Capture the CISO S1E3: Feroot, Perception Point, and Sunday Security


Welcome to episode three of Capture the CISO, hosted by Johna Till Johnson (@JohnaTillJohnso), CEO, Nemertes.

Our judges are Dan Walsh, CISO, Village MD and Hadas Cassorla, CISO, M1.

Our contestants:

Please register for the finals, happening LIVE on June 17th, 2022 at 1 PM ET/10 AM PT.

Got feedback? Join the conversation on LinkedIn.

Huge thanks to all our contestants who are also sponsors of Capture the CISO

Feroot

Inspector
Through automation and “synthetic users,” Feroot Security Inspector helps you identify all your JavaScript web applications, third-party scripts, digital assets, and their data access. Manage your client-side attack surface and secure web applications from Magecart, e-skimming, XSS, and other client-side threats. Visit www.feroot.com/inspector/

PageGuard
Stop Magecart, e-skimming, XSS, and other client-side attacks with automated JavaScript security permissions and policies. Based on the Zero Trust model, Feroot Security’s PageGuard automates JavaScript security policies to detect and block unauthorized scripts, client-side malware, and anomalous code behavior to better protect websites and web applications. Visit: www.feroot.com/pageguard/


Perception Point

Perception Point is a Prevention-as-a-Service company for the fastest and most accurate next-generation detection and response to threats across email and cloud collaboration channels, including cloud storage, cloud apps, and any proprietary application as well as the web. The solution’s integrated incident response service acts as a force multiplier to the SOC team, reducing management overhead, improving user experience and delivering continuous insights for best protection.

Deployed in minutes, the cloud-native and easy-to-use service outperforms legacy systems to prevent phishing, BEC, spam, malware, Zero-days, ATO, and other advanced attacks before they reach end-users. Fortune 500 enterprises and organizations across the globe are protected by Perception Point.


Sunday Security

Sunday is a personal cybersecurity platform, built to help the enterprise protect its executives and key personnel beyond the enterprise perimeter.

By continuously analyzing back-end data, user behaviour and account configurations, the platform is able to determine and improve the security level of personal SaaS accounts, identify anomalous activity that could indicate a breach, and use automated incident response tools to remediate a wide range of attacks.

Full Transcript

[Ivan Tsarynny] Client-side security made easy.

[Dave Leone] Prevention as a service for email and collaboration channel security.

[Zack Ganot] Security just got personal.

[Voiceover] Capture the CISO begins now.

[Johna Till Johnson] Hi, everybody. Welcome to Capture the CISO. I’m your host, Johna Till Johnson. We have three contestants for this episode – Feroot, Perception Point, and Sunday Security. Again, these companies are not direct competitors, but they’re all being judged equally on the following three factors or as I like to call them axes – is their solution innovative, does it solve a real need, how easy is it to deploy. Judging these solutions will be this episode’s CISO judges – Dan Walsh, CISO of VillageMD.

[Dan Walsh] Thanks for having me.

[Johna Till Johnson] And Hadas Cassorla, CISO of M1 Finance.

[Hadas Cassorla] Thanks for having us.

[Johna Till Johnson] Our judges have already watched short demos of each company’s product. They know what the products do, and they’ve come armed with questions. You, too, can watch the demos of our contestants’ products. Please go to our site, CISOseries.com, and click the blue “Capture the CISO” icon. And you will get to see those videos. Dan and Hadas, before we jump in and start peppering the contestants with questions, I’d like to ask each of you in turn which of the three factors resonates the most with you – is it innovative, does it solve a real problem, how easy is it to deploy. And Hadas, I’d like to start with you. Which one of the three resonates the most with you?

[Hadas Cassorla] I think the solving a real problem is the one that resonates the most with me. While I do like shiny objects, so innovation is important, I think that just bringing in shiny objects into my environment isn’t a very sound way to do business, so I want to make sure it’s solving a problem I actually have.

[Johna Till Johnson] Dan, what about you?

[Dan Walsh] I think solving a problem is important, but I also think just ease of deployment because I think for as many problems as security teams have, they also don’t have a lot of time. And so is it something that I can deploy very easily, is it something that’s going to reduce [Inaudible 00:02:04] on my team. I think that’s I think the factor that I’m most interested in.

[Johna Till Johnson] And of course we’ll be judging on all three factors. Or rather I should say you will be judging on all three factors. Now before we jump in with our first contestant, I just want to stress one more time how brave these companies are for taking a chance on a brand new show, for sponsoring and competing in the very first season. These are the ones who took the chance. So, let’s throw some love at them. Go look them up online. Watch the videos, check out the demo videos, and learn a bit more about the solutions. And hopefully that’s what we’ll be helping you to do here.

Feroot

2:42.072

[Ivan Tsarynny] We came up with the idea of Feroot one night when we were having pizza in New York. My cofounder, V, said, “What if we can develop a scanner that finds every JavaScript script loaded by the browser when the person is using a website? This way we can find all issues that are actually happening in real time at the user session.”

[Johna Till Johnson] I’d like to welcome Ivan Tsarynny, the CEO of Feroot. Ivan, why don’t we kick this off by you giving a 30-second explanation of what Feroot does?

[Ivan Tsarynny] Our mission is to help businesses provide secure user experiences to their customers on the web because the client side of today’s web apps and websites is no longer built from end to end. Instead it’s assembled and compiled by the browser on the fly from a generally complex JavaScript supply chain. Number one, all the dynamic supply chain is blindly trusted by almost everyone, and how many of us have been already burned by blind trust. So, app sec teams use Feroot to automate the client side security of their web apps. Anything from discovery, to threat reporting, data leak prevention, and vulnerability management, and privacy reporting, and so on.

[Johna Till Johnson] Dan, you were nodding. You were smiling. So, why don’t you go ahead and ask Ivan any questions that are coming to mind?

[Dan Walsh] I think I know the answer to this, but why only JavaScript?

[Ivan Tsarynny] Not only JavaScript, but we started with JavaScript because everyone is asking about JavaScript.

[Dan Walsh] First of all, I do like the product. I think it does fill a need. What are the kind of hot use cases at the moment? Is it a certain industry? Is it everything is kind of Cloud based and accessed over the web? What are you kind of seeing from your perspective? What are your customers telling you?

[Ivan Tsarynny] A couple of topics here. Number one, industries. Generally anyone that is expecting to deliver web services to their users, patients, and so on, customers. So, anything from health care, financial, banking, tech, ecommerce as well. Now from use cases, it actually starts with simple things such as just discovering what do we actually have, what data do we collect, what is our supply chain looking like, where are those scripts being loaded from, which countries those scripts are sending information to. Are we leaking out data? Is our data being compromised? Maybe there is some malicious stuff going on. Just even getting visibility is…and enumeration and management of the assets. That’s the number one use case. Then there’s a lot more advanced stuff like threat intel prevention and so on once we go a little bit deeper.

[Hadas Cassorla] I guess I need a better explanation of where it sits in the environment and how it’s looking at that application, that web app.

[Ivan Tsarynny] It sits both outside of the environment and inside of the environment. Why we’ve taken that approach is that number one, to give a completely unbiased outside in view. Here’s how basically client side is looking like, here is how the attack surface on the client side looks like, here is how it looks like for the US users, or French users, or German, or UK users. So, coming in from different countries and creating kind of visibility from each region. So, what that means is actually going back to many are asking how easy or how hard is it to deploy. It takes five minutes because there’s nothing to deploy. All you need is just a URL or a company name to help us find it. The inside part that’s kind of the step two is a little tag or a little piece of code that sits in their client side code base that monitors for threat at the run time.

[Hadas Cassorla] So, aside from speed and some automation, why would I want this if I have a robust bug bounty program?

[Ivan Tsarynny] The variability of the client’s side code is something that companies have basically…app sec teams or even [Inaudible 00:06:40] is struggling. Why? It’s because code on the client’s side changes almost for every user, if not for every single user depending on your profile, if you’re male, female. Whatever your user session is profiled as, the JavaScript supply chain will reflect that. Therefore you need to be…you cannot really rely on just [Inaudible 00:07:00] problem or even pen testing, security testing because client side changes every single second. Every single user session usually has a different tag, different scripts. Therefore a run time, real time approach is needed to find those issues.

[Johna Till Johnson] Hadas, you don’t look convinced.

[Hadas Cassorla] I think that that’s true. I’m just wondering how impactful it would be. I think about everything through my lens in my environment on a day to day basis.

[Johna Till Johnson] I would like to sort of turn that question slightly. I know there are other products that are addressing this exact space. Not many of them. It’s not super crowded, but there is a focus. Ivan, what are you guys doing that’s different?

[Ivan Tsarynny] What’s different is the approach that starts with the discovery, first of all. Discovery of what data assets does the company have, and why it’s important is because front end teams, marketing teams, business teams generally add lots of landing pages, sign up pages, checkout pages, and so on. And they can edit on a daily basis or weekly basis.

[Johna Till Johnson] I’ll stop you there for one second because, Hadas, I think that may be an area of partly answering your question because your bug hunting program isn’t going to focus on building up an asset library.

[Hadas Cassorla] Sure.

[Johna Till Johnson] Now, maybe you don’t think that’s necessary, but it does strike me as one area of difference.

[Dan Walsh] The other thing, too, is a bug hunting program doesn’t care about GDPR, CCPA, or any sort of privacy as well.

[Johna Till Johnson] Okay, Ivan, continue. I just wanted to highlight that for listeners.

[Ivan Tsarynny] Actually discovery helps build the risk profile. Like basically, “Here’s the data assets you have.” Second question that it helps answer, how can you quantify that risk in dollars. So, “Here’s what data assets you have. Here is potentially dollar kind of impact if there’s any incidents or any data leaks.” And then the third question we help answer is what is the risk profile, how likely that something bad could happen there, something that you don’t want to happen. And then help prioritize, “Focus on these assets first. Ignore everything else because you don’t have all the resources in the world.” So, focus on the most important areas. Then, Johna, to your question, what’s different is then we have more drills to walk through the security program. Maybe you start with discovery, threat intelligence. Maybe prevent some problems then deploy CSP or deploy JavaScript security permissioning and many other things. Do some patch management and so on. So, there is a step for everything in the security program.

Perception Point

9:39.170

[Dave Leone] We came up with the idea when our founders, who served together in the Elite Israeli Intelligence Corps, saw the opportunity to leverage hardware level data to create our patented technology to stop zero day threats in a rapid fashion, making the scanning of all content much more practical than slow sandbag [Phonetic 00:09:57] approaches that were only able to scan select pieces of content at the time.

[Johna Till Johnson] I’d like to welcome our next contestant to the show. This is Dave Leone, senior customer success manager for Perception Point. Welcome, Dave.

[Dave Leone] Hi, Johna. Thanks for having me.

[Johna Till Johnson] We are delighted to. So, first question, hopefully the easiest, please give us a 30-second explanation of what Perception Point does.

[Dave Leone] Sure. So, Perception Point is on a mission to protect all organizations by detecting and intercepting cyber threats that may enter via text, files, URLs across email, application, and Cloud collaboration channels. So, this could be anything from regular emails to OneDrive, Google Drive, or more recently exploited things like SharePoint, Teams, and Salesforce. And all of that is wrapped around with our 24/7 incident response team who helps reduce false positives, train the engines, and kind of add an extension to your internal security teams and take the load off of your staff.

[Johna Till Johnson] So, now we have the answer of what you do. Now it’s time to start the questions on how you do it, and how it works, and what problems specifically and use cases it solves. Hadas, do you want to take lead?

[Hadas Cassorla] I do want to know how this is different from other products in the market that do email filtering. I don’t want to name any of them, but there are some really good products that do a lot of the sandboxing that I see that you guys do, and URL blowing up, and things like that. So, can you tell me what’s different?

[Dave Leone] The largest difference here is that we dynamically scan 100% of content. So, we use all of our engines with every item that enters the organization. This is done because we have proprietary technology, which we call the HAP. It’s the hardware assisted platform that essentially reverse engineers the files. With the introduction of the Skylake processors, we gain visibility into processor level data. And originally that was for performance reasons, but we took that and used it for security. And now we can reverse engineer a file. So, instead of a traditional sandbox taking around about 10 minutes for a file, we’re able to rip apart a file and detect zero days and N-days in a matter of seconds, and we’re able to do that for every piece entering the organization. So, as recently as January we were accredited with finding a CVE in the [Inaudible 00:12:09] so that’s the kind of live protection that we’re providing here.

[Dan Walsh] Talk to me a little bit about the services side. It looks like that there’s kind of a service where there’s an extension of an organization SOC team. Talk to me a little bit about that.

[Dave Leone] The incident response team is part of every license, so we don’t piecemeal out engines or services. The goal here is to provide total protection. So, the incident response team sits on the back end, and they do a number of different tests, one of which is just reviewing anything that the system may have a low, medium confidence on. Just hand reviewing the data. It just takes a few seconds. And then for example a false positive would get released, or they just validate the decision. In the case of say there’s a false negative because we’re never going to claim 100% accuracy, if there is a false negative we’re able to remediate that by removing the mail from the inbox using APIs. The team does that. They expand the search to your whole organization. They also expand that search if it’s a campaign for any other organizations we protect. And then they immediately update and retrain the engine that should have caught it and then rerun the message through to validate that it’s patched going forward.

[Dan Walsh] So, does your product run off of a signature, or is it just training the machine?

[Dave Leone] There are a number of different engines. They all run on different types of technology. For example with phishing. We actually follow links and unpack things. So, when we click on a link in an email, we’ll follow all the redirects, click on multiple links on the page. And then we’ll look at for example with phishing…we’ll look at image recognition to identify branding on pages. Then if the branding associated for example Microsoft, but the page is not registered to Microsoft or something like that, we’re able to identify it. With the HAP, that’s training and looking through the actual process level data. Then BEC is looking for context. So, we’re looking for sense of urgency, talking about finance, known users in the environment that are sending from nondomain emails like not the work domain, protected domain email address, things like that. So, it depends on which facet we’re protecting against, but all of the engines have thousands of decisions that are dynamically learning and then are additionally trained by that IRT.

[Hadas Cassorla] And do you have integrations with any CRM platforms as well?

[Dave Leone] We have integrations with Salesforce at the moment. And then we also have an API so we can provide additional data for other programs that may not have a direct integration.

[Hadas Cassorla] And you said that you couldn’t say that you have 100% accuracy, but I’m sure you’ve tested your accuracy. What can you say it is?

[Dave Leone] SE Labs out of the UK did a test. They run a test every year for multiple security products. They put us up against a lot of the competitors that we were talking about earlier. And we were ranked number one last year at 94% total accuracy. And right now our false negative is at 99.95%. So, .05% of false negatives and about 6% overall in false positives. This year’s results are in but not published, so I can’t share it, but I can tell you that they did come in higher than 94.

[Hadas Cassorla] I don’t think you answered this, but how quickly is deployment? What’s involved in that?

[Dave Leone] We have a one-click deployment process for Office 365. So, it takes all of 120 seconds to be live. Even if you were to manually configure the rules in your environment, the video that I shot for showing someone how to do it and explaining it took nine minutes.

[Hadas Cassorla] That’s great. I can get it into my environment. And then tuning it?

[Dave Leone] Tuning it is a really simple process. Usually it happens during the POC. We say two weeks. Depending on your email volume, it could be even sooner than that. Again with the IR team, the biggest issue with tuning is false positives. But because we have the IR team, it just puts more work on them for the first two weeks. But your experience with that should [Inaudible 00:15:49]

[Johna Till Johnson] Okay, Dan. Do you have a final question before we wrap with Dave?

[Dan Walsh] I noticed that you acquired I think it’s called Hysolate.

[Dave Leone] Yeah.

[Dan Walsh] And one of the things that I noticed that they do is the workspace as a service security. Talk to me about kind of how that technology works and along with kind of the suite of tools that you have currently in your platform.

[Dave Leone] Perception Point is trying to expand to cover a number of things. We obviously have access to a lot of data. So, we have an ATO function that is beta right now. And then also the purchase of Hysolate gives us a few things. So, Hysolate has their isolated desktop, as you mentioned. The big attractive part for them…for us is they also had an isolated browser that sits in the sandbox and is transparent on the operating system. So, it’ll be in the background of Windows, for example. Ultra-lightweight. And then when you click on certain links depending on…it’s essentially like a GPO, but it’s Cloud managed by the agent. Certain links or certain programs would open up in this isolated browser to protect you from navigating to sites or downloading malicious attachments that end up in the sandbox. Our goal is to integrate that with our scanning capabilities. So, as you’re protecting BYOD devices and things like that, where you can’t necessarily control the computer, we could still add additional protections where we can’t be on the front end of everything for the end user. Additionally there is a goal to add a Chrome plugin later this year, I believe Q4. And the goal of that is, again, to make it simpler to protect your end users. But also it allows us to protect Chrome OS. So, a lot of schools out there are using Chromebooks, and right now there’s really nothing to protect those effectively.

Sunday Security

17:36.245

[Zack Ganot] We came up with the idea for Sunday at our previous company, Pandora. At Pandora, we were protecting dozens of leading executives from attacks on their personal life in a manual B2C capacity. Working with these individuals, we quickly realized that personal cyber security, especially for executives and key personnel, needs to be addressed as an enterprise security problem.

[Johna Till Johnson] I’d like to welcome Zack Ganot, CEO of Sunday Security. Zack, welcome.

[Zack Ganot] Hi, it’s great being here.

[Johna Till Johnson] So, here’s the first question – can you give us a 30-second explanation for what Sunday Security does.

[Zack Ganot] Our mission at Sunday is to eliminate threats to the enterprise coming from the personal attack surface. Sunday is essentially a digital executive protection platform that protects the enterprise from targeted attacks on the personal attack surface. Our offering includes a first of its kind personal SSPM, so your executives and key personnel can easily secure their personal online accounts and interactions, an enterprise platform for the security team to manage and gain visibility into what we call the personal attack vector, and the personal SOC, available to you and your executives 24/7 to manage and respond to any personal cyber security incidents that could potentially impact the enterprise or its reputation.

[Johna Till Johnson] Dan, questions for Zack?

[Dan Walsh] I think about executive security protection as really two things. One is how do we keep their privacy online so the data harvesters just aren’t having a field day with everything they’ve put out there. Does Sunday Security scrub that data off of the web?

[Zack Ganot] I wouldn’t say it’s in the core of what we do, but it’s definitely an extension of our offering, and it’s actually in the roadmap. We used to do that manually actually as a service company, but now there are some really cool features coming out even in Google internally that they actually just announced it. We will be building automations around stuff like scrubbing their personal information. But really I would say the focus is a lot more on preventing things like account takeover on their personal online accounts. So, I would say security first, privacy second.

[Dan Walsh] So, if I know everything about a person and I know…then I can just purchase their [Inaudible 00:19:35] email dumps from their Yahoo account that they’ve had since 1998, how are you kind of protecting against that when I can just…if I’m an attacker I can just put a script together and just start hitting their accounts? I could call them impersonating a bank or something, asking them to give me their MFA code that just got text to them for security. How do you kind of guard against just the plethora of information that you’re going to be up against if you’re not putting privacy first?

[Zack Ganot] I do want to reiterate, privacy is very important, and I think privacy and security kind of go hand in hand. We don’t want our customers having their personal emails or phone numbers out there. But I will say privacy alone is definitely not the answer. And so Sunday takes a whole new approach to the problem. I mean really our platform sits inside of their accounts. So, if you’re that attacker and you just purchased a Fortune 500 company CEO’s personal email and password, and you try logging in, we’ll meet you at the door. We’ll recognize your device. We’ll say it’s unusual. We’ll see you’re probably using a VPN or an IP address that we don’t recognize. Basically what we do… And this is kind of a very dumbed down explanation. But we have hooks inside the accounts, and so we monitor the accounts, and the activity, and the security settings of the personal accounts in real time. And so if we see something like suspicious activity, we can actually compare it to all of our data. We unsilo the data from all the different accounts and compare it. Then we create like a personal security profile. This is Dave. These are his known devices, his known locations, his known IP addresses, his known behavior. And that really helps us in a situation like that. Although I will say our key goal is to prevent events like that. So, when people onboard to the platform, the first thing that we do is assess the level of security in each account and kind of walk them through a wizard of, “Just click on A, B, and C, and you’ll have your MFA enabled, and your password won’t be on a leak database because we check for that every day.” So, it’s kind of like a continuous pen test to the account.

[Dan Walsh] Got it. And it sounds like you’re using some risk scoring as well.

[Zack Ganot] Oh, yeah.

[Hadas Cassorla] So, if you do see something that is suspicious on a personal account, a login attempt, what then happens?

[Zack Ganot] That really depends. Our offering is built from three main components. So, component number one is actually an app. It sits on your executive’s phone. He would… Let’s just say we recognized an unusual login. He’s the first one that would get an alert. So and so logged into your account. Is this you? He may not see it. He may ignore it. Or she. That’s kind of component number one. Component number two is the enterprise platform, so that same alert would go to you, to your security team. Our thesis is that these kinds of alerts need to go directly to the enterprise. He needs to know about this, but you need to know about it, too. And the third component, which is our personal SOC, also gets the alert. So, really you’re kind of getting all the main stakeholders on this event in real time as opposed to what happens today, which is the executive kind of has to deal with it alone. Maybe he calls up the CISO, maybe he doesn’t. Maybe he understands he’s being hacked. Maybe he doesn’t. So, it’s really kind of bringing all the stakeholders together onto the problem.

[Hadas Cassorla] My executives don’t remember that they opened up a Hotmail account in 1998. How do I make sure that their entire personal profiles that are online are covered under this?

[Zack Ganot] When you give us access to your accounts, one of the first things that we do is we scan your accounts for links to other accounts. So, if you set up that Hotmail, but you somehow connected it to your Gmail account, and we see it, we will scan your account and bring that up to you. We’ll say, “We recognize, Hadas, that you have accounts on Facebook, LinkedIn, Hotmail, Tumblr.” Now, that… You can’t really reach all people’s personal SaaS accounts. There are literally hundreds. But our main goal is to reach the main ones – the ones that are ecosystems, the ones that have a lot of risky data. If you opened up a Hotmail account in 1992, but there’s nothing there, it’s probably not a huge risk to you or to the enterprise.

[Johna Till Johnson] Dan, any final questions before we wrap up with Zack?

[Dan Walsh] How do you think about or delineate between personal accounts that an executive may not want to have their CISO or security team be aware of? So, as an example…

[Hadas Cassorla] Ashley Madison.

[Dan Walsh] Ashley Madison.

[Hadas Cassorla] Sorry.

[Laughter]

[Dan Walsh] Yeah. No, exactly. That’s what I was thinking.

[Johna Till Johnson] I love how both of you went to the same place at once.

[Dan Walsh] And obviously those can be huge vectors for attack. So, how does Sunday Security think about that delineation?

[Zack Ganot] We basically let the executive decide which accounts he wants to connect to the enterprise platform and which he doesn’t. And that doesn’t mean he won’t get protection. But he can put you in the loop, or he can have a loop directly with us. So, if he does have an Ashley Madison account and we protect it, we’ll be the ones dealing with the events. That’s actually a legal thing. He actually has to give consent for the information that we share with you.

What do our CISOs think?

24:21.561

[Johna Till Johnson] Hadas, Dan, now we have the most fun part of the entire show, which is where we get to talk amongst ourselves, or rather you get to talk amongst yourselves and give us your honest opinions of the contestants. So, what I’d like everyone to do is give us a little bit of your thoughts on how each of the companies compared on the three axes that we talked about – innovation, the need for the product, and the ability to deploy. Let’s start with Feroot. And Hadas, why don’t you take it away? Your thoughts on Feroot.

[Hadas Cassorla] I really thought they were quite innovative actually. I like the automation aspect to it. I love the discovery capabilities. It definitely solves problems that I have. And I think that as everybody is trying to keep leaner teams, having automation be available to do your application security is super helpful. Then finally it sounded like the deploy was pretty easy, especially from the external perspective. So, I was quite impressed with them.

[Johna Till Johnson] Dan?

[Dan Walsh] I would agree with Hadas. I thought that… I’m a big fan of security tools that kind of take multiple domains and loop them into one solution. So, when we think about this organization, this product, you have the bug bounty aspect that Hadas brought up. You have the governance aspect, the asset management aspect, and you also have the privacy compliance aspect. And so the fact that they kind of package that all together… I especially have a soft spot for what I would call asset management on the fringes or things that we don’t traditionally think about as asset management. So, I really like the way that they’re positioning that. I also thought it was a very innovative company, product. I thought that they handled the peppering of questions pretty well and explained the value proposition. So, I was also pretty impressed with that organization.

[Hadas Cassorla] Yes, the asset management. I forgot about the asset management. Also a plus on that.

[Johna Till Johnson] So, let’s move on to Perception Point. Dan, what are your thoughts on those three axes for Perception Point?

[Dan Walsh] I think with Perception Point, that’s probably one where of the three of them I would love to have spent a little more time with them. But I would say I feel like it’s innovative. Of course with all three of these we really didn’t get into sort of their price points, so that would be something that I would be very interested in. Does it solve a real need? Yeah, I think it does. I think the fact that they’re kind of expanding beyond your traditional BEC and email phishing I think is a good thing. Especially when we think about the rise of some of these attacks that we saw last year, especially if you think about the Microsoft SharePoint type of impersonation attacks. Ease of deployment, Perception Point is one that is I think pretty standard, as I think about some of the other tools that I have deployed recently where they kind of have a learning period that’s typically within the POC, which I think is standard. So, I thought overall it was very solid. But I do think that the space is crowded kind of overall, but I think they’re doing a fine job in terms of differentiating themselves.

[Hadas Cassorla] Yeah, I totally agree with that except that I would say that while they are being innovative, I think it’s incrementally innovative. While that’s great, because that’s how the industry moves, a little new thing at a time, and that’s fantastic, it didn’t blow my socks off like, “Oh, this is an absolutely new product.” There are competitors in the space, as Dan said. I would definitely look at them as a problem solver for this particular problem in my environment and test them against those other products in the space. They showed up really well. I think I may have been a little more conservative on the innovative portion just because it’s such an incremental innovation.

[Dan Walsh] It’s also kind of a commodity, too, if you think about it. I completely understand where you’re coming from.

[Johna Till Johnson] Yeah, it’s a little harder to be innovative in that space. Okay, last but not least, Hadas, why don’t you tell us what you think about Sunday Security?

[Hadas Cassorla] I’m of two minds. I absolutely love what they’re doing. The executive suite is obviously a huge target for spear phishing and having the capability to help them be more protective of their personal environment, personal threat landscape is very intriguing to me. I think that that is innovative, and I think it does solve problems. My concerns, I think, are on the deployment at the will of the executive themselves and not really knowing how much of that threat landscape I’m now responsible for. My other concern is now suddenly I’m more responsible for their personal security, and that’s something I would need to get more comfortable with. Then I think finally… We didn’t get a chance to talk to them about this, and I’m sorry to say about that, but I also have a mild concern on creating a threat vector on their personal accounts by adding this tool in. I’m sure that they have thought a lot about how to do that securely and how to maintain security. I wish we’d have been able to delve a little bit deeper into that specifically. But yeah, I’m going to keep watching them for sure.

[Dan Walsh] It’s very difficult for companies like Sunday Security to, I would say, comprehensively cover everything if they’re not going on the offense with the scrubbing of the executive’s data from the data aggregators. I just think there’s so much data out there. Think about how much data gets onto the data integration sites when you purchase a home, or when you purchase a car, or when you change addresses, or you change jobs, or through SEC filings. I just struggle with how they can be the most effective if they’re not reducing the attack surface. So, I think that’s one concern. I also share Hadas’ concern, which is do I trust my executives…not their intent certainly but their ability and kind of their knowledge…that’s why they hired Hadas and me…to be able to make the decision to delineate between what they would deem sensitive that could put them and the company in a bad position and what they would deem out of scope because they just don’t want me to know about their 1998 Hotmail email address or whatever. And so I don’t know. I think it could also potentially create a false sense of security, just the fact that they have it. But I do think that this is a space that is vital, particularly coming out of the pandemic, particularly coming out of the office network basically being erased and people kind of going on to BYOD and work from anywhere, and jumping on any network. And that line between professional and personal kind of being blurred or erased in some cases. So, I do think that this is a space that is ripe for innovation. And like Hadas said, this is a company to keep an eye on.

[Johna Till Johnson] Yeah, I kind of share that feeling. When I was a chief technology officer, I think my reaction, had they been around then, would have been this is an absolute necessity, I need to buy this for every executive in my company except me. [Laughs] Amusingly enough, our CEO actually was the source of an attack on our company. I actually think it was a staged attack. I don’t think we got really hacked. But so I know firsthand there’s very much a need for it. On the other hand, as a senior executive I would have felt squeamish about using it, and I think everyone would, too, for all the reasons that you cited.

[Hadas Cassorla] And if I put my former attorney hat on also, there is a part of me that is like, if I’m accepting this as now my responsibility, what kind of liability am I now opening myself and my company up to, to protect their personal space? So, that’s another question that’s just kind of running around in my head.

Final Scores

32:07.196

[Johna Till Johnson] And now we come to the really fun part, which is where the judges give us their scores. I’d like each of you to just go through and give us the scores for each of the companies, and we’re going to start with you, Dan. Total them up and tell us what you’re giving Feroot.

[Dan Walsh] Feroot I’m giving a 27. For Perception Point, I’m going to give a 25. And for Sunday Security, I’m going to give a 24.

[Johna Till Johnson] Hadas, what about you for Feroot?

[Hadas Cassorla] 27. For Perception Point, 23. And for Sunday Security, 21.

[Johna Till Johnson] So, that means what we have for Feroot is a 54. For Perception Point, a 48. And for Sunday Security, a 45. Which makes Feroot our winner. Ivan Tsarynny, the CEO of Feroot, is not here and won’t hear the result until this episode airs. However, they will be joining us on June 17th for our live finale, which you can go ahead and register for right now by going to CISOseries.com and clicking the blue “Capture the CISO” logo. Huge thanks to our judges, Hadas Cassorla and Dan Walsh, and our contestants, Ivan Tsarynny, CEO of Feroot, Dave Leone, senior customer success manager, Perception Point, and Zack Ganot, CEO of Sunday Security. Thank you, guys, very much. Check out the demos for all of this season’s contestants. And again, register for the live finale on June 17th. Feroot will be competing against Votiro and last week’s tie between Light Spin and Torq to see who will capture the CISO.

[Voiceover] That wraps up another episode of Capture the CISO. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows – Super Cyber Friday, Virtual Meetup, and Cyber Security Headlines, Week in Review. All contestants of the show are sponsors of the podcast. If you’d like to sponsor and be a contestant, contact David Spark directly at David@CISOseries.com. Thank you for listening to Capture the CISO.