Capture the CISO S1E1: Conveyor, Pentera, and Votiro

Welcome to episode one of Capture the CISO, hosted by Johna Till Johnson (@JohnaTillJohnso), CEO, Nemertes.

Our judges are Shawn Bowen (@SMbowen), CISO, World Fuel Services and Mike Johnson, co-host, CISO Series Podcast and CISO for Fastly.

Our contestants:


Huge thanks to all our contestants who are also sponsors of Capture the CISO

Conveyor

Conveyor makes security reviews fast, easy, and accurate for both vendors and their customers. How? By making it easy for third-party risk teams to get basic info on vendors, request access to their security documents (such as SOC 2 reports and pen test reports), and get their security questions answered without actually issuing a questionnaire. Check out our video to see how Conveyor can save you 71% of your time on vendor security reviews.

Pentera

Pentera’s Automated Security Validation Platform is designed to help teams improve their security posture against modern-day threats across the entire attack surface. Evaluate your security readiness with continuous and consistent autonomous testing, with granular visibility into every execution along the way. Validate that your tools are working effectively by safely emulating attacks, and prioritize your remediation efforts with truly context-driven results. With MITRE ATT&CK framework mapping, test your environment against adversary techniques and build an optimized process from testing through to production. Don’t just operate, validate!

Votiro

Can you trust the files and content entering your organization? Votiro Cloud’s Zero Trust open API proactively disarms files of known, unknown, and zero-day malware threats at scale without adding friction, interrupting user or application workflows, or impacting file fidelity. Votiro reduces work, alerts, and risk for IT and security teams while enabling the seamless flow of safe files.

Votiro is tool-agnostic and provides virtually limitless auto-scale capabilities to handle any file throughput and the widest span of file formats, neutralizing malicious files uploaded to web apps, portals, data management platforms, and cloud services.

Full transcript

[Chris Gomes] Conveyor is a trust platform that makes security reviews fast, easy, and accurate for vendors and their customers.

[Jake Flynn] Assure security readiness across your complete attack surface.

[Aviv Grafi] Votiro delivers safe content from any source to any destination at scale.

[Voiceover] Capture the CISO begins now.

[Johna Till Johnson] Welcome to Capture the CISO. I’m your host, Johna Till Johnson. We have three companies competing today – Conveyor, Pentera, and Votiro. All are vying for a CISO’s interest. These companies aren’t direct competitors, but they are being assessed along three axes – is their solution innovative, is it solving a real need, and how easy is it to deploy. I’d also like to introduce this episode’s CISO judges. We have Shawn Bowen, who is the CISO at World Fuel Services, and Mike Johnson, the CISO of Fastly. Our judges have already watched demos of each company’s product, so they know what the products do, and they’ve come armed with questions. You, too, can watch demos of our contestants’ products. Go to our site, CISOseries.com, then click the blue “Capture the CISO” icon. Before we start bringing on the contestants, CISOs Shawn, Mike, what do you think about these three axes? I like them because basically innovation is does it do something that justifies my putting a line item in my budget, solve a real need, ditto, and easy to use is a sec ops issue. But to you guys, do these metrics make sense to you?

[Mike Johnson] The one that I like the most is the does it solve a real need. That’s the first question that I always have. Is it innovative is also interesting. How does it set itself apart from what else is in the industry? And then finally, ease of deployment – is it something that’s going to be shelfware for me? Then I don’t want to buy it. So, I like these three axes.

[Shawn Bowen] Ease of deployment is a big one for me because that’s how much I’m going to be committed. If it takes three months to install it on a one-year contract, I’ve already wasted a quarter of that. Does it solve a real need, I’m with you, Mike. There’s a lot of products that are PowerPoint deep and fail on deployment. And so it’s one of those things that not only does it solve a real need, but is it going to replace two of my tools, or three of my tools, or does it actually fill a gap that I was unaware of. And similarly innovative, I think I’m with Mike on it. It’s interesting but not always critical. I think that’s more important to startup companies.

[Johna Till Johnson] Let me ask you just a wild card question – when we talk about does it fill a need, and you guys both highlighted the gap that I’m unaware of. In my experience, one of my hardest things is to get a line item on the budget for filling that need, let alone putting a particular product in that line item. Is that the case, or is that not a problem that you guys are dealing with?

[Shawn Bowen] For me, I think that’s about prepping the battlefield. You start with one quarter. You kind of start to hint at there’s a gap. And the problem when you deal with salespeople is they want to sell it the same day that they demoed it for you. The reality is it’s going to take you probably a couple quarters to get through the right approval processes.

[Johna Till Johnson] I love that phrase – prepping the battlefield. Mike?

[Mike Johnson] I totally agree with Shawn that you can have a demo or have an evaluation maybe even a year before you do a purchase. So that when you are coming back, you’re like, “Oh, I saw this thing in the past. This is a gap that I’ve identified. I will put this as a line item in my budget.” But the other thing that I would say is we’re constantly reprioritizing. There might be something that we thought we needed at the beginning of the year, and it was the right thing at that time. But later in the year, it’s not as important to us. And something else has come along that, “Oh, this is a gap. This is something that’s really significant for me. I’ll shuffle budget around so that this now becomes a line item in my budget.”

[Johna Till Johnson] Before we kick off the segment, I just want to stress again how brave these companies are for joining us before they’re also sponsors. So, a huge thank you to our contestants for supporting our brand new show.

Conveyor

4:02.750

[Chris Gomes] We came up with the idea for Conveyor at our previous company. We were SOC 2 and ISO 27001 certified. And yet we were still filling out enormous questionnaires to sell our product, and we saw our customers were doing the same thing. And we thought, “There has got to be a better way for vendors and their customers to build trust. Questionnaires suck. Security reviews take too long, and no one is any safer.”

[Johna Till Johnson] Joining us now is Chris Gomes, head of product for Conveyor. Chris, can you give us a quick 30-second summary of what Conveyor does?

[Chris Gomes] Our vision is a world where security questionnaires are a thing of the distant past. And the way that we’re bringing that about today – if you have a vendor to review, just tell Conveyor. If they’re on our network, you get instant access to their security and compliance artifacts. If not, upload whatever you’ve got – their SOC 2, their security whitepaper, their trust packet. We will parse those documents and find answers to your questions or the controls that matter for that vendor and flag issues proactively for you. And in doing so, we save you 79% of your time on that security review and help you complete it five times faster.

[Johna Till Johnson] Shawn, I’m going to ask you first – what do you think about the Conveyor solution?

[Shawn Bowen] I think it’s an interesting product. I think I’ve seen some similar products to this solution space. The question I kind of have is it looks like it was tailored for SaaS products and being able to fill it out whereas what about other customers that are just doing traditional third party engagements. I didn’t really see that as your target audience. So, who exactly is the target audience of this?

[Chris Gomes] The target audience is large technology enterprises that have a large number of SaaS vendors. So, you’re exactly right that the primary pain we solve is security reviews of those SaaS vendors that are going to be handling sensitive data, take way too long, and don’t actually help you manage risk effectively.

[Mike Johnson] I totally agree with the premise. Questionnaires suck. I don’t feel that it’s actually helping us to improve security, so I’m interested. I really enjoyed the demo. What I’m curious… So, there’s a couple things. The first is 71% is a very specific claim. So, I have to ask, where does that number come from?

[Chris Gomes] Great question. And at the time we recorded the demo, it was 71%. We’re now at the equally specific 79%.

[Mike Johnson] Okay.

[Chris Gomes] With all of our early access partners we’re actually benchmarking the speed at which they’re completing the reviews and comparing it to the original baseline and how long it would take them previously. So, right now we’re batting 79%, which is basically a 5x improvement. And our goal is to get to 90%.

[Johna Till Johnson] I love that answer, Chris. As an analyst who for my living is often asked to benchmark things, I’m much happier that you’re doing it on a rolling basis with all your clients because I just want to point out that that gives folks an objective sense of the people who didn’t hit 79 as well as the people who did because you’re not cherry picking the clients. So, I think that’s actually a very important point – that you’re not cherry picking your clients.

[Mike Johnson] That actually brings me up to one of my other questions, the rolling aspect. So, what about retests? This is a point in time, the first time I’m engaging with a vendor. I’m going to want to make sure that their security is up to my standards as we continue our engagement.

[Chris Gomes] Conveyor helps you with that initial point in time assessment, and then it’s pretty much set it and forget it. So, depending on the inherent risk of the vendor, you can set review for a year, every couple years. That’s not that different than most vendor management tools that are out there. But what is different is that when it comes time for that retest, you don’t have to do any sleuthing. You show up to Conveyor. We’ve pulled their latest security and compliance artifacts like the copy of their latest SOC2. We rerun the questions and controls that you care about on that vendor. And assuming your use case hasn’t changed, it should be the same questions and controls that are relevant. And then we just flag for you what changed. So, you no longer have to start from scratch. You’re not reinventing the wheel. You can just focus your attention immediately on has their security posture degraded in any way or has our use case changed. And, “Well, let me focus on the new questions that result.”

[Mike Johnson] To me this seems like a two-sided market. You have the vendors. You have the people who are selling things; you have the people who are buying things. Two-sided markets are always very interesting to satisfy both. I actually looked up my own company. I saw our score. And I’m curious how I manage my own score. We all like to gamify, right? Like, “I want the highest score.” But at the same time this is something that my customers ideally in your world are depending on your service to review my security. So, I’m curious as a vendor, as someone who sells products that would be reviewed by y’all, how do I manage that? How do I make sure that the automation hasn’t picked up something really weird, or I’ve had so much experience with other vendors in this space that scored things totally unfairly and then you end up having to spend all this time maintaining it? So, I’m curious the other side of the market, on the vendor side, what is that experience like?

[Chris Gomes] We actually got our start at Conveyor helping vendors build trust with their customers, and so we have a lot of happy vendors like Datadog, PagerDuty, Freshworks that are using our platform to share their security and compliance posture. Now, when you refer to your score, what you’re referring to is for roughly the top 149 cloud SaaS vendors, we collect publicly available information from their websites primarily about their trust posture, and we essentially grade how transparent they are in communicating trust publicly. We amend those reports if the vendor says, “Hey, you got something wrong,” or, “Hey, we’ve got this other page,” or, “We updated this page.” We happily amend that. We retain sort of edit rights over those reports to make sure that the vendor is not just blowing hot air. But if you wanted to go a step beyond that, what Datadog, and PagerDuty, and Freshworks are doing is they’re actually hosting their latest SOC 2 and compliance documents on our network. And that helps them accelerate their sales cycle and make it really easy for their customers to say yes in that security review.

[Johna Till Johnson] You talk about being able to redo this assessment annually, every couple years, whenever the client wants to do it. I have a question that’s sort of related to that, which is to what degree have you automated your processes? Because ideally I would want to be redoing these quarterly. At least your target demographic will. That could be a scale issue if it’s not heavily automated.

[Chris Gomes] The way that our process works today is we have essentially a domain specific search engine that we’ve developed, and it helps both vendors respond to questionnaires when they do come in, but it also helps for this use case, which is I’m assessing my vendors, I have a series of questions, and I have a corpus of their security and compliance artifacts. And so at this stage it’s heavily automated. But since it is an early access product, we’re still QA’ing every result before you receive it as a customer. And so we say, “Bring it on.” If you want to review them every quarter, even better. And we’re happy to help you do that.

[Johna Till Johnson] So, that helps us sort of asymptotically approach the perfect scenario of having real time assessment. Not that you’re promising that, but at least you can kind of see your path towards that. Chris, thank you again for joining us today.   

Pentera

11:42.087

[Jake Flynn] We came up with the idea of Pentera when traditional pen tests and vulnerability management became unmanageable with the current threat landscape.

[Johna Till Johnson] That was Jake Flynn, sales engineer for Pentera. Jake, thank you for joining us.

[Jake Flynn] Thanks for having me.

[Johna Till Johnson] Jake, please give us just a quick 30-second explanation of Pentera and what you do.

[Jake Flynn] Pentera really is that automated security platform intended to provide those security professionals with that consistent and continuous execution-based results through autonomous penetration testing. Now, we are an agentless solution, taking the viewpoint from the attacker’s perspective by emulating those real world tactics, techniques, and procedures – providing our customers with the ability to prioritize their remediation efforts and really focus on true impact within the environment. Now, with that type of approach, we remove false positives and test against production environments by executing safe and comprehensive exploits, validating your security controls across the entire stack, and accelerating your red team exercises by automating those repetitive tasks internal red teamers conduct on a consistent basis. Lastly we do provide comprehensive reporting and step by step guided remediation, so teams can effectively increase their security posture and reduce their exposure.

[Johna Till Johnson] And Jake, before I hand this over to our CISOs to start the questioning, in a nutshell, you’re talking about automated continuous ENY in a box?

[Jake Flynn] So, it’s really taking penetration testing in a manual perspective and automating those exercises. So, instead of more of a point in time approach towards getting those yearly or biyearly penetration tests, now you have the ability to conduct those exercises without having to hire on a complete red team to do so as well or effectively increasing their exercises by running those executions for them automatically so that they can focus on the true impact or tricky aspects to the environment and their security tools involved with it.

[Johna Till Johnson] Okay, great. And, Shawn, I know you are chomping at the bit to start asking some questions, so why don’t you start firing questions at Jake?

[Shawn Bowen] Generally I’m a huge fan of attack paths and being able to visualize those. I think it helps people understand the chain of events and how far left in the attack chain you can get to reduce the significant amount of damage in your environment. But the concern I have with the product is most of my engineers and most of my developers, they don’t want to go to a specific product on it. And so to steal a phrase from [Inaudible 00:14:08], how do you get in the path of the engineer so they can see the problems that they’re introducing into their environment in a little bit more real time. How do we live through this product without living in the product?

[Jake Flynn] This solution really is intended to automate those exercises. But ultimately we do give you the ability to pick and choose which exploits run along the way as well, and they do map out each individual step by step action along the way. And you can obviously port those over to your log aggregation or SIEM solution so that you can correlate obviously blue team responses or responses from your security solutions and those exercises or those executions from the red team side of things. Now, with the control that you do have, you get to choose and pick which executions you want to run on which individual devices and have a little bit more granular or sculpted tests in that regard. Along the way though, you ultimately have the ability to really narrow down what you’re looking to target. For instance, let’s say we’re targeting endpoint controls. You can run more local executions in that regard – whether it’s file based or fileless. And then ultimately maybe you want to leverage more on the network side of things and being able to target more on the NDR solutions or the IPS/IDS and seeing if those types of solutions are optimized to be working how we intended them to in the first place.

[Shawn Bowen] Another question on this relevant to my company specifically – by the end of this year we will have no data centers, and we have a remote workforce. So, how does this attack path mapping work in an either Cloud hosted or Cloud native environment?

[Jake Flynn] Really what we’re intending to do there is to be able to deploy out the solution in that agentless approach. Because obviously the attacker is not going to be deploying out agents across the environment as well, right. From there, that’s where we have what we refer to as attack nodes that span across the environment. Now, for fully on prem, it’s pretty straightforward. Just having an attack node between all the local area networks within there. For more of a distributed architecture where 50/50 let’s say…50 on prem, 50 on Cloud… We have specific exploits for let’s say targeting, to give you a quick example, Azure AD Connect. Have something in regards to targeting let’s say those Connect servers or targeting AD integrations there along the way. Then for fully Cloud environments, there is a little bit different aspect to that for how our solution operates in regards to let’s say how it’s hosted in the first place. So, for one aspect, let’s say it’s AWS EC2 instances or if we have more of an Azure Cloud deployment as well, we can target some of those types of integrations in regards to where those connections are coming from as in where those endpoints or where those end users are connecting into the Cloud as well. Now, it really depends on what that Cloud deployment looks like, but with the remote attack nodes or dynamic attack nodes, those distributed architectures, we would ultimately have to have one on prem there to be able to span across that network there.

[Mike Johnson] So, Shawn asked one of my questions, which was Cloud native companies. This is my world. This is my life. I want to take that a little bit further. Your examples were all focused on when all the discussion has been Azure, AD. Some of us are Mac only shops. So, I’m curious what that looks like in that world. If we’re Mac and Linux, what does your testing look like in those kinds of worlds?

[Jake Flynn] The demo really was focused a little bit more about Windows environments. The example that I showed was a Windows environment. But we do obviously have the ability to span across the other operating systems as well. Now, we’re not just focusing only on endpoint controls as well. We are focusing obviously on network side of things, to that point. Now, it doesn’t matter if it’s let’s say a Linux device there where we have specific exploits for privilege escalation and extraction of [Inaudible 00:17:52] keys to give you a quick couple of examples there. However, Mac devices as of right now since they have a little bit different infrastructure there, they would be a little bit something that we would consider outside of our scope as of right now. But it is something we are attributing to as we move along our roadmap.

[Mike Johnson] So, I’m curious, who is your target customer for this? Automated controls testing, that’s a lot. So, I’m curious – who is your ideal buyer of this product?

[Jake Flynn] With this type of approach here, we’re fairly vendor agnostic in that regard. Whether it’s a smaller company that doesn’t have the ability to bring on red teamers in house, this would be able to help them really prioritize their remediation efforts as opposed to getting a long list of CVEs and going top down perspective. But from let’s say more of an enterprise perspective, larger corporations that have red teamers there, we are more targeting in regards to being able to optimize those processes as well. And then really giving them the impact scoring or prioritized remediation scoring based off of their particular environment and set up there. So, I would say we’re very vendor agnostic in that regard, but it really depends on whether or not they have in house red teamers or not. It’s really dependent on optimization or providing that context that they currently do not have here today.

[Johna Till Johnson] Just to be clear when you say vendor agnostic, you really mean buyer agnostic.

[Jake Flynn] Exactly.

[Johna Till Johnson] Jake, thank you very much for joining us.  

Votiro

19:18.061

[Aviv Grafi] I came up with the idea of Votiro when I was at Pinterest, and I found that the easiest way to hack into an organization was still sending a malicious document. And I thought what would be the best way to solve that problem.

[Johna Till Johnson] That was Aviv Grafi, founder and CTO of Votiro. Thanks for joining us.

[Aviv Grafi] Thank you for having me here.

[Johna Till Johnson] Aviv, go ahead and give us a quick 30-second summary of what Votiro does.

[Aviv Grafi] Votiro’s API proactively disarms content of known and unknown threats at scale that other security solutions miss without adding any friction, without blocking files, and without interrupting the users. Votiro reduces the work for IT and security teams, reducing the risk while enabling seamless and instant flow of safe content and data into the organization. We do that by applying content disarm and reconstruction (CDR) technology, which actually turns the problem on its head. And instead of looking for bad stuff, we always deliver good, known content.

[Johna Till Johnson] So, is it fair to say that you’re constantly filtering content to look for stuff which is not good because you’re using the good stuff as the whitelist, and if you discover something that needs to be addressed, you’re seamlessly behind the scenes addressing and remediating it?

[Aviv Grafi] So, actually we know what the good parts of the documents are, let’s say the content, the text paragraph, and things that really matter for productivity. And by delivering only the good content we’re just keeping behind all the unknown, maybe malicious, maybe not. So, we’re not in the game of trying to guess whether this is bad or not. We’re just allowing the good content. And in that way, we’re just enabling the business productivity where the users just don’t care whether this file is malicious or not because they can just open it and work with it.

[Johna Till Johnson] But the key thing here is continuous content filtering.

[Aviv Grafi] Yeah, so we continue to filter the good parts and delivering that, correct.

[Mike Johnson] I really liked the approach. The whole idea of, “Oh, we’re not going to try and find badness because that’s an always changing environment.” So, I like the idea of “We know what’s good.” A few things I’m curious about. One is… So, I’m a Gmail shop. We use Gmail. I’m trying to understand how this is better than like the built in preview of Gmail. If I just have an attachment come in via Gmail, I click on it. I get a preview. Nothing is downloaded locally. So, how do you compare against that?

[Aviv Grafi] Yeah, so the preview is just to get a thumbnail version of the documents. So, usually if you’re talking about Word documents, if you’re a legal firm, you need to see the changes that are tracked. You need to see the features that are actually in those very sophisticated file formats. So, the preview, maybe that’s nice. But if you really want to be productive and need to do your job, you need to see the entire file on your desktop.

[Mike Johnson] So, again, getting the fat document. How are you dealing with Excel documents that actually have important macros? Usually these products just discard all macros, but I’ve now received a spreadsheet that’s utterly useless because the macros are gone. How do you handle macros in this world?

[Aviv Grafi] Yeah, so you’re correct, some of the solutions are dropping the macros all together. But we understood that for productivity a lot of financial organizations…not just financial…they need to work with macro enabled documents. So, we enabled a CDR approach that used machine learning in order to understand that this is a benign macro – this is a legitimate macro. So, we know how to profile those good macros. And in that way, we know that this is good, and we’re allowing the macro to go in as opposed to some suspicious macro that we may want to drop or may want to quarantine. Yeah.

[Mike Johnson] I’m Mac shop as well. How does your product help me as a Mac shop versus, again, the traditional Windows world that everyone has all sorts of file based viruses to worry about? So, for those in the Mac world, how does your product help?

[Aviv Grafi] Votiro’s technology is operating system and endpoint agnostic because we do that on the gateway level, and we focus on the file format. We focus on the specification of the documents and the content, and this has nothing to do with the endpoint, nor the application that actually opens that file. It can be a mobile device. It can be a Mac. It can be a Linux operating system. It doesn’t really matter. We focus on the file itself, on the [Inaudible 00:23:26] itself. And that’s why we’re agnostic to any endpoint feature.

[Shawn Bowen] We all love security. You’re talking to security people. I want this applied to everything. But how absolutely annoyed are the users with this process? Because I understand a financial company or a defense company or someone that’s used to the security life of having to badge in 35 times just to get to the bathroom, etc., and passwords everywhere. But for most companies, this seems like we’re going to piss off a lot of users. So, how are we kind of balancing that, or what’s the feedback from users living through this?

[Aviv Grafi] Votiro’s solution is actually seamless and transparent to users because we’re delivering the exact same file format, exact same features, exact same user experience. In fact the user doesn’t really know that Votiro was there, and we processed those documents. The way that we’re doing that is that we’re the file format experts. We know how to replicate those documents in the way that we preserve all features. So, from the end user point of view, it’s actually way better than the other traditional solutions that might block or might quarantine their documents or emails that they now need to call the help desk. We’re always delivering the version that they can work with and they can be productive. So, from their point of view, they actually don’t know that Votiro is there.

[Shawn Bowen] Mike kind of touched on one of the questions about how you’re not destroying the documents, but what about the history or the metadata that’s following those files that sometimes is important. If you’re recreating the document, how are we translating that over to the document to keep the history and some of the underlying content that may be important for tracking purposes?

[Aviv Grafi] We’re not flattening the document. We’re allowing all the history to be kept, to be moved to the delivered content, delivered piece of file. And actually we’re moving all the metadata like the author name, the properties of the document. Anything that really the users might look for including the history. The history, that’s the structured data that we know how to process and how to recreate. So, the user actually can work with tracked changes, all those features that you actually mentioned.

[Shawn Bowen] Is that not corrupting the integrity from a forensics standpoint? If you’re able to recreate a file with essentially a fake history. I guess I have a lot of hmm about that. Just kind of thinking through that. Like if you’re recreating a file, but you’re traveling all that over, how does that stand up?

[Aviv Grafi] So, the way that we’re doing that, we keep for a retention period the original document. [Inaudible 00:26:01] that you need the original for any reason, we keep that for weeks, or months, or years – depends on your configuration. So, we can always access the original if you need it for any purpose, including legal purposes.

[Johna Till Johnson] Are you able to run this on backups? So, if I have for example backed up all of my content, but I have a sneaking suspicion that I may have backed up some ransomware, is that a potential use case, or no?

[Aviv Grafi] Yes. We see more and more organizations where they’re moving their backup or actually their old file service to the Cloud, and they now want to retain everything on S3 buckets. So, we have our product connected to their AWS S3 buckets. So, anything that now moves to the Cloud either from the historical backup or new from any client facing application goes through the process of Votiro, and we’re doing the same process for terabytes of data that move to the Cloud or goes through that application.

[Johna Till Johnson] That’s actually a very, very interesting use case I want to highlight because most people don’t think about the need for constantly filtering content that is backed up because ransomware attackers have now learned to implant ransomware in backed up content.

[Shawn Bowen] In your demo, you walk through obviously a simulation. But if a file that is like business correct – it’s got good necessary data – but has some malicious content in it, are we still able to maintain some of that integrity and help kind of do forensic analysis to look at where that may have happened in the process? I’m thinking a valid file being sent between a couple of employees, and somewhere along the line it gets some sort of malware ingested into it through whatever method. But are we able to kind of start to use this as an incident response capability, or is this just purely end user protection?

[Aviv Grafi] Actually, the Votiro solution can integrate with the threat intelligence solutions that you might have already in your organization. So, we can either share the data on the original structure of the documents, so as to get some hints and deliver those hints to threat intelligence. This is one. And on top of that, we have a process that we call retrospective scanning. We send those files a week after they’ve been received to a traditional detection solution that maybe they can find something in it. So, after the fact, you go, “Look, a week ago a malicious file…someone tried to hack me. Don’t worry. We’re safe, but you should now know that this is the artifact that was malicious and infected.”

CISO Reviews

28:35.928

[Johna Till Johnson] What do our CISOs think? Mike, Shawn, we’ve come to the point of the show where it’s time to hear your final thoughts before you give us the scores. The contestants have all dropped off, so we can be honest here. As a reminder, these companies are being judged on innovation, ease of deployment, and solving a real need. But right now I’d like to get your subjective sense of how each of them did. Mike, why don’t you just go ahead and start us off with your thoughts on Conveyor?

[Mike Johnson] Conveyor, I totally agree with the value proposition. Vendor reviews suck. They’re a pain in the butt. And I think the area is ripe for destruction. It might not be the right word but for disruption for sure. What I worry about is this is going to be yet another score chasing opportunity where, as a vendor, I’m going to have to go and make sure that I’ve got the best score possible because my customers might not use me if I’ve got a low score. So, on the vendor side, I’m always concerned about these automated platforms. You never really know what you’re going to get out of it. On the buyer side, it makes a lot of sense. I like the fact that it’s automated, frequent re-reviews. I like the fact that it’s not much work. And I like the fact that I’m not asking a whole lot of my vendors. I’m not sending them a 500-question questionnaire. I think there’s something here. It solves a need. Innovation, some. User deployment is truly easy. You’re just going in and giving a list of vendors. I wish I had a better idea of what the pricing looked like. That was something that when we’re talking about ease of deployment, kind of took a point away from that. But at the same time, I give them some back for the fact that even if you don’t pay for them you can look at their public scores and actually get a lot of value just without even being a customer. And so I kind of gave them some points back for that.

[Johna Till Johnson] Shawn, what are your thoughts on Conveyor?

[Shawn Bowen] Conveyor, interesting. I think as Mike mentioned, I think that there’s a few people kind of doing this similar type of approach. For me, the ease of deployment for the tool itself, simple. The concern I have is integrating it into my third party risk management program as a whole, the entire process, what connectors do I have for external validations, several products you can think of that do that. That would complement the score. So, this is just one portion of that third party risk management. I want to know how it integrates into the ecosystem rather than having my team log into four different tools to try to generate a report or to manage the third party. And so for me, that was something that we didn’t quite get to, and the questions that they may or may not do. But from an ease of deployment piece, I think the tool itself is fairly simple. And like Mike said, I’m a big fan of showing off your product, giving people a playground to experience the product without having to deal with a salesperson.

[Johna Till Johnson] What about Pentera?

[Mike Johnson] Pentera, what I struggle with a bit there is this is a space that’s been around for a while. Automated attack simulation has been around ten years or so, and it hasn’t really taken off. Maybe they’re doing it in a new way that solves some of the old problems, but it’s just never been a big uptake. I don’t feel that this is a product for your average enterprise, your average company. That was why I asked the question of who is your target market. I don’t think there is going to be a single small business or medium business out there that purchases this product. This is solely going to be for controls validation. I can’t use this to satisfy any of my penetration test requirements for any of my compliance frameworks. They all require third party attested signed penetration tests. This doesn’t solve that. This one I struggle with. I’m not sure that this is something that most CISOs would be interested in.

[Shawn Bowen] I agree with Mike. It’s been around for a while. The problem is you have to have someone skilled enough to use it. I ran the report, and I got lots of interesting information. The walk through on how to solve the problem is nice. But now I’m still relying on engineers to do that. The last thing engineers are going to do is go read a Wiki page and then follow up to do it unless we really twist their arm. We want to kind of get in the path of that or make it some sort of automated patching solution that integrates into that. I know they had a vulnerability scanner as well. And so I think that they kind of spread out pretty good, but the demo only walked through the simulated red team component of it. But they also had gray box and vulnerability. I’d be interested in seeing what’s there, and why would I want to use them over one of the leading vulnerability scanners that are out there. And then again, what’s the integrations like to the rest of my environment so that I can adequately see it. I am still concerned as we go into the future. I know not everyone is going to be off in the Cloud. There will be a lot of on prem, and there will be some network devices where there is still value in this. But when you have a distributed workforce and you have essentially isolated machines at each individual house, how do attack paths really get articulated in that. And so I’m a big fan of the product itself. I think in the future their competitive space or their targeted customer environment is getting smaller. Yeah, that’s a difficult one for me. The security geek in me likes it, but the practical CISO, it’s kind of difficult. Because I either have the people that are skilled enough to do this, and now I’m just making their life a little bit easier, or I don’t have the people to do it, and the tool is just too complicated for them. They have to learn MITRE ATT&CK, and they don’t even know how to spell ATT&CK.

[Laughter]

[Johna Till Johnson] Okay. And Votiro.

[Mike Johnson] I like the way that Votiro is going about solving the problem. I asked about macros because I’m so used to these kinds of solutions just removing macros and saying, “Hey, we’ve solved your problem.” And it doesn’t. It renders the files useless in most cases. I like the approach of we know what’s good, and we’re going to copy that over. One of the things we didn’t talk about in the interview but they mentioned in their video is they handle password protected files. The workflow there is actually reasonable. I thought they solved that. Traditional file scrubbers either just completely delete the file, “This is encrypted. We can’t do anything with it, so therefore you can’t have it,” but they recognize there’s a problem and approach that. So, I think this is one, there’s still the question of how many companies really run this much on attachments that it’s that important to them. But it’s solving an old problem in a new way, which I give them a lot of credit for.

[Shawn Bowen] Votiro, I think is, again as Mike articulated…this has been around for a while. We have host based protection that will catch this file when you open it up. We even have defenders and other products that are embedded into a file when you open the file. Sometimes they’ll say, “Hold on. It’s read only while we’re scanning.” And there is some existing technology around this space in defending us. I am concerned… I know that the answer was it’s relatively real time, but I could see… In their demo it appeared you had to open up a PDF, and then it translated back to a Word document. It just seemed… I could see some users being highly annoyed. And depending on the industry you’re in, you may or may not have users that are comfortable with that level of security. And so I think it’s a solid product for those sectors that security is on the forefront.

Final Scores

36:39.537

[Johna Till Johnson] Both of you made some excellent points. And with that, now is the time for you to give us your scores. Mike, can you give us your total scores for each of the companies?

[Mike Johnson] For Conveyor, 21 points. For Pentera, 17 points. For Votiro, 20 points.

[Johna Till Johnson] Okay, great. Shawn, can you give us your scores for each of these companies?

[Shawn Bowen] Conveyor, 15 points. Pentera, 18 points. Votiro, also 18 points.

[Johna Till Johnson] What that gives us is a total score of 36 for Conveyor, 35 for Pentera, and 38 for Votiro, which makes Votiro our winner. But wow, these are really, really close scores. Votiro will be joining us for our live finale on June 17th to compete against the other first round winners. You can register for that finale by visiting our site and clicking on the Capture the CISO logo. Join us on the next episode to hear Light Spin, PlexTrac, and Torq compete for a chance to make it to the finale. And that brings us to the end of the show. Thanks, my friends. In particular, thanks to our CISOs, Shawn Bowen and Mike Johnson. And thanks specifically to our contestants – Chris Gomes from Conveyor, Jake Flynn from Pentera, and Aviv Grafi from Votiro – for sponsoring and supporting us here on Capture the CISO.

[Voiceover] That wraps up another episode of Capture the CISO. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows – Super Cyber Friday, Virtual Meetup, and Cyber Security Headlines, Week in Review. All contestants of the show are sponsors of the podcast. If you’d like to sponsor and be a contestant, contact David Spark directly at David@CISOseries.com. Thank you for listening to Capture the CISO.