our customers. So, for those two third-party vendors that you mentioned, so CrowdStrike, KnowBe4, we have integrations with. We actually just announced an integration with Netskope as well.
But in all cases, essentially, you grab an API key from the other product, you come to the dedicated integration section within the Egress Security Center, you drop in that key, you hit the authenticate button, and we’ll start pulling in that additional threat telemetry right away. So, a couple of seconds, and you’re good to go.
[Rich Stroffolino] Thank you so much, Steve, for joining us today. I really appreciate your time and answering these tough questions.
Zenity
[Ben Kliger] AI has totally reshaped the way that business gets done and puts business users at the forefront of innovation. Business users of all technical backgrounds can now build powerful apps, automations, and copilots using simple text prompts or wizard-based processes. However, these applications introduce a ton of risk to the enterprise because they are built outside of the purview of IT, without a software development lifecycle, and without the use of code.
Zenity is the world’s only security and governance platform purpose-built to enable business-led application and AI development.
[Rich Stroffolino] The voice you just heard was Ben Kliger, CEO, Zenity. Christina, I’m going to ask you to kick things off.
[Christina Shannon] I’ll probably just ask a million-dollar question, right? I’m a CIO, and I want to unleash a copilot everywhere in my environment, but I’m aware of the issues with authentication and the data privacy challenges. Maybe just go through a typical use case in more depth of how you have helped solve the data privacy, risk exposure challenges with copilot.
[Ben Kliger] Sure. So, think about it at the end of the day when people are building copilots. Again, we talk about business users who are building that. They’re not tech-savvy or security experts. They’re probably using some no-code capabilities. Maybe they’re even using GenAI itself to build the copilot.
They’re not really aware of how to use identity in a secure way, what it means to do data sanitation, what it means to take actions or to apply actions on the side of the copilot. It’s actually an application that they’re building. So, with our deep analysis, what we’re able to do is that we’re connecting to platforms like Microsoft Copilot, like Salesforce, as well as others because we know that copilots and no-code is really everywhere today in the business, right?
In every business productivity suite, every type of a CRM, ERP, whatever solution that regular users are using, it’s there. We’re connecting to these platforms via their APIs. We inventory, back to your question, all of the copilots, and we go very deep into the business logic that…which copilot was actually built.
So, we’re actually able to see what type of data input as well as outputs the copilot can generate, and by that, we’re able to detect if there is anything bad going on in terms of the behavior of the copilot, in terms of how it was created, again, from an application security perspective.
[Christina Shannon] How are you making sure, though, that only who’s authorized to use it can use it?
[Ben Kliger] Sure. So, obviously, think about it. It’s so popular in organizations today to share, especially with business users. One person in the organization is building an amazing copilot, whether it’s for their own or for their team members, and they’re sharing that copilot or application with their peers.
They’re actually also sharing the underlying credentials as well. Because we’re able to see both the creation of the application as well as its activity, we can detect if, for example, a user is stealing the underlying credentials or the underlying identity of the original user who created that copilot.
So, that’s how we do it, for example.
[Rich Stroffolino] Dan, get in there. I know you have some questions.
[Dan Walsh] I think the big question that I have is, when I was reviewing your website, there’s a lot of different use cases that are in regulated industries, right? Like healthcare, financial services. How is Zenity tackling the data classification aspect of this, given that to play in any regulated space, not only in the U.S., but also around the world, you really need to be mindful of those compliance obligations?
[Ben Kliger] Sure. So, first, you’re asking about our data collection and stuff like that. So, obviously, we don’t actually collect raw data into our platform. By being able to connect to the platform and monitor where we pull metadata about all of the underlying created apps, automations, copilots, whatever that would be.
So, that’s one thing. Second thing with regards to compliance and how we can help regulated industries, we have built and embedded data classification engines into our platform that enables us, by analyzing the metadata, to detect if an application or an automation, for example, is processing or is connecting to either a sensitive or to let’s call it some sort of classified data that we’re able to detect.
That way, we’re able to come up with supporting such use cases where regulated data that shouldn’t go, for example, outside of the organization or that shouldn’t be available to many people in the organization actually is.
[Dan Walsh] And then a follow-up question. So, if I want to use Zenity, right, [Inaudible 00:25:07], this is a problem that I’m trying to solve. What does the implementation of this tool look like? How much effort is that on my security team?
[Ben Kliger] Honestly, minutes. The way that we connect to the underlying platform is based on API connectivity. We need to have some sort of managed application in your environment or even SSO defined. We support all sorts of authentication methods. Once these details are inserted in the platform, Zenity is a SaaS solution.
Within minutes, we’ll start scanning your platform. And within minutes up to like an hour, it depends again on the scope of your environment, we’ll show fresh results in our SaaS platform where you will first gain visibility again. You will see the full inventory of all of the assets. Again, very granular visibility to every object that people have either created, manipulated, edited, whatever.
After that, of course, we’ll also analyze it against risk.
[Christina Shannon] Does your platform require somebody to stay in the tool for reporting and dashboarding? Can you integrate?
[Ben Kliger] Everything we’ve built in Zenity, we’re focused on large enterprises. We think we understand how large enterprises work, and we know that it’s important to play in the overall ecosystem. Everything we’ve built is API first. That means that our users can build reports, export on top of our APIs, as well as they can leverage the Zenity Webhook API export continuously in order to, again, pull results outside of the platform to their ticketing system, to their SIEM.
That’s what our current clients are doing.
[Dan Walsh] Do you have integrations with ChatGPT?
[Ben Kliger] Not at the moment. Of course, it’s on the roadmap. And when we talk about generative AI, again, we’re focused on the enterprises. So, open AI enterprises will be critical probably somewhere down the line. Today, we do know that GenAI plays a critical role, especially in the existing business productivity SaaS ecosystems of Microsoft, of Salesforce, and of ServiceNow.
ChatGPT is, of course, on the roadmap.
[Dan Walsh] And I heard earlier, you said that you can integrate with SSO providers?
[Ben Kliger] Correct. We can integrate with Okta, for example.
[Rich Stroffolino] Excellent. Well, I think we’re going to call time just now. Thank you so much, Ben, for joining us today. Really interesting stuff. I appreciate you sitting in the CISO hot seat and answering some questions.
What do our CISOs think?
[Rich Stroffolino] All of our contestants have dropped off the call. They are no longer listening in. We are in what I like to call the CISO sanctum. This is where we can deliberate what we thought of each presentation, what we thought of each answer to all of the tough questions that we had. And we’re going to see how each of the contestants did when it comes to our three variables.
Remember, we’re judging each of these companies on innovation, need, and ability to deploy. So, let’s get into the first of these companies, BugProve. Christina, where did you think they nailed it, and where do you see some maybe opportunities to do more?
[Christina Shannon] So, I mean, I think they nailed it in the sense of they are addressing a need that not many companies out there are addressing, right? And I think that the way that they’re going about it is comprehensive. And then it’s also they’re catching, like the fact that they’re looking at it from a zero-day standpoint, and then their methodology around that I think is really good.
That inevitably is going to make you get the really bad stuff first, or it should. Where they probably have some work to do is there’s other products out there that do OT, that do OT scanning. I think some of the things that would help from a firmware standpoint is understanding are passwords set to default-default, things like that.
And I’m not sure it goes that far yet on the firmware side. But otherwise, I think it’s a really good product from the standpoint of fitting the need and being innovative and didn’t seem like it was hard to implement either.
[Rich Stroffolino] Dan, what’d you think?
[Dan Walsh] I like the fact that they’re in a very high research niche type of market. I like the fact that they are discovering new CVEs. I mean, I think that’s very impressive that their research arm is really demonstrating the strength of the team and the product there. I also like the fact that they’re able to generate SBOMs.
We didn’t get into that too much, but that’s something that’s really critical in the firmware space. It does seem like it’s relatively easy to deploy. It does seem that they’re more targeted at the manufacturers and less at the users of it, which by nature of firmware, I guess that makes sense. I think to Christina’s point, maybe the next iteration of that is are ports open, are configurations incorrect.
I think that could be an opportunity where they could go, but I think overall, it’s a really solid product.
[Rich Stroffolino] All right. Well, moving on to Egress, some very interesting questions I thought came up on there. Dan, I’m going to start with you. Where do they knock it out of the park and where can they dig out a grounder to first?
[Dan Walsh] Yeah. So, this was tough because I’m a little bit skeptical when I asked the gentleman about, hey, can we put in an artificial score? And the reason for that is I can’t tell you how many times HR pings me and says, “Hey, we’re having a problem with this person. They’re a flight risk,” or “We’re going to terminate them because their performance has been terrible.” I don’t know that that always necessarily is reflected in the human risk score all the time.
Or if a manager comes to me and says, “Look, I think this person’s up to something.” And of course, we want to take a data first approach, but I think sometimes these situations can escalate very quickly. And so that’s, to me as a concern, just to sit back and let the data tell us when there’s a lot of noise in that and trying to get a really good signal.
I think if they can actually do it because obviously I’ve not used the platform, I think it’s amazing. I think that they’ve got really strong integration with Microsoft, which is key. But I think if you’re not a Microsoft shop, obviously that would be fairly lacking. And I am curious to learn more, I think about how long the tuning of this actually takes.
From my experience, every organization is different, every organization uses tooling different and has a different culture, and that culture is reflected in the systems and the data. But I think overall, it’s a very interesting platform. I do think it’s solving a real need.
[Rich Stroffolino] Christina, what did you make of Egress?
[Christina Shannon] I think, what was their percentage of stopping payloads? Like 99%?
[Rich Stroffolino] It was high nineties. Yeah.
[Christina Shannon] Yeah. High nineties. That was super impressive to me. I have used a lot of the other products, and I haven’t ever seen that type of effectiveness in terms of stopping the bad stuff. I would say that I also like that even though they’re stopping the malicious payload, that they’re doing the user education, right?
So, if the user clicks on the link and then they’re educating them as they click on the link, I really like that. Or the part where they have integration, right, with secure internet gateways. Today, like in my world, for example, we go to two different places, right, to look at that. But with that integration, it’s really streamlining the detection and response processes.
So, where I would say they probably have some work to do is I’m not sure yet that they differentiate themselves enough from some of the big players in the market. That’s probably the main thing that I’d want to hear more about or know more about because these products have been around for a while and there’s some really good players, and so to actually move from one of those products to this product, is it enough of a differentiator to move?
[Rich Stroffolino] All right. Let’s finish up with Zenity. Christina, what did you think they nailed it on and where did you want to hear more?
[Christina Shannon] Again with them, I think that they’re addressing a need. A lot of CISOs and a lot of security teams are looking to figure out how they can enable the business and CIOs to launch Microsoft Power Apps and use bots within those Power Apps. And so I think that they’re doing well by coming up with a solution to solve that problem in terms of if there’s any type of IAM leaks, things like that, I think that those are all valid.
Where I think that they’re lacking, or I don’t know if it’s lacking, but in terms of understanding more of the data privacy issues or data protection type risks. I did hear them say that they could show, right, they do a scan, and they can show the sensitive data, but I’d like to see it just go a little bit further in that sense.
Because a lot of times, to bring in these tools or buy these tools, you have to be able to find a little bit more preventative, right, too, versus more detection and response.
[Rich Stroffolino] Dan, how about you?
[Dan Walsh] So, I like Zenity with a few caveats. I think if your organization is saying we are going to be building copilots, we’re going to be embracing AI, these platforms, ServiceNow, Salesforce, etc., or Microsoft, and we need a way to govern that, I think this is a perfect solution. I don’t think a lot of organizations that are outside of high tech have set that path forward, have defined that, and I think as a result, what you have is a lot of decentralized AI use.
You’ve got HR saying, “We want to do this little HR project.” You’ve got some developer creating their own little ChatGPT bot to help them do some things in development or trying to look at their source code. And a lot of it is kind of shadow AI, shadow LLM, and obviously, Zenity doesn’t address that.
And I actually think that that is the majority of the risks that CISOs are facing today. It’s like bring your own LLM. It’s like instead of BYOD, it’s BYOLLM or BYOAI. And I think that that is probably where the majority of the risk is for CISOs and companies today. But again, I think they’re doing a really great job at the enterprise level, which to be fair to Ben, that’s what he said out of the gate, and so for that reason, I am a fan of this platform.
[Rich Stroffolino] All right, we have the scores. The scores are in, they have been tallied, they have been double-checked. First up here, we’re going to go and see. Now, Christina, it seemed like you were liking what you were hearing here based on your scores. We have BugProve and Zenity tied with 25 out of 30, and Egress edging ahead with a 26 out of 30.
So, a very tight race right out of the gate. Dan, there’s a little bit more dynamic range, we’ll say, in your scoring here. We have Zenity with 24 out of 30, giving them a 49 out of 60, a very respectable score. For Egress, you gave them a 20 out of 30, bringing them to 46 out of a potential 60. And BugProve with 25 out of 30, having a total of 50, and that makes them our winner for Episode 3 of Capture the CISO.
Now, just a reminder that Attila Szász, the CEO over at BugProve, is not here, and they won’t hear the result until this episode airs, but they will be joining us on May 17th for our live finale. You can go ahead and register for that right now. To get in on that live finale, ensure your seat, you can head over to CISOseries.com, click on the blue Capture the CISO logo, and make sure you register.
Thank you so much, Christina Shannon and Dan Walsh, for making the time for your deliberations, for your considerations in this whole process. I really appreciate it. And thanks also to our contestants, Attila Szász, the CEO and founder at BugProve; Steve Malone, VP of Product at Egress; and Ben Kliger, CEO at Zenity.
So, now, we have our lineup for the Capture the CISO finale. Yes, BugProve will be joining Anvilogic and Nudge Security for one final round of CISO scrutiny to find out who will truly Capture the CISO. I’m Rich Stroffolino. From all of us here on the Capture the CISO team, here’s wishing you and yours a super sparkly day.
[Voiceover] That wraps up another episode of Capture the CISO. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows, Super Cyber Friday, Virtual Meetup, and Cybersecurity Headlines Week in Review. All contestants of the show are sponsors of the podcast.
If you’d like to sponsor and be a contestant, contact David Spark directly at David@CISOseries.com. Thank you for listening to Capture the CISO.