Transcript
Mike: Hi, Mike Matchett with Small World Big Data. We are here talking security today. We are looking at the external threats that you might have, particularly on your web applications. We all know about firewalls, but we're going to learn something today about web application firewall technologies and how to really look at and get a handle on all the new external threats that you might have on your vulnerability attacks. Attackable surface, we might say. We've got CyCognito here today. Just hold on a second, we'll dive right into it. So, hi, Amit, welcome to our show.

Amit: I'm glad to be here.

Mike: All right. So there's a lot of big words I just used to introduce this. We are talking about really a way to protect an insidiously growing vulnerability surface that a company has, right? I mean, this is really the heart of it. We think of normal firewalls, and we think of normal protections, and all the other 37 security tools we've already invested in are sufficient. But we're still missing something. What is that? Can you explain that a little bit to us?

Amit: Yeah. I think what happens, let's say, is two dimensions. One is we have so many tools, and on top of the tools, we have an expanding attack surface. However, what we do miss is the attacker's view. Because you can have a lot of vulnerabilities, you can have a lot of issues, but at the end of the day, attackers might not necessarily take the vulnerability path; maybe they have other ways to attack your attack surface. So I think what we see now, and it's a growing need, is having that attacker's perspective, looking at your attack surface and looking for those points, those insertion points, in your fortress, in your firewalls, in your equipment, to actually get into the organization.

Mike: So that sounds a little bit like penetration testing, or pen testing. How does this compare to that?

Amit: It is very similar. At the end of the day, what we are doing is some kind of pen testing, but we are doing it in a more continuous way. I mean, you have the attack surface and you have the pen tests themselves. Pen testing is actually scoping some area and then trying to pen test it, to penetrate it. But what we are doing is actually taking your entire attack surface and performing active testing across your entire attack surface, which is a much broader and deeper activity, and it actually allows us to pinpoint or discover more vulnerabilities, more penetration points, rather than just focusing on one area.

Mike: Right. And we're sort of redefining vulnerability here to not just mean the known vulns or so, but ways in which somebody externally could, you know, exfiltrate data or hijack data, or do things that might not be considered a regular kind of vulnerability that other tools are really looking for, right? They're looking for how do I get in? And we're looking for, like, how can you be corrupted, or how can you be hijacked, or how can you be taken advantage of? Right. Or how can your reputation be damaged? There's some other things here going on.

Amit: Yeah. I think one of the things that we see today is the unknown unknowns. So the fluctuation of your attack surface is now so high that in some cases you don't know that these assets belong to you, because someone in marketing decided that he wants to deploy or launch a new campaign. So they build a new application, use vibe coding, and here they are with a new asset, which is connected to the internal customer database of the organization. So customers are actually fighting with these unknown unknowns. And this is, I think, the big challenge that they are facing.

Mike: Are you saying vibe coding might lead to additional vulnerabilities there? Right. I mean, you can see that now.

Amit: Vibe coding, leave the vulnerabilities aside, but vibe coding first. There is a challenge to secure it. This is one; this is not our domain. But at the end of the day, you are giving an AI the power of creating code, but without any monitoring or without any inspection. You don't know what it includes.

Mike: Yeah, I like your example where somebody in marketing might make a new campaign page or registration page or something like that and think, this is harmless, and I just open it up and put it as a subdomain somewhere on the website. But really, that can open up instantly a number of problems in IT. And the security people have no idea that that page even exists. It might only be there for three weeks and then it goes away. They might not have even seen it was there, but data could have leaked and gotten out in the time frame. So our timing cycle is also getting smaller for how we have to find these problems. In some cases, one day or one hour might be enough to do the damage. All right. When I think of this, though, CyCognito is helping automate this idea of scanning the vulnerability surface, doing landscape mapping and reporting this. Where does that information go, and how does that link up with what a company might already be doing in the security space? And there are other tools, and there are SIEM tools and their cloud tools. If you're on the outside looking in, how do you work with what's happening with the rest of their security environment?

Amit: I think from its beginning, security is an ecosystem. So all tools should talk to each other. So what CyCognito is doing is creating a holistic exposure management while integrating with others, whether it's internal asset management, whether it's cloud vendors. We are also integrating in ways to monitor the cloud and actually expose things that they don't see, mainly because a CSPM is actually working based on APIs. It's actually not APIs, but it's integrated with the cloud accounts and takes all the data. But what if you have an account that is unregistered in the CSPM? That creates some kind of a blind spot. So this is where, for instance, we're helping to close this visibility gap. So this is one type of integration. The other type is actually creating automated workflows. So at the end of the day, once we find something, we identify the owner, and we want to deliver this finding to the owner. So you need integration with ticketing systems, you need integration with SIEMs, with SOARs. You want to create all this flow, so that once you identify and send this, you create that automation so that this remediation is being taken care of in the most efficient and quickest way.

Mike: And I'd just like to understand a little bit: if you are creating a lot of tickets, or adding more to somebody's SIEM, some people could be like, wait, we already have too much. We already don't know how to prioritize what we're doing. Are you able to help somebody really understand what they should look at first, or is this adding more fuel, throwing more wood on their fire, so to speak?

Amit: I think one of the main advantages that we bring is the element of validation and the active testing. So the normal way that vulnerability tools, or other tools, are working is: this is the software, these are the vulnerabilities, and it's kind of a CVSS, or they are being prioritized by some kind of severity. They are adding some kind of context, whether it's production or a user, but we are actually adding more on the exploitability side, and what the probability is that it will actually create damage. So we are adding the business context, the exploitability context, we are adding on top of that, which actually helps to reduce the noise rather than create more alerts.

Mike: All right. So really boil that down: helping someone prioritize what they should try to remediate first. And that can be a big thing in a large company with an unknown-size attack surface. I still have a question, though. When I think about discovery, are you just really going back through and scanning? Like, what are you looking at? Traffic that's happened? How are you really doing discovery there?

Amit: So when we're talking discovery, everybody is going back to Nmap or Nessus, I mean, network scanning. I think what we are doing is much more than that. We are doing seedless discovery. We need only your domain, your company domain, and we will actually get all your other organizations, brands, subsidiaries. We will continue from there and actually discover all your, so to say, digital assets, whether they are applications, whether they are physical. We will take it from there. And it's more of a discovery process than scanning per se. Because again, scanning is when you have a defined area and you are actually going backward and forward. We are actually going over almost the entire internet, a much broader set of assets, to find your assets. And of course, since it's such a broad discovery, we're also providing the evidence. So it's not only that we found something which belongs to you; you need to know also why it belongs to you.

Mike: All right. Just sort of thinking about this: how long would this take to get going, if someone said, hey, we need to add this to our portfolio?

Amit: The deployment is very quick. I think it's a matter of between days to weeks, again depending on the organization, depending on what we want to do. But it should be very quick and not with a lot of effort. Again, because everything is being done on our side, and it's very external. So it's not something that needs to be permitted and running.

Mike: Yeah, getting credentials and keys to run inside.

Amit: Exactly.

Mike: Which is very cool. Okay. And then if someone wants to maybe take a deeper look at this. I mean, everyone has an attack surface, or attackable surface, right? Is there some way they should think about getting started? Should they start at your website, in the first place?

Amit: The first place should be our website, which is cycognito.com, and over there they can push the button and actually ask us for a demo. And we will gladly contact them and have the conversation, see what they're looking for, and gladly we'll perform, whether it's a demo or something which is more personalized to their needs.

Mike: Right. So you can actually do a discovery and show people some things wrong in a limited way.

Amit: Exactly.

Mike: So this is an easy way to kick the tires, so to speak, on this and find out if you actually do have attack surface that you're not tracking at the moment. And I think you did a survey on that. So, just as a final question, what kind of coverage do most people have today on their attack surface?

Amit: It depends. It depends on the level of maturity, because I think with many organizations, you'll see that they might be scanning 10% of the attack surface once a year, mainly because they are doing the, let's say, traditional pen testing because they are required for regulation or compliance stuff. But we can see more and more organizations, which are our customers, doing much more than that on much shorter cadences. I mean, whether it's going to be 100%, which is being done weekly or daily, so you can actually have it more condensed and more efficient, rather than doing it one time and then waiting while gaps are being created in your security, while securing your attack surface.

Mike: All right. Thank you so much for being here.

Amit: Thank you.

Mike: And folks, you know, we talked about vibe coding. I don't think we said AI once on it, but I'll say it here at the end. Bad guys are using it. The good guys are using it. Your attack surfaces are growing, and things are just getting faster and faster, both the bad guys and the good guys. Now, CyCognito can help speed that up. So check it out. And thanks for being here. And stay tuned.