Transcript
You might be asking yourself, what the heck is that? It is a cyber risk quantification engine or platform. Now before I jump into exactly the specifics on that, you might be thinking, well, Zscaler, you're a proxy, how can you possibly play in this game? Let me outline it for you. So let's have a little conversation about where your users, your applications all exist. So maybe you have some platform as a service, infrastructure as a service over here, a little S on there, and it's your usual suspects, the AWS of the world, GCP and Azure. It could be more than that, but we'll leave it right there. And you have applications that live over here, we'll call them applications one, two, and three, but also this is really where your enterprise data could exist. And that's kind of paramount when looking at risk. Shifting gears, you also are adopting SaaS-based applications as well. And those are your usual suspects, great partners, M365 of the world, Salesforce.com, and ServiceNow. But at the end of the day, again, this is where your enterprise data could exist. Where else should your data be? Well, that's kind of simple over here at the data center. Now whether you have one data center, two data centers, trying to get out of the data center game, not that big of a deal. And at the data center, you're going to have applications that live over here as well. Applications I don't know, X, Y, and Z, but critically here, this is where your data is. I mean, you have to think holistically when evaluating risk, how do you kind of segment that? Where's one location in which your data probably shouldn't go? That's the obvious one. It'd be the internet. Maybe your employees are going out to AOL, checking their email. Maybe going out to nefarious websites like briandeach.com. And we have to think about where your user's at, where your workload's at, and that's kind of simple. You probably have some branch offices, warehouse, factories, clinics, all that good stuff.
So we'll come over here and say we got a branch. But we also have users over here. Maybe you're doing some type of fancy segmentation. Maybe you have some OT networks, IoT as well, guest Wi-Fi. Then, of course, your users aren't always at the branch or a known location. They can be kind of working from anywhere. And that's at home, Starbucks, and abroad. And, of course, we can't forget about the last little piece of the puzzle, and that's the third parties that are coming in, partners, contractors that you might have in your environment. So we'll just come over here and say third party. And really what Risk 360 is about is trying to reduce the pressure on your teams, right? Better board reporting, streamlined compliance, and ultimately just reducing risk. And so Zscaler is the glue that kind of puts that all together. So we'll come over here, draw the Zscaler cloud. And we'll just refer to that as the Zero Trust Exchange, kind of keep a high level. And the narrative is simple. And the reason why we can help quantify risk is that all roads kind of point to Zscaler. For your users that are off the network, their traffic's coming through the Zscaler Zero Trust Exchange. Maybe you're doing some Zero Trust SD-WAN over here at your branch near factories. And, again, that traffic's coming over here. The underlying narrative when going out to the internet or SaaS is to allow the good, block the bad, and stop the stupid. And then for your internal applications, we don't do silly things like VPN, right? We do an inside-out connection here. We have our little connectors that reach outbound to the Zero Trust Exchange. Have that application adjacency to your enterprise applications and your data. Same thing over here. And, of course, we're not going to forget about the third parties that are in here. They, too, are going to go through the Zero Trust Exchange. So as we look at this, one thing becomes abundantly clear.
If I'm kind of like that default gateway, I become a very strategic point of control. And then I also become a very strategic point of visibility. And the biggest reason there is that not only do I see all of your flows, your users, your contractors, your remote locations, and your data centers, but I also am doing the TLS inspection to give these more visibility. Now, if we think about the other risk players and how they do it, right? They just kind of have like a third-party thing, and they're just doing outside-in. They're scanning your perimeter. They're doing domain-based analysis. And the kind of the buck stops right there. And then you have to kind of integrate other products and other feeds in there to get a better view. And so Zscaler looks at this a little bit different because we are sitting in line. When we do this, we're able to produce what we call an organization risk score. And it's based off these four pillars. One is your external attack surface. Two, the ability to evaluate compromise. So that's like looking at your policy. Are you doing SSL inspection? Are you scanning for botnets? Are you blocking malware? In addition to that, we're looking for lateral propagation, which means can your users talk to every single application? Or is it kind of narrowed down to just the applications they need to be able to talk to? And last but not least, what kind of data protection are you doing? Now, we're going to take this scoring. We're going to evaluate it over time. So looking at this risk score trend, you can see exactly where you're at for the last six months, last couple of months. Obviously, you want this score to be trending down. And what's nice about this is you can compare yourself against the industry peer average score as well. And if you're like me, you're probably hyper-competitive, and you want to make sure that you're below that curve and you're looking better.
However, even though Zscaler does a ton of stuff in line, we also do things out of band. And let's kind of denote that here as a dotted line, which means I can come over here into both SaaS, Platform-as-a-Service, Private Cloud, Infrastructure-as-a-Service, and do API-based scans here as well and get us increased visibility. Now, we're going to take this information. We're going to pull data from external decoys. We're doing our external scans. We're looking at top-level domains. We're looking at subdomains. We're taking the IP addresses of the host. We're doing a reverse DNS on that. We're looking at your ASNs. We're looking for CVEs and evaluating TLS versioning as well. Now, the way that we evaluate this is we're looking at factors. There are about 100 granular factors that map to these four stages. Everything that we do, it's a factor-based model. Each factor has its own data pipeline, heuristic, and weighted score, all backed by real data. This is your data, not some fake stuff that's out there. Since we are in line and inspecting all things, not only do we see the threats, we block them, we can look at the internal segmentation and find out who has access to what. Leveraging out-of-band SSPM, we can see stuff like failed logins, bulk uploads, bulk downloads, into your SaaS-based applications like M365, Salesforce.com. We have the ability to weed out the anonymous behavior, score it, and assign risk. Now, once we have assigned risk, we have the ability to map this to a financial risk. We look at these things, and we tie it over here. One of my favorite things about this platform is I'm not trying to boil the ocean. As you can see, if your financial exposure is $10.35 million, it would probably be great to get rid of all of that. With our platform, we're looking at this particular scenario. We can reduce that by $4.1 million. Right now, I'm picking on some stuff like VPN usage, posture profiles, DLP, and risky cloud applications.
Now we have the ability to showcase what we're finding and give you some reporting, whether it's an SEC disclosure, cybersecurity maturity assessment, attack surface reports. These are things you can hand off to your team so that way they can take action on it. Most importantly, we have CISO board-level slides ready to take to the board and have great conversations. What does that really mean? You can track stuff over time, and you can present this to the board saying, Hey, our risk score is a 27. We want to get that down to a one. 100 would be terrible. Our average against our peers is a 51, so we're doing pretty well. Then it goes into the scoring. What's nice about this is it shows it trending over time. As you're having those meetings with the board, it makes it easier to present this. You're not mucking around in our UI trying to find this information. Again, this is real data. This is your data, not some fabricated stuff. Now we're going to take this because that's great, but our score has gone down. What does that really mean? We take that information, and we put this into our top findings. If our score is a 27, and we're trying to get it down as low as possible, what are the top things we should put our time, focus, and energy into? Right here would be an external attack surface. We have a VPN. Maybe it's time to retire that VPN. Compromise, lateral propagation, and data loss. Let's find those risky applications. Let's minimize that. Again, that's one thing to look at, but let's prioritize it a little bit more. Now we're going to take this, the four stages that we look at, the top five factors, and the financial exposure. If you do this, if you get rid of that external attack surface, that VPN there, you should be able to prevent a lot of that lateral propagation. If you can drive down that risk, you drive down that financial exposure as well.
Ultimately, what you're left with is the strategic point of visibility that helps you quantify that cyber risk that's out there, figure out where in this equation you need to focus your time and effort, and more importantly, the cost savings that are associated with it. With all that said, that's my time. That is Risk 360. My name is Brian Peach. Do me a favor, subscribe if you haven't already, like this video, and leave a comment. Thank you for your time.