Transcript
Mike Matchett: Hi, Mike Matchett with Small World Big Data. I'm here today to talk about compliance and ensuring that your workloads are secure and compliant, no matter where they are. And when I say no matter where they are, that means running the same kinds of controls and governance on them that you might do whether they're in the data center or in the cloud or in different areas of your increasingly hybrid organization. We've got Runecast here today to talk about this. So just hold on. Hey, welcome, Markus. Welcome to our show.

Markus Strauss: Thanks, Mike. Thanks for having me. Good to be here.

Mike Matchett: So this is an interesting area. You know, it's increasingly popular and sometimes even mandatory for people to get a better grip on their workloads and really look at what's going on with them. But I don't know that I used all the right words when I introduced Runecast here. How would you describe what Runecast does for people?

Markus Strauss: It's very, very good. Yeah, actually you did use the right words, right? And really, you know, one of our key points is secure workloads anywhere, right? And, you know, that includes the compliance aspect. Right. So if you were to look at some of the material from us, really the bottom line is to make sure that no matter where within that ever-increasing complexity you are with your workloads, you have the same controls and the same measures, and you have a trusted partner that's with you on that journey and allows you to continuously be compliant and continuously be able to monitor your attack surface and your vulnerabilities and things of that nature.

Mike Matchett: All right. This is going to get a little bit more technical in a second. But first I just want to find out what drew you into this part of it. How did you get involved in looking at, you know, the umbrella of workloads and trying to bring them all into line?
Markus Strauss: I might be dating myself a little bit, but my initial stab into the world of, back then it was just called infosec, was during the very late 90s, early 2000s, working for America Online of all places at the time. And, you know, that built the foundation for me being interested in all things cybersecurity and all things protection. Right. And that, you know, started from endpoints and went into regulatory compliance. I've spent some time around financial risk management and things like that. And yeah, finally ended up in the compliance and workload protection space. Right.

Mike Matchett: So is this a security solution, or a compliance solution for governance, or an operations management solution? Where does Runecast fit in those areas?

Markus Strauss: I would answer yes. Okay, okay. And that's simply because I don't think everyday life is built in these silos. While organizationally we like to think of these as silos and as different places and different teams, in reality, though, on an everyday basis that's very often the same team, right? It's very often the same team that's running the infrastructure, whether that's VMware or AWS, Google Cloud or, you know, containerized workloads, that will have to do the keeping it up and running and keeping the lights on, as well as making sure that, you know, any vulnerability is detected early on and there's some form of remediation in place, all the way through ensuring that, you know, any sort of regulatory compliance is adhered to, and providing reporting and things like that back to senior management. So we fit in all of these categories just simply because that's generally the same team, and it's generally the same people who need to take care of all of these aspects of any given infrastructure. Right.

Mike Matchett: All right. Let me explore that a little bit more, since it seems a little fuzzy yet to me. Let's take VMware for an example.
Can you give me some practical examples of what you're going to do in a VMware environment for an organization?

Markus Strauss: Absolutely. Yeah. Um, it starts from just basically deploying into a VMware infrastructure and looking for potential problems from a troubleshooting perspective. So that's operational resiliency, if you will. Right. So the understanding of where potential problem spots are, right, and being proactive about it rather than waiting until the problem becomes a problem, right, and potentially leads to outages or could spell more disaster, you know, in the future in terms of potentially granting access to things that, you know, nobody should have access to; all the way to running VMware security checks in your environment to make sure that, you know, everything is configured securely, all the way to best practices and best practice guidelines. And that extends into vulnerability assessment of the VMs that are actually running, plus any sort of regulatory compliance checks. Let's assume you need to be NIST compliant or you need to be PCI compliant, things like that. That obviously extends to your VMware estate as well. And all of this is in one place, right? So going back to what I said earlier on, it's generally the same team. It's the same set of people who need to deal with all of these different problem sets. And within Runecast, it's one platform. It's one place, right? It's one place you can look. It's one place where you find all of the answers, and it's one place where you get a good idea of, you know, how well you are tracking within your infrastructure, both from a problem perspective, so again, operational resiliency, but also from a risk perspective. So, you know, it's all in one place, right.

Mike Matchett: So when we say all, are we talking about, you know, a couple hundred rules here or what? And how does someone manage that?

Markus Strauss: It's a few more than a couple of hundred.
We're currently standing somewhere around 35,000 automated checks that organizations can use from us. Right. And the automated bit, I think, is the really important part. Right. It's very easy to say, oh yeah, here are 10,000 things that you should check and do, infrastructure team. Good luck. Um, of course that's not the aim, right? The aim for us has always been to automate these to the largest degree possible, so that the respective organization can basically rely on an automated process to check all of these things and provide the data and results back, so that you can really focus your time on remediating the problems rather than searching for the problems. Right. Because searching for problems is not a very productive use of your time, right? You really want to spend that valuable time on remediating and preventing things from happening in the future, right.

Mike Matchett: All right. So, you know, I've seen a couple pictures of the interface. It looks like you put a lot of work into making, you know, management of this simple and easy to consume. But what's behind that? Are you doing some clever things, I assume, to help people prioritize, for example, and get right to where they need to be getting?

Markus Strauss: Yeah, absolutely. I mean, I think of course there is some secret sauce, right, in that sense. But I think first and foremost, what Runecast has always stood for is it's built by admins, for admins, right? And yes, that sounds like a very nice little tagline, but it's the truth, in terms of we always try to understand what the everyday workload is going to look like and try to provide ways to prioritize work. Right? So as an example, on the vulnerability side, we don't just surface the fact that there is a vulnerability, that's, you know, pretty straightforward, but we provide additional metadata for the teams to then prioritize, for example the score, of course.
But then we also include the Known Exploited Vulnerabilities catalog to allow you to see whether that particular CVE has already been successfully used in the wild for a data breach. We're also providing additional info around whether there is an exploit kit available for that particular CVE, again giving you additional metadata to understand which one of these CVEs needs to be addressed now and which one of these CVEs might have time until tomorrow or next week, or whatever the timeframe may be, depending on the risk appetite of the organization. And how we do this is some patented technology, of course, in the backend, but generally speaking, we call it Runecast Knowledge Automation. And it's basically a way to automatically ingest what we call human-readable knowledge, so texts of any sort, whether that's a security standard, a compliance standard or data, take that, and translate that through large language models and natural language processing into machine-readable rules, so the things that Runecast as a product can go out in your environment and actually check against. So taking that rather vague way of looking at the data, like something that's written, and translating that into machine-readable rules that Runecast can then use to check against. And that's our backend. And, you know, we've got a patent on the rules engine, things like that. But that's basically what enables us and our customers to make use of that and be able to automatically check all of these things. Right.

Mike Matchett: All right. So is this something someone would do once a year, once a quarter, to scan their environment? Or are you doing something more dynamic here, and how are you doing that? Is it lightweight or heavyweight?

Markus Strauss: It's lightweight in the sense that the deployment and, you know, the initial setting up, we're talking 20 minutes, half an hour maybe. Right.
The frequency depends a little bit on the organization's risk appetite. Right. So of course the recommendation is you should scan depending on the category of your asset. Right. So if it's category A assets, or highly important assets, you should definitely scan at least daily, if not hourly. Right. Um, but customers generally set it up whatever way their internal auditing works. But the main goal, particularly from a compliance perspective, and that includes the vulnerability side of things as well, is continuous compliance, right. Because you don't want to be compliant just the six weeks around the time when the auditor shows up. You want to be compliant every day of the year. And that's historically always been very challenging because generally it requires quite a lot of manual tasks and manual finding of information. And with us you can automate that entirely, and it allows you to be compliant every day of the week. Right.

Mike Matchett: So you're giving some reporting and scoring for someone to actually manage where they're at on a continuous basis, instead of just throwing darts at it once a year and saying, I think we're here, right?

Markus Strauss: Correct. And we provide customers with the ability to have very granular historical views as well. So at any given time, organizations can compare their performance today in terms of vulnerability assessment or compliance assessment with their performance six months ago or a year ago. Right. And this also really helps internally to build trust with the executive leadership team, for example, to really showcase that the teams are working towards one shared goal. And that's of course, you know, the adherence to any sort of regulatory framework or, you know, the eradication of any sort of vulnerabilities around workloads and things like that, but it gives you that ability to granularly go back in history and really compare that performance over time. Right.
How did you address these problems, and how can you prove back to the board? And I'm kind of looking at CISOs here. Right. How can you prove back to the board that, you know, you've implemented all of these steps and that you're actually starting to see improvement?

Mike Matchett: Right. Right. I mean, I think a lot of people sort of stumble at that point and be like, well, you know, we've got this estimate. But, you know, here's now maybe a dashboard you can use every day and say, like, here's how we're improving. And, like you said, help prioritize, you know, what we should be doing every day to improve that score or improve that game. You know, we talked about VMware. I know Runecast started in that sort of world. But you've expanded outwards in the last dozen years or half dozen years. What's sort of the landscape that you cover today?

Markus Strauss: Yeah, and of course, it's pretty well known that we started within the VMware space, and that's still largely where most of our customers, at least partially, are. But as you said, we've expanded out, and we always try to be where our customers are. Right. So currently, when we look at what sort of tech stack Runecast supports, it's of course VMware. It's Google Cloud, it's Azure. We do Windows and Linux operating systems for the server workloads. We do any sort of Kubernetes flavor, basically, whether that's Tanzu or ECS and, you know, all of the hyperscaler Kubernetes workloads. So we really try to provide customers with the ability to, let's say, take one approach to vulnerability assessment or take one approach to regulatory compliance and apply that through one process, one tool, one set of reporting across all of the different workloads that a modern, you know, organization today has. Right, because the times are gone, you know, when we're all just sitting around the proverbial data center in the basement.
Workloads tend to be in various different shapes and forms, some more ephemeral than others. But there's still the core requirement of having to provide vulnerability assessment and having to provide a way to ensure regulatory compliance. That stayed the same, and it will stay the same. Right? So Runecast provides that, you know, ability to do that across that entire tech stack through one platform, right?

Mike Matchett: So tell me about the platform just real quick. I mean, we're kind of running down here. Is this something people install on premises, or do they get it as a SaaS service? And I mean, are you running agents or not? I mean, how does this thing really go out and do its assessment?

Markus Strauss: And again, the perfect answer is again yes, because there are multiple different deployment options. Right. One being a very straightforward virtual appliance, right, that's downloaded and gets deployed in VMware on premises. No problem. Very quickly done. I've mentioned 15, 20 minutes or so. It can run completely air-gapped, doesn't require any internet connectivity. And that's one way. The other way is a containerized deployment through Helm, which again can be deployed on premises. No problem. We have AWS and Azure images, so an AMI to deploy it in the cloud. We also have a SaaS offering. So if customers do prefer to go down the route of a SaaS offering, we have a SaaS offering that allows you to choose the region that you would like to deploy in, for data sovereignty reasons and the like. And again, it allows you to deploy where you need it, right. In terms of agents, we have both. Right. So if you look at, let's say, all of the orchestration layer, for example, so that's VMware directly or GCP, things like that, we've always been agentless. All of this has always been done via API endpoints and SDKs and integrations and things like that. The operating system itself,
so the server operating system, the Linux box or the Windows box, we've traditionally required an agent to be installed. Pretty common. Unfortunately, in the industry it's just very difficult to get that information. We've now recently started to release early access for an agentless version of that, particularly also on premises. There's been quite a lot of push in the industry to do that, mostly in the SaaS space. To my knowledge, there's very little success so far with vendors trying to do that on premises because of the technical difficulties. And, you know, I'm really proud of the team to be able to say, yeah, we've replicated that on premises, and we're literally just now releasing the first early access version of doing vulnerability assessment and compliance assessment without the need of an agent within an on-premises deployment.

Mike Matchett: So further reducing the footprint, probably increasing the security and not having to violate the privileges. Absolutely. Yeah. Yeah. That's great. So I mean, there's probably a lot more things we could dive into. You know, at some point maybe we could do a demonstration for the folks about, you know, just what you're doing here, because I think the workflow looks interesting. But for this, if someone wants to learn a little bit more about Runecast and say, you know what, we could probably use that to get a handle on our environment and help prioritize what we should be doing in terms of security and compliance and governance and all those other things, where should they start? What would be your first recommendation for that?

Markus Strauss: The best way to do that is, first of all, of course, go to runecast.com. And then really the next two things that I would encourage everyone to do who is interested in looking at this is, one, check out the online demo.
It's available to the public, so everyone can log in to the online demo and can really look at it and, you know, get an initial feel for what Runecast provides and the data it shows. And the other is to sign up for a free trial, right. We provide free trial licenses. That's no problem. That then takes it to the next level, and you can deploy it in your own environment and really kind of kick the tires and get an idea of what it can do for you as an organization. The online demo is a great initial look at it, but of course, that's, you know, staged in some shape or form, whereas the free trial is obviously in your environment. And I would absolutely, highly encourage anyone who thinks this could be helpful, go and get a free trial, right?

Mike Matchett: I mean, get an assessment, see how many thousands of things it can cover and what priorities it puts on things and what scores it gives you. I mean, that's a great way to just even get a self-audit on it. So that's a great offer, Markus. And, you know, I think there's a lot going on in this space, right? Compliance regs and everything. You guys are staying on top of it and updating this regularly. It really looks great. I think there's going to be a good couple of years for Runecast, and I hope people take a look. So thank you for being here.

Markus Strauss: Thank you for having me. It was great talking to you.

Mike Matchett: All right, guys, check it out. Get your own security and compliance check done for free. Go ahead. Take it, I dare you. Let me know how it goes. Take care, guys. Bye.