Reimagining Cyber - real world perspectives on cybersecurity
Explore the critical intersection of cybersecurity and business impact while gaining insights into CISO priorities with "Reimagining Cyber." Stay informed on the latest cybersecurity news, trends, and solutions tailored for today's CISOs and CIOs. Episodes cover a range of topics, including the role of AI in cyber security, technology, preventive measures to stop cyber attacks, response strategies for cyber attack victims, cybersecurity challenges in healthcare, the future landscape of cyber security, computer security essentials, managing cybersecurity budgets, and the implications of SEC rulings.
Engage with industry experts and CISOs who share their perspectives on what matters most in the cybersecurity landscape. Hosted by Rob Aragao a seasoned security strategist with CyberRes, this podcast is your go-to resource for staying updated on cybersecurity developments and addressing common challenges in the rapidly evolving digital landscape.
Reimagining Cyber - real world perspectives on cybersecurity
Martin Roesch’s Insights: Multi-Cloud Network Security - Ep 105
Follow or subscribe to the show on your preferred podcast platform.
Share the show with others in the cybersecurity world.
Get in touch via reimaginingcyber@gmail.com
[00:00:00] Stan Wisseman: Welcome to another episode of Reimagining Cyber. This is Stan Wissman with my co host, Rob Arago. And Rob, we've occasionally, each of us been a bit remote when we recorded episodes, but this time you've gone a little bit further south than normal. Where are you right now?
[00:00:16] Rob Aragao: Well, today's theme, my name is actually Roberto Aragão, which is Rob Aragão in Portuguese, or Robert Aragão in Portuguese.
[00:00:22] We can talk about, uh, cybersecuridad, if we'd like, because I am down in Brazil, and so, therefore, the Portuguese in me comes out. And, um, yeah, it's all about cybersecurity all over the world. As we know, we've talked to many different guests. We need to get someone down here, actually.
[00:00:38] Stan Wisseman: While you're there, you can, you can go in and flesh out, you know, you can try to find out who the cybersecurity experts are.
[00:00:44] Rob Aragao: That's what I'm gonna do. I'm going to go recruit and see what we can do and pull someone in. Absolutely.
[00:00:48] Stan Wisseman: Yeah.
[00:00:49] Rob Aragao: Now onto this episode, Stan, who is going to
[00:00:51] Stan Wisseman: join us today? Well, Rob, today we're joined by Martin Resch. Martin is a renowned cybersecurity expert and entrepreneur with over 25 years of experience.
[00:01:02] He's currently the CEO of Netography, who is leading the charge on innovative network observability and security solutions. Martin is also the creator of Snort. The widely used open source intrusion detection and prevention system. I don't know if you remember Rob, but I certainly recall the opportunity of leveraging snort and solutions in the past.
[00:01:23] He also founded SourceFire, which as we both know, was pivotal in the whole dancing of IDPS. Martin, it's great to have you on the podcast. Um, your, your contributions certainly have, you know, made you a visionary and thought leader in cybersecurity. And, uh, is there anything else you'd like to add? for our listeners about your extensive background.
[00:01:42] Martin Roesch: Um, that was, uh, that was pretty, pretty good. I guess, uh, you know, I, I served, uh, for six years as the chief architect for the, uh, security business group at Cisco after Sourcefire got acquired. But yeah, I think you, you hit the highlights, uh, for the most part, but, uh, you know, great to be here. Thanks for having me.
[00:01:59] Um, appreciate the opportunity to speak with you guys.
[00:02:03] Stan Wisseman: Well, you, you, you got your start in, in, in network security and you're still focusing on and trying to improve it. And I want to, you know, basically start with that whole question about, um, visibility into what's going on in the network, you know, so what's, if you look at the role and importance of network security and invisibility and what's going on in the network, how do you think it's evolved over the years, especially in the context of some of the emergent technologies we've seen and increasing cyber threats?
[00:02:30] Martin Roesch: Yeah, well, you know, so, uh, obviously kind of the network observability thing has been my, uh, my jam for most of my career and, um, It's pretty interesting how it kind of, how it has evolved and waxes and wanes to some degree, you know. So, back in the old days with, uh, Snort and Sourcefire and things like that, we're essentially writing packet.
[00:02:52] Um, inspection systems, DPAC inspection systems and putting them on the network. And, you know, one of the funny things. So when I first started writing Snort, um, I was just writing it for my own needs to keep track of what's going on in my home network. And then I released it as open source and it kind of snowballed from there.
[00:03:08] But as it snowballed, and as I started Sourcefire and got things, uh, going at Sourcefire, I became, like, increasingly aware, so I thought, um, you know, I'm a self taught security guy, right, so back in the 90s, if you want to learn cyber security, you taught yourself. So I always felt like I was way behind the curve on, like, knowledge and, like, just Oh,
[00:03:29] Stan Wisseman: interesting.
[00:03:30] Martin Roesch: Uphill battle to, like, understand how things worked and I always felt like there was this, you know, this pantheon of Titans out there of people who just knew, uh, you know, what was going on. I expected everybody just knew like what their networks were doing and what was on them and all this other stuff.
[00:03:45] And as Sourcefire got going, we started interfacing with more and more customers. I became kind of, uh, horrified
[00:03:52] Stan Wisseman: realizing that the, the, the emperor had no clothes on that.
[00:03:55] Martin Roesch: Nobody knew what was going on. Yeah, that's right. No one did. Nobody knew on the network or what I was doing. I was like, Holy crap, this is, this is bad.
[00:04:02] Um, so yeah, we built tools to do that. And you know, Snort was obviously a part of it. And we had some other technologies we built there that do like passive network mapping, looking at the packets and things like that, but you fast forward 25 years and it's like, We still have the same problem. Like now, now it's to some degree worst because you've got these, you know, these hybrid multi cloud enterprises now that are like, we're in AWS, we're in Azure and we still got stuff on prime.
[00:04:28] And, you know, and when you ask the question of what have you got, what's doing, they're like, I have no idea. I can't even tell you what's happening on the network I take care of. There are these other networks out there that I have no remit over and no ability to see into. And even if I did like the technologies that are out there for doing it, um, you know, sniffer based technologies, deep packet inspection.
[00:04:48] Barely exists. The cloud doesn't want you looking at packets. You can do eBPF where you've got to do, um, agents everywhere, or you can do, you know, kind of some sort of, Um, you know, cloud appliance that nobody wants because it's like, you know, it's the, it's the old architecture kind of poured into the cloud.
[00:05:03] And, and then in the on prem world, you know, you have this, this problem of, as we deployed all this DPI infrastructure, you ended up with, you know, just inspecting the, the ingress, egress, aka the north south environment, not paying attention to what was going on inside the networks at all. So. The problems were kind of solved approximately, you know, whatever, call it 15, 20 years ago.
[00:05:27] And then as networks have dispersed to these multi cloud plus hybrid enterprise models and the traffic has become more and more encrypted and things like that. Um, it's, uh, become ever more problematic to, you know, just fundamentally understand what you got and what it's doing. So. You know, and that, that's, that's kind of the whole premise of why I'm working again.
[00:05:46] Right. Sourcefire was a big success. Why the heck would I want to get back in the, in the saddle? Right.
[00:05:52] Rob Aragao: Let's kind of delve into a little bit more because you just touched upon it. So Deepak inspection, it is essence at this point, I'm facing that challenge of, you know, network encryption being kind of, you know, a way of not making it that easy any longer.
[00:06:05] Right. You've alluded to some other approaches, but what would you say is. The one or a couple that you're seeing be more effective at this point in time.
[00:06:12] Martin Roesch: Well, you know, I think people are, um, so, so, you know, to encapsulate the and crystallize the problems of deep packet inspection, because of the dispersed nature of networks today, and because the cloud really doesn't want you looking at packets, we're into a problem now where deep packet inspection kind of has this narrowing set of use cases because.
[00:06:33] Getting the sensors in the right place to look at traffic is hard. And even if you do, you've got this, this ramping total cost of ownership, right? TCR required to actually like inspect the packets. Cause you got to break decryption somehow or get yourself into a topological place where traffic isn't encrypted, which is, uh, Basically becoming impossible.
[00:06:51] So, um, if you are going to attack the problem in this world, you need to really rethink what you're doing and kind of what's important to people. And, you know, to some degree, um, you know, when I, when I started developing 25 years ago, I didn't really ask people what they needed. I built what I thought was right.
[00:07:11] And then people kind of said, Ooh, I like this. Could you add that? Or could you change that? And stuff like that. So, um, you know, I'm kind of, of the, you know, if people ask me what, or if I'd asked people what they wanted, it was a faster horse, uh, you know, Henry Ford quote, kind of guy. Um, so you have to have opinions and you have to like form them and then, you know, kind of bring them forth and then start iterating on them and riffing on them as you expose them to the people that are out there.
[00:07:35] So, um, yeah, so to me, as I started looking at and actually quite a long time ago, over a decade ago. What was going to happen to DPI based solutions? Uh, if all these trends of encryption and dispersion, uh, and the ephemeral nature of things in the, in the cloud, let's not forget that, uh, continued, how are you going to do this?
[00:07:54] And, you know, the approaches that made sense to me, um, especially at the network layer was essentially, you're going to have to start operating off of a metadata and you're going to have to start taking the information about what's happening in the environment, not trying to inspect the, uh, the, the things as they were happening on the wire, because.
[00:08:12] If you want to a metadata approach, you can start leveraging all the infrastructure that's there that all these multi cloud plus hybrid environments are built on, um, which means you're gonna have a very different deployment modality, but you're also going to have the ability to start seeing again at scale across everything without having to have these kind of, um, You know, it's Byzantine slash bespoke sensor architectures that are only inspecting very small segments of the environment for very specific things.
[00:08:40] You know, your ability to really have observability changes when you go to this kind of model where you're letting the environment tell you about itself. Kind of like we did 20 years ago, but you're using very different data types to make it happen.
[00:08:53] Stan Wisseman: We'll dive into the metadata aspect in a second, Martin.
[00:08:55] But if you, if you look at what the service providers. The CSPs are providing a lot of them are providing log analysis kind of services, right? Or access to the logs. Um, and you know, again, not being able to necessarily do DPI anymore in these cloud environments, especially multi cloud, right? But, um, long analysis being an alternative service they're offering.
[00:09:18] Um, do you do you see that as less effective or, you know, perhaps not getting you that real time perspective? On what's going on?
[00:09:27] Martin Roesch: Yeah, well, you know, it's always been a triad, right? The network, the logs and the host slash endpoint, right? Um, and as we move to the cloud, and this is, you know, kind of a quip I had to my friends, um, probably 10, 15 years ago, as things were starting to evolve this way.
[00:09:42] I started to look at, you know, oh, they're encrypting all the traffic and oh, they're moving to the cloud and the cloud doesn't want you sniffing and stuff like that and I said, boy, these trends that are happening right now, if you can believe this is the way the security is going, then you better love endpoint defense and log analysis because that's basically all you have unless you come up with a new network.
[00:10:00] And look what happened. Yeah, right. Um, so do I think it's enough? Well, It's good, but it's not great. I mean, you're, you're essentially, especially in the, in the case of compromise, you're depending on the reporting system, you know, on self reporting from the system that's been compromised in many cases say, Hey, I got hacked and of course the attackers know this and you know, they're going to do to make sure that doesn't happen.
[00:10:23] So you've got that problem and you've got, you know, it's somewhat mitigated by, uh, you know, running workloads on VPCs and things like that, where you have the ability to kind of be outside the machine, but But you're still, in many cases, all this data gets shipped off to a data lake, and you're operating on very different timescales than we've been able to operate on at network speeds when we're looking at things in real time and near real time when we're talking, um, you know, uh, In the case of the old technologies, microseconds, you know, seeing things as they happen to maybe a couple of minutes and typically in these data lake models, you've got dashboarding and reporting and you really don't have a whole lot else.
[00:10:56] So you've got things kind of grinding away in the background. It could take hours to get a notification that hey, something fishy is going on. You might want to look into that. So, um, Yeah, I think, you know, a lot of money has been spent on app security. A lot of money has been spent on building these massive data lake environments in the cloud and stuff like that.
[00:11:13] But, um, to date, nobody's really come up with, uh, an architecture that's appropriate for working across these networks that we have today and providing that third leg of the triad that we've, uh, that we've had really for all of security history up until very recently.
[00:11:29] Rob Aragao: You see, you kind of talked about this as well a little earlier.
[00:11:31] I want to delve into it a bit deeper, which is the metadata aspects of it and leveraging that, um, you know, to, to, to help really kind of get more of an understanding because when you, I mean, listen, when I look at it, the metadata is going to give you, you kind of just said it to you, right? It's going to say, Hey, something's happening here, right?
[00:11:49] There's been a compromise. But like, where does it get into the depth of understanding of what's really occurring one and two? How does it help kind of shape the response strategies, the changes that need to happen in essence, the response strategies going forward? Like, what perspective do you see? In the metadata aspects playing a role to make things that much better, if you will.
[00:12:07] Martin Roesch: Yeah, well, it's interesting. So to some degree, um, you know, the first step to getting better is just admitting you've got a problem, right? We've all heard that before. Uh, and I think one of the things that we as an industry maybe need to have some introspection about, let's just put it that way. And I'm one of the people who's responsible for the state of things.
[00:12:30] Things as they are today, I will admit that, um, is that 25 years of threat detection has given us 25 years of largely vast piles of false positives that, you know, you play massive amounts of people in process and technology, AKA money,
[00:12:47] Stan Wisseman: it can, it can be noisy, right? It can be noisy. Yeah.
[00:12:50] Martin Roesch: To figuring out kind of what's going on.
[00:12:52] And at the end of the day, uh, I get an indication that essentially, Oh, I've got a compromise here. I need to kick off my IRA playbook. So when you go to a metadata approach, what you're not going to be doing is detecting the threats the way that we have before, so you're not going to say, oh, I just saw a log4j attack.
[00:13:07] Now, you kind of have to ask the question, okay, if I knew that it was a log4j attack, would it change my response? Um, if I had other mechanisms telling me that, hey, this thing is, you know, all of a sudden changing its behaviors, it's doing things that it hasn't done before, it's, you know, turned into a port scanner or whatever, you know, this printer just started scanning the network, things like that.
[00:13:26] Um, you know, if the answer is probably not really right, because I go from vast pile of events, Through this people process technology pipeline to here's an incident that gets me to kick off my IR playbook. So part of the thesis here is why do I have to do all that the time delta between when i'm going to Have an initial determination that something's up and when i'm actually going to do something about it.
[00:13:48] It's typically measured in, you know, at least hours Um, so my detection timeline like horizon threshold The the microsecond that it happens or you know a minute later for most organizations You Isn't going to have a massive amount of impact, and we can do so many more interesting things when we start looking at detecting the compromises instead of just saying, I just saw 10, 000 threats.
[00:14:13] Here they are. Have a nice day because now I can start asking answering questions like, okay, like, why, why did Marty's laptop ship 20 gigs of data to a vending machine in the break room? That's something we really need to dig into here. And you're never going to do that with a threat based system because that's threat based systems aren't going to be set up in a way that allows you to even ask that question.
[00:14:33] Hey, am I seeing anybody doing anomalous, uh, transfers of data between, you know, uh, management network and, you know, operate anything that's, you know, not these, uh, functional areas of the, uh, environment? You can ask that question when you start doing metadata based analysis, when you can start building Business logic based rules in addition to kind of intrinsic technical logic based rules.
[00:14:54] Uh, so it really kind of changes the game of, um, how you can do things. And I think that's very important, especially in today's networks that are so dispersed because you just can't get that kind of coverage. DPI based systems or even agent based systems. Um, just because of the nature of, uh, both of them.
[00:15:10] Stan Wisseman: And in fact, you've written about some of this complexity, especially in again, this hybrid or multi cloud environment. And that volume of, of attack data could be overwhelming to a SOC. And again, not being able to act, uh, effectively or any differently than if you just knew there was a compromise on a particular asset within an environment.
[00:15:31] Right. And so can you speak to the, challenge of, uh, again, needing to have that coherent kind of perspective across cloud environments to be able to apply security effectively and then also be able to respond effectively to those and perhaps that many data. Uh, approach is part of that answer.
[00:15:53] Martin Roesch: Yeah. So one of the problems that, um, we're having kind of industry wide, I would say, um, is that the security for the different kind of, uh, functional areas of our environments is very siloed.
[00:16:07] So this is, should not surprise anybody that I'm saying this, right? So in the on prem IT world, I've got one set of solutions. In the AWS world, I've got a different set of solutions and yet another one in the Azure world. And, you know, I'll probably have a different technology in the OT environment as well.
[00:16:23] So, you know, this way lies madness. Obviously, we're just going to, um, staff all of these tools, maybe with the same people, maybe not. Everybody's got to be trained up on all these disparate technologies. Um, they've got to get their data back to someplace where they can kind of share what they're seeing that has to be interpreted and turned into analysis and response and so on and so forth.
[00:16:42] Um, And it's very complicated, right? So, you know, the old tropes, right? Complexity is the enemy of security. If I'm trying to accomplish the same, if I'm trying to deliver the same capabilities across all these environments, why would I want to do that with different tools? Um, if I had one thing that could do it all, and you know, the answer obviously, and this is self serving, uh, I know, uh, is that there are ways you can do that, but you need to rethink how you're attacking the problem, and that's, that's essentially, um, what I've been doing for the last several years, uh, in my, uh, my day job, and, uh, it's, uh, You know, that's what notography was built around.
[00:17:21] It was this whole idea. Hey, there's, there's a different architecture for doing this in this world, and you can actually build a unified experience and things like that. And I think it's impactful because all of those different pieces add friction. To the, to the problem space. Right? So if I've got a cloud ops team and I've got a security ops team and I've got an OT ops team, let's just call it.
[00:17:40] Uh, and they're all different teams that are all trained on different tools. Like that is so much friction you're adding. And anytime something goes off the rails, like, you know, the IT guys see something fishy in the OT environment, but the OT guys didn't pick it up. Now you've got, you know, this kind of built in systemic friction.
[00:17:54] Oh, what do you mean? We didn't see it. We paid real close attention.
[00:17:57] Rob Aragao: One of the other things that'd be interesting to kind of get your perspective on is looking at. You know, these complexities in essence that we've been discussing around these multi cloud environments and again, that evolution of, you know, a customer of ours, for example, may have started working with Azure Martin, and they kind of say, okay, you know, there's these other things that we need to accomplish.
[00:18:16] And we think that our costs are capabilities for that particular use case or city use cases or better to go back to maybe an AWS or G. C. P. You pick it. And so they get this hodgepodge now of, you know, cloud service providers that they're having to work with. Um, It becomes difficult for incident response is another example that and especially when you think about kind of this lateral movement, you know, opportunities, the attackers now have going across the different cloud environments.
[00:18:41] I guess. Do you have any thoughts and maybe best practices that you could share with the audience on on how to help deal with that?
[00:18:47] Martin Roesch: Yeah. Well, I think, you know, Yeah. Interestingly enough, I think, and this is, um, you know, this is the product of a lot of thinking about it, but also, you know, we're trying to do something about it in autography.
[00:18:59] I think lateral motion has become one of the most interesting and underserved problems in security right now. Um, and the reason that I say that is if you look at most of the defenses that are out there, Um, they're either not in real time, or they're not looking at the right things, or, you know, they're only looking at north south traffic, or, uh, they're only looking at the workload level of what's going on, and so on and so forth.
[00:19:20] So that seeing lateral motion, especially cross cloud lateral motion, is virtually impossible. Especially in kind of relevant timescales. If you're doing an incident response, you can dig through all the data and unsynthesize where, you know, Oh, I saw this at GCP and then I saw this at AWS. Oh, those are the same thing.
[00:19:38] That's problematic. That whole motion of trying to do that, there's, you know, it's hugely complicated and there's high friction between getting, you know, making that determination because once again, the tools aren't just aren't there. And this is, you know, this is one of the things that I think is really.
[00:19:54] Been interesting about this, this kind of journey that I've been on is that, you know, we've been building out the cloud for, you know, call it 15 plus years. And there's great AppSec tools. There's great, you know, uh, CSPM and there's, you know, the native tools and stuff like that, that are okay. They're the basic job done and things like that.
[00:20:14] But we've got, you know, all the AppSec stuff. We've got the CNAPs and the CDP, all the C's, CDP, C, WPP, um, but nothing looking at the, at the network layer. And because of that. You have really low ability to kind of into it. Uh, or simply answer questions. Has there been little motion between point A and point B, both in the multi cloud world as well as in the on prem world?
[00:20:38] And I think it's really fascinating because. In the Zero Trust environments that we're trying to build now, Zero Trust is kind of like the fundamental assumption that most people have. Zero Trust is all about containing the blast radius, right? So they can break in, but they can't get out because the identity and access management system won't grant them access to get to anything else.
[00:20:57] The attackers know this. It's the first thing they go after when they get into a place.
[00:21:01] Stan Wisseman: And that whole escalation of privilege is part of the game plan, right?
[00:21:05] Martin Roesch: Exactly. That's the absolute first thing they're going to do. And when they break containment, what have you got that can see it? If you're not instrumenting the east west environment in the network, the lateral motion environment in the network, your, your barriers to entry to, to observe this activity goes very high, very quickly.
[00:21:22] And the other problem with doing it, this is why we DPI days. Is because if you're doing a packet based, it's impossible to scale.
[00:21:30] Stan Wisseman: Well, especially with appliances, right? I mean, if you had the appliance model that you had back then,
[00:21:34] Martin Roesch: you know, or really any sensor infrastructure. So, you know, a little inside baseball, we have, you know, a large organization who's looking at instrumenting their entire east west environment, um, with us.
[00:21:45] And they have tens of thousands of switches. Across and this is their own prime environments, not cloud tens of thousands of switches, right? Tens of thousands of points of monitoring. If you really want to see the East West traffic cross switch traffic, that's where you've got to be. And there's like, nobody has that.
[00:22:02] There's not that much money on the planet to do that unless you do an approach where you're leveraging metadata.
[00:22:07] Stan Wisseman: So one of the things that's happened in the last month is, you know, we've had a major breach associated with a cloud service provider, Snowflake. Right. And, and granted, the, the, you know, the avenue of attack was through a, an account that was, you know, um, perhaps they had poor identity governance in this context, but it wasn't necessarily a weakness per se in the Snowflake controls, but they were able to escalate and able to take advantage of, um, and get access to a lot of information.
[00:22:36] Do you think that the network level detection capabilities you're talking about would have helped in that instant response? They wouldn't have hurt. I mean, again, part of that is trying to figure out that lateral movement, right?
[00:22:52] Martin Roesch: Yeah. Visibility and observability are kind of, you know, they're, they're a bit of a journey on the one hand, but on the other hand, if you've got the infrastructure there, it's very simple to ask and answer the question of, Hey, this happens.
[00:23:05] What do we see surrounding that? What's happened at a network level? And if you didn't have the infrastructure there in the first place to, to collect that information and be able to. Provide the insights and things like that. Then you're just, uh, you know, you're kind of back to looking at log file.
[00:23:20] Stan Wisseman: The corollary I think of is on the software side as a, again, you know, in the context of S bombs, right?
[00:23:26] You're, you're, you're trying to get visibility is what software is running in your environment. So if you have a log for J. And you want to know what other apps are exposed because using this particular library, then you can actually respond to it more effectively, you know, so at each layer, you certainly need to have that, uh, visibility into what's going on to be able to react more effectively.
[00:23:46] Martin Roesch: Yeah, absolutely. And it's, it's extremely. Uh, important. If you don't have it, you're effectively in many cases just flying blind, right? You're just depending on app logs and system logs and things like that. So you've got to be able to kind of put the pieces together and follow the breadcrumbs as opposed to, Hey, man, this thing got compromised.
[00:24:03] Show me everything is it's talked to in the last, you know, the last two weeks. And being able to get that footprint and then start chasing down. Okay. What does it usually talk to? Cause you're not asking, answer that question. And then, okay. One of these things is not like the other, which one is it? And then kind of start digging from there and the tools that you need to do that, especially if you want to be able to do, you know, really high speed instant response and I shouldn't, I shouldn't, uh, Make fun of data lakes, because they do provide a lot of value.
[00:24:35] But like, especially if you're looking at a network level, this is one of the things that we've done very specifically is not build a data lake, but build a data store that's set up specifically for the data types that we're dealing with. So instead of, you know, asking a question to the back end and getting an answer back in, you know, hours plus, Um, you know, you get an answer back in, you know, a few seconds.
[00:24:54] Um, and that allows you to start pivoting through the data, right? It's not, you know, we're operating on human brain time scales where, oh, okay, I saw that, click, pivot, click, pivot, click, pivot, and, you know, build a picture, or you have the analytics tools to show, uh, graphically represent what's going on and show it, not just in terms of this box talked to that box, but show it, like, geographically, like, oh, man, that box was in, Um, you know, that box was in Peru.
[00:25:19] We don't have any assets in Peru. What's going on here?
[00:25:21] Rob Aragao: So here's a question I ask every now and then at the end of an episode, Martin, I think I know the answer that you're going to get, but I'm going to ask it. Look into that crystal ball. And as you do, and we think about multi cloud security that we've been talking about and the problems and challenges that there are out there.
[00:25:40] What do you believe the key emerging threats are going to be out there? Uh, and technologies really support those identification of those threats. We'll center around what's the anchor point. What's where it is. You know, that take us at this point in time going further to be very specific against the multi cloud kind of environment aspects we've been discussing.
[00:25:59] Martin Roesch: Yeah. Well, you know, I think to some degree, um, you know, this whole concept of identity as a perimeter or as the perimeter has has kind of, uh, Yeah. gotten its exposure to the actual battlefield and been shown to be kind of like, it's nice theory, but doesn't actually work in application the way that we hoped it would.
[00:26:20] Um, I think there's really interesting work going on in data security right now, uh, actually. Um, and I think that will be helpful, uh, for sure. Um, but I, I think that especially in these multi cloud environments, Having, uh, unified tool sets that can, uh, operate kind of equivalently across all the different cloud environments or as equivalently as possible is going to be very, very important because, you know, you're going to use different cloud environments for different things.
[00:26:47] Maybe you run your apps at, uh, AWS and you're doing your enterprise stuff and, uh,
[00:26:53] Stan Wisseman: it depends on the use case, right? I mean, it depends on what's what's optimal.
[00:26:57] Martin Roesch: Like almost every enterprise is going multi cloud and you know, you'd be a fool not to, right? You want to have some leverage against your AWS
[00:27:03] Rob Aragao: bill, right?
[00:27:04] Martin Roesch: Um, so that being the case, like removing friction from the system, it's really kind of fascinating because, you know, we talk about frictionless. Platforms and, you know, frictionless software and all these other things. And it's important, right? And we talk about ourselves, our stuff's frictionless. We have nothing, no agents, no hardware.
[00:27:20] Great. Cool. Um, but removing friction from security, like especially in multi cloud environments, being able to like actively remove friction between your operational elements of your organization, as well as remove friction between the deployability. And the scaling, uh, and, you know, being able to, um, ask and answer questions from the systems that you deploy and things like that, it's going to become critically important because the scale, the scale of these networks is increasing so rapidly, you know, whether they're multi cloud or multi cloud hybrid with, you know, plus on prem, um, the scale of these networks is growing so rapidly.
[00:27:59] And the, the, you know, your kind of quote unquote location, your, your footprint in, uh, On the Internet is so fungible now that you have to have low friction architectures for security that can follow the problem, follow the enterprise, follow where the capabilities are needed when they're needed. Because if you don't have something like that, if you have old school sensor architectures where I got to roll out this, you know, this appliance image in this cloud.
[00:28:25] To get my, you know, do my compliance checkbox and stuff like that. I mean, that is like, it's super 20th century thinking. You've got to be able to move at the speed of the cloud. You've got to be able to move at the speed of the, um, of the customers. And the only way to do that is to be as frictionless as possible.
[00:28:42] Not just the deployability of the system, but reducing friction across kind of the, the operational domains that the system provides its capability and utility within. So I think that's really going to be where you're going to see the. The biggest and probably most interesting opportunities is companies that can deliver unified multi cloud capabilities, um, that scale to any size, uh, and that are as frictionless as possible.
[00:29:07] And that's, you know, that's obviously what we're doing from our vantage point of rebuilding the third leg of the triad of, you know, network security, essentially, uh, for the multi cloud world.
[00:29:18] Rob Aragao: Well, Martin, appreciate you coming on and kind of shining that light on something. Honestly, in some case, I think people aren't really paying attention to any longer the network piece and the reasons why it's important, but also the approaches that one should be considering and taking to help solve for that problem.
[00:29:32] So we really appreciate it. Great to have you on. Look forward to maybe talking to you again in the future.
[00:29:37] Martin Roesch: Excellent. Thanks for having me, guys. I really appreciate it.