Techzine Talks on Tour

From encryption to exfiltration: how do you secure and protect your data?

Coen or Sander Season 1 Episode 14

Organizations invest $200 billion globally in IT security. However, data breaches and ransomware attacks are still rampant. How can that be? What does this say about the impact of all those investments? We discuss these and other topics with Filip Verloy, Field CTO at Rubrik, one of the big players in this space. 

At RSA Conference earlier this year, we recorded a number of episodes for our relatively new Techzine Talks on Tour podcast series. Data security is without a doubt one of the big themes for organizations to get right. As is the case for virtually all other components of cyber security, it turns out to be quite a daunting task to do so.  
 
According to Verloy, one of the key things an organization should do is adopt a so-called 'assume breach' attitude. This is especially important when it comes to an organization's data, as that is usually very valuable. One of the trends Verloy identifies in this respect is that attackers are shifting from traditional encryption methods to sophisticated data exfiltration techniques. That fundamentally changes the game. Among other things, it shifts the focus from prevention to resilience.

Tune in to this new episode of Techzine Talks on Tour to hear much more about what's happening in data security. It's a very important topic that should be near the top of the list of priorities for organizations. Especially with AI and new regulations like NIS2 being added to the equation, effective security posture management is of paramount importance.    

Speaker 1:

Welcome to this new episode of Techzine Talks on Tour. My name is Sander and I'm at the RSA Conference in San Francisco. I'm here with Filip Verloy, who is Field CTO EMEA at Rubrik. Welcome to the show.

Speaker 2:

Yeah, thank you.

Speaker 1:

Well, you work for Rubrik, so we're probably going to talk about data security, I would imagine. But just let's start with a bit of a wider lens. What do you see in general happening, especially in the area of ransomware and the threats around that?

Speaker 2:

Yeah, so Rubrik, of course, is very much focused on that ransomware angle. So I think, in general, if you look at data security, there's more and more talk about resiliency now. So I think, if you look at security in general, it used to be focused quite a bit, and still is, on preventative capabilities. But because of regulatory pressure and just what's happening in the news almost each and every day (there's data exfiltration, there's ransomware news), people want to talk about resilience, more like how do you bounce back quickly and successfully? So I think most data security vendors are sort of going in that direction.

Speaker 1:

To be clear, exfiltration is something different than ransomware, I mean because it's probably part of it, but not always.

Speaker 2:

Yeah.

Speaker 1:

Do you see a trend there towards exfiltration more?

Speaker 2:

Yeah, I think we see a clear evolution there towards exfiltration. Like, the initial first wave of ransomware, let's say, sort of happened in 2017. Of course, we had this whole Petya, NotPetya, WannaCry type ransomware, and then it sort of proliferated to enterprises as well, and that's mostly, I think, a result of the Shadow Brokers leak, the NSA Shadow Brokers leak in 2017, and they had this nice tool called EternalBlue. It's all in the open now, so malicious actors can use that tool to infect companies, and that's sort of what kicked off that real big first initial wave, I think, of ransomware, which was purely focused on encryption, or mostly focused on encryption.

Speaker 2:

Yeah, of course, these malicious people, they are after profit usually, so the more shots they have at holding somebody for ransom, the more chance they have to get the ultimate payment. So exfiltration is sort of ransomware 2.0. That's how I think about it. So typically they exfiltrate your data, then they encrypt your data, and then they have two shots to hold you for ransom. There's, of course, other techniques as well, like doing double encryption and so on, but we see that the amount of exfiltration in a typical ransomware campaign went from less than 40% two years ago to now more than 80%.

Speaker 1:

And it gives them an extra angle as well. Right, they can always say we will release your data anyway afterwards, because they've exfiltrated the data itself.

Speaker 2:

Yeah, I mean, at the end of the day, you still have to trust somebody with bad intentions, right? So how much can you trust that they won't leak the data anyway if you have paid them, and we see that happening as well?

Speaker 1:

Well, it's also... Maybe, especially as you work for Rubrik, it could also be the result of being successful in having people back up their stuff better. Because back in the day, when it was only encryption, you keep it: I will just back up from where my backups are. But now, obviously, they have another tool to actually hit you with, right?

Speaker 2:

Yeah, yeah, but I think even initially, when we saw people successfully backing up these large enterprises and sort of trying to recover from ransomware, typically what we still see in those ransomware attacks is that people will go after the backup repository first. So if you don't have some, let's say, security capabilities (typically it's an immutable copy of the data somewhere), then they will hit your backup and recovery capabilities first, because they know that's what you're going to attempt to do. But to your point, yeah, I think it does play a role, where they now think, okay, maybe they have recovery capabilities, so what is our next best shot here? It's if we exfiltrate the data. And I think, but it can still make a big difference between paying or not paying, right, because I seem to remember the two big casino chains being attacked in, what was it?

Speaker 2:

November or?

Speaker 1:

something like that, and one of them actually had a good recovery in place and they didn't pay, and the others apparently didn't have their systems in order and they paid. Yeah, that's the difference.

Speaker 2:

Yeah, no, absolutely, absolutely. We see the same thing now with UnitedHealth, for example, in the US. It's sort of slowly being publicized like what the actual impact was, but also the amount of cost they generated by not having that capability of recovery.

Speaker 1:

So yeah, so and it gave you and companies like Rubrik obviously more of a cybersecurity angle into the market, which is, I mean, do you consider yourself a security company?

Speaker 2:

Yeah, we do.

Speaker 1:

Yeah, I remember I saw, I think it was from your CEO downwards, right, because he was actually actively calling yourself a cybersecurity company on LinkedIn and all the posts, starting a couple of years ago. Does that make sense for a company like Rubrik to do this, because the security environment is already huge in the industry? Why do you want to be part of that?

Speaker 2:

Yeah, I see where you're coming from, but I think our thesis is a little bit that data security is sort of the future of cybersecurity. That's sort of the idea on which we sort of built this new platform that we've created. I think if you look at what attackers are typically after, it's the data, right? It's the most valuable commodity that most organizations have, next to people, I would say. So if you don't have application availability and you don't have data, then your company is not operational, and these malicious actors, they know that, so they're going after the data. So I think if you want to truly be a security company, you have to have that data security angle as well, but it is part of a larger defense in depth strategy.

Speaker 1:

You being a data company by nature or from a foundation, it's a logical step for you to take up that baton, Because you could also say well, why don't the normal big security players become data security players as well?

Speaker 2:

Yeah, yeah, yeah. So I think the way that we architected the solution, sort of from day one in 2014, is we built an immutable file system, and the immutable file system is still the basis of a lot of our capabilities here. And so if you take that reverse angle and you say, like, why don't, you know, typical, let's say, perimeter security companies build a data security strategy? It's that they don't own that data. So they can potentially see data flows and so on, but they don't have a copy of the data.

Speaker 1:

But, to be clear, data security is only part of your security stack, right? So you still need all the other stuff as well.

Speaker 2:

Yeah, absolutely.

Speaker 1:

And it integrates with them as well, right, yeah?

Speaker 2:

Yeah, I think that's. The other important bit is that we're trying to build a platform, and the core of the platform is that data analytics capability that we have on top of backed up data, and that's where we are adding on those security capabilities like threat hunting and so on, ransomware detection, ransomware investigation. But next to that, we also have security capabilities that don't require a copy of the data either, like that can work at the level of data at rest as well. So that's, I think, why we can legitimately claim we are a security company.

Speaker 1:

And what about, from your perspective, the ways attackers get into an environment? Right? I think identity plays a large role in that, from my perspective at least. What can you do against that? I mean from a data security standpoint.

Speaker 2:

Yeah, no, I think I definitely agree with that standpoint. Like, identity is probably the number one attack vector today. That's how people get in, especially in the cloud. I don't know who that stat came from, it might be Unit 42 of Palo Alto, but I think more than 90% of the initial intrusion vector is identity in the cloud.

Speaker 2:

You can find identity and account information almost anywhere these days. There's more than 12 million accounts on GitHub that were publicly available, like account information. So there's things like RedLine Stealer campaigns, where you can just download a bunch of corporate identities out of a Telegram channel or a Discord channel. So that's the easy way in for most attackers now. It used to be: how can I breach the perimeter? How can I take advantage of a security misconfiguration, or maybe even a zero day or something like that, getting into the system? Or even if you think about phishing somebody versus just trying to log in: if you phish somebody, they still need to click on that link, somehow get a compromised device, and then you can get in, maybe, as an attacker. But if you have the credentials, you don't have to do anything.

Speaker 1:

You just log in. Logging in is the new breaking in.

Speaker 2:

Yeah, logging in is the new breaking in, and because it's a legitimate credential, your security tools won't trigger anything.

Speaker 1:

Well, there are some companies that are actually focusing on this Azure AD and Entra ID kind of environment, and I just had a chat with one of them, and they have 150 indicators of compromise, even with normal logins.

Speaker 2:

So something is happening in that space, but it's very hard. Yeah, I think even from the data angle, you can see a couple of things related to identity. In terms of, for example, let's say you capture the full backup of Entra ID and you do this on a regular basis, like each and every day, and you start comparing access of a specific user or a group one day to the next, and you suddenly see a very weird change, an anomalous change. Somebody in the engineering department all of a sudden got full admin rights on the entire environment. So things like that could be an indication something is about to happen, let's say, so you could definitely react to that. So that's also something we, from a data angle, can see.

Speaker 1:

It's a very hard problem to fix, because how do you determine for certain that something is wrong? It's extremely hard to do.

Speaker 2:

Yeah, I think even just mapping out what the effective permissions are for a user today has become very difficult. Like we have Active Directory, that's true, but there's permissions and roles and stuff in the public cloud and these things are mapped together. So how do you understand assigned permissions versus effective permissions?

Speaker 1:

That's already a serious issue, and then you get into the IAM space and the privileged access and how these things interact with each other. It gets confusing quite quickly. I think, yeah, and you mentioned earlier that you see more about resilience now. On the one hand, I think that's a good evolution, but it also comes across a little bit as let's just not bother too much with prevention anymore, because we're I mean from your standpoint, where you are the last line of defense with all your data, then I get that.

Speaker 1:

But in general, do you think that's a good evolution to not necessarily focus on prevention that much anymore?

Speaker 2:

If you agree with that, yeah, I wouldn't necessarily put it that strong as in don't focus on prevention anymore. I still think defense in depth is the right strategy, so it needs to be prevention plus recovery to get to cyber resilience. But if you look at how much money end users in general are spending on IT security, IT risk management and implementation services, it's over $200 billion a year. And then if you see all of the data breaches and ransomware attacks in the news, it's sort of not like it's not matching up. So we're spending quite a lot of money on preventative measures and these things keep happening. So that's why it needs to become a combination.

Speaker 1:

That means if you spend so much money and this still happens, it means it's not really working very well.

Speaker 2:

The prevention? Or you could say, without spending that $200 billion, it might be even worse. Proving a negative is always very hard. Today we see there's a ransomware operation every 40 seconds, and every 10 seconds it's successful. Without those preventative measures, maybe it's successful like every two seconds.

Speaker 1:

That's always quite hard to do but there is a certain inevitability about this right that you need to just accept. Yeah.

Speaker 2:

I think, if you sort of assume breaches, this is sort of how people are starting to look at it. So typically thinking it's not a matter of if it's going to be, it's a matter of when, and these days it's not only a matter of when, it's how many times it will...

Speaker 1:

It will happen, yeah. It's a bit of a depressing thought. Yeah, yeah, no, that's true.

Speaker 2:

So I recently saw a stat from Proofpoint, and they say 94 percent of all cloud environments are attacked on a weekly basis.

Speaker 2:

And two-thirds of them are successfully breached. So it is happening. It's sort of happening to everybody. But I think if you go into this, assume breach mentality, it sort of can remove some mental roadblocks on how you think about security in general. So it sort of extends your vision from focusing purely on the preventative side but also incorporating the resilient side. And if you know you have recovery capabilities, it sort of eases your mind a little bit in the sense that, okay, if it happens and it probably will happen we can bounce back.

Speaker 1:

Companies still need to find a certain balance between one and the other, right? So pulling all of the $200 billion a year on the preventative measures? That's probably not the solution as well, right? Because, as you correctly mentioned, maybe it would have been even worse if we didn't have all the prevention going on.

Speaker 1:

So how do you do that as a company or as an organization? How do you determine the balance between resilience, prevention and all the other kind of security related things for your company?

Speaker 2:

Yeah, I think you look at this through the lens of risk. So you try to determine what is the actual risk and what is the attack surface that I have and what does the combination of that mean. So if you think about risk, typically the way I look at it is what is the likelihood that something will happen and, if it happens, what is the impact for my organization? And then what can I cover off with preventative tools and what can't I cover with preventative tools and need resilience for.

Speaker 1:

So that's... and the effect of something like this, do you measure that in a monetary kind of value, or in reputation, or in, I don't know, any other?

Speaker 2:

Yeah, I think it can be a combination of both, and it typically is, I think. So risk at a higher level in the organization is not only determined by IT risk, of course; there's other types of risk. But, for example, if you look at what are the chances that my factory floor will burn down and what are the chances that a cyber attack will happen against my factory environment, it turns out it's five times more likely that a cyber event will happen than it burning down. But that's how you need to think through risk. So what can likely happen? That's what we're going to invest in and protect against.

Speaker 1:

And then from a backup perspective. That's obviously. That's why backups were initially invented. Right To say well, what if a plane falls on my data center? I need to be able to back up everything, and those are very unlikely things. So you need to have a complete shift in your head about how you think about backing up your data and securing your data and all that stuff.

Speaker 2:

Yeah, absolutely. So that's why you see things like people building resilient environments, and that's why the cloud has redundancy and high availability and all those things. But that backup copy is sort of, like you pointed out before, the last line of defense. So if everything else fails and you have an immutable backup copy and you have the capability to recover quickly but also intelligently, meaning: what if there's still malware in that backup data that you have, and you're going to just restore it back to a production server and reinfect your entire environment? So those types of additional security capabilities you need to layer in, but it's still the last line of defense.

Speaker 1:

More generically, right, because I think for a lot of people, a lot of companies, one of the biggest risks is still being attacked by ransomware, whether that is for encryption purposes or for exfiltration purposes. That's a different topic we already covered. How can you determine the risk for that, right? So I think they all think, they all know that they're vulnerable, right?

Speaker 2:

Yeah.

Speaker 1:

But it's... I mean, what I'm trying to say is, paying when you're attacked is always on the table for some companies. Do you think we need some sort of a prohibition on paying for ransom, paying the ransom for a ransomware attack?

Speaker 2:

Yeah, it's a sort of double-edged sword, of course. So if you pay, you signal to the malicious actor that you're open to paying, and you might become a victim again down the line because they know for you it's an option to do that. So I think, you know, it does more harm than good, but if there's no other option, you can't just, you know, stop.

Speaker 1:

It's also... you have to be realistic as well, right? Because I once had a chat with someone and he said, well, for us, paying has always been an option. We kept it on the table because if we cannot accept orders in our environment for more than a week, we're basically done, we're bankrupt and we're going to go away, and that means 50 people don't have a job anymore. So there are some voices in the world saying we should just ban the payment of ransomware attacks, but that's not very realistic.

Speaker 2:

Yeah, generally I would agree with that. I think, let's say you're a hospital and there's 1,000 people in 1,000 beds in your hospital and you get ransomware and you're not allowed to pay a ransom, and that's the only option you have to recover. What are you going to do by then? It's a matter of literal life and death. So yeah, to some extent it should still be possible. But I do agree that, you know, we need more regulatory scrutiny there to sort of figure out, like, is this really our last resort to pay ransom, or should we force companies to come up with some sort of resilience plan?

Speaker 1:

That brings me to my next one, because that was actually the lead-in to the rules and regulations part of this issue. Obviously, we're going to get a lot of stuff in Europe at least. We're going to get NIS2, and we're going to get DORA, and there are already other things in place, and probably a lot more coming, because we love to make rules in Brussels. What will that do for data security? Will it help? What's your view on it?

Speaker 2:

I think it will help in a way that it allows security people to have a conversation with the grown-ups in the organization, meaning with business leadership, because to some extent they're now being forced to take action. There's potential fines associated with these regulations, potentially serious fines associated with them, but we've seen in the past with things like GDPR that that's not always enough to force people to take appropriate action. But still, now I think it becomes part of that risk calculation. So if we are on the line for, let's say, $10 million, if it's DORA or NIS2, for example, or 2% to 5% of your yearly turnover, those are serious numbers for a large organization, so they can take that into their risk calculation and then figure out how to respond. So I do believe it can help. On the other side, we have to avoid it becoming like a sort of checkbox operation where people say, yeah, compliance is never a good solution.

Speaker 2:

No, I'm just going to do it because they want me to do it, but in reality I've not really implemented it in a decent way.

Speaker 1:

My question is also how realistic is, for example, something like NIS2, where in some of the articles you have the reporting duty, right? So on the one hand you have to tell people within 24 hours of detecting a breach that you've been breached, but you also have to have a full report available within 72 hours. I don't know all the companies in the world, but I think over half of them will just plainly be unable to do that. This regulation will come with a lot of extra investment to actually be able to just prove you were breached and do the full reporting, right?

Speaker 2:

Yeah, no, I absolutely agree with that. I think that's probably one of the bigger challenges, the reporting duties that you have. Like I mentioned UnitedHealth before as an example: they are still not able to report exactly on what was impacted, right, and it's weeks later, because it's extremely difficult, and typically what happens is they bring in a third-party solution provider, an investigation organization, to help them figure out what went wrong. So that's another thing we have to sort of make part of the platform, is build capabilities that make that really easy, because we now know regulation requires it. So an organization should build in their platform the capability to report on that.

Speaker 1:

But that indirectly means that they're going to have to do some very heavy investing into their estate in general, because they probably have to throw out lots of legacy stuff and replace it with something more modern and more up to the task of actually getting all the data that you need to do the reporting.

Speaker 2:

Yeah, and if you think about the changes in infrastructure, they are playing against organizations as well, right? So if you create the majority of your data on-premises, let's say, there are probably tools available that can relatively easily help you with those things. But what we see is that most data today is created either in the cloud or in SaaS applications, and typically, if it's cloud, it's multi-cloud. So how do you now understand what data was impacted after the breach if it's across all those environments?

Speaker 1:

So, yeah, that's up to modern data security tooling to help them. Yeah, but I think also, again, an example of a very ambitious sort of rule or regulation or a directive, and in this case NIS2 is a directive, that's not entirely realistic for many companies, at least not before the 17th of October.

Speaker 2:

No, I would definitely agree with that. Yeah, so it first needs to be put into local law, of course, and then we'll see you know how watered down some of these things become, but I think the concept is valid.

Speaker 1:

The reporting concept is valid.

Speaker 2:

But yeah, regulation and reality are typically two different things.

Speaker 1:

And, on the other hand, I think it came officially already. It came into force in the beginning of 2023, right?

Speaker 2:

Yeah.

Speaker 1:

But then obviously the local regulation has to do with local law and all that stuff. So companies have had quite a number of months, and maybe even years, to do something about it.

Speaker 2:

Yeah, yeah, you can't be surprised anymore. No, no, that's true, that's true. Yeah, sometimes you need a forcing function, and running out of time could be a good forcing function for people, but then maybe you won't have the best implementation, because you're rushing into things. But yeah, that's a different problem. Yeah, so we have one...

Speaker 1:

We solve one problem with another problem. It's maybe not the best way of doing things. And obviously we cannot have a discussion in 2024 without talking about AI or Gen AI. What's your view, through your lens of data security? How does it impact that, both from an attacker perspective and from a defensive kind of standpoint?

Speaker 2:

Yeah, I think in general, if you look at security or cybersecurity, it's a big data problem, typically right.

Speaker 2:

So you have a lot of systems live systems that generate a lot of logging information, for example and if you can intelligently leverage some of that logging information through AI capabilities or machine learning is maybe a better way to put it and sort of filter some of that signal out of that noise, I think there's an opportunity to build some interesting tooling using that. Of course, just like with what we saw with cloud before you had a lot of cloud washing going on, like all of a sudden, all solutions were cloud solutions. Today we're sort of seeing the same thing with AI and especially with generative AI. All of a sudden, everybody has a generative AI play and especially in cybersecurity it's prevalent. So I always feel you have to sort of step back and understand what is the reality here and what does it mean for a specific solution. But I think from a data security perspective, there's a lot of potential. Just because of all of the data and data growth that we're seeing, that's becoming a superhuman problem. You need some sort of automation there to help filter out.

Speaker 1:

That's something I hear a lot now and this week not only this week but also, I mean, in the past months and years toward sort of an automated AI kind of automated security kind of approach. That's not something, again, that a lot of companies like, because they see lots of things that can go wrong, especially in the more regulated sectors. Yeah, they don't really want, I mean, and we haven't even been able to solve the patching problem. Yeah, so that's something that could ideally be very easily tackled with automation. But there you have lots of exceptions why you don't want to or you can't, or you're not allowed, or blah, blah. All the patches, yeah. So if we can't solve that one, how are we in God's name going to solve the bigger one with automated cybersecurity?

Speaker 2:

Yeah, no, I would generally agree with that statement. I think people still want a human in the loop. If you talk about things like automated remediation, for example, on the basis of AI, a lot of people like the concept, but then they think it through. Okay, so I go home at 6 pm in the evening, I come back to the office at 9, and some AI tool made 10 configuration changes in my environment because it detected something. Most people are uncomfortable with that scenario, so they still want to be informed by the AI, but they want to still make the decision themselves. Some things you could actually just immediately remediate. In your previous example...

Speaker 1:

When somebody who's not allowed to create an admin account for something, that's something that you could automatically say we're not doing this. I mean, they can create it, but it will never go into force. I could see some automation controls around that.

Speaker 2:

Yeah, I think some of those capabilities where you're not potentially impacting the availability of an application for an end user, I think those can be automated away to a large extent. But, yeah, it's more about making sure that when the factory starts humming in the morning, people can actually do their work. So that's where automation is maybe, you know, not yet fully real today.

Speaker 1:

Banks, they want to keep trading. They don't want to say, oh, you can't trade for an hour because we're installing a patch, or whatever. That's not really a very good way to do it. All right, and then I think, as sort of a final topic, I've heard a lot about sort of DSPM, so sort of posture management, and then not only DSPM, but there are lots of PMs in the world nowadays. ISPM, I think that's also one, identity security.

Speaker 2:

Yeah, SSPM, CSPM.

Speaker 1:

What's up with all that posture management? Yeah, yeah.

Speaker 2:

Yeah, I think it goes back to understanding an attack surface right.

Speaker 2:

So what we hear a lot today is sort of a drive to consolidate a lot of security tooling, but the reality is, like, we are onboarding new environments, like we're onboarding cloud services, we're onboarding SaaS applications, we're onboarding generative AI applications to some extent, and those come with their own sort of attack surface and vulnerabilities.

Speaker 2:

So there's always going to be some sort of imbalance, or conflict, if you will, between the will to consolidate and the will to cover attack surfaces and newer attack surfaces. So I think that's sort of what we're seeing. What we are trying to do is you build a data security platform, and with, let's say, traditional Rubrik capabilities, you bring recovery to the table, and then, where posture management comes in, is that preventative angle a little bit more. So if we assume it will happen, how can we make sure that it's almost zero consequence? So if people want to exfiltrate data, going back to your point about identity and how difficult it is to secure identities, for example, what you can do with data security posture management is figure out which identities provide access to what data and in which manner.

Speaker 1:

So does that mean you're talking more about sort of attack path kind of stuff? Yeah, exploit paths.

Speaker 2:

Yeah, it's more like data access governance to some extent, where you can see, okay, if this person (let's assume this account is part of an account leak next month), if somebody would have access to those credentials, what could they expose us as an organization to? Like, what data would potentially be exposed? So you can say things like, okay, why does this person who works in HR have access to all engineering documents in the environment? And not only that, but they also have write permissions everywhere? So that's where you go back to the concept of least privilege. You sort of dial it down. So there's a lot of things you can do from a posture perspective to sort of, you know, make the breach that might still ultimately happen less impactful to the organization.

Speaker 1:

But is DSPM sort of a product that you need to buy? Or is it part of the platform, and it's sort of a layer on top of it and it's just on your screen, but not necessarily a separate product?

Speaker 2:

Yeah, I think for us, and sort of what we're seeing in the market now, is a drive to more platformization. So for us, it's a data security platform and DSPM is a part of that, and DSPM can also inform the rest of the platform. So that's why we're so excited about making it a platform. So, for example, what you can do is use DSPM to identify all data assets that you have across the cloud, multi-cloud and SaaS, and then you have an understanding of how those assets are secured. Do they have a native backup assigned in AWS or Azure or GCP? For example, did somebody enable access logging on your buckets? Is there an encryption policy? So all of those things can be validated. But what we can then additionally do is, why not have that influence the protection scheme as well? So if we find, you know, let's say, S3 buckets with a lot of sensitive data, why not automatically protect those and make sure they have a fallback scenario?

Speaker 1:

And then you don't have to go back to the earlier point you made of doing a sort of a daily diff of identity kind of changes in the logs, right? Because I take it that DSPM is continuously monitoring it, so it's sort of near real time. You can see what changes and what happened, and you can also roll them back or do something else with it. So it would make life a lot easier. You don't have to sort of manually compare two daily outputs anymore, right?

Speaker 2:

Yeah, and especially for DSPM, that's important because the idea is, okay, you might have a security incident, so somebody might have credentials and is able to log into your environment, but the whole goal of the DSPM tooling is to prevent that incident from becoming a breach, and you can't rely then on a daily diff, as you call it, because it has to happen in almost real time. So what you're doing is you're monitoring server logs, you're monitoring things like CloudWatch in AWS, and with those real-time signals you decide this doesn't feel like correct operational use of my data. So I'm going to inform the SOC team, or whoever needs to remediate, let's say, so they can go ahead and potentially block access for that user, for example.

Speaker 1:

And is a DSPM a big extra investment for companies, not only in terms of monetary value, but also maybe in training or upskilling people? How does that work?

Speaker 2:

Yeah, I mean, I can't necessarily talk for other DSPM vendors, but one of the benefits, I think, of the way that we're building solutions these days is most things are becoming highly automated from a solutioning perspective itself, and that's also what you see with the DSPM tooling out of Rubrik anyway, is that it's extremely low touch. Like, the concept of, for example, needing to install agents on all of your data assets to do sensitive data discovery, that's outdated, so that's not something we want. The cloud has APIs, the cloud has standard integrations, so that's what we need and that's what we want to leverage. So, from a "how do you operationalize it?" perspective, it's actually extremely easy, and I think the other thing is we don't necessarily want to give you another user interface.

Speaker 1:

Well, that's my point, right. You don't want to complicate things even more.

Speaker 2:

Yeah, because who is the data security posture management engineer in the organization? So it's more about, oh, you already have ITSM tooling, you already have SOC processes. It's just taking that additional intelligence about data security and feeding that into those existing systems so remediation can happen using an existing process. So that way you harden it even more. Yeah, it's a previously unknown attack surface that you're now sort of exposing and protecting, which, again, looking at what's in the news each and every day, seems to be very needed.

Speaker 1:

It seems to be very needed. Do you think if we change the balance a little bit more between what we talked about before, between prevention and resilience, and if we do that right, do you think we will see less of these breaches in the news? I mean, I'm not going to keep you to your promises, but at the end of the day, you need something to show for it, right? So are you optimistic about the future in that respect?

Speaker 2:

Yeah, I think it's more about minimizing the impact or making it almost zero impact. So incidents will happen, breaches will happen, data will get exfiltrated. But if we can make it so that it's not your complete organization's PII information that got leaked, so if we shield that important data in a much more capable manner than what we were doing before, the impact should be lower. So I'm definitely optimistic about that type of approach. So will it be in the news? It depends on how important people, you know, find reporting on a data breach if there's almost no consequence. For, let's say, let's maybe use an example. Like, there was a data breach at 23andMe a while ago, so potentially 23andMe has, you know, genetic information of people who sent in those samples. So that's, you know, if we talk about PII information, it doesn't get more personal than that, I think.

Speaker 2:

But let's say there's a data breach at 23andMe and it's not the customers' PII information that got leaked, but it's a bunch of marketing documents or whatever. Does that get reported on in the news? Probably not.

Speaker 1:

And it's not something you're going to pay for anyway. Yeah, because at the end of the day, we want the business model for the attackers to go away. Yeah, yeah, as long as the business model is there, they're going to keep doing it, right.

Speaker 2:

Yeah, exactly, they're all profit motivated. There was one, it was reported on, I think, by the UK's NCSC and the NSA as well, where they sort of sent out this note that they're seeing Russian hackers shift from, you know, on-prem to cloud and SaaS, because that's where your gold is. Like, that's where you keep your crown jewels these days. So back to your point: if there's no profit in it for them anymore, they will probably shift tactics. But you can't prevent, you know, you can't prevent an incident from happening.

Speaker 2:

I mean, look at the MITRE issue a couple of days ago. Like, it's probably, you know, I don't know what's happening inside of MITRE, but from the outside it looks to be a very competent and very cyber-capable organization, but there are still going to be zero days in tools that you're using and people can exploit those, so it's going to keep happening.

Speaker 1:

Okay, well, that may not be the most optimistic ending, but in general the ending was optimistic, so that's nice to hear. Okay, I think we're almost out of time. Well, thank you for joining us.

Speaker 2:

Thanks for having me.

Speaker 1:

Until the next time.