Capture the CISO Finals – Season 1

A fantastic first season of Capture the CISO finishes with a fantastic finale.

The show went live last Friday, June 17th, 2022. You can watch the video right here, or listen to the edited audio here.

The entire season of Capture the CISO including this finale was hosted by Johna Till Johnson (@johnatilljohnso), CEO, Nemertes.

Our judges for the final episode were:

Yaron Levi, CISO, Dolby
John Overbaugh, CISO, ASG

The four contestants in the final episode were:

Ivan Tsarynny, CEO, Feroot Security
Vladi Sandler, CEO, Lightspin
Leonid Belkind, cofounder and CTO, Torq
Aviv Grafi, founder and CTO, Votiro

Check out the contestants, our shows, links to subscribe to the podcast, and all the vendors’ demo videos on the Capture the CISO show page.

We welcome active discussion and debate about all vendor contestants. 

Got feedback? Join the conversation on LinkedIn here and also here.

Huge thanks to all our contestants, who are also sponsors of Capture the CISO.

Feroot

Inspector
Through automation and “synthetic users,” Feroot Security Inspector helps you identify all your JavaScript web applications, third-party scripts, digital assets, and their data access. Manage your client-side attack surface and secure web applications from Magecart, e-skimming, XSS, and other client-side threats. Visit www.feroot.com/inspector/

PageGuard
Stop Magecart, e-skimming, XSS, and other client-side attacks with automated JavaScript security permissions and policies. Based on the Zero Trust model, Feroot Security’s PageGuard automates JavaScript security policies to detect and block unauthorized scripts, client-side malware, and anomalous code behavior to better protect websites and web applications. Visit: www.feroot.com/pageguard/

Lightspin

Lightspin’s next-gen cloud security platform, built on the Neo4j graph database, prioritizes risk in cloud and Kubernetes environments, focusing DevSecOps efforts on the critical issues that matter most. Our developer-friendly platform provides plug-and-play remediation in the form of IaC, and scans pre-production code to catch misconfigurations, which are the main cause of breaches. Lightspin proudly focuses on small and medium-sized businesses running workloads in the cloud, offering a free version of the platform that includes the industry’s only graph-based Attack Path risk prioritization. For an affordable, efficient, and secure cloud experience loved by engineers, learn more at www.lightspin.io.

Torq

Torq is a no-code automation platform for security teams. It helps people of any skill level automate workflows to streamline and reinforce security processes, using a drag-and-drop editor and guided configurations. Workflows can be built with templates from our ever-growing library, helping users automate even the most complex processes with ease. The platform readily integrates with any other system out of the box—no special connectors, just limitless integrations. With Torq, teams maximize protection while minimizing complexity, creating a more dynamic and enduring security posture.

Votiro

Can you trust the files and content entering your organization? Votiro Cloud’s Zero Trust open API proactively disarms files of known, unknown, & zero-day malware threats at scale without adding friction, interrupting user or application workflows, or impacting file fidelity. Votiro reduces work, alerts, & risk for IT and security teams while enabling the seamless flow of safe files.

Votiro is tool-agnostic and provides virtually limitless auto-scale capabilities to handle any file throughput and the greatest span of file formats, preventing malicious files from being uploaded to web apps, portals, data management platforms, and cloud services.

Full transcript

[Voiceover] Capture the CISO begins now.

[Johna Till Johnson] Welcome to Capture the CISO. I’m your host, Johna Till Johnson, and I’d like to introduce this episode’s CISO judges – Yaron Levi, who is the CISO for Dolby. Yaron, thank you for joining us.

[Yaron Levi] Thank you for having me.

[Johna Till Johnson] And John Overbaugh, who is the CISO for ASG. John, welcome.

[John Overbaugh] Thanks. Nice to be here.

[Johna Till Johnson] Yaron and John will be judging this season’s finalists – Feroot, Lightspin, Torq, and Votiro. Just a reminder, these companies are not direct competitors. They all have different facets of security, but they are all being judged on the following three factors – is their solution innovative, does it solve a real need, and how easy is it to deploy. The good news here is that our judges come prepared for digging deep into these companies. They have already watched short demos of each company’s product. They know what the products do, and they’ve come armed with questions. You, too, can watch the demos of our contestants’ products. Please go to our site, CISOseries.com, and then click the blue Capture the CISO icon, and you’ll see the demos. Before we start bringing on the contestants, I’d like to ask the CISOs, Yaron, John…maybe Yaron, you can start, what did you find most interesting in some of the earlier episodes?

[Yaron Levi] A couple of things. I think just the fact that it does something I’m always looking at for new companies and new startups is people who think differently about problems we’re trying to solve. I think there’s a lot of rehashing of the same problems or old problems, and I like the out of the box thinking and the new approaches. I thought some of the products that we have here and also that we have seen on other episodes have some clever ideas and clever thoughts about how they’re addressing maybe an old problem but in a new, different way.

[Johna Till Johnson] Yeah, I think that’s actually quite insightful. Because some of the problems are old problems with a new approach, and some are problems we didn’t even realize we had until we got the solutions for them. John, what about you?

[John Overbaugh] I agree with Yaron there. I think that these are age old problems that we’ve been dealing with, but I like the fact that they’ve really… Some of the solutions have flipped the script on how to approach them even. So, I’m excited to see more and talk more with the organizations to just kind of get a sense of their mindset and how they approach the problem from a new perspective.

[Johna Till Johnson] Yeah, it’s always interesting to find out from the contestants how they decided to start a company to solve a problem or launch a new product to solve a problem. So, yeah, that’ll be fun. Okay, before we go ahead and kick off, I’m going to be asking the CISOs to score the contestants. In the unlikely event of a tie, I will be the tiebreaker. Contestants, I just want to thank you again for being so brave as to come on the show, to sponsor a show, to compete in this first season and take a risk on something that’s brand new. We really appreciate that. So, those of you who are watching this, please let’s throw some love at them. Go check out the demos, find out what they do, find out how they are solving these problems, and investigate a little bit more about them.

Feroot

3:06.721

[Johna Till Johnson] Ivan, welcome. Glad to see you.

[Ivan Tsarynny] Thank you for having me.

[Johna Till Johnson] This is Ivan Tsarynny. He is the CEO of Feroot Security, where they help businesses protect their client side to provide safe and secure online experiences for their customers. Yaron, John, who wants to go first and start asking Ivan questions?

[John Overbaugh] I watched the demo, dug in a little bit on it. One question I have for you is doesn’t this product presuppose that organizations don’t know what their developers are even doing? A lot of what your tool captures is information around passwords being collected and so forth. So, help me understand – why tackle that problem?

[Ivan Tsarynny] Developers usually…they are really good at what they do, so they know what they’re doing. And the gap usually…it happens when developers develop something, and then business takes over. And the marketing adds their tech stack. And then customer success or support add their tech stack. That’s where the changes and the gaps really start to occur.

[John Overbaugh] Okay, so the problem space you’re solving here is just function creep.

[Ivan Tsarynny] Exactly, function creep, code creep, tech stack creep.

[Yaron Levi] To add to that… So, you talked in the demo about visibility and giving the visibility to the developers, but I also noticed that at the end of that video, you also had another product or another module which is called Protect. So, is there a value, and what’s the value of that visibility only, or do I have to have both modules?

[Ivan Tsarynny] So, why we mentioned that is basically it’s aligned with the way a client-side security program is usually rolled out. App sec teams first want to know what do we have – what is our kind of posture looking like. So, once they see that, then there’s maybe some issues or some weaknesses they want to take care of. Maybe there’s a data leak. They fix this. The next phase is we don’t want those problems to ever come back, and that’s where Protect comes in. First phase – find issues, resolve them. Very easy. Like you get results in five minutes. Nothing to deploy. Very easy to operate. And then moving to prevention.

[Yaron Levi] So, how do you make it actionable?

[Ivan Tsarynny] The first phase is detection and making those detections actionable. So, what we actually help with is we help create a prioritized list of issues or things that need attention. Maybe there is a data leak happening. Maybe there is something malicious already. Maybe there’s some weaknesses or security kind of back doors open. And they’re listed in a prioritized way – first, second, third issue. Once they’re tackled, those issues actually become the priorities for prevention. So, moving to phase two and phase three – how do we prevent this, and how do we make sure that never happens or it never comes back and never happens again. So, prioritized list of issues, and then action items around it with red buttons.

[Johna Till Johnson] Ivan, just to clarify, you’re saying step one is detection – find out what’s going on. Step two is to prioritize what you’ve found so that you can see what has to happen first, second, third. And step three is that recommended remediation – hit that red button so it never comes back.

[Ivan Tsarynny] That’s right.

[John Overbaugh] Let me ask a follow-up question on that. When you say prioritize, what are the criteria for prioritizing one finding over another? What metadata do you have about the applications, or just how do you do it?

[Ivan Tsarynny] At a high level, because we can go on and on for a lot of time about this, we start with a kind of risk-based approach. Because every risk has a dollar value, if a company knows what’s the dollar value for a risk. They look at it as what data assets do we have, what sensitive information do we collect, what is the dollar value assigned to it if it leaks out. Let’s say passwords and bank IDs or social security numbers. So, first we identify. We do discovery and classification. “Here’s the most sensitive information that we have, and here’s the risks associated.” Maybe there’s a data leak around it. And that’s how we prioritize it.

[John Overbaugh] So, it’s based on the data around that control or in that script?

[Ivan Tsarynny] Yes. And then there’s maybe some malicious…maybe there’s something sketchy already going on. But we prioritize it based on sensitivity of the information that can be exposed.

[Johna Till Johnson] Do the end users have…I mean the actual users have the ability to override the prioritization with their own insights?

[Ivan Tsarynny] Yes and no. Yes, there is some customization. And no, because we constantly hear more and more input, how to prioritize. And we are adding more and more items to the immediate roadmap to help make it even easier.

[Yaron Levi] So, this is not a new problem, right? It’s been around for a very long time. There’s a lot of products in the market that are doing this – some old, some newer. What is the innovation that you bring here? What is the killer feature that you guys have compared to others?

[Ivan Tsarynny] I think the killer feature is the business context, first of all, and visibility. The approach we take is almost like a crawler. Like a synthetic user, like Googlebot that crawls websites. And we understand contextually what is on a page – is there password information, is there credit card information, health records, or anything else that is collected. Then put a context around it. And then identify and find everything that is hidden in all the inline scripts, all the CSS elements, the entire third, fourth, fifth part of the supply chain. And then we are adding threat intelligence on top of it. We use DUST [Phonetic 00:08:23] and ISP to do this – to find all kinds of other issues. We are basically… What’s unique is we are combining a lot of technologies to solve the business problem hopefully once and for all. That’s from the detection side. Then we also added protection, including CSP, JavaScript controls, and real-time collection. So, we combined both outside-in and inside-out approaches.

[John Overbaugh] Yeah, and I don’t want to get into a pricing conversation, but what is your pricing model? Is it you want to make…sell 50 times for 100K or 500 times for 10K? Big market, small market?

[Ivan Tsarynny] We have packages for all.

Lightspin

9:03.223

[Johna Till Johnson] Here we have Vladi Sandler, who is the CEO of Lightspin, where they do graph based Cloud security built by and for Cloud engineers. Welcome, Vladi.

[Vladi Sandler] Thank you very much.

[Johna Till Johnson] Yaron, I’m going to put you on the spot. You kick off the questions for Vladi.

[Yaron Levi] Okay. Vladi, good to see you again.

[Vladi Sandler] Like always.

[Yaron Levi] My question is… This space has been fairly new probably within the last three or four years. There’s obviously some big companies and big names. There’s a lot of competition in this market. What is the differentiator for Lightspin compared to the other big competitors in this market?

[Vladi Sandler] We see it from day to day more and more. Basically three things. First of all, our main unique value proposition is the ability to click to prioritize and click to remediate any risk you have in your Cloud environment, from your infrastructure service to Kubernetes, from CI/CD security to runtime [Phonetic 00:10:00], in one holistic solution using our graph-based algorithm we developed. It’s pretty much like the [Inaudible 00:10:06] defensive Cloud security. The second one is that we have this angle of a full engineer solution. We have stuff for free. You don’t need a sales team. Click on the button, get access, get the value. We’re really big believers in value-oriented sales, which proves itself. And three, as I mentioned before, is the holistic approach for all your needs, including integration to your current security stack. So, we can prioritize everything. I can provide you with proactive vulnerability management, or compliance, or just posture management. Or you can integrate your own. I can provide you with [Inaudible 00:10:41] protection or you can integrate your own. But what I will do is I will prioritize any kind of feed you will put on my graph technology, and I am not recommending remediation but will build for you the remediation by providing you the [Inaudible 00:10:54] tailor-made for your infrastructure [Inaudible 00:10:55] using algorithms and root cause analysis.

[John Overbaugh] So, first of all, I love that you set prioritization, and you explain why in the system. I also love that your prioritization matches mine. So, for instance, the first question you ask in your prioritization is, “Is this asset exposed, and is it actively being exploited?” So, here’s my question – can I add metadata to my assets? So, for instance, can I tag it with a business owner so I can deliver that to the business owner and not feel like I’m taking responsibility for it?

[Vladi Sandler] Good point. Two things about asset management. Okay? A lot of people talk about asset management, and a lot talk about visibility. Let me give you visibility. The question in Cloud is we always need to remember everyone uses the same data. The question is what you do with this data. And understanding of our angle is, first of all, give an ability to give you tagging on your assets. So, define the sensitive asset. My algorithm will take it under consideration. Open [Inaudible 00:11:50] ticket, awesome. So, let’s forward it to the relevant project, the relevant point of contact. Because otherwise, as you mentioned before, you will become the main person who needs to handle and [Inaudible 00:12:02] all of it, which is impossible.

[Yaron Levi] So, to add to that, often times a lot of the security tools that we have we get the visibility. We get some protections. But as a security team, and we can’t do anything about it. We have to find some engineer. We have to find somebody in the business who can actually get the answer. How do you figure or how do you make the findings actionable for engineering teams, for example, who may be responsible for them?

[Vladi Sandler] Yeah, so what we see a lot of times in the case of Lightspin is that even though the target buyer is the CISO, the hands-on person who is really using the solution will be the sec ops security engineer or even the dev ops. Which means once we integrated the platform and we build for you the critical attack paths, which helps you prioritize, and you can also build the remediation which builds for you the root cause analysis, when you open the [Inaudible 00:12:50] ticket again you can allocate it to the relevant dev ops team. So, imagine that I show you the problem. I give you visibility. I give you prioritization. I give you coverage, but you don’t have a clue how to solve the problem. That’s what we help you to do. So, we reduce the time to market for your dev ops teams. Another angle we brought to our solution is the infrastructure-as-code approach, the CI/CD angle. So, I can integrate your GitHub now. And every time someone does a pull request, I will scan and notify you of all the critical risk going to be done by the pull request. So, you, the CISO, know exactly who is the user, who is the developer who did the mistake, what is the risk it’s going to do. And it’s easier to stop the pull request or even give some training. Maybe we’ll learn… We see from time to time he improved his security skills, but he still continues to make mistakes. And we can work with him better.

[John Overbaugh] Can that feed into Jenkins, and can we have Jenkins rules that say, “Oh, you got five errors. You’re not going to prod.”

[Vladi Sandler] Yeah, so what we can do… Two things. We can integrate to GitHub, scan your repositories, A, for…scanning your infrastructure as code. Any kind. It can be [Inaudible 00:14:05] use and give you a list of misconfigurations, [Inaudible 00:14:09] credentials, etc. Option number two, every time a developer does a pull request, I will see it, and I will notify you about all the critical risks, so you can handle that. C, I can run on your Azure, CI/CD, CI, Jenkins, [Inaudible 00:14:25] and then you can implement your policy enforcement by saying, “Okay, my organization, no chance are you having an S3 bucket which is unencrypted.” So, once it happens, I will [Inaudible 00:14:35] So, this system will have better power from the relationship with the developers instead of an [Inaudible 00:14:40] deployment [Inaudible 00:14:42] now to fix.

[Johna Till Johnson] So, that actually just backs up what I was going to observe, which is in a sense what you’re really doing is automating the addition of Sec in DevSecOps.

[Vladi Sandler] I don’t like automation. I like automation, but I hate when people say auto remediation and stuff like that.

[Johna Till Johnson] Yeah.

[Vladi Sandler] We build for you…automatically we generate for you everything you need to do, but I still give the power to the developers and to the customer to do his or her own review and verification before deployment is done. Because for the root cause analysis, we will map for you the critical point but still…and build the platform, but I want you to review it.

[John Overbaugh] Well, I like that you’re dropping it into Jenkins. I can decide what to do with it in Jenkins. I’ll automate it there.

Torq

15:26.574

[Johna Till Johnson] We have Leonid Belkind, who is the cofounder and chief technology officer at Torq, where they help security teams move faster with no-code automation.

[John Overbaugh] Leonid, thanks. Had an insightful demo that I watched. Question for you – what do you…? Is this just automating manual response in the Elastic security stack, or does it go beyond that? Because that’s what it looked like to me.

[Leonid Belkind] So, in essence we look at security automation in a wide sense. When I say wide sense I mean that there are many repeating processes today for different role players in the security program. It could be incident response. It can be alerts from the Elastic stack, for example. But also things such as application security events coming from a SaaS, open source security events, and identity and life cycle management, asset management, and many, many more. So, no, it’s not just automating events in an Elastic security stack, or actually the response to these events, but taking any repetitive process that any security professional takes as a result of something happening somewhere and turning it into an automation.

[Yaron Levi] SOAR is not new. It probably was five years ago. But since then we’ve seen several companies out there with SOAR solutions. What lessons did you learn from other companies in that space that makes your product different?

[Leonid Belkind] I think three main things are the lessons learned. First and foremost, one of the biggest challenges of SOAR was introducing the need for a middleman. The security expert was not really capable of implementing things themselves, and this hindered the velocity, increased the costs, and eventually did not make the impact that it could have made. At the end of the day, the idea is this – we strive to turn organizations that work by manual operational procedures – you do A, you do B, you do C if something happens – into people who think about building mechanisms. And if you introduce a middleman, and it’s not your identity analyst, application security analyst, Cloud security analyst that does it, you miss the deep value of transforming your organization from operations into engineering. This is the only solution, the way we see it, to going to Cloud scale, getting more events, getting events for a different environment, different types of events. So, that’s the main thing actually that SOAR missed. Second part is purely [Inaudible 00:17:53]. Due to high costs, SOAR went to the high end only. Look at the organizations you would see relatively successful SOAR implementations in. It would be the high end. What about the vast majority of the market? The [Inaudible 00:18:04] enterprises, nothing. Too costly, too slow. And the third point is that SOAR completely missed the transformational value of Open Source. You and I…you, John, you, Yaron, would you like to battle similar problems on your own or solve them together as an industry? The same way we solved it in various pillars of software engineering. This is the third thing I think that was completely missed by SOAR.

[John Overbaugh] Follow up question to that – do you provide customers with a baseline rule pack to get them up and running quickly? In other words, can I bypass starting from scratch and manually combing my logs for anomalous behavior with sort of a kickstart from you?

[Leonid Belkind] It’s not a rule pack. What we do is even more than that. Many of our customers ask a question of, “Wait, I can automate many things. But what is it that I should automate?” And the beauty is that, guys, this industry already has created frameworks such as NIST [Phonetic 00:18:59], such as MITRE Defense, such as CIS benchmarks that tell you what to secure and how. What we are offering is a template of blueprints. You may need to adjust them to your environment. Don’t expect them to be turnkey. But they are all aligned to these frameworks, depending on the pillar of your cyber security problem that you’re doing. And this is the best way in our humble opinion to start not from scratch but from something pre-mapped, not something that came up from my mind but from an industry-accepted framework.

[Yaron Levi] Adding to that – if you reflect back on your other clients that you have, what are the key factors to successful implementation and making sure this is not becoming shelfware?

[Leonid Belkind] Well, one of the things we set as a goal to ourselves when building this platform is that it has to be incredibly low friction in adoption. One of the KPI factors that we judge ourselves by is how quickly can an organization… And by the way, we are engaged with Fortune VPs and SMEs alike…how quickly does it see a value? How quickly do they start having the system work for them instead of working for the system? And the outcome is, Yaron…is that usually we leave our first onboarding session done on Zoom with a working end to end process. And it also serves as a training and onboarding thing. Now generally from this point on, it kind of begins depending on how many people are engaged. Is it a single team, two or three people, that dictates the pace? We work with organizations with three or four different people – your Cloud ops, your app sec, even your GRC – adopt this approach. And this multiplies the impact of adopting such an automation on the program.

[John Overbaugh] My question for you, Leonid, is do you process your customer logs in their native AWS region, or do they have to send their logs to you? In other words, are we going to keep that inter-region cost low?

[Leonid Belkind] We have an architecture that can keep the data plane either inside the customer’s environment, and it doesn’t even have to be an AWS region. Maybe you are hybrid environment, and you still have your own on premises data center. That’s perfectly acceptable. So, you can have the data plane completely germinate inside your environment. Or if you’re a sort of completely Cloud native organization and you literally do not want to have anything in your own environment, it could be a pure SaaS, in which case we have an architecture that tries to reduce such costs by being and having the initial hub of processing as close to your environment as possible. If it’s an infrastructure as a service region, AWS, Azure will be there, on prem data center will be as close as we can.

[Johna Till Johnson] Anything else you want to add, Leonid, before we wrap?

[Leonid Belkind] We saw a transformational impact that no code has on other disciplines. It could be marketing automation, HR automation, sales automation, and so on. Now, why did it have an impact on this discipline? Well, because it took people who are not necessarily engineers, and it allowed them to express themselves and do something they couldn’t before with this easy look and feel. We enabled these people to deliver engineering outcomes. Today we are doing the same for security.

Votiro

22:14.316

[Johna Till Johnson] And now last but far from least, we’ve got Votiro. We have Aviv Grafi, who is the founder and CTO of Votiro where they disarm weaponized content of known and unknown malware without impacting file fidelity or removing active content. Take it away. I think, Yaron, this is yours to start.

[Yaron Levi] Okay. First of all, how did you come up with this idea? And second, why did you decide to solve this problem?

[Aviv Grafi] Great. So, first, thank you very much for having me today. I think that as for the first question, before I founded Votiro, I was doing penetration testing audits for customers, for clients. And that was after I was finishing my A200 army service [Phonetic 00:23:01], and I was traveling around the world. It was a pretty fun job. And one of the things that I found that was working for me 100% of the time is to just send a weaponized resume document to the recruiting department saying, “Hey, I want to apply to this position. By the way, I know Yaron Levi from the company. If you want, I’d be happy to bring some references. Please call me back.” And that was working 100% of the time because that’s the tension between security and productivity. We’re telling our recruiters, “Screen hundreds of resumes a week because we need to have those hires.” But at the same time, we’re saying, “Oh, think before you open those documents.” And that was the moment I said, “Look, for the last 30 years we tried to solve a problem, but we’re probably doing something different.” And that’s how I came up with Votiro. I was trying actually to solve that problem completely differently.

[John Overbaugh] What I love about your demo is that you start out with the premise that it is security’s job to enable the business. I subscribe to that theory wholeheartedly. Let me ask you one question. This maybe kind of maybe more technical, but how do you know a macro isn’t malicious? Code is just code. What is it that tips you off to that?

[Aviv Grafi] If we’re thinking about content… So, for example documents like Excel spreadsheets or Word document, there are two types of vulnerabilities. One is a file format vulnerability, which we know how to actually take the content out of those documents, pasting them on a clean template of the document and then deliver that immediately. This has been done in milliseconds. Then there’s the other piece of the weaponized macros that we know that especially in our industry, I think it was a problem or is a problem for quite some time. What we developed in order to accomplish that solution is we actually took the macros… And we know that is a benign macro because we analyzed the benign macro codes. And then by building a machine learning model but not trying to find the bad macros. But we know what are the good macros. We can say, “Look, we see that this is benign. We saw that multiple times, and this was in the chain, in the organization. Okay, this is a legit macro.” So, it’s kind of a whitelisted machine learning assisted model in order to really solve that weaponized macro problem, which is with us for quite some time.

[Yaron Levi] Is this a product, or is it just a feature? Because I would expect to have some capability like that in the big Proofpoint of the old Microsoft, Google, everybody [Inaudible 00:25:26] for example emails to me. Should it not be a feature just kind of built into their platforms?

[Aviv Grafi] When we started it was a technology, and then it moved to be like a feature. But as we expanded our offering, we now know to be the [Inaudible 00:25:38] security gateway of the organization. So, the way that we see that is that we connect to all those files that those giants sometimes are not doing. For example, if you have S3 buckets in Cloud applications, today you want to make sure that all the content that you move to the S3 bucket is being secured. But in the same way, you want to have the policy on your incoming emails, on your web downloads…you want to have that for web applications. For example, think about insurance companies who are now receiving tons of claims that are being filed online. Someone needs to make sure that all those documents, for example, doctor reports, or damage kind of information…you want to make sure that on the other side, the business as you said…they need to work. So, we see ourselves as the gateway to this secure content for anything that goes into the organization no matter where it comes from and at scale, as we’re providing that as a Cloud service as well.

[John Overbaugh] Product or feature, I don’t really care. All I have to say is as soon as I saw the demo, it was just a forehead slap and said, “Why didn’t I think of that?” It’s such a cool way to turn things upside down, and it seems like such a logical approach.

[Yaron Levi] Maybe to add to that as well… We talked about the email use case on one hand. And you also mentioned the S3 buckets and things like that. So, how easy is it or is it possible to go and connect the solution to existing storage solutions or repositories and clean basically what I have? Because I have no idea if I have malicious files kind of sitting in my S3 buckets, or my Net App [Phonetic 00:27:14], or wherever.

[Aviv Grafi] Actually when I first heard that question from one of our clients, I said, “Look, maybe that is an esoteric use case.” But actually I’ve found that a lot of the customers, they wanted to have that. Actually they moved their old file servers that we had in the data center…they move all the files to the Cloud, and no one really can know whether they’re 20 years old, 30 years old Word document, whether it’s malicious or not. So, we do have a native integration with S3 buckets, and SharePoint, and OneDrive, all those file repositories and also Box to make sure and to… In three clicks it connects to the native API of those platforms. Then it allows you to scan and to sanitize all the content that is already there. So, this can be done… It depends on the volume, but this can be done easily by enabling that integration in your platform.

[Johna Till Johnson] Aviv, I just want to echo something one of the commenters is asking – can you use this to protect outbound documents to protect against reputation risk?

[Aviv Grafi] We’re currently focusing mostly on the inbound, so that’s the focus currently. As we see that this is the threat landscape, we’re not dealing today with reputation. But of course as we have an API, you can connect that to any platform.

What do our CISOs think?

28:30.497

[Johna Till Johnson] Excellent. Well, that was a great deal of fun. And now we are going to be dropping all the contestants from the Crowdcast, and it is just us. So, Yaron and John, without giving any numbers, can you give us a little bit of feedback on the four contestants, particularly as it pertains to the three axes that we’re looking at – innovation, real need, and ease of deployment?

[John Overbaugh] Yeah, I think for me Votiro stands out as innovative. Like I said, it was just a forehead smack. “Why didn’t I think of that?” And yet I think on ease of deployment I’m really big on Torq. I just loved how easy it was to set up the logic to respond to a security event. That’s the biggest challenge. We see thousands of events, hundreds of thousands of events a day. But to be able to actually really easily do a no code solution for those events, that was amazing to me.

[Johna Till Johnson] Yeah, that no code automation to me, that was actually my forehead slap there. I was sort of like, “Yeah, you can do no code automation everywhere else. Why not for security processes?” Yaron, what about you?

[Yaron Levi] Yeah, I concur. I like Votiro. I slapped my forehead as well the first time when I saw that. And it’s not a sexy problem. It’s kind of a boring problem if you will. But how many boring problems we have in security that we all hate dealing with and we have to deal with. This seems like a nice, elegant, kind of clean solution for that. So, I love the innovation there. I also agree with the no code premise. This is something where if I reflect back on previous source solutions and some of the early adopters of some of the older source solutions, it’s one of those things that great idea, definitely something that we need to have as an industry. But then we had to get a security engineer or programmer inside our team, and now good luck trying to find one or good luck trying to hire one if you’re not in a highly engineering company. I used to work in healthcare before, and it was a very, very tough conversation to go and say, “Hey, I need a programmer on my security team.” So, I think that’s the fact that you kind of lower the bar for entry, and you’re enabling a lot of people who may not have that skillset or other people even outside of security to put their hands on tools like that and actually contribute to the overall effort. I think that’s a great way to do that.

[John Overbaugh] That having all been said, I just want to say one thing. I think Lightspin is in probably the biggest problem space right now. What do they say? 98% of all your Cloud compromises are caused by human error. So, to have a solution that can go and poke around in the Cloud and come back with configuration issues is very valuable. So, tough call.

Final Scores

31:08.921

[Johna Till Johnson] Now the fun begins. What I would like you to do is as we’ve discussed we have a private channel for sharing the scores so that we can all deliberate behind the scenes. So, I’d like you both to go ahead and give us the scores – one total score. So, just to be clear, we’re not going to be sharing the splits across innovation, real need, how easy it is to deploy. And while you’re doing that, I would like to highlight something kind of interesting. We talked a lot about innovation and how easy it is to deploy. I think it’s sort of table stakes that we agree that anyone that’s gotten to this point is solving a real need, whether or not we call it a boring need. It is a real need.

[Laughter]

[John Overbaugh] Yeah, there’s no boring needs when it comes to compromise.

[Johna Till Johnson] Well, we have some very interesting news. Here are the scores. Feroot has a 46. Lightspin has a 48. Torq has a 52. And Votiro has a 52. Which means we have a tie. And I am casting the tiebreaker vote for Votiro, given the forehead slap reaction that we’ve gotten from the judges. So, we now have as a grand winner Votiro.

[John Overbaugh] Yay. Do we have clap? Is that appropriate?

[Yaron Levi] Yeah.

[Johna Till Johnson] Aviv, well done. Well done. And actually well done, everyone. Ivan, Vladi, Leonid, those are great companies solving really, really, real problems. You just got edged out by a tiny hair. Aviv, congratulations. And thank you very much to everyone for participating. One other thing… I think you may know this, but you have also won the grand prize, which is you are invited to be a guest on an upcoming episode of the CISO Series podcast. So, congratulations, Aviv.

[Aviv Grafi] Thank you very much. I just want to thank all the participants, and thank you, judges, and of course the team at Votiro for making this work well.

[Johna Till Johnson] And a special shoutout to Torq because you guys were terrific. We just had to break the tie somehow. So, I wish we could have had four grand winners to be perfectly honest. So, huge thank you to all the companies who participated and particularly Ivan at Feroot, Vladi at Lightspin, Leonid at Torq, and of course Aviv at Votiro. And audience, thank you so much for showing up today. You really made our Friday. And please, if anyone wants to register for season two to be a contestant or a judge, please contact info@CISOseries.com or go to the site, and there’s a contact button there. Thank you all very much.

[Voiceover] That wraps up another episode of Capture the CISO. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows – Super Cyber Friday, Virtual Meetup, and Cyber Security Headlines – Week in Review. All contestants of the show are sponsors of the podcast. If you’d like to sponsor and be a contestant, contact David Spark directly at David@CISOseries.com. Thank you for listening to Capture the CISO. 

David Spark
David Spark is the founder of CISO Series where he produces and co-hosts many of the shows. Spark is a veteran tech journalist having appeared in dozens of media outlets for almost three decades.