🤔 Wondering how to simplify network management and enhance security?
Join Max Clark, founder of ITBroker.com, and our expert guests, Jim Finnerty, Director of Channel, and Lior Mazor, Global Head of Information and Physical Security from Perimeter 81, on the Tech Deep Dive podcast! Learn how to bid farewell to tedious setup and manual configurations while ensuring the safety of your organization's assets. We'll explore SASE, Firewall, VPN, and more.
Tune in and take your network to the next level! 🚀
Max:00:08
I just finished recording with perimeter 80 1. Jim and Lior were kind enough to spend an hour and a half of their day with me, talking about Premiere 81 and their approach to Sassy and what that looks like for their customers. I was really excited to have this conversation and going into it and actually delayed delayed doing this recording for, a little bit over a month. So that way I could be at my desk and in my office and, not while I was traveling. What's exciting about this for me is there's been a big bifurcation of capabilities of, you know, of security of sassy, you know, in the marketplace.Max:00:42
What I mean by bifurcation is we see a lot of solutions that are really targeting the low end of the consumer, the prosumer, the SMB space. And when you dig into and you start actually using and trying to configure and and and use these systems and these tools, you find the capabilities aren't wonderful or the product isn't great or the service isn't good or you know the agent the way the agent deploys isn't wonderful and and then you go to the other side which is typically a requirement for a much larger organization so you know once you're over a1000 say you know a1000 users this this other thing opens up for you becomes feasible based on costs and deployment professional services that come into it. And for myself, you know, we're a small organization. So and but we're aware of capabilities. So even in the same situation where you look at it and say okay the entrance in the small and the S and B targeted, tools are not wonderful and we don't wanna run them for ourselves but yet, you know, even with the knowledge and understanding awareness and technical chops to go out and run and come to market with you know, the larger players and those in these larger oriented solutions.
Max:01:40
That's not a good fit for us either, just because of the the the effort and the energy necessary in order to run it. So perimeter 81 is a very interesting supplier for us. It was it was a fantastic conversation. I was very happy, that this we were able to get this done. And by the way, Jim from PREMIER 81 on the sales side as he talks about multiple times.
Max:01:59
And then Lior, is the CSO for PREMIER 81. And whenever you have a conversation, you can actually talk to a a seasoned CISO about what they're doing for the organization for security. And then if it's a CISO that is working for security company that has to deal with their organization security as well as be the security ambassador, so to speak, for their customers as well. It always becomes very interesting. So, I hope you enjoy this conversation with perimeter 81 because I sure did.
Max:02:23
Hi. I'm Max Clark. This is an IT broker tech deep dive. I'm with perimeter 81, specifically, Jim Finnerty. Jim Finnerty.
Max:02:31
See, I'm already I'm I'm 5 seconds in. I'm already messing up. Jim Finnerty is director of channel. And Lior Mazur who is, Lior actually have a fun title. He's a the CSO for perimeter 81 but it's also very important to say that he's the global head of information and physical security.
Max:02:47
Lourd joins us from his his bunker, his safe house in his house. I am not in a safe room. I'm just in my normal room and I have no idea where Jim is. But anyways, with that aside, from from a little the sidebar that we had before I press the recording button. So perimeter 81 is, you guys designate yourself, I guess, in the sassy space.
Max:03:09
I don't wanna I don't wanna typecast you too much. I'll let you actually speak directly and and talk about this a little bit. But, I've been very excited to have this conversation. Once I've once I've discovered perimeter 81, I've been wanting to do this for a while. Thank you for accommodating me and my traveling schedule over the summer and making this happen as soon as I was stationary again.
Max:03:29
So so guys, appreciate it. Thank you very much for joining.
Jim:03:32
100%. Glad you got to, enjoy some some time off. Hopefully, you went somewhere warm and, the palm trees and, and little umbrellas and the drinks.
Max:03:41
I'm I'm in Dallas. Warm isn't the problem right now for the summer. It's I think everybody everybody's seeking out something cold is
Jim:03:47
Maybe somewhere it's temperate would be.
Max:03:49
Yeah. So, perimeter 81, like so many companies found and started in Israel, really focused on the security space and I think the best way and actually the the first question I would lead in with is what was the impetus or like the inception thought with the the company and with the service that you're delivering? What, you know, what was the pain point that when you looked out in the market and said, okay, great. Let's go out and solve this and we can do this better.
Jim:04:18
Sure. Lior, we'll we'll, I don't know how exactly we'll we'll pass things off, but I'll take a stab at this one. And the first thing I'll I'll say is it wasn't my idea. I wish it was. I wish I had the the wherewithal, but our founders, Amit and Saghi, their story was that they had started a company that was essentially a consumer facing VPN.
Jim:04:40
It was a cloud based VPN that they were selling to end users directly. And through that, they built a lot of infrastructure and, I think tackled a lot of the the challenge of securing connections, but realized that there was a bigger problem to be solved within the corporate world. And their vision was, hey, we have a lot of resources moving to the cloud. And at the same time, we have workers that are becoming more and more remote working from the road or working from home even before the the pandemic, which really accelerated that motion. There should be a better approach to network security that would better secure with better performance, those organizations in their workforce.
Jim:05:22
And so that was their initial vision as I understood it or understand it to deliver network security for this more modern working environment. I
Max:05:31
mean, my one of my favorite things about security and the security ecosphere is just endless acronyms. Right? So we we talk about it. We look at it. We see things like An
Jim:05:39
alphabet soup.
Max:05:40
It's an alphabet soup. Right? So so SWG secure web gateways or, you know, now what we kind of put into is, Internet access, secured Internet access, ZTNA, private access, VPN, CASB, DLP. I mean, you kinda just, you know, run through this, like, just just soup and, you know, I will I will talk trash about Gartner a lot, but they threw all this together and said, okay. Now it's called Sassy.
Max:06:06
You know, basically, everything is now just just this, like, Sassy thing. I mean, you kinda touched on a little bit, Jim. I mean, perimeter a 1 is, you know, coming out of like this VPN endpoint, you know, and and structure. I mean, I I think that's what what maybe is lost in a lot of these situations is that VPN becomes a core technology that then like enables the client to connect to something to do something else. Right?
Max:06:25
Like it's it's coming across some sort of encrypted tunnel. So great. You have a VPN now to go somewhere but then there's a whole lot more that can, you know, packs into this. And, you know, let's let's talk about that. Like, what is the whole lot more that starts being created?
Max:06:40
Because, I mean, you can go out and you can get a VPN. You can go get a consumer VPN. There's lots of people advertising. I mean, the VPN space is really popular in terms of, like, you know, ad spend on in in any search engine or any platform you look at. But this this isn't just a VPN.
Max:06:53
We're talking about a lot more here. Right?
Jim:06:55
For sure. And I Jim, if I can Yeah, please. I don't wanna
Lior:07:00
You you know you know, eventually and you are totally correct, Mark. There's lots of, you know, buzz rules, things like that. But, eventually, if you are thinking about it, the corporate network has changed, starting from, on prem, inside your organization. Now the Ethernet has become the new corporate network. And, eventually, everyone is connecting on one to connect to the resource, to internal resource.
Lior:07:27
And you also have lots of resources. Like, it's not just your resource or the data are inside your corporate network. It's also designed on your cloud providers or SaaS application and others. So, eventually, you have many people or many employees in your organization, want to get access to your, to your data source, to your application, to your database, and you need somehow to secure this, Internet or the new corporate network, which is the Internet. So you need to have better and better suit solution, in order to protect this, increased attack surface.
Lior:08:09
Because, eventually, you are providing this kind of secure connection, but, also, you want to reduce the attack surface of an hacker that will come into your resource and steal your data. So on top of that, there are many solution which went out from the corporate network, the on prem to the cloud, and to your edge security, which is called the SaaS.
Max:08:32
So, I mean, within this alphabet soup, you know, there there was a once upon a time where you would go out and you would actually buy, you know, a web proxy, some sort of filtering firewall. You know, you would talk about, you know, firewall vendors wanna sell you like a UTM or DPI, you know, functionality on the firewall and the physical appliance. And then you had, you know, a remote access VPN to the corporate environment or your data center where you were putting everything through that. And then there's there's architectural issues with that. We can we can talk about it.
Max:09:00
We don't have to talk about it. We can just say there's problems with that. But but looking at and, like, thinking about where these things have kinda gone, it was okay. You had to go out and you had to buy an SPG. And then maybe you had, you know, what we would call what was called, like, a software defined perimeter, an SDP, which was really kinda like this, you know, slash, like, ZTNA, you know, 0 trust network access kind of component, which was usually implemented by as an SDP.
Max:09:24
You know, you start to run-in all these other things. Like, what's what are you doing around malware prevention or detection or what are you doing around, you know, policy enforcement for remote users. And this isn't a platform that was built and then cobbled together. This was, you know, you guys are very much in a different state of, like, okay, we have this platform which just happens to run in the I hate the term cloud. In the cloud.
Max:09:47
Right? And and now you get all these things with it. So so the shift for, I guess, the company, let's say, the IT teams or than the actual corporate knowledge worker, you know, is is substantial. What how far into this world? How deep are you going?
Max:10:01
You know, we see a vendor say, hey, we have a ZTNA solution now, but you dig into it and you're like, you don't really have a ZTNA solution. You have something that you call ZTNA because it's the buzzword. Like, how how deep into these different things are you know, and are you doing and I'll stop there. I'll I'll I'll I'll try to only give you one question at a time, although I wanna ask you, like, 30.
Jim:10:20
Lior, I'll let you start with that one if you'd like. Would you want me to take a stab at it?
Lior:10:23
So so I I think we have a product roadmap. And, yes, we we we started with, with the ZTA, and we have the the SaaS solution. We have the secure web gateway and malware protection, and we are adding additional layer of security because we we understand the use cases. We understand the attack surface, and we are building a product that can give you a full secure solution eventually in order to give you the capability of becoming or changing the world from on prem to the Internet, as as the new corporate network. Because, eventually, if someone is, logging into your resources, you want to validate his policy.
Lior:11:01
You want to validate that he is secured, identified, authenticated, authorized. And then you're also getting into traffic itself, understanding it has the permissions. Or next page will be, if there are any leakage or implementing data leakage prevention system. And you are doing a firewall log because you want to monitor all the actions and have some visibility of what the endpoints are doing, where does it serve there is a secure web gateway to validate that the the endpoint is not being affected by a malware that might be affect your network. So, eventually, it's an overall solution, that provides you the the accessibility, for the business use because we can see, the market are going to bring your own device, and and connect from wherever, wherever place which each device you can connect from your laptop, computer, phone.
Lior:12:01
Doesn't matter. However, everything is becoming, the new corporate network, and and we as a security company want to protect, and we have several solution and other parts of our AI of corporate world. Now do you want to elaborate on that?
Max:12:16
Let me let me back up here because I'm I'm realizing I'm, like, so excited to do this that I'm, like, probably skipping some really basic stuff, which is Liar, can you start by just explaining, on a high level what perimeter eighty one is? What it is that you do? And what are the different like sub pieces that you do? And so that way somebody that's watching or listening to this that maybe, you know, isn't as like like excited as I am right now because I've been geeking out on this for a couple months, you know, has a maybe a foundation for us to get into some depth.
Lior:12:45
So I'll probably lead to Jim because it's a product point of view. And Jim, you want to give this pitch of, what is perimeter 81. You know?
Jim:12:52
Sure. So I would summarize perimeter 81 as a a network security solution that's designed for the modern workplace. And the the the characteristics of that modern workplace are resources in the cloud, people outside of the office. The big shift is that there's there's less or in some cases, nothing on premise. And so from a network security perspective, before this type of solution, we were placing boxes in environments that were protecting nothing there.
Jim:13:24
And so the, the the workaround would be VPNs. Right? Let's get let's virtually get those users back into the network, and that wasn't what those appliances were designed for. And so perimeter 81 in Synry, I believe, is that perimeter security capability that will follow users wherever they are, will, control and protect access to environments wherever they are. Right?
Jim:13:50
Whether it's still some legacy equipment that's or servers that are on premise or what is more and more the case, resources that are deployed in a a VPC, a cloud environment, or on the web. And so how deep are we going is the is kind of the one of the questions that you'd asked previously. It's an iterative process for sure. I've been with the organization for nearly 4 years now, and I can say the product has come a long way from, you know, the first the first calls I was making about 3 and a half, 4 years ago, and the capabilities we had, have become much deeper today than they were then. And and frankly, we we still have more, that I get excited about in our road map that that is coming, that really delivers on that full that Sassy vision that that as Gartner would define it.
Jim:14:34
But we want it to be all the protection you need in one unified holistic platform, because it's really challenging to have lots of attack surface that's been introduced with these new working conditions and the the various solutions that are needed to be cobbled together to to come up with some some protection. But they don't all work well together unless it's designed as a as a holistic platform like we've been pursuing.
Max:14:58
Security doesn't have direct ROI. There are I I think there's a tendency when purchasing technology to look for an ROI or, you know, what is this thing actually gonna return to us in terms of value? And and, you know, if if you there's a lot of things that you can go out and you can purchase and you can say this is gonna do x, y, and z z for us which is gonna, you know, make the business better and generate more revenue or or make us move faster, whatever those things are. In a lot of cases, security doesn't actually give you a direct ROI. Like, if you go out and you buy an MDR, you know, or EDR with an MDR service, you know, you're you're you're not buying, like, ROI.
Max:15:33
You're you're mitigating risk and you're lowering risk. Firewalls, almost all firewalls I've ever encountered in any corporate environment were there to provide a function which was we have private IP space in our office unlimited number of public IPs IP space. So we need this device to do a NAT function for us and just happens to be a firewall. And maybe in some cases, if you're really old, you know, it's it's got a rule to allow us some TPN. So that way our email server works.
Max:15:56
Right? But, like, they weren't really sophisticated even though they were selling these UTM and DT DPI and all these other things that you could enable. When I when I see companies deploying, you know, what's now becoming is, like, sassy category of service, Usually, I'm finding that company is solving a different problem that just happens to be solved with, you know, this thing. Right? Like, we need we have a remote workforce now that needs to connect from home.
Max:16:21
We've got a an office on the West Coast, but we've got a bunch of people working in Europe and we can't pin their traffic back to Los Angeles. We need to be able to provide, you know, what are people actually signing in? Where are they not? Are they geo fenced? Are they not?
Max:16:34
Right? Like, those those become like business issues that then say, okay, here's your technology and here's your security solution that actually solves this problem for you. And so I'm kinda curious from your side of that, how much of what you're seeing with adoption is a company that's already decided they understand that they need the ZTNA or an SWG or whatever whatever term it is, right, versus saying, oh, we have this business problem that we wanna go solve and enable or or or add capability. And now we found the solution, and perimeter a one is doing that for us.
Jim:17:02
I think the the question of ROI, is is a broader question that can be applied to anything in the security space. Right? You brought up an EDR as a as an example. You're right. It's it's a it's a cost without a a an immediate return, and it's a hidden return.
Jim:17:17
Right? If you're not you only really know if your security stack is not working, if, you know, you suffer a breach and, nobody wants to go through that. So it's almost it's almost like purchasing insurance. You hope you don't have to use it, but you're glad it's there, if if you have if you have to. And I think from an adoption, it's been a lot of conversations that I'm having are around replacement cost.
Jim:17:41
Right? What what part of the stack or what parts of the stack would this replace and and or are we needing to come up with new budget to, to enable this protection? In short, I think SASE is a little bit of both. Right? Because it's responding to changes in the workplace, remote users, more resources in the cloud.
Jim:17:58
This is different from what it was. So it is a little bit of both. Right? We're replacing certain elements of the stack, with a a SaaS solution that includes, like, web filter, that includes VPN, obviously, being, kind of a classic use case. And the costs associated with that can vary from direct costs of, you know, what is the licensing cost on a legacy system that allows us to do it to some degree of what we can accomplish with a SaaS platform like perimeter already 1.
Jim:18:25
But then there's also hidden costs, like the cost of labor. Right? There's a lot of complexity in how we're creating VPN tunnels from a a a remote geographically dispersed team, users in another country, on others other parts of the world back to a a site that's in California. How do you address that with legacy equipment, and how cumbersome can that be, in the man hours and the costs, to to stand something like that up? And so I think it it can be viewed in terms of ROI by factoring in all of those replacement costs, licensing, and time, and and then ability.
Jim:19:03
Right? Are we going to enable, better performance to have more productive workforce? Are we are we going to enable more restrictive access controls than we would have with legacy systems? You know, and and that would that would serve this new these new working conditions well, right, with remote users and the the limitations that legacy, security solutions can offer. So coming up with your buyer and you're trying to calculate, how do I bring this to the board and and ask for this budget?
Jim:19:32
It is, in most cases, in my experience, it's been a combination of replacement costs directly with licensing on or appliances that you would have otherwise been purchasing or that you're replacing, and the new capabilities that it offers or that it affords you with these with the new style of working. It is a combination of those 2, I think.
Max:19:49
Lior, CSOs have an interesting job, which is trying to measure and mitigate risk to their organization. I had a conversation with a director of security operations for a very large company and he was sharing a conversation he had with a CTO. Basically, the CTO asked him for a budget. What do you need in order for us to protect our environment and do what we should be doing? And I think he came, you know, it was like, tell me everything.
Max:20:12
Give me give me your wish list. Right? And, and he went back to the CTO with a with a I think it was a $1,000,000 request. Nothing really crazy, but, you know, you what you would what you would deploy. And the feedback that push pushed back to him was this, you you have $50,000.
Max:20:26
And, you know, that they figured it out. Right? And there's a lot of noise and chatter that comes into this about what do you actually deploy and what and what, you know, and what pace. Right? And I I I have this conversation a bunch, right, where it's like, do you invest in an EDR?
Max:20:38
Do you invest in email filtering? Do you invest in an SWG? And I'm I'm kinda curious, you know, from your viewpoint now, obviously, you're working for a company that is, you know, on the, you know, the the more perimeter. I don't want
Lior:20:51
you okay.
Max:20:51
No pun intended. But, you know, enabling that that side. Right? So, you know, if if you're in a situation, what I've kinda started wondering about is, you know, there's there's a certain amount of, you know, EDR is almost like it's it's not it's a little bit preventative, but it's almost more reactionary. Right?
Max:21:06
You know, you've got this tool that allows you to figure out what happened and then try to unwind what happened, but not try to prevent what happened. And, you know, is there a time to, like, start thinking about this differently of, you know, is your is your threat factor really stop it from happening in the 1st place? Don't try to, like, catch it and then unwind it. But, you know, is there a technology or techniques to to start looking at this? And and, you know, should we be focused around, you know, preventing stuff from actually reaching the devices as opposed to trying to unwind it after it does?
Lior:21:35
So so first of all, I'm I'm in the in the cybersecurity industry for the past 18 years, and I saw the the movement and the shift. Back days, back then, we had a very little solution. So if you will want to be secure, you need to do this and that, and that's it. Nowadays, we are like a tailor. We need to tailor a specific cybersecurity suit, let's call it like that, for our organization.
Lior:22:06
Eventually, from from the story you told, it's a risk management. So I'm a CISCO, I think, and this is my attitude also internally. I'm managing the risk for my company. In order to become a business enabler, you need to be a Verintas parent and actually tailor made the solution to the organization, to the risk posture of your organization. I can tell you that I'm also using we are also using our product as one of the our protection layer.
Lior:22:38
And specific to the question that you asked, so as a CISO, I'm building security layers. So layered in that, defense in their attitude, we state, yes. We need to build a control. Eventually, the outdoor, the perimeter control. But there are additional controls there because we understand that hackers, it's not a matter of, time.
Lior:23:06
It's a matter of if. It's a matter of when they will attack us. And, eventually, as a as a CISO, I want to protect my company and put the correct defense in layer in order to if one layer will be broken, I have another one. So this is what I'm doing in order to protect the data eventually. So I'm building those risk for sure and understanding what are the risks from business perspective.
Lior:23:32
I think the parameter is one of the the biggest layer because it's actually the entry point to the organization. So you need to have a really strong solution over there, hopefully with the parameter a p one, solution. But you need to have more control. It's not the it's not the one control and that's it. You need to build your your approach from risk perspective.
Lior:23:55
And I can tell you that some control can be detected. Some can be corrected. Some can be just, you know, alerting of deterrent. But as a security professional, you need to set the the risk posture or understand the risk posture of the your organization and bull build the world and in defense their approach, okay, eventually, in order to, present the ROI, the security ROI to the organization. But, yes, it's a it's a tough job.
Lior:24:25
You are correct, Max.
Max:24:26
Thing that I like about Sassy is it's almost, it's it's I don't wanna say subversive. It's like almost like a Trojan horse, you know, where you end up with functionality. As an organization looks to modernize it, you don't wanna maintain firewalls anymore. They have a licensing issue. They're putting up new offices.
Max:24:42
Whatever the whatever the trigger event is. Right? You say, okay, let's take you to a modern, you know, sassy SD WAN, you know, edge and your offices. So much comes along with that that that you just like you you gain by default with it that it's, you know, it's really, you know, for me, it's really exciting because I love having conversations down the road where it's like, oh, you already have all these things. You know, you have this, like, we need to do acting.
Max:25:01
You're like, no, you already have that. You know, you got that when you did this thing. You already have it. And it becomes these, like, accidental discoveries almost. You know, what I was thinking about, Lou, when when you were talking is there was a, a CICD company that had a a breach Is that a year ago?
Max:25:16
My mind is so messy at this point. Who knows? And I'm not I won't say names. I've I've I've complained about them already enough. But, you know, reading through the first off, their their system, they were notified that they had a suspicious activity on their platform from customers.
Max:25:29
So one of their customers actually noticed that something was weird and going on and then actually tracked it back to them and then notified them and told them. So they didn't know or or figure this out on their own. So that's, like, strike 1. And then they post this this this after action, you know, investigation, like what happened to what we're doing, you know, kind of response. And they're using really curious terms.
Max:25:48
It's like, you know, our antivirus software didn't detect it, you know, and one of our contractors. And then and then we had connections back to a VR VPN from IP addresses and these systems over here in these countries that we didn't notice. And and you read through it, and you're like, it's like almost just like it it's like watching this train wreck in slow motion of, like, if you just did anything at any step along this way, like, if you just chose anything, it would have prevented this from from being becoming what it became. And I kinda I'm curious, like, how you know, obviously, that organization before they had this event didn't see any value in these things or they didn't know that these things were available to them. Them.
Max:26:22
They didn't know, you know, you don't don't run an antivirus or an EDR. They didn't know, you know, they needed to have strong I'm They didn't know they needed ZTNA and geo geo fence remote access for their employees. They didn't know they needed this, you know, or they knew when they chose not to do it. But I'm I'm gonna go with they didn't know. So how how do you go through that in terms of, like, an education cycle around?
Max:26:40
I mean, I don't like the term education cycle but, you you know, like, this is what you're I mean, you know, this goes back to my earlier question. Like, how do you enable like, what's the actual business? Like, your business actually needs this so we can give you this and in addition, you also get all this other stuff as well. And, like, oops, you just gained security because you were trying to solve this other problem.
Lior:26:57
So so as a CISO, this is one of the parts. You know, CISO has several hats. Let's call it like that. It could be like a one end, it could be a it should be a lawyer. On the other end, it should be a technology.
Lior:27:08
Why? On the other end, it needs to be a marketing, person. Think very seriously. Eventually, I I would say I will talk about parameter 81. So we are as a security company who's protecting our customers and have a security product.
Lior:27:22
We need to be aligned with the with the best practice, the most restricted best practices. And we are certified, for example, for the SOC 2, Type 2. We've been audited. We're also certified for the ISO 27,000 and 1, which we are also audited. We are doing lots of security, risk assessment, penetration tests internally and externally.
Lior:27:42
In order to validate that we are protected. So my advice, take the best practices. Be aligned with the security standards. Not something as 18 years ago, there were no standards. There were one solution.
Lior:27:55
Nowadays, there is standard and solution for everything. Even when you are going to the cloud, there is best practices. If you are developing, you have the secure software developing, best practices, the secure coding for every developing language. So, yes, you need to be aligned with the best practice. However, you need to fine tune the control that we talked about, the security control, the detective, corrective, and others, in order to implement and and adapt it to your organization.
Lior:28:21
Because if you are taking, for example, the s the Microsoft SDLC out of the box, it's not aligned with your puzzle developing life cycle. So you need to adapt the security controls and the security risk posture to your organization. Because what is right for, for example, for my company is not related to a company which is, I don't know, selling to the to the army. Okay? So there are different grades of security and and risk posture.
Lior:28:48
On one hand, the the last the last thing will be the the people. You know, you are we are investing in technology. As I said, we are investing in in process, but the the third will, will be the people. So if you are not investing in the people, and I'm calling it awareness and training, eventually, the weakest link in cybersecurity is the the people. So they need to be aware.
Lior:29:07
I can I can tell you that from my own experience, when people are aware, they're also coming to you with some security issue they found, and you can use this power? But, eventually, they need to know why they are doing security. And when they will knew that the the last person in your company, the the secretary, will know why he needs to do, cybersecurity and why he needs to report, an email phishing because he can protect all other company. That's huge adventures and, becoming or or changing everyone once mindset in order to become more secure. The company will be more secure and resilience.
Max:29:43
Before I've got a couple of follow ups on that one. So let's do the first one. Right? Ultimately, people are the threat vector. Right?
Max:29:48
I mean, when it comes down to it, it's it's, everything comes back to, you know, a human event at some point. Right? Even if it's just misconfiguration of device, it's still you know, the human is the link. I mean, how to put this. Right?
Max:29:59
If you put me on a soccer field with Ronaldo or, like, in a game of 101 with LeBron, I'm gonna get smoked. You know? Like, it's just I I don't even know if I get one one one I I touched the ball. Right? Like, probably not.
Max:30:09
Like, I'm just smoked. And there's a certain amount of activity that happens in the world of cyber that's just, you know, just noise and garbage that's always circulating. You know, put a put a device on the Internet and and count to 5 before it gets its first, you know, probe. Right? But we're talking about asymmetric, expertise.
Max:30:24
You know, people that are trying to penetrate resources for companies and whether it's just a random we're just we're just looking for something or professionals and the people that are, you know, on the other side of it are not professionals in cybersecurity. You know. And so I feel bad in those cases because the human threat factor it's not even, you know, I think I think for a long time it was really positioned as more like an ignorance or or, you know, like a non caring kind of response is kind of how people talked about it. But it's just really, you know, they're they're so outclassed in that situation that there's just, you know, you have no hope. You have no shot.
Max:30:56
Right? I think the other form that really drives me crazy within security now is this idea of, like, the security maturity model and, like, you know, like, this, like, layers you say, okay, you know, measuring risk and and appropriateness, you know, for a company, you know, versus, like, the army, of course, a huge difference. And everybody understands that. Like, I'm not a bank. I don't need bank level security.
Max:31:14
I'm not the government. I'm not the DOD. I don't need DOD level security. But there's very little actual information that says if you wanna have, you know so if if, if the CIA is 10 and a bank is 7, you know, and you wanna be a 4, like, what does that mean for you in terms of what you actually need to do? There's there's these ideas of, like, oh, you need to go start here and then you do this, you get to that, and then you get to soar and you have this whole thing and it, like, works around.
Max:31:36
But, like, what does that actually mean for people? There's no real, like, oh, you know, you are a normal business operating a knowledge space with some intellectual property that has bank accounts and employee access to do x, y, and z and, you know, you can be vulnerable phishing attacks and computer resource and all these things and you should be, like, it's called a 4, you should be a 4 and what does a 4 actually mean? A 4 means you need these things and you should do these things in this order. Like you've done nothing, start with this thing and then do this next thing and then do this third thing. Right?
Max:32:03
And I I find I I find that to be the interest I mean, I don't know. Tell me I'm wrong because I'm I'm I'm usually wrong about these things but that's that's kind of the perception I'm getting with this is just we're not helping non security professionals understand what they're supposed to do and why not that, like, they know they need to do something. It's just like, why do you know, like, what what should I do and why?
Lior:32:23
So so I I I think that there are frameworks that you can use, like ISO 27,000 and 1. And and, actually, you need to you need to understand on which, what what is your business case. So, for example, if your business is, dealing with you are an ecommerce and you have credit card, so you you must know that you need to be aligned with the PCI DSS, the payment card industry data Security Standard. Or if you, are working or selling in the the EU, you need to be aligned with the GDPR, the General Data Protection Regulation. And each and every regulation has its side inside its security requirement.
Lior:32:59
So if you are asking me which should I follow, I would, start with with the one the regulation that needs to be aligned with. If I'm selling to the to the US or the Germany, they have their own private tools. So we need to validate which kind of regulation you need to be comply with. Following that, you can also do a self assessment. So if you are not familiar what your risk posture, bring the the expert, do the the security risk assessment.
Lior:33:25
However, follow a specific path. For example, there are some mandatory requirements. For example, if you have an employee working all around the world that needs to connect to a internal network, you must have some SaaS solution. You need to lower the risk with with a a good solution, enable the business in one hand, and reduce the risk of someone or some hacker that will misuse, the attack surface and get your data or your details. So we need to map all the data or the sensitive data and understand what are the risks.
Lior:33:57
For example, if there is a risk that someone will send the efficient email and and, an employee will, deploy or install some software, so you need to have some, endpoint protection or antivirus or, some other detection or prevention system in order to validate that you are not in risk or even lower the risk or alert accordingly. But I think nowadays, there are more standards that you can you can get. For example, lists and sums has specific security guidelines for each and every, field. There is the Cloud Security Alliance. If you are a cloud product, you are going to the cloud, go to the best practices, to Cloud Security Alliance.
Lior:34:37
See what is the best parties over there. I know that also Gartner has some best practices related to SASE. For example, if you want to choose a SASE solution, there is, you know, the checklist. You don't need to invent the wheel. There is a built in checklist.
Lior:34:49
And I can tell you that we are also part of Cloud Security Alliance as as a company that want to achieve this kind of standard. Okay?
Jim:34:57
I I've definitely been deferring to to Lior for, for security expertise on this, but I will share I'll I'll add to to what you've said with my opinion on it is, Max, I think the challenge of, hey. You're this type of organization. You should be at a 4, and defining that and what that means is so challenging. Regulations and frameworks have done a a good job, but I think what's difficult is that things are changing so quickly. So I don't think I I I don't think, an organization deploys a security stack and says, that's it.
Jim:35:28
We're done. Because the the environment continues to change and the threats continue to change. And so it has to be a a continuous effort and an iterative effort to, to continue to protect as threats, are are enhanced by AI capabilities as an example. But changing environment as I was speaking about, with the remote workforce, with, movement to the cloud, All of these changes represent a need to update those regulations and and use those frameworks for sure. There's a lot of available frameworks out there for different types of organizations, but that should be the minimum.
Jim:36:06
The other thing that's changing is is how, you know, the marketplace and and, players like us and, and other you know, it's it's a very broad market, develops capabilities that make these protections more accessible to different types of organizations. I think there there's an analogy that I really love. I know I'm not the one that invented this. I'm sure it's been used, plenty of times, but I I love thinking of, like, medieval times and you have your castle as the the protection. And and the analogy that I've always I've I've spoken with, customers and partners about is you have EDR, for example.
Jim:36:43
In in my sense, that would be representative of the sentinels that are roaming the streets and looking for for bad bad apples that have already entered the the castle grounds. Or perhaps you don't even have, you know, a castle because you're a small organization that's at a level 4, and so you don't have a castle. Right? You don't have the, you don't have the resources to build a castle, so you do what you can for your as organization. Now the castle walls, the moat, these would be representative of a perimeter security solution.
Jim:37:17
Let's keep everything contained. Let's let's ensure that we're not, open to anyone who wants to walk the grounds, and and have their their way with, you know, with with the people that are, you know, in in the village. But as vendors like us have built new technologies, SASE is a good example, and I think this is an area that we play very well within the SASE market. We've reduced the complexity of entering that level of protection. And so we've made this type of perimeter security solution very attainable for an organization that's as small as 5 5 employees.
Jim:37:56
Right? For a village that small, it would have been prohibitively expensive to to stand up the physical infrastructure just given the competence and the the talent that you need to to do that. And so there's changes on the threat side that we need to be aware of and and keep up with, but then there's the good news is there's changes and there's development, on the, on the, you know, on on the product side, on the protection side that is making a more robust security stack accessible to different level organizations. So I think using those frameworks as a minimum is is would be my recommendation. Definitely, those are the the best places to start, but evaluate for yourself what what else is possible, what is now available to us that can enhance our security that much more given, you know, all the the the funds that have been poured into this, quickly growing and broad market.
Max:38:57
I'm I'm smiling because, Jim, you've you've walked into 2 things, and I wasn't gonna give you this just yet, but now I'm gonna give you the hard ball
Lior:39:04
Okay.
Max:39:04
Because you walked into it.
Jim:39:05
I did it to myself. Thank you.
Max:39:06
You you did it yourself. So I I was gonna I was I was trying to avoid it, but now here we are. So your analogy of, you know, the the the EDR is a centuries inside the castle walls and the, you know, perimeter being the walls and the moat, right, and the outside. So if you've got a a reasonable size organization, let's call it a newer company. Right?
Max:39:24
So you can use newer stacks. You know, they're using Mac laptops, their Google Workspace customers. They everything is is web based SaaS applications that they're accessing, you know, etcetera. Right? And and this company is maturing to a point where they realize that they have to adhere to a security framework and they can't do 0 to a 100.
Max:39:43
They're gonna they have to take choices. They have to implement, you know, at steps. And that company is looking at and deciding, okay, do we go and deploy an EDR? Because that's what we're supposed to do. You know, everybody's supposed to run an EDR.
Max:39:54
Or do we go get a Sassy solution and deploy, you know, this, a secure web you know, get the benefits and have a secure web gateway and malware protection and URI URI inspection and and, you know, ZTNA and whatever else is coming along with it and why. Right? So that company can only buy 1. They can only buy an EDR. They can buy a Sassy, you know, system.
Max:40:14
And, you know, of course, the the precursor to this is this meant this idea of, like, we're running Mac. We and we run Google Workspace. So we're perfectly fine in the first place because there's no there's no known exploits against Mac and Google Workspace that we have to worry about. Right? There's no threat vector to us whatsoever, which we know isn't true.
Max:40:29
But, I I I wanna hear your argument for your side of this.
Jim:40:33
So good news is we don't live in medieval times anymore. We have, we have enhanced capabilities. We but I I will do my best to kind of extend the analogy out to this what what you've described is assets and resources that are available on the web. Right? They're not contained within the castle walls.
Jim:40:52
They're they're, outside of the village. And so there's a couple of ways that I would extend the analogy for a solution, a Sassy solution. One thing that has been very commonplace for clients perimeter 81 is taking what are representative IPs of this perimeter 81 network for that organization. These are dedicated IP addresses. They're static.
Jim:41:15
They're they're not shared by other clients. That represents, you know, if a user is browsing the web through from their secure connection to the perimeter 81 private network, they have the benefit of, you know, an IP address that is, is is coming from that network. Right? That says something about their traffic when they're visiting a web based property like, you know, like G Suite. Right?
Jim:41:37
And so, you know, this is an extension of you know, people used to have static IP addresses in the office, and being able to achieve that represents, I believe, in some way on this analogy that you can prove to a vendor that's outside of the castle walls. Right? Maybe you're going to the market in, in a village in a neighboring village, and you can represent yourself as coming from as somebody that's coming from that secured castle environment. Right? You call it an ID card that says, you know, I'm from I'm from this home village, and so I have these permissions to do what I want to.
Jim:42:11
That would be the the extension, I think, using conditional access, as a as a way of of extending that. CASB is another. Right? This is another capability that extends from it as well as okay. Great.
Jim:42:24
You're from that village, so we'll allow you into our marketplace. And and given the permissions that you're allowed through CASB technology, we can determine what you're able to purchase, what areas you know, what what are you able to take with you from this marketplace? I do think, you know, I IDs and such in medieval times may have been, underutilized or not not available technology. So we have some benefits afforded to us, but I think that does kind of extend the analogy, and and gives you know, relates to what kind of control, what kind of protection do you wanna have in place, when we have so many assets that are no longer just contained within the the four walls of the of the the building or the castle? There are ways, given this newer technology, to contain or or retain that level of control over your, what I call them subjects, your users, your employees, and the assets that they
Max:43:19
can reach
Jim:43:21
outside of the the castle walls.
Max:43:23
I'm gonna start referring to all my all my team as my subjects. Leroy, you wanna chime in on this, or should I
Lior:43:30
Yes. Yes. I do I do want to add on what, Jean said. Eventually, you need to understand what are your assets. So if your assets are designed in the endpoint, so maybe you need to protect it.
Lior:43:40
However, most of the assets, most of the data, sensitive information, credit cards, and others are not resigned on the end. They are resigned on your database, on your cloud environments, on your servers, and and others. So they are it's called what, Jim said. They are in the castle. Okay?
Lior:43:57
However, you need to first deal with the outer layers. And, actually, the first layer of defense is the is the network. It's it's coming from external to the internal, okay, to your data. So, eventually, I will I will set a protection layer, a good protection layer, in that, network environment before coming from external to internal or to the resource itself, putting a software solution, and mitigate the risk by maybe shifting local data to to the cloud. And this is how I can mitigate I could mitigate the risk on on your example.
Lior:44:30
Moreover, I can tell you that there there's broad solution. So there are also EDR, which are free of charge, or maybe you can use a specific license. But, eventually, I I think you first need to protect your assets.
Max:44:43
I love that response. And the softball version of this, Jim, is it is very difficult to deploy an EDR if you're too small. And if you're if you're talking about organizations that are sub a 100 seats, deploying an EDR in the first place is very complicated, and who's gonna manage it? There's a reason why there's a lot of companies in the space. They're pushing MDR solutions where the e d you know, they're they're a managed detection response company on top of an EDR for companies because companies can you know, it's it's very difficult to deploy and manage an EDR on your own.
Max:45:11
Not to mention licensing. Love the the practicality and reality of licensing even within the Microsoft, you know, e 5 security world. Until you're at a certain seat count, like, you're not, you know, looking at e 5 licensing or looking at extending and doing a E5 secondurity licensing on top of it, which would get you their EDR or looking at, like, a CrowdStrike or Sentinel. And there are some EDR solutions that are really targeting smaller organizations, you know, 25 seat kinda deals. But, you still have to figure out how to install and manage it and maintain that skill set and skill base internally to install and manage at that size.
Max:45:41
It's just not practical. Like, it's it's an unrealistic expectation to say, you've got 1 or 2, technical resources internally, and you're gonna deploy and manage an EDR. Like, it's just it's just not happening. So your your softball version of that is is starting at 5 seats means that everybody can have a very high degree of additional security and protection features for them. Let's let's dive into I wanna talk about, like, the technical, you know, like, the the actual, like, how the this product builds out.
Max:46:07
Because you you also kinda got into a little bit of the the CASB and DLP functionality a little bit. So I think it'd be interesting to talk about, like like, the layers of this onion. And and I'll I'll start with, like, the first layer. The first layer, of course, is you install your software, you know, a device. So, you know, computer device, a mobile device, right, which connects to the PREMETER eighty one network, and then and then everything builds builds from that out.
Max:46:30
So how much how much of this platform is included by default? And and and what if anything becomes additional licensing? Like, is there anything where a customer would come and say, okay, we're gonna license just the SWG, but not the ZTNA? Or do they get everything in one shot in one license? They don't even have to think about it.
Jim:46:47
I'll start by saying where we came from, where we started. Right? Because the vision has been, this full SASE capability. But that's not you know, we started with really coming from a ZTNA perspective. And so I'd say right now, the solution has matured right over the time that I've been here, and it and there's more to be done.
Jim:47:06
It has two components. There's 2 types of licenses. There's secure access and there's secure Internet, or broadly what we refer to as. And so from its inception, it was an agent, and actually for a long time since I've been here, we have an agentless component as well, that facilitates a secure connection back to the network, back to network resources, providing protection like a VPN would through, you know, the coffee shop network being the the the classic example. And then the controls that you have in place over that, which come on our on our most common package.
Jim:47:39
Right? There's different packages that we we bundle them, into 3 main years, if you will. But the most common one is gonna allow for firewall policies, so access control, following 0 trust principles of default deny, and, very granular access control that is based on identity. And as as well as identity, I mentioned, so integrations with identity providers. Right?
Jim:48:02
This is a peripheral feature, that we're we're gonna integrate with your Okta or your your OneLogin or most commonly Azure AD or G Suite, so that it's it's a a single sign on for, for the users and, and identity based policy making. And then device posturing. Right? That's the context of what device is this user on. Is the EDR running on this device?
Jim:48:24
Is the disk encrypted? Are are the conditions that satisfy us from a security perspective being met? And, again, the zero trust principle on a continuous basis, we're checking this.
Max:48:33
Let me narrate you for a second. I wanna make sure that we talk about this. This is one of the big differentiators for me for something that's actually like an SDP or ZTNA solution versus what what people are used to with VPNs. And you you you talked about it for just a second, but I want you expand on it, which is enforcing conditions are met on the device. And you gave an example of is it does it have an EDR?
Max:48:51
So what what is the example like, give me an example and build this out in terms of conditions and policies that somebody would build for secure access through perimeter 81 using your z t n a environment?
Jim:49:04
So I think the first approach is the firewall, the access control. Right? And basing that on identity is as the the the primary the kernel of truth is, who is this user? What can they access? Is what helps you limit the impact of any kind of malicious insider or compromised endpoint.
Jim:49:20
You know, the the ultimate attack vector, as you said, is the user. So let's be restrictive in what users can access. They shouldn't access anything. They shouldn't be able to access or even know that something exists in the network if they don't need it to do their job. And in that way, we're gonna minimize the impact of any kind of error, any kind of, a misstep by a user or yeah.
Jim:49:41
So so that is the, I think, the first step. And a zero trust principle is I kinda feel I feel like zero trust is a marketing term. Right? But I I would define it as, a a few different characteristics. The first being, we're taking a default of no.
Jim:49:56
That would be the first that I think applies to different types of solutions that, you know, that use 0 trust in their marketing is default is blanket. No. You don't get access to anything. And that allows you to build very granular allow policies on top of that. Much better than the reverse, which is, okay, what do we wanna deny?
Jim:50:12
You're more likely to come up with, make some errors and and, and and provide facilitate unfettered access for some malicious insider or or a compromised endpoint.
Max:50:23
So then a customer could do something like, is this a corporate owned device? You know? Is there is there a corporate issued certificate on the device? You said, is there an e is software running? Is the EDR running?
Max:50:34
Is the MDM running? Probably the other example of that. Right? You'd say, is the user authenticated? That becomes a foundation.
Max:50:40
So is are they signed in to Google? I would or or or Azure. Right? So then you'd probably do another one which would be, have they done, you know, multi factor authentication of some sort? Or can you trigger, like, you've already authenticated, but we wanna ask you for your passkey or whatever?
Max:50:56
So then, then then other policies that we see people ask for or talk about. Can you geofence? You know, only allow this connection if this person is in this country or not in these other countries.
Jim:51:10
So these are And these are all capabilities within the platform and a 100%. And this is I mean, it's following a zero trust, model. I think one of the other elements of this is it's not just a one time check, you know. And so another element that I think that resonates for me in in the definition of 0 trust is that it's not we're not just checking once and then you're in and you you can do what you need to. It's continuously gonna monitor and check.
Jim:51:32
Is this are are these conditions still being met? We can do that every 20 minutes on, on our devices.
Max:51:37
I'm being explicit in pointing this out because as you're responding, nodding, you're both nodding and and Jim, you're going, yep. Yep. Yep. I've I've been doing this for a long time and, like, I I'm in the same boat. Like, you you like, you should just have this.
Max:51:48
Right? Like, this is just, like, why wouldn't you want this for your environment? It is amazing how many companies do not have this capability. As in, like, they have just they just don't have this capability. It doesn't exist.
Max:51:57
Oh, we can check and make sure, you know, I've I've had I've had customers ask me because they're going through audits with their customer and they have a requirement that says something as simple as we need to ensure that customer data is only on company owned devices. How do we do that? You know? And that's the question. And they and and and I don't you know, it's they've just never done this before.
Max:52:16
They've never and you're like, well, what you need is you need a, you know, like, and and you you need this. Just go get this. It's really simple. And and that's where I say, well, I don't think we do a good job in the in this world of saying, okay. Here's the actual end use case that's required.
Max:52:28
You know, some IT guy just got this ask that came down because the CRO wants to close this deal. And in order to close the deal, they need to check this box. And they're like, well, how do we do this? Well, the answer is you deploy a real SDP with a zero trust network access, and you do this other thing, and then boom, you're done. You know?
Max:52:42
And then, oh, by the way, you get all this other stuff too that's really cool that you're gonna want.
Jim:52:46
Right. And I I think to your earlier point, sometimes it's we can actually do this with what we have. You know, I I see it it's interesting. You know, I've seen customers that will, sign on with us to to set up restrictive access, but maybe they just weren't thinking when they deployed it that, hey. Device posturing is a good idea.
Jim:53:05
Let's let's use that aspect too. It's something that our our customer success managers and, our account managers work on to you have certain capabilities that are available to you. Let's make sure you're using them all. Right? Let's let's protect you as much as possible.
Jim:53:19
Get the full value so that that ROI calculation, however you're doing it, is is is coming out positive as positive as it can be, but most importantly, that you're protecting, as much as you can given what you've already put in place.
Max:53:33
So okay. So so so first package. Right? So foundational identity authentication, you know, etcetera, and then firewall, and then 0 trust. And then you said another package was, Internet access.
Max:53:45
Let's let's
Jim:53:45
We have, so this this is contained within that same agent that's facilitating the the network access, which is a nice, characteristic, I think, so that you can reduce the complexity of agents running on your on your managed devices. But, it has 22 components right now. It's some, web filter capabilities and a malware engine. So this is the, let's start with the malware engine just being identifying risks, that users are encountering in their web journey through, you know, looking for malicious signatures, looking for malicious behaviors. It is it is doing both of those, types of checks to to verify that any of the files that a user might be downloading are blocked in transit.
Jim:54:25
Right? So before it reaches the device, we're doing these checks and ensuring that they're blocked from from ever reaching the endpoint, so that the EDR system is only there in reserve. Is
Max:54:35
this something that you built or something you partnered?
Jim:54:37
We partnered on that one. The the two things that are partnered, so the web filter and the malware engine. Malware engine, I I I won't share whom because one of them, I'm I'm allowed to share, and the other one, I'm not allowed to share, and I I don't remember which is which. So for this publication, I'll I'll keep it. But, yes, we we partnered on that.
Jim:54:57
You know, I I think and, Lior, I'll be interested in your take on this too, but I think, that problem has been solved. Right? And, and it's it's a continuously updated, problem. So we were we were happy to partner on that and delivering it through this platform, this holistic platform, was was the preference, the preferred approach.
Max:55:15
This this is where I kinda go back to my earlier question of, like, asking about, like, modern security and approach. Right? Because if you're when you start looking at you say URL filtering and a malware engine and, and even remote browser inspection, you know, like RBI, are you actually unpacking and exploding a payload and looking in what it does and, like, you you know, on a on a simulated device. You know, this idea of, like, okay. Do we have antivirus running on the computer?
Max:55:39
Well, you're like, well, no. You don't have antivirus running the computer because you have all that capability running over here now. More importantly to you, it's getting a lot of data from a lot of different things all at the same time. And the more data that ingest, the better it can become because it can see more things and it can see things that other people saw beforehand that you're not gonna see yet. So by time it hits you, you've already you know?
Max:55:57
And it's that that becomes, like, such a simplistic no brainer for me in terms of capability of saying, you know, why why wouldn't you want this? Like, how is this how is this not, like, just I I mean, I don't know. Tell me I'm wrong. Right? Like, Leora, like, when you think about this and you start talking about, like, security and scale.
Max:56:13
Right? You know, one organization trying to defend against attacks it sees versus bringing in a service provider that sees aggregate attacks or aggregate traffic across, you know, tens, 100, thousands, you know, millions of endpoints. Like, am I wrong to say there's value in that?
Lior:56:26
I think you should you shouldn't say intend to win. You know, for example, I I take a a different different, size as to, you can develop an encryption, algorithm, okay, out of scratch. You can develop it. It will take you x amount of time. However, someone already developed a secure algorithm.
Lior:56:43
Someone developed an encryption mechanism. The only thing you need to do is to download and use, this, secure mechanism, post the the right key length, and then you will get an encrypted data. You will be able to decrypt encrypt, of course, use it in a secure way, the best practice. However, if somebody already invented it, someone already build this security device or it it can assist you to increase your security level, we use this capability. You know, you don't need to invent the wheel.
Lior:57:10
So so for sure, just see what all the tools as a as a security professional, I'm always being updated and going to webinar and understand the the new technology, for example, AI capabilities and other, to better understand how I can protect my organization for those new, attack scenarios. And I think, SaaS, nowadays, it's a mandatory when everyone is working from home. I think it's a it's a best practice. So it's a standard. It's becoming a a standard, a well known standard.
Lior:57:40
However, there might be more. So you need to be updated. You need to validate your risk posture every time a new technology emerged or a new attack, is emerging. You need to validate what had happened, what are the new techniques that hacker are using, and vice versa to protect the organization.
Max:57:57
And ML. I mean, this is this changes the game both offensively and defensively for within within security. I'm curious about, you know, this idea, like, for a long time, antivirus and and malware detection was is signature based. Right? Like, okay, we found this virus that has an embedded excel macro that's gonna do something horrible to you, you know, and and we're gonna look for that signature and we're gonna prevent it.
Max:58:20
Right? But it's very easy to change and manipulate the packages and then signatures don't match and then things things don't work. Right? But then I I look at it and I think about in terms of my customer base. Right?
Max:58:30
Where, you know, in some cases, it would be unusual for a company in Los Angeles to talk to a city in, Nigeria. Except I've got one that builds desalination plants and they have a project in Nigeria. Right? So they're in Los Angeles company with operations and people in Nigeria and they actually have to send data back and forth between, you know, LA and Nigeria. So it it it kinda introduces like 2 things.
Max:58:54
Right? Where in the one hand you say, okay, there's this like broad approach of saying it's it's probably bad for, you know, this this LA based office to be sending traffic to Nigeria. But the other side you say, okay, well, this LA company does need to send traffic to to Nigeria. And then when you look at that, you start exploding that up into, you know, more and more customers that you guys are now security and protecting. How do you how do you look at this from a, you know, let's say, bucket of, like, this is overall might be bad versus, like, this is what you normally do or you would fit in this bucket that this would be normally good, but, like, you've never done this before so it's bad and we need to do something about it?
Max:59:29
Like, how do these classification rules at a high level start to to apply? And how do you think about this with Premier eighty 1, you know, as you're looking at these things with your product?
Lior:59:40
I I think if I may ask, may may answer the question, Jim. I think a zero trust approach will be the best way. You cannot trust anyone. You're thinking that you're receiving an email from your colleague in Nigeria. However, there might be a hacker sending you a phishing email that actually being, showed or present himself like your colleagues.
Lior:01:00:01
So our attitude is 0 trust. Don't trust anyone. Inspect, do your malware protection, scan the data, don't connect links, that you are not familiar, don't download the software. So 0 task approach will be a good, a good way of, of protection. And, also, awareness and training.
Lior:01:00:20
We we talked about it. Be more aware that, you know, maybe it's not the the real colleague that is sending you an email. Maybe you shouldn't click the link. However, you need additional protection layer. So if you have, like, something that can also scan the email, notify you it seems malicious, have some security grids or phishing campaign in order to increase the awareness.
Lior:01:00:45
So I think, eventually, you need to combine the the technology, the right forces process of how you are receiving an email. Maybe it should be in encrypted tunnel with the mTLS. So there are technology, the technology of of securing email out there. For example, if you want to have, like, a a secure transfer of files, there are some solution for that. And so there are technology.
Lior:01:01:08
There is the technology. So deposit the technology and, eventually, also the the people, which you need to gain their awareness. It's this phishing email and not to, for example, expose specific sensitive data to some unauthorized person, even if he's asking your username and password in order to assist you with an IT problem. So never send it via email, for example, or never state your username and password. But 0 task.
Lior:01:01:34
I task. I think 0 task is not just a a a buzzword. It's a a real way of, of living nowadays. You cannot trust anyone. Sorry for saying that.
Max:01:01:42
What so what do you do what do you do with the, like, legacy office environment? You know, the things that cannot have an agent installed on it. Like, how do you how do you what do you what do you do about, like, the light bulb in the fish tank in the office gets hacked because it's got an IoT sensor on it and is now, you know, beaconing something to command and control somewhere else off of your corporate network? Like, how do you deal with those kind of scenarios?
Lior:01:02:06
Okay. So I think you you should you should build a defense in their approach as I as I mentioned. Because eventually, an IoT in your in your internal network with command and control internally, shouldn't be exposed to some external resource without any proxy. So, from architectural point of view, you need to set those 3 layer approach, 3 layer of security, and, of course, monitor everything. So if there is any anomaly, you should detect it.
Lior:01:02:33
If someone wants to penetrate your organization from external, you need to have some logs and alerts over there, for anomaly detection. But you need to also build your, defense in their approach. So, for example, validate who is the access with the correct policy to the organization, which computer, and which policy you enforce when connecting to the organization or even, even after validating the the policy and validated the endpoint as the as the, you know, the capability or the security capabilities, even less if it's permitted or authorized to gain this access. So there should be several layers of approach and several layers of defense. And put your first defense in the in the external network, then you can or should have some internal network capabilities in order to detect, like IDS, IPS, etcetera, also protect your data layer and, of course, IoT.
Lior:01:03:28
Some will be also, advise you to have some separation between IoT network to other network. So separation of segregation of, of networks. And there are also several approach how to protect IoT. I know that's also ISO has some security, standards on how to protect IoT. Also, NIST and SANs will follow those standard.
Lior:01:03:50
It's just in general. Eventually, also, if you have an IoT device in your system, go to the manufacturer. Ask them how to protect. How should I protect? Or which protection mechanism?
Lior:01:04:00
We also advise on what will be the secure architecture because, nowadays, the security could be out of the box. And if your manufacturers doesn't give you those security best practices, maybe his, his IoT device is not so secure. Maybe you should, consider take another one.
Max:01:04:15
Are you building integrations with SD WAN firewall? You know, I mean, if I wanted if somebody wanted just to shove their entire corporate traffic into, you know, at perimeter, you know, and and take, whatever they have on-site and build an IPSec tunnel from their firewall, their NAT device, or SD WAN, whatever it is to your service. And just say, this entire office now is gonna flow through Premiere 80 1. And, you know, if we've got some rogue IoT devices, somebody plugged into a power outlet somewhere, we're gonna see it now and be able to deal with it. Is that something that's that you have or coming down the pipeline?
Max:01:04:44
I mean, you know, I mean, is is there, like, you say, like, don't trust anybody. Is there, like, just a, like, a default stat, you know, status that people can get into or a company can get into here?
Jim:01:04:53
I would say we we do. Right? We we have, we have a kind of an SD WAN light capability in that You can you can push all your traffic from a site through this network, and that's gonna make, that traffic available through logs. It's gonna allow you controls firewall policy controls from you know, based on IP address. I I will say, though, I don't I don't think it's the it's it's not the primary use case that I've seen.
Jim:01:05:17
It's I think the the solution we we have is it's much more, it's much more focused on identity based policy setting. Who is this person? What are they allowed to access? But, to answer your question, yes. It it would it would work in that way, and we do we do see this often layered on top of, like, an SD WAN solution, but it is typically, providing that security layer for, in those cases, for users that are outside of the SD WAN environment.
Jim:01:05:44
I don't know if that exactly answers your question.
Max:01:05:47
No. It get that does. So, you said there were 3 packages. Right? We talk about, 0 trust remote access, Internet access.
Max:01:05:55
I'm I'm fascinated. What is the 3rd package here? Is it just a comb combination of those 2 together?
Jim:01:05:59
So I I should, I should rephrase. There are 3 there are 3 different packages that, have different levels of those 2 kind of components. Actually, the the secure Internet packages, it was introduced we started with the secure access. That was our inception. Secure Internet is something that we started going to market with probably a little over a year ago, I wanna say.
Jim:01:06:21
And and so that has been an add on to that secure access package. I don't I don't think, I'm breaking any rules to say we we have had a lot of interest in having those 2 different capabilities available separately, and we are planning to deliver that to market so that you can go one or the other. And it wouldn't necessarily be secure access and then add on Internet. It might go the other way. So those those are kind of the 2 different types of SKUs that we have is the, secure access and all the controls that you are required to have to protect your environment, in that way and then secure Internet, which today is web filter and, and malware protection.
Jim:01:07:00
And that in the, in the near future, we'll we're speaking about road map. It's gonna have more of those types of controls related to, like, CASB, DLP, and and how you wanna control, access to web based assets. Those are the 2 ways that I categorize it.
Max:01:07:13
Leo, this is kind of a product question here, but also how you guys think about this. I've seen a lot of requests for CASB and DLP functionality, And it it it feels like most of them are really kinda like this CASB or DLP light kind of need, where it's more like, hey. I want to I wanna put a rule on Salesforce that only allows my known IP addresses to connect to our Salesforce instance or, you know, 365 or workspace or whatever. Right? Like, there's this there's this when you read, like, CASB as a spec, it it does a whole lot more than, like, just limit you to one IP.
Max:01:07:44
Right? And then also within the DLP space, you know, there's this thing of, like, oh, I don't want, you know, somebody downloading, an Excel spreadsheet with Social Security numbers onto their laptop and, like, walking out the office with it. Right? You know, it becomes kinda like this this this, like, kinda like idea around DLP. You know, so so within when we talk about CASB and DLP in the perimeter eighty one world, like, what functionality and features are you delivering?
Max:01:08:08
And how do you think about CASB and DLP for somebody that's that's that's asking you for it?
Jim:01:08:13
So I I'll start, briefly with, you know, just from the product side of what we have today and what's road map. And and then, Lior, I would love to get your your kinda take on what what we what you see us kinda developing and and how you see this evolving. Because today, we I wouldn't I don't go to market and say that we have a CASB or DLP capability today. I I would say that's road map.
Max:01:08:35
I don't even know what they mean anymore. So Yeah.
Jim:01:08:37
It's kinda weird. Like Well, to your point, I mean, that that initial that CASB to lite capability where, hey, we wanna make sure that you can only get into Salesforce from a secured connection, from our IP address, with a secured device. That's very much something that we have the capability today and that we have probably half of our customers are employing that type of capability in some way. So it's great to hear you say if you define that as CASB lite, I'll I'll take it. But then the the greater controls that you asked for, I think there's a great business case.
Jim:01:09:08
This is this goes back to, hey. The CRO came back to the IT, team. The security team said, hey. We wanna get this deal. We need to have we need to make sure that no user can download a a file that has Social Security numbers on it.
Jim:01:09:21
Not a control that we're able to enforce today through this platform, but these are these are road map features that we are you know, we we get the the request funny. So these are the the top top features that we're working on right now. I'll leave it at that, and, Lior, let you add kinda what you see as the important capabilities and what you've heard.
Lior:01:09:39
So so I I can tell you that DLP. Let's let's start with the DLP. Data leakage prevention is a it's a known, known product or line of product can prevent, extracting or sending, organizational data or sensitive data outside of the the organization. So those systems have their own, let's call it, market and and a use case. I truly believe, as Jim said, will be part of our road map.
Lior:01:10:08
We can see customers or use cases, of our customers that, requesting it, and and and it's part of our road map. Even even if even even, even if you are going outside of the the organizational's regular structure, like the the on prem, you know, going to the to the cloud and you want to shift data and data is shifting between edge to to the network and resources. DLP is something that that is well known and is part of our road map. Also, Kavi, I think, when you are when you are performing, we are already there. We are already performing the identity, the authentication, the users.
Lior:01:10:43
So I think the next step would be what will be, what will be, what authorized what authorization rights do you have on a specific applications? I don't think those are very strong use case. However, we are hearing that. And as Jim said, we are, we are moving forward. Actually, we are driven by use cases.
Lior:01:11:02
So CASB is a is a wide range of solution. Nobody really knows what is a full CASB. However, we are collect our customers' use cases and and followed by experience. So we are developing. We have it also in our road map.
Lior:01:11:17
So I don't think it will have, you know, full blown everything CASB included. However, yes, we will have, this kind of, of, of security capabilities, what you are authorized to see, which application. Also, inside the application itself, what are you authorized to perform or not authorized. So, yes, we are building those capabilities also. I think it's also mandatory, because eventually, all the data are designed in software, in application.
Lior:01:11:44
In order to get this applicate to get, to specific data, change the data, retrieve the sensitive data, things like that. And it goes inside this channel of of connecting to, the organization. So, yes, we have also those capabilities will be, as part of our product roadmap as the agent said.
Max:01:12:03
We kinda glossed over identity and I I I just wanna point this out here for for the sake of it. Colonial Pipeline, you know, we've got some great imagery of people with, you know, filling putting gasoline in the back of their trucks and tarps. Right? Because nobody can get gas out. And Colonial Pipeline was a, compromised VPN account as the source, for a employee that was no longer with the company for, I think, over a year.
Max:01:12:26
So it it it becomes this funny thing where we talk about identity. We we I've I've really focused on a lot of other features, but having strong identity connection between your Internet and remote access product back into your actual, like, source of truth being, you know, these accounts actually still exist and people work here and and should should be doing something on our platform in the first place, again, becomes one of these, like, such a basic thing where if it's just in place for a company, it eliminates so much stuff from potential threat factors that, like, you you know, it's it's it it really deserves to be its own product. Right? We don't we just kinda but we we you know, it's, like, naturally, you're like, oh, let's talk about secure access and z t and a and all these things can do with provisioning and everything else I wanna talk about. But, you know, it's it's it it really is really important.
Max:01:13:06
You know? Identity is a a a a big factor in all this. I promise both of you at the beginning of this that this would be 60 minutes. So in 60 to 80 minutes, and we're over 60 to 80 minutes, and I could keep going probably for more for hours to come. But, you know, that's just because I'm I'm gonna nerd out about this.
Max:01:13:21
I'm looking forward to getting on the platform and kicking the tires and, you know, putting it through the paces and everything else. I'm very excited also that you guys are coming to market or or shouldn't say come to market or in market with a low license count, you know, requirement for customers. I'm very much a everybody should have access to sophisticated security options in an easy to consume way. You know, it's frustrating that, you know, the the the small companies can't access a lot of the email security tools because they're not licensed properly. They're not running Google Enterprise.
Max:01:13:56
They're not running, you know, an e five, e five license for e 3, E5 license for Microsoft. And I'm really was really excited to, you know, to hear that, Jim, earlier and without, like, you know, harping that to the end of the world. I've got a lot of situations where I've seen companies have big problems, and they were under licensing thresholds that kept them out of different platforms with EDR vendors because they were just too small for it. And they need the sophistication. I need the capability for it, and they just couldn't get it because they just didn't meet the requirement, and it wasn't feasible for them.
Max:01:14:23
Thank you guys very much for doing that. Thank you both very much, for for joining me. I will I will say, you know, any last words, anything that you wanna leave with or that we didn't touch about, you know, now is now is probably a great time.
Jim:01:14:35
Oh, I appreciate the kind words and for having us. And, absolutely, we'd love to have you using the the solution too. Kick the tires. You know, hit hit it as hard as you as you can and like, get to know it. And, the as far as I will comment on kind of the license count and the, the low barrier to entry for for organizations that I I get excited about this because I feel like small organizations are are are in as, threatening a position as large enterprise, if not more so because they don't have access to a lot of the the security capabilities that a large enterprise does with the confidence of the teams that a large enterprise enterprise can employ.
Jim:01:15:13
It's felt good to be able to deliver a a solution to smaller organizations that I think are underserved from the, from the security, marketplace. And we have worked really hard. I think what sets us apart from other we've talked a lot about SASE in general, and, I'm I'm a sales guy, so I'll say, you know, where yeah. Where I find distinguished most in this space is that we, have worked hard to make it as intuitive to deploy and manage as possible, that it can be consumed easily by a small organization. So it's not just the lower barrier to license counts.
Jim:01:15:45
It's, hey, with with a a a more stripped down team with, with more limited competence and with less man hours to configure and and and keep it running and keep it secure. We've worked hard to make it attainable for for organizations of that size. So, appreciate you mentioning that, and, again, appreciate you having us. Excited to be working with you, and let me know if you ever want us to come back. This was fun.
Max:01:16:07
Larry, thank you, Weswell. It's been a pleasure. I've had a lot of fun with us.
