Here’s an awesome bonus episode of CISO/Security Vendor Relationship Podcast featured as the closing event at Evanta’s Global CISO Virtual Executive Summit.
Here’s what went down. The day before our recording, three representatives presented their unique and innovative security solutions to a panel of CISOs and the virtual audience in attendance.
The next day, everyone came back to offer up a quick elevator pitch and to be grilled by the CISOs. That’s exactly what you get to hear on this bonus episode of CISO/Security Vendor Relationship Podcast.
The episode is hosted by me, David Spark (@dspark), producer of CISO Series. The judges and contestants were as follows:
Judges
- Matt Crouse (@mattcrouse), CISO, Taco Bell
- Lara Divi, CISO, Dine Brands Global
GUESTS
- Sam Crowther (@kasada_io), CEO and founder, Kasada
- Chris Hines, vp of product marketing, Axis Security
- Greg Murphy, CEO, Ordr
Got feedback? Join the conversation on LinkedIn.
Thanks to all our sponsors for this bonus episode of the podcast
Full Transcript
Voiceover
Ten second security tip, go!
David Spark
Hey, this is David Spark giving you your ten second security tip and that is to listen to Security Vendors. There may be a time you don’t want to buy their product but heck, you may run into a friend that is interested in your product and just the education you get from a security vendor about how they are helping the security Eco system will be of value to you and to others in the community. So, if you can pass along some value to someone else, that helps all of us.
Voiceover
It’s time to begin the CISO Security Vendor relationship podcast. Recorded in front of a live audience.
David Spark
Oh my god, listen to that crowd. They’re ecstatic. Welcome everybody to the CISO Security Vendor Relationship podcast. My name is David Spark. This is a very unique and unusual episode. This is a bonus episode of the CISO Security Vendor Relationship podcast. We are on the very last day, and I believe the very last session, of the global CISO Virtual Executive Summit. Hosted by Avanta and this is the CISO Innovation Spotlight and it is a podcast for just this event that actually happened yesterday but we’re following up on it to have a deeper discussion, if you will. So what happened yesterday is three security companies with some unique products presented to a panel of CISO’s. And those three companies are Kasada, Axis Security and Ordr. And we’re going to hear from all three of them today. And the CISO’s asked a few questions then but they’re going to ask more questions now as well, so you can hear. So, we’re going to bring each representative from each one of the vendors on, one at a time. They’ll chat for a few minutes with our two CISO’s who I’m going to introduce in just a second. And then at the end, the CISO’s will make a determination of which one they like the best, what they didn’t like, what they did like, what they have hopes for, what would work, what wouldn’t work. Alright, everyone understand that? Let me introduce our two CISO’s. The first is Matt Crouse who’s the CISO of Taco Bell. Matt, make some noise so those people only listening can identify your name with your voice.
Matt Crouse
Hey David, thanks for having me today. And thank you Chris and the Advanta crew as well as our vendor partners. Really looking forward to it.
David Spark
Excellent. And also joining us is Lara Divi who is the CISO for Dine Brands Global. Lara, thank you so much for joining us.
Lara Divi
Hey guys, it’s Lara Divi. Thank you for the opportunity and thank you for having me. Glad to be here and seeing all you guys and looking forward to our session.
David Spark
So here’s my big question and I can always ask this whenever we talk about innovation, in cyper-security, in particular, when someone says an innovative cyber security company, and I’ll start with you Lara, what is it you’re looking for? What means innovation in cyber security to you?
Lara Divi
Modernization of cyber security, you’re looking for solutions that address not only today’s, if you would have challenges, but the future challenges that we’re going to have. Things that are coming down from, if you would have cyber threat actors that we haven’t seen, potentially that is going to be a challenge in the future for us.
David Spark
And Matt, what about you, what does that mean to you?
Matt Crouse
Not very different from Lara. I think it’s a recognition that no current security technology or vendor is ever perfect and looking for new ways to solve the challenges that current solutions and products don’t address or don’t address in ways that help us.
David Spark
In [UNSURE OF WORD] that opening tip I gave at the beginning of the show, how open are you to hearing about new solutions? I talked about this with a past co-host of mine, Alan Alfred, he said that he realized that he needed to keep himself open to listening to pitches from a lot of security vendors because if he’s going to do a better job of security at his organization, he needs to know what’s going on out there. And traditionally, and correct me if I’m wrong from the two of you, when a CISO wants to look for solution, they just go to other CISO’s. And if other CISO’s are just talking about the same products they’re using, and no one’s going outside, then it just becomes a massive echo chamber of old solutions. Have you seen this happen, Matt?
Matt Crouse
I have seen it happen and I think it’s really important in that it was a great tip that you gave because as a CISO it’s my job to understand my business’s risk, their technology risks and translate that to mitigation controls. But I only understand what’s happening inside of my own business organization. The vendor partner in the community understand what the bad guys are doing now, where they’re going next and how that needs to be mitigated.
David Spark
Lara, what do you do in terms of keeping up and making yourself open to new solutions that are out there?
Lara Divi
We have to keep up with new solutions and technologies and we have to be ahead of the game as we all know, and as you mentioned, that’s the only way we’re going to know what threats are out there and how we’re solving the problems. So when it happens, we know who our trusted partners and who are the vendors that we can go to and get help. And of course, from our CISO partners.
David Spark
Quick question for something I mentioned in the opening tip, have either of you seen a solution, it wasn’t right for you but you knew a fellow CISO, oh, this would be right for that person, have you passed that company on to that person? Not saying at the bottom but passed the name on? Yes?
Lara Divi
Yes.
Matt Crouse
Yes.
David Spark
Definitely done it? Alright. So this is my big comment to all vendors out there, it’s not always a one-to-one thing – CISO hears it and then buys it. CISO hears it, could tell other CISO who could then buy it. Or could then tell another CISO who could then buy it. So, it’s the ongoing education I think is critical. Alright, let’s bring on our very first guest and what I’m going to ask of all our guests when they come on, just give a quick pitch of what their company does so those people who are listening right now, who were not part of the discussion yesterday, have a general idea. And then I want all of us just to negate in a short conversation about the product. Alright, so let us bring on Sam Crowther who is the CEO and founder of Kasada. Sam, thanks for joining us.
Sam Crowther
I appreciate it, David.
David Spark
Alright. Sam, just give it to us in thirty, sixty seconds, what is Kasada for those who don’t know?
Sam Crowther
Easy. So we help organizations solve the problems that bad bots or malicious automation causes on websites, mobile apps and APRs, in a very, very simple and economical way.
David Spark
And I want to stress that one thing, I’ll start the conversation going right now because one of the things that you brought up yesterday was the percentage of traffic from bots that are coming to site, you said 60 percent, by the way I’ve heard 95 to 99 percent from others as well. But one of the things that maybe the security people are not paying attention, they may just be thinking about securing and let’s get rid of it, but if you’re physically taking in all this bot traffic, you’re paying for all this bot traffic as well. And saying that this is a solution that will not only help in security issues but help for economic reasons and I really like that you brought up that issue as well.
Sam Crowther
I think it’s awesome when security tools can provide very, very tangible business ROI in areas that are kind of adjacent. And that’s an area we found ourselves in where it’s so easy for bots to contribute to such a large percentage of someone’s Amazon bill, someones telecom bill, that we can actually have a good impact there.
David Spark
Alright. So I’m going to throw this to both Matt and Lara. You heard the presentation yesterday, you had some questions, but please feel free to grill and ask the questions that are on your mind and that might be on the minds of your fellow CISO’s as well. So, Matt, you want to start?
Matt Crouse
I appreciated your presentation yesterday. One of the things that we talked about was how you put the onus on the client that’s connecting to a website, to prove that they are good and to constantly prove that they’re good, what made you take that approach versus asking the question of do we think this person is good or not?
Sam Crowther
It actually was from experience that I had had being part of building a fraud group for a bank, I used to work with one of the investment banks as a security analysis and I sort of just did a few things. The problem was we were always making decisions after the bad thing had happened. Sure, you may be able to stop funds going out the door but it became very clear if you could actually stop it further upstream, there’s no longer a need for any of, you know, even a small percentage of the bad things happening, right? And one of the things that happened to us at this bank is the tighter we tuned the retro-active decision making, the more people just scaled up their operations on the front. It’s a numbers game, automation. So if they’re going to only get one out of hundred requests through, they send a million. If they’re only going to get one out of a million, they send a hundred million. And that’s sort of why we leaned into the approach that we took.
David Spark
Lara, do you have a follow up question?
Lara Divi
Absolutely. Sam, thank you so much for yesterday’s presentation, it was awesome. And one of the things I really liked about your product is your focusing on bot management or bot automation that caused technology innovation are using a lot of bot. So I one of the questions I had, and this was hopefully for the audience as well, how do you distinguish between false positives and false negatives? I really like the idea of focusing on bot management and automation aspect of, if you would have technology, because technology innovation they are using a lot of bots, digital channels, if you would have. So how do you distinguish in your product false positives and false negatives? And I also like the idea of capture, just eliminating that from your product because it does cause business disruption and impact, from a customer perspective.
Sam Crowther
Yes, so on the false positive, false negative side, because the two are obviously very impactful things, if we start on the false positive piece, one of the reasons early on we made the decision to move away from making classifications based on, like human interactions which leads to problems of classification later down the chain, is you get into that scenario where it’s actually relatively easy nowadays to… I think there’s a GitHub repocalled Humanize which will literally generate human movements for you. And you’re going to have a very, very good MR model to distinguish that. But we realized the tools that are being interactive with are very different and so if we could actually move away from detecting interaction patterns to how does the tool behave at it’s execution layer? How is the Java Script executing within this browser context? Does it indicate any signs of automation? We could actually vastly reduce that false positive risk because you’re no longer playing a tuning game of what looks acceptably random and human versus what looks automated. And on the false negative side, by going down that route of actually detecting the tool itself versus the interaction pattern, it means that someone could tomorrow go and create a new bot using the latest version of puppeteer. But because they’re actually using a framework that’s not a legitimate browser because it is a hooked chrome, it behaves differently to a normal chrome at some very, very low levels in the way that maybe it returns some data in the dorm, or even renders it. And so by looking for those differences, that’s how we manage the false negative problem at least, because someone has to actually really build an environment from scratch that mimics something legitimate.
David Spark
I’m going to throw a question to both Matt and Lara here, and obviously Sam, I want you to speak up, but one of the things that I have about innovative companies is the ease of implementation. And that there’s a lot of factors that come in ease some implementation, one of them can actually be cost if it’s really cheap, yeah, I can probably get this passed. But it also can be, what needs to physically move? From what you’ve heard, Matt, if you were to implement something like this, where do you see how easy or not easy it would be? I want to hear from your viewpoint, what you see so far?
Matt Crouse
For the ease of implementation, first of all you would have to make sure that it’s going to play extremely seamlessly with whatever WAF technology you’re using. I know we talked about that just a little bit during your presentation yesterday.
David Spark
And let me just pause for the audience and Sam, you can speak to this, mention that it could be a WAF replacement or it could work in conjunction as well. Go ahead, Matt.
Matt Crouse
And you can be a WAF replacement or not and in some cases companies like mine might choose not to go that route but we may choose to go with a vendor who can do a really, really good job at something surgical like bot detection. So we have to talk about do you integrate seamlessly? Can your operations integrate with their operations on a human side? And then what’s the latency involved in something like that as well, the hand-off between the two?
David Spark
Alright. And Lara, how would you think about implementation of this?
Lara Divi
Absolutely, scoping and integration. And the impact on digital technology channels. And in the back end, the integration with WAF or replacement and CDN, all that good stuff. It could be there is some, if you would have, medium impact to the environment.
David Spark
Alright. Sam, you get the final word here regarding integration or anything else you want, what’s your last thought?
Sam Crowther
That’s absolutely a good point, how many components of a system, a. does it touch, and where does it integrate into? And that was why we chose the model we did where it’s designed to just receive traffic in a new layer, behind a WAF, behind a CDM, to be as flexible as possible because again, when I was at the bank, it was terrible to get anything into the back end product.
David Spark
Alright. Well thank you so much. Let’s hear it again for our guest, Sam Crowther who is the CEO and co-founder of Kasada.
Sam Crowther
Thank you, David.
David Spark
Thank you again, Sam. Alright. Let’s bring on our next guest here, Sam that was excellent and we will be referring to everybody. This next person did not actually present yesterday but I’m guessing he actually knows the product with a hand-off from one to the other, it is Chris Hines who is the VP of Product Marketing over at Axis Security. Chris, thank you so much for joining us. They are thrilled to hear you are here. [LAUGHS] They see you.
Chris Hines
David, thank you for having me.
David Spark
Of course. Alright, Chris, let’s get the 60 second pitch from you as to what is Axis Security?
Chris Hines
I think if you think over the last two years the amount of data out there has increased by 100 percent. And now every user, device and application is now connecting over the Internet. The challenge is that network security was designed to protect what was on the network and a data center where people were working within the office itself. But with people working from anywhere and connecting to applications that no longer reside in the data center, what’s needed is a more secure means of connecting users to those applications. So what we do at Axis is, our fundamental belief is that one day the exchange of information will always be fast, safe and secure. So we sit in line between users and the business resources that they’re trying to get access to and we inspect that traffic. We verify access and we broker connections on a specific basis without having to place users on a network, without having to expose the infrastructure to the open environment. We see 500 percent year on year increase on ransomware threats because of things we like VPN to VDI. Our goal is connect users to resources in a fast, secure manner. And that’s what we believed we have developed here with the organization, this is something not just employees will be able to leverage, but that business can actually use for their entire business Eco-system of suppliers, of customers, of partners, of vendors who need access to operational technology for example. This is a connectivity company and I think this is one of those kind of rare opportunities for security people to actually drive transformation versus being that department of no. So very excited for you.
David Spark
So one of the big plays here was to be in the solution and zero trust model. I’m going to throw this to you first, Lara, what did you think of what Axis Security had to say yesterday and what are some of your follow up questions?
Lara Divi
I really liked the product and Chris, thank you for being with us today. As you said, it’s connecting users to the resources in a secure, fast manner. And what I like is your product, the way I heard it, it can integrate with existing technologies such as Okta and end Point Security and so on and so forth. So it’s very complimentary and it provides that holistic security and visibility that not only cyber security but the business needs into their users activity. So that said, one of the questions I have and I’m going to ask what David asked earlier, what would you think the effort is to deploy your product? The ease of if you would have the implementation, that was one thing that I was thinking about last night.
Chris Hines
Sure, absolutely. One of the benefits of this being fully cloud hosted is that we operate just like Netflix, just like Uber, just like Air BnB. Our customers pay a subscription and we offer and we maintain the service up for them. So the only deployment aspect is there’s an option where the customer could even go client list or client. And what that means is they can either deploy something on their device which will forward traffic up to the Axis cloud, or not. We can go, let’s say, you’re a third party vendor and you don’t even have to deploy anything. Now in either case, all we’d deploy is something called a connector and it’s a little front run time that runs within AWS, Azure or the data center and it front ends the application. It’s actually the core component that’s actually protecting the application from being exposed to the open Internet. And the only thing that little connector talks with is the actual Axis cloud. So this idea of zero trust is very important in that it has to be easy to deploy, because that is a challenge for many companies out there. So, cloud delivered, very light footprint within the customer’s environment. Again, there’s no appliances or anything like that. And to your point that you hit on before, we’re trying to help security people go from 50 different point products down to maybe the five that matter, of being able to integrate with the end point. With the Sim, with the identity provider of choice, are critical to being able you all move faster and securing this new modern workplace that we’re all in today.
David Spark
Awesome. Alright, let me throw this to Matt as well. And by the way, thanks for addressing the implementation question right up front. Matt, what are your questions?
Matt Crouse
That was a perfect tee-up to my question, it’s almost as if Lara and I collaborated [LAUGHS] but we didn’t talk before and compare notes, I promise. One of the things that I really liked in the presentation yesterday that we got, was that you guys provide very granular behavior in access control, defer exposure to applications. So rather than plopping somebody into my network and they can see everything, whether they can log into an application or not, now they just can’t even see it unless there’s a validated reason that their company approves or what have you. My question is how do you manage the maintenance of that list and how do we prevent that from becoming a sprawl of spaghetti with connectors all over the place, to every new application under the sun?
Chris Hines
Totally agree with you. I think the biggest difference in everything is we’re designed to connect users to applications versus networks. So in the past what you would, for network segmentation for example, you’d have the whole list of firewall policies for all your internal firewalls, because you’re looking at things that are layered three perspective, source IP, destination IP. Making a simple change request took much longer that it probably needed to. First of all, what we’re doing is the way we do segmentation is the on a per at level and is at layer seven. So although you will need to set new policies, those policies in terms of the amount are much, let’s say, smaller in terms of the amount of. The other piece we’re investing heavily in API’s. So as new apps, so let’s say Discover, or we have the ability to pull API’s from Cloud Strike or the identity access management, and automatically adapt policy in real time just through those API’s. The third piece is we remain in line when a user broker that connection through an application, and we’re inspecting that traffic. And if something malicious takes place or the context triggers an alert, we sever that connection as well. So we’re trying to automate as much as we can and we see a lot of companies investing in dev-ops. We’re not quite there yet but what we’re finding is a lot of people are really behind this notion of API’s. Being able to make policies easy to use and simple to use, is extremely important, and we think that looking at things that are app level versus network level, is a huge part of that simplification in the market.
David Spark
Excellent point. Alright, simplification seems like a big, big deal with your product right here given the volume of what you’re dealing with and a great point that you brought up here. Alright, we have time for just a couple more quick questions. Lara, what more do you have to follow up on this? What would it get you to want this or do you see something like this working in your environment? Or what kind of environment would need something like?
Lara Divi
Absolutely. So getting rid of the VPN, that modernization of cyber security when we allow our people to work from anywhere, if you would have, any place as long as their devices are secure and they’re connecting to us, most definitely I’m really interested. One thing that we talked about yesterday is privilege access, if you would have, Chris. For the sake of the audience if you could also help us understand how would this work for privilege access management?
Chris Hines
Absolutely. So there’s a couple of things to look at. What this technology allows the admins to do is to find very granular policies per application. So those policies are customized to the organization. They take a couple of things into consideration. The specific application you’re attempting to access, the user group, so for example, if you’re using an [UNSURE OF WORD] active directory, we’ll pull in those insights to determine, okay, Lara can get access to SAP but perhaps Matt cannot get access to SAP giving that he’s coming from a specific group. The next iteration of that is actually beyond just what we’re doing for kind of user access, but more so advent level RBAC, so Roll Based Access Controls as well. So when we think about privilege access management it’s from two layers. It’s the end users who the IT admin is looking to secure access for, but as well as the admins themselves. Because you don’t want to have over privilege access for your admins where maybe some need only read only mode but they’re going in and half visibility to maybe full visibility mode which could be an insider thread or a potential issue as well for insider malicious movement.
David Spark
Last question to you Mr Matt Crouse.
Matt Crouse
Thank you. I just wonder, Chris, how do you see this space evolving over the next couple of years? Our last guest talked a little bit about automation of technology within his space, how do you see your product in the space in general evolving from maybe this person should be able to access the application because I said so to this person should still be able to access the application because we still know we can trust them?
Chris Hines
Yes Matt, that’s a great point. What we’re thinking beyond that is what if the identity isn’t even a user? What if it’s an app trying to talk to another app? Or a server trying to talk to another server? Now the important thing for us is that we look at connectivity as any entity trying to get access to information. We focused on this notion of what we call zero trust network access, which really was remote access to private applications because many of the customers said that over the next 18 months, they’re going to spend on zero trust, the first thing is going to be ZTNA and then there’s going to be CASB and DLP. So we purposely focus on the core like foundational building block and as we look to evolve our platform we’ll be adding in capabilities like CASB and DLP which will be part of our swig. And even beyond security, because now we’re at this precipice of networking and security having to work more closely together, since we sit in line, we’ll also be able to provide visibility to the digital experience of every user by hot metrics. You know, if Lara is trying to get access to Microsoft 365 from her Mac laptop, all the points she went from from her Mac, to the router, to the ISP, to access, and everything beyond that, we’ll be able to pinpoint where the issues are and help IT solve those issues much more quickly. And that’s just the nature of being in line and being a cloud service on top of those policies and granular access controls that we talked about before. So, the industry for us, start with this notion of private apps, then we’ll have to continue down to all apps, open Internet where 98 percent of an Internet threat stem from the open Internet, and being able to think and apply that server to server traffic and app to app traffic as well, especially as a lot of these companies started adopting more hybrid cloud environments where those entities have nothing to do with users overall. But it’s the same notion – identity and policy define what gets access and we will help broker those connections in the right way.
David Spark
Excellent. That’s the half-time buzzer that came a little too late. Chris, thank you so much for joining us. The crowd appreciates you coming. We do. Right, let’s bring on our very last guest here. That will be Greg Murphy, who’s the CEO of Ordr. Greg. There you go. [LAUGHS] The crowd is pleased to see you as well. Alright, Greg, I loved your presentation yesterday. You are in a space of discoverability but a little bit more than just that which is what I think makes your story very intriguing. So why don’t you give us your sort of 30, 60 second pitch for those people who don’t know who you are because, again, many of our listeners here were not at your presentation yesterday.
Greg Murphy
Sure. Thank you so much. Ordr we’re the leader in what we call agent list connected device security. So enterprises today can have anywhere from hundreds of thousands to millions of connected devices that can range from everything from traditional IT infrastructure to IOT devices like IOT enabled toilet paper dispensers, surgical robots in the hospital environment. Our job is to make sure that enterprises know exactly what those devices are and that they understand how those devices behave and what they do on the network. And then we use that information to automate actions to secure those devices all without requiring software agents. So that the net result is that enterprises can detect and they can respond to faster to incidents like ransomware but they can also take proactive measures to minimize the blast radius and mitigate the impact whenever attacks do occur.
David Spark
Sounds like it’s addressing a lot of major concerns. Matt, what was your first take on this and I’m going to start with a slight negative here, what would be your concern of a solution like this?
Matt Crouse
My concern of a solution like this is always the false positive. Because you’re writing on my network, you’re interacting with my switch or my AP’s over an API and you’re allowed to take enforcement action on certain devices if they violate policy or what have you, my concern is always about the replacement devices, the break fix things and then false positives that may automatically mistakenly block a device off the network. How do you approach that?
Greg Murphy
It is a great question and I think that one of the things when you think about the kind of Christmas tree of lights of alerts that go off in front of [SOCI] analysts and the false positives, one of the ways you really address that is by making sure that you understand the behavior of these devices. So it’s not just, hey there’s a device that’s on your network that looks concerning or that has vulnerabilities, but we can actually pair that with information to say, you know, that device has a vulnerability and it is starting to behave in a way that no device like it has ever behaved before. It’s doing something different than that device type typically does. That’s probably something that your team needs to know about. So it’s by pairing that understanding of what the device is, what it’s vulnerabilities have, with the behaviors that you’re really able to help organizations prioritize and get to their highest priority incidents and respond to those as fast as humanly possible, or as fast as possible with machines these days.
David Spark
Alright. Lara, let me throw this to you, what are your questions about this and what intrigues you about it?
Lara Divi
Yeah, Greg, thank you so much for a wonderful presentation yesterday, really liked the product about if you would have end point detection and response, if you would have a mitigation. My question is the baseline as Matt says. If you would have the platform and integration with different systems and having the Christmas lights lighting up, and now we’re chasing after false positives, what is the impact of deployment of a tool like this within an environment? That is, yes, we have access management system, we have end point prevention and detection, how would that integrate with these existing systems?
Greg Murphy
Sure it’s a great question and we’re going to integrate with existing things like your CMDB, your asset database with your existing network infrastructure, with your sim, your firewalls. The key here is really making it simple. So we would install a hardware sensor or a virtual machine on the network off of a spanner or tap, and basically start watching the traffic on the network. We do this all passively. So basically, you install the sensor, go off to lunch and we’re going to come back and we’re going to give you a report of here are all of the devices that we see communicating on the network. And you made the point about base-lining these devices. One of the things that’s really interesting when you look at a lot of the devices that are agent-less, think of IOT devices, they behave in constant ways. A video surveillance camera doesn’t wake up tomorrow morning suddenly deciding that it’s going to communicate to different destinations on your network that it never did before. So once we have that baseline understanding of what the device is and what it’s communications patterns look like, we can really hone in very quickly to identify what normal behaviors look like and then to flag things that look anomalous, where you start to see devices behaving different from that baseline. And so that, that whole process, identification of devices is something that usually takes place within just hours, building the baseline is over a period of days just passively watching the traffic and then from that point on you have the information about devices. You have their identity and their behaviors and that enables you to start talking about intelligent policies to protect those devices.
David Spark
Matt, what do you like about this discoverability solution or essentially asset management solution which is a little bit more than others you my have seen?
Matt Crouse
What I really liked about this solution in yesterday’s presentation was we had a discussion about it toward the end, the ability for you to function not only as an access control mechanism for devices on my network, but also an ADR solution and you can help me get to patient zero if I do find myself infected. Because then I can go out and interrogate what patient zero did wrong and fix that problem systemically.
David Spark
Yeah and let me throw this last lead to you, I’ll have you comment in here as well Greg, but same with you, what do you like and what would make you eager to jump on a solution like Ordr, what would make you a little hesitant to do something like that?
Lara Divi
What Greg mentioned yesterday that I really liked is that the devices that are connecting to the network that now my team has to go chase. Well, what is this device that’s making a noise? Is it a false positive? Is it a false negative? We’re seeing perhaps some potential malware activities where with the Ordr platform we can easily identify it. What kind of concerns me is that that integration piece and really getting by end because this has to integrate with IT systems. It’s not only a security system but it takes that cross functional effort to get a tool like this deployed. If it was only cyber security it would be easy. And for a distributed network it takes a little bit of time to get this platform deployed.
David Spark
Alright and Greg, your final thoughts on this and any last sort of pitch you would like to make to our judges?
Greg Murphy
Yes, I think to respond to Matt’s comment, I think one of the things that’s really interesting is organizations, having that ability to look back when they find out about it and consider it. For example, one of our customers in the midst of the solar winds, said we’re lucky, we don’t have any solar wind servers in our network environment. And we were able to go back and say, well it’s funny, you’ve got a server that is actually communicating with the [UNSURE OF WORD]. And they were able to look by and say, oh, you know what, what happened here is that we had one of our groups had a POV version of solar winds that we never knew about but thank you for alerting us to that because we are now able to see that that device was there, now we can take actions to take it off the networks. So having that time machine that allows you to go back and say, wait a minute, we found about a new attack, hey have we ever seen any behaviors like that on our network? That’s a very, very powerful tool. And I agree with Lara, the point is, this has to be integrated into existing systems. And it’s organizations that have thousands of control points on their network, they’ve got intelligent firewalls, intelligent switching infrastructure. The goal is not to replace all of that but to integrate seamlessly. The problem with those stems today is that trying to find human beings to write the policies is incredibly time consuming. By automating that process we enable organizations to move towards this zero trust feature.
David Spark
Good point. Thank you so much, Greg. We are going to say goodbye to Greg. Well. Goodbye Greg. Thank you very much. Alright, now with just a few minutes left, I’d love to hear your thoughts both Matt and Lara, to the three companies that we saw today. I actually thought all were very impressive. What did you like? What didn’t you like? Please feel free to speak openly. Matt?
Matt Crouse
You know one thing that I liked is all three of these partners, they’re not solving new challenges. There’s nothing new about access or IOT or bot detection. But they’re all solving it in new ways. Everybody yes, is rushing towards zero trust because we all agree that that philosophically is the right approach, we need to constantly prove our validity, prove our worth or whatever. But they’re all solving it very technically in new and innovative ways and I really appreciate that because having been around the space for some time, one thing that we all know is that if you’re not constantly innovating you’re falling behind. And I’m not calling anybody out but I love to see new companies innovating in new ways.
David Spark
Yes and I propose that they are here part of the innovation spotlight. Lara, your thoughts.
Lara Divi
Total I agree with Matt, nicely said, Matt. They are looking at challenges that we have in a new way and they are thinking ahead of time. How do we ensure that the companies not only are protected, how are we solving business challenges? Remote workforce, if you would have ransomware, zero trust that will also address the human factor. So I really like all three products. It’s just a matter of which priorities do we have, which challenge or issues we’re trying to solve? And I really appreciate all three representatives from all the three companies. They did a fantastic job.
David Spark
Now I’m going to ask you which one was your favorite? We agree, they all did impressive, and I would want to know, and the favorite could be a whole mass of things, like they seem a little bit more ready for prime time, easier to deploy, this is a need personally that I have that’s really hurting right now, I’d want it. Explain which one is your favorite and why. I’ll start with you Matt, first.
Matt Crouse
I’ll go from the approach of problems that I see not just personally but across industry and talking to all my CISO peers, of the three we have bot detection, we had remote access and we had connected devices. I think the most common problem that I see and maybe it’s because I operate in the retail space, is bots. And so I really liked Kasada’s approach to stopping bots but I also like that they’re very flexible and they can solve multiple challenges. We talked about them being a WAF replacement or not a WAF replacement, that kind of flexibility is very, very important. And I think that they probably solve the broadest set of problems. Or they solve the problem that I see as the most common.
David Spark
Okay, so bot issues and yes, it is a pretty darn common problem. Lara, which one did you like the best?
Lara Divi
I really like all three but I like Axis the most because of their priorities and initiatives that I have to go password-less if you would have the zero trust integrated apps, monitoring end to end session which there are times that HR ask, hey, I want to know when a person logged in. And we’re like, hey, we’re cyber-security, we are not monitoring people’s productivity or activity. However I see other business use cases for the platform as well, so I go with Axis.
David Spark
Axis Security. Alright, now I know many people say, oh you’re all winners but literally this, it’s a first time I can actually say, you are all winners. And here’s why – Matt, you chose Sam Crowther’s company, Kasada for their solution at dealing with bot technology that’s going on. Lara, you chose Chris Hines with Axis Security, essentially connectivity issues. And our audience has chosen Greg Murphy with Ordr for their solution. So I can honest to God say, all three of you are winners. Congrats. Alright. I want to bring absolutely everybody back on as well and thank them all for participating here in the Innovation spotlight as part of the event as well. One of the questions I ask, by the way, all my guests no matter what is, are you hiring? So I want everyone to tell me if they’re hiring or not. And just make a final pitch for your company or how they can find out more about their product as well. We’re going to just go in order and then I’ll let our CISO’s close the show out. First, you Sam.
Sam Crowther
Yes we are absolutely hiring. We have almost doubled this year and are planning to do so next year going to sort of 150 mark. Kasada.io Is the best place to find out everything you need to know about us and our blog section which we have some pretty unbelievably smart folk on our team who write some pretty interesting pieces.
David Spark
And for those who are listening it’s Kasada spelt K-A-S-A-D-A.io. Sam Crowther is CEO and founder, alright, let’s go to Chris Hines who is the VP of Marketing Security over at Axis Security. Are you hiring?
Chris Hines
We absolutely are. So thank you if you’re one of the audience we have some very ambitious goals to take out some much larger companies like Z Scale or like Cisco so [UNSURE OF WORD]. You can find us at Axis Security.com and we’d be happy to speak with you, and you can connect with any of us on LinkedIn. Just search Axis Security on LinkedIn and connect with us.
David Spark
And AxisSecurities.com/careers for jobs. Alright, let me throw this to Greg Murphy, CEO over at Ordr spelled by the way, O-R-D-R. Let me just ask, you weren’t able to afford the E’s were you?
Greg Murphy
We couldn’t, we just couldn’t quite swing it. But now as business is growing we may be able to get that E in place.
David Spark
Get the E back in to the company. Alright, Greg, are you hiring?
Greg Murphy
Yes absolutely. We are hiring. David we would love to have you run our company zoom meetings [LAUGHS] as you know how to deal with mute issues. We are absolutely hiring across the world and growing. We just had a record quarter for the organization and if anyone is interested we’d love to have you talk to us. You can find information about the company at Ordr, O-R-D-R.net.
David Spark
Ordr.net. So we have an IO, we have a dot com and we have dot net. Alright, Matt, thank you so much for coming in. Any last thoughts as we close this out?
Matt Crouse
Thank you David for having me. You know, I’m actually going to give Lara a shout out here. I think she won with the quote of the day when she said, ‘if this was just cyber-security this would be easy’. And one thing that I love about all three of these presentations today was that you help us solve business challenges. You’re not just a pure place cyber-security vendor. You’re flexible, you’re adaptable and you can actually help my organization succeed which I love. So thank you all very much for that.
Lara Divi
Yes. Thank you all for having me, it’s a great opportunity to meet with all three vendors here.
David Spark
You are very welcome and as always, I have to thank Avanta for putting on this event, for being a great supporter of the CISO series and our audience. We greatly appreciate your contributions and for listening to the CISO/Security Vendor Relationship podcast.
Voiceover
That wraps up another episode. If you haven’t subscribed to the podcast, please do. If you’re already a subscriber, write a review. This show thrives on your input. Head over to cisoseries.com, and you’ll see plenty of ways to participate, including recording a question or comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at david@cisoseries.com. Thank you for listening to the “CISO/Security Vendor Relationship Podcast.”
