Snake Oilers 11 part 1: MongoDB's new encryption plus AlphaSOC and SecureStack

Automatic transcript

Hi everyone and welcome to this special Snake Oilers edition of the Risky Business podcast. My name's Patrick Gray. Snake Oilers is a wholly sponsored podcast we do here at Risky Biz where vendors come onto the show to pitch their wonderful, wonderful, magical snake oil to you, the listeners. And yeah, we basically do this with six vendors twice a year and we split each edition into two parts, so you'll hear from three vendors today and from three vendors next week or the week after, something like that.

So in today's podcast we'll be hearing from MongoDB, a very interesting one that, actually, AlphaSOC and SecureStack. AlphaSOC make a network traffic analytics engine, I guess, but they do some other more sophisticated stuff these days. You'll hear all about that. SecureStack make cloud security tools for developers, managing resources, cloud resources, for developers.

But yeah, we're gonna kick things off with our interview with Kenn White from MongoDB, and MongoDB has released a new encryption feature. A bunch of you compliance-heavy folk out there, you're gonna find it really interesting and valuable. I imagine just some generally security-conscious people among you will find this interesting as well. So basically what they've done is they've built tools to allow you to encrypt sensitive fields in your databases. So if, you know, God forbid, someone were to access your database somehow, they wouldn't be able to just dump the whole thing and get access to sensitive information. And sure, if someone can pop shell on your, like, you know, if this is hooked up to a web application, if someone pops your web server, yeah, they're still going to be able to access that information, but then you're in a position to actually introduce some extra controls like query limits for certain things. So it's a step forward, it's a meaningful step forward. So Kenn White, he worked on this feature. He joined me to talk about it and he started off by explaining why you don't want to encrypt every single field in a database.
Here he is explaining why. Enjoy.

It's not intended to encrypt everything, because there's some things where you need the database to do a better job. If you said, give me every, I dunno, sale that happened within five kilometers of this coffee shop, the database would have to have the geolocation in clear text and it would have to have the clear text of everything around it within five kilometers. Geolocation's one of the tricky ones where it's really hard to do encrypted search in any meaningful way. So what this allows you to do is say just those fields that are sensitive. And you can, you can just tag every single field in the entire database and say these are all encrypted, but typically what people would do is, you know, customer number, record number, you know, invoice number, things like that.

Customer names, date of birth, anything PII, right? I mean, you can still have your fenced database there but just encrypt the right.

And this is a hard conversation, but the thing about PII is it's the link to who you are. If I said HIV positive, HIV status negative, pregnant, positive, those are useless data unless they're tied to an actual person; otherwise they're just sort of free-floating data. If I said bank balance twenty-seven million, three hundred seventy-five thousand, that in and of itself isn't really personally identifying data. It's only when it's linked to something else. So there may be scenarios where you wouldn't encrypt financial values. You wouldn't, probably in most of the cases you would, but there's sometimes where you need clear text to do certain kinds of sorts or filters or, like, less than, greater than, that sort of stuff. In the case of this, right, like for banks, it's very common they use this thing called tokenization, which is...

Yeah, it's funny that you mentioned that, because as we've been talking about this I'm like, it kind of sounds like along the same lines as tokenization.

And we similar.
But if you've actually talked to anybody who's implemented it, you know, they need to go to a bar and start drinking because it's like, it's such a painfully horrible experience. I'd say I've date. I can't risk it. And with tokenization, well, now you've got sensitive data in two places: you've got the original and you've got this conversion thing that says your social security number, which is whatever the value is, here's the token. I'm going to send that token over here, but you just duplicated your sensitive data, right? Now you deal with this third thing. So tokenization, it has its applications and a lot of the banking world will use it. It's painful though. So if you can make some of those kind of security properties just kind of work for free, like the way that you develop normally, run queries, that's a huge win. And that is one of the nice benefits in this.

Well, yeah, so, I mean, it's been a hell of a journey, right? MongoDB has wound up in the headlines the same as S3 buckets, the same as Elasticsearch. And this is what I believe led to you launching the managed service, the Atlas service, where you take care of all of that, all of that busy work of making the TLS work and, you know, setting reasonable defaults and all of that sort of stuff. I guess this feature is just an extension of that same trajectory, right, of taking something that people were misusing and trying to make it better?

I think it's an intersection of things. I think there's none of that, but I think there's, certainly when there's some story about, you know, a big breach, if it's just a random person on the Internet who had an unsecured server, sometimes, yeah, we'll actually get a call from a customer, like a major Fortune 500, saying, should we be concerned about this MongoDB thing? We'll say no, that was just, you know, this was a configuration... by default, if you, right now, today and for the last like five or six years, if you install MongoDB out of the box, it's secure. It's not listening on the public interface. It's not accessible. The problem is if you kind of halfway go there, you open up all of the entire Internet to be able to come and go, and you don't, so you sort of change the default configuration halfway, that you don't set a password or you don't have a web service account or something like that, then yeah, that's a problem, but it will be a problem with anything. But the other kind of perfect storm that led to this was customers saying, like, this is hard. Some of our bank customers do sixty billion dollars a day in transactions in Mongo. They're like, we do not want to do... we don't wanna have teams of engineers whose only job is to do security patches and updates and OS updates and all this, you know, keep these clusters running worldwide. Yes, we do that, but it's painful. It's usually capital, capex expenses.

So you've got major, major, major enterprise in that cloud service?

I'd say half, more than half the Fortune 500 run Mongo. Gaming firms, I'm kind of hesitant because I'm not sure.

No, that's fine. You don't need to know they know who does it this way.

If you have a mobile phone in your pocket you're running MongoDB right now, unless it's like some, it's obscure, like, you know, one-off thing. Banking, healthcare, the biggest retail, pharmacies, insurance, gaming, like...

I got the obvious. Let me ask my next question, which is, this feature, the new encryption feature, was this requested by those type of customers or was this something that Mongo did of its own volition? It sounds like a feature request to me. It sounds like something that a few customers said, can you build this for us?

It was an answer to a problem and the problem was:
We're using your systems for line-of-business applications, for analytics. We like it. It's fast. It's great. Our compliance and risk people say we can't. It's not you personally, it's not that we don't trust you, but we just don't, we can't tolerate the risk profile of putting sensitive information at a third party, you or anyone else. So how could we kind of address that? And that's where we started. So this was a huge effort. I mean, this was one of the biggest engineering investments in the company. This was twenty-six engineers over two years, you know, on every major platform, so it's query, security, the core engineering, all these different language teams. I mean, it was massive.

I imagine this would come back a bit to compliance as well, right? So this, I know, we can't, in case some engineer at Amazon or whatever runs away with the disk.

Right, and some of... and so if anything, I've kind of learned to be very patient and understanding because some of the scenarios that people will contrive is like, it's probably pretty far-fetched, but you still have to kind of go down that path.

I had a great chat with Haroon Meer recently on the show where he gets asked often by his customers, like, if we have a canary on our network, can you hack us? And he's like, of course I can, but so can all your other providers, like, why are we having this conversation? But you have to be patient, right?

Right. I mean, what I would say is that, having looked in depth at the security engineering for the big three cloud providers, they are so head and shoulders above ninety-nine percent of the Fortune 500. I'm talking about companies that have spent billions of dollars on security. If you're a little guy it's really hard to keep up. I mean, it's just, you know, it's very hard to have the security maturity, the visibility, the... I mean, some of the stuff that they're doing...

With the big three, I suppose, I mean, they're doing custom-built TPMs.
They're custom making hardware to assure, you know, full supply chain security from boot all the way to the container side. I mean, they're doing all sorts of crazy stuff. Eventually, with your own, you could rent, like, FPGAs and, like, there is just, like, nutty stuff happening on the cloud side of things.

But look, let's go back to the encryption features here. How did you actually go about building this? Because, spoiler alert, I already know because we spoke about it before, but you implemented this as, like, it's totally inline, right? Like, why don't you walk the listeners through how this actually works?

Sure. So whether there's an existing application or you're building something new, you start with the language, right? You're writing your application in some language, and so whatever language it is, there's a driver that connects, you know, your program framework to the database. What we did is we moved all that encryption logic into the drivers so that they do a lot of the hard lifting. You don't have to understand all of the mechanics of the Amazon API for management. You don't have to understand all these different block modes of encryption. You don't have twenty-seven options of, like, you know, crypto settings and things. We wanted strong, you know, secure defaults, you know, kind of opinionated. And also, you know, we think we're pretty good at building distributed systems, but we're not, like, professional cryptography engineers, and so one of the things we did early on was, look, we're going to reach out to people who are experts at breaking databases, doing encrypted search, at, you know, understanding authenticated encryption, and have them come in and take a look at how we're thinking through the design as we build it up, you know, run some audits, you know, beat it up, and then once we actually have the shipped platforms, whether it's Java, C#
or whatever, really just beat the heck out of it and try to find any subtle vulnerability, because as you know, it's a tiny coding error away from just completely undermining an encrypted, you know, data store.

Really, coding errors can just make the whole thing come tumbling down.

So we were acutely aware of that and we don't make any claims that this is, you know, the be-all and end-all. We try to use boring, safe, conservative, like, well-established, you know, NIST-recognized encryption standards and things like this. But the engineering challenge is making this work on, you know, everything from an IBM mainframe to a brand new Windows server to, kind of, an ancient, you know, twelve, thirteen year old Red Hat server.

See, this is a smart business decision, because if you can pull that off you become the default, because developers are gonna like you, because they can take it with them between jobs, right?

Our number one goal was to make developers safer for these sensitive, confidential workloads. Just make it easy to use. 'Cause there's no shortage of technical options you can get right now, and there's, you know, thousands of encryption SDKs and plugins and, mind, but they're all a pain and in general you can't search the database. So we wanted to kind of make a lot of those things go, make it easy, built in, first-class citizen, and I think we've done a pretty good job. There's always room for improvement. And there's new technologies sort of always around the bend. Part of the problem though is when you work with, you know, enterprise and federal clients and, you know, big institutions, they're not interested in bleeding edge. They don't wanna see the latest, you know, visit five thousand crypto construction that just came out last week from some academic. They want something that's, like, well understood, well
recognized, well characterized, ready, boring, stable.

Alright, again, if people want more information on this, what do they Google? Is it just MongoDB encryption, or do you have a brand for it, like a name for the feature?

It's called client-side field-level encryption. The entire cryptographic framework is on GitHub, it's all Apache licensed. So, you know, the whole thing's out there to take a look, kick the tires. We've got real short hello worlds, just like ten lines of code to get up and going, you know, whether it's in Go or Python or Node or whatever. So yeah, we'd love to have people beat it up, try it out.

I think it was... all right. Well, I'm going to drop a link into the show notes for this podcast. Kenn White, it has been a real pleasure to chat to you about this. It's something different. I mean, often we're talking about enterprise detection, response and prevention gear. This is just an interesting concept and I wish you all the best with it.

Cheers, appreciate it, thank you.

That was Kenn White of MongoDB there talking about client-side field-level encryption. Big thanks to Kenn for that and big thanks to MongoDB for being a Snake Oiler. I have dropped a link into this week's show notes for those of you who are interested in finding out more about that. But yeah, I mean, even if you just Google for MongoDB client-side field-level encryption, you're gonna get the info you need. You're not gonna get a page, a website about banana distribution and logistics. I think you can find the right stuff.

Onto the next Snake Oiler of today's podcast now, and our next guest is someone a lot of Risky Business listeners would remember hearing on the show before. Chris McNab, he's the founder of AlphaSOC, used to be an incident response lead at NCC Group. I think he came in via the iSEC path. Basically, he realized a lot of the workflow he was doing on incident response gigs could be automated. So he turned that workflow into detection, basically. And so, I mean, really, this whole thing started with domain
analytics. So, simple tricks like when there's a box on your network connecting regularly to a two-week-old domain, beaconing to a two-week-old domain, you've probably got a problem there. I mean, basically, Chris has figured out how to pull all sorts of really high quality signaling out of DNS data. I mean, that's one thing, but like, as you're gonna hear, it's broadened out quite a bit these days. It's more of a fully-fledged network traffic analysis engine. It's been broadened out to cover IP analytics. That's something we've spoken to Chris about on the show before, but now it does TLS and HTTP processing, user agent processing, Kerberos processing and even some endpoint stuff. So yeah, Chris McNab, very, very smart guy, joined me to talk about what AlphaSOC has been up to more recently. And here's what he had to say.

So, yes, so years ago now we started just solving and tackling the DNS analytics problem, flagging beaconing behavior, young domains within suspicious TLDs and doing all kinds of other layered behavioral analytics with DNS. That problem has been solved as far as we're concerned for a number of years now, and since then we've just extended, as you say, beyond DNS. So now we process IP telemetry, HTTP telemetry, TLS telemetry. We've started now to correlate with DHCP, looking at Kerberos next, and we're just going to slowly but surely work our way through the whole protocol stack, eventually ending up with, maybe another year or two from now, endpoint telemetry, and then we can marry everything together and really help, you know, detection and response teams identify, you know, infected systems and compromises, incidents, with high fidelity and high utility. That's really the point of what we're trying to do.

So what does the output of your analysis engine actually look like, right? Because when it's DNS, okay, this is a bad domain, right? That's one thing. Well, this is a young domain.
Or there are indications that this domain is bad, and then that's an indication that you would then feed onwards, upwards into a SIEM. But, you know, you're broadening it out. Is it still the same idea? And this is where it gets really confusing, because you've got your collection agents like Zeek, right? Now you've got this analytics engine that you're making and then you've got your SIEM. You're not trying to replace the collection. You're not trying to replace the SIEM. You're trying to sit somewhere in the middle?

Yeah. And essentially, a good way of thinking of it is that we automate the work that a tier two, tier three SOC analyst would be doing. So the engine flags, like I said, things like beaconing to a young domain within a suspicious TLD, or maybe on the HTTP side it will flag a weird POST operation to its destination, maybe combined within the same few minutes with, like, an IP lookup or some other You sick notes. Storrow really what? What would a good thinking of? It is is what we're trying to do is what we doing is What's amazing that menu work?

The way that we do that, absolutely, we take the telemetry that's collected through Zeek, Suricata, Splunk, wherever you have the telemetry or data lake. We process the telemetry and then we kick that out in native JSON formats, but we can also use CEF. We can ship stuff over syslog into your SIEM, and essentially we're just generating high-fidelity alerts, such as, you know, oh, by the way, this machine is now beaconing to this wacky destination that has a positive VirusTotal score and a load of other interesting signals.

That's generally a thing you want to know about, I'll grant you that. You don't need machine learning to figure that one out, right?

Precisely. But a lot of the detection and response analytics tools on the market today, they're very dependent on threat feeds and indicator lists to provide any kind of context or generate alerts. So there we.
We just found out, or I've found, post, you know, doing incident response and forensics and SOC work now for years, I've just found that there are, you know, large blind spots and gaps with indicator lists and feeds, so you have to then apply this kind of behavioral layering, which actually is a tricky problem to solve, because lots of the SIEMs, a lot of the systems, if not all of them as far as I'm concerned, that are out there today, that customers and enterprises are using, are reliant on, you know, threat feeds and indicator lists, so they're brittle.

With with which is you. You might want to use this Mike so if someone wanted to just get going and trial this thing, they don't have a full SIEM set up, like, how would you actually go about just using the engine to give you an output, you know, some of these indicators, hopefully the bad boys? Where do you set this up?

Yeah, great, great question. So we have, from the bare bones perspective, we have an agent called NFR, which is Network Flight Recorder. That was a trademark that Check Point abandoned in two thousand five.

Did you pick up the NFR trademark? How'd you swing that?

Well, Check Point abandoned the trademark in two thousand five, so we...

So for people who haven't been in security way too long, Network Flight Recorder is the name of basically one of the first ever network IDSs. Was Marcus Ranum involved in that one? I think he was, wasn't he?

So Marcus then sold the business, I believe, to Check Point in nineteen ninety-nine and then they kind of rolled it into their product line, then, you know, end of life.

That's awesome. Okay, anyway, sorry, that was a tangent, but you have Network Flight Recorder now. This is your local collection agent, I'm guessing.

So from the start, for the listeners, github.com/alphasoc/nfr. It's open source, you pull it down. It runs, you know.
It's just an agent, a local agent as you say, that runs on Windows, Linux, Mac. NFR can then pick up data in a number of ways and ship it to us. So one of the ways that some users set it up is just as a sniffer, so it's using libpcap and just sniffing data locally, so it can run as a sensor. It can also run as an agent and pick up log files. So if you have, let's say, Zeek or Suricata output, like Zeek DNS log, conn log and kind of output like that, you can monitor those files with NFR and ship them to our API for scoring, and then the alerts will make their way back down through NFR down to file, or you can ship them over syslog, or you can ship them from NFR, as I said, in JSON or CEF format, and you can of course just look at the raw JSON and use it. We do then have, because we run the service as a cloud service for the majority of our customers and users, we do then have a web console. So almost like a synchronised, you ship that telemetry to us using NFR locally, you know, within your environment, set up and get that shipping that telemetry to the AlphaSOC Analytics Engine, and then we can set you up with a web console, UI element, so you can then interact with the material.

Maybe in twenty years when they let the trademark expire you can call it Backstory mostly.

So that's the way that you can do it kind of cheaply and chiefly. If you do have Splunk, our preferred option is to just drop our Splunk app into your environment and set that up, which is like a two, three minute exercise, which then does all of the above natively within Splunk. So that's kind of, probably seventy percent of our customers use that.

Splunk actually has this really vibrant marketplace that's full of apps whose sole goal is to make Splunk actually usable. talk doing this right. So, you know, all of these areas that you've expanded into, we're talking about TLS processing, user agent processing and, you know, you're looking at Kerberos events, I believe, queries coming up as well, bit of endpoint stuff. Like, what's yielding the most interesting results from your perspective when you start feeding stuff into your analytics engine?

DNS has always been great for us just because of the depth of processing that we have there, in that we've extended over, you know, six, seven years now. So if you take, let's say, beaconing to a young domain within a suspicious TLD that's unique to a customer environment, for a competing or a rival product to produce that result would require, like, a big refactor of that code and turning it on its head, because turning it upside down, because a lot of these other tools, in order to even flag young domains, they are dependent on newly observed domain feeds and material coming in in order to make those decisions. So DNS has always been great for us and provides the biggest bang for the buck. So if, of the telemetry types, you know, you have to pick one to go with, DNS for sure will give you the biggest bang.

This kind of reminds me of, you know, the whole concept of putting the rocks in the jar and the jar's full, but then you can put the smaller rocks into the jar and then, you know, smaller and smaller until you're down to sand and then dust. It sounds like what you're saying is the DNS analytics represent the big rocks.

And one of my favorite exercises, if you look at the Twitter account, AlphaSOC on Twitter, one of the things that I'm always doing is looking at live indicators and research that malware researchers are doing around TrickBot and TA505 and APT33 and these other groups, and in real time I'm then throwing all those indicators into the analytics stack to see whether the engine natively, out of the box, you know, on the fly, generates alerts and flags those campaigns, and consistently the system, just using hostnames and DNS telemetry,
the system is capable of flagging sophisticated threat groups, actors.

And this is the reason that we love having you back, Chris, because you've actually done something that works. It's not rocket science. It doesn't use machine learning, it doesn't have tigers in its marketing, but it actually works, and it's just based on the sort of workflow you do when you try, as a human operator, to figure out if a domain is good or bad, because it's not that hard, is it?

Exactly, and we have, one of the new classifiers we have in the stack is impostor detection, so we do have a bit of ML and measurements that we're doing.

But I'm guessing you catch the bulk of it with the simple stuff, right?

Absolutely, absolutely. But the impostor detection, for example, can flag trademarks and labels within a much larger string, so if an actor sets up, say, sharepoint-secure.com, the engine will then recognize that as a likely impostor, and then also, maybe it's a young domain, so it will be upgraded again. If it's maybe doing some beaconing or the pattern is weird or unique to a customer, it will then be upgraded further. So practically, Patrick, we get great results with the stuff that we have in place. Now that we have the TLS and the HTTP processing we can do a lot more interesting stuff with identifying outliers, you know, JA3 and ESA self-sufficient hashes that may be unique or we haven't seen before, or ubiquitous across all of the, you know, the environments that we're protecting.

Chris McNab, I'll drop some links into the show notes. Basically you can self-provision a key if you wanna get going with this and give it a go, and I would heartily recommend you do, because why wouldn't you? Very easy to set up, very easy to get going with AlphaSOC, and I've got to say I have never seen a vendor, or dealt with a vendor, that has as good documentation as you, Chris, and I know that you would have put a lot of work into that.
And it's all right there on the GitHub. Thank you so much for joining us on the show to update us on where you're at and we'll look forward to doing it again, probably next year.

Of course.

That was Chris McNab. Big thanks to him for that. You can check out AlphaSOC at alphasoc.com, spelled of course A-L-P-H-A-S-O-C dot com.

It's time for our final Snake Oilers segment for the day now, and we're talking to Paul McCarty of SecureStack. SecureStack is an Australia-based company. Twice a year the Australian information security industry body AustCyber nominates one of the companies it works with to participate in a Snake Oilers podcast, and yeah, this time they nominated SecureStack, and basically the idea behind SecureStack is to help developers spin up secure-by-default cloud resources and to give them the ability to manage all of those cloud resources as the developments and as the businesses scale. Paul McCarty joined me for this interview and started off by telling me who this is for, and SecureStack is apparently for developers, and yeah, he started off by telling me what it is developers are currently doing that they're trying to put a stop to. Here's what he had to say.

Traditionally developers are going and building something, a special snowflake, on the spot, that they need right then. It doesn't have any standardisation, doesn't have any repeatability. It's not like that last one they built. So first and foremost we give them the ability to build the same secure thing, that same secure unit, every single time, plus all the additional security benefits and scalability benefits we put on top of that.

Okay, so when you talk about building secure units, what does that look like? Is that doing some basic host hardening? Like, talk us through what you would do on an individual...

I think we have an idea in
SecureStack of an abstracted workload. We call it a cloud to the product and that includes a hardened operating system, either Linux or Windows hardened operating system. We then have an integration layer that applies security controls, agents, applications, user access to those instances. Then we've wrapped around that workload any cloud native security that you need to be included: security groups, IAM, so on and so forth. And that then abstracted workload you can deploy anywhere you want to.

So what are people typically using this for, right? What's the problem that they're solving with SecureStack?

Developers, their metric of success is how quickly they can deploy features, right? Their metric of success is not how scalable or secure the things that they're delivering are, right? And that's what I really wanted to address with SecureStack. I wanted to build a platform that said, hey listen, we can give you scale, we can give you security and we can give it to you in a very easy to consume way.

So, I mean, you talk about stopping sprawl, right? But, you know, what you've mostly told me now is that, you know, you can make these things reproducible and scalable, which tells me that you can spin up basically limitless instances of, like, how is that helping with sprawl?

Yeah, well, first and foremost, part of sprawl is the diff between the different, yeah. So sprawl is effectively how I manage all these instances across a disparate environment. Maybe if they're all at a one percent difference across thousands of instances, that's a lot. What we do first and foremost is we make sure that every single one of those instances looks the same, is repeatable, and you can then manage security and scalability across those the same, and that's an important thing, right? When they all look the same, they have our integration layer inside them, we can then apply security controls across all of them in the same manner.

So when you say your integration layer, what is it?
It's a combination of endpoint configuration management as well as some really, really deep API work that we've done with the cloud providers, and also, for that matter, VMware and OpenStack too as well.

So essentially what you're talking about is an agent that you can deploy on these workloads and use that agent to manage them through your console. Essentially that's the product there?

Well, we do have an agent but we can run agentless too as well. For example, like, some of our customers in the States bought us because they had large auto scaling environments, right? Deploying an agent in those environments isn't necessarily realistic, right? So what we did early on, we wanted to say we want to be able to apply our technology for those auto scaling environments just like we can for the other type environments, right? So we support an agent but we can run agentless as well.

And what, you know, what's the sort of stuff that you can do with an agent that you can't do agentless in your case? Because I imagine there would be some stuff, you know, you're just not going to be able to.

Yeah, it's the typical stuff. Volunteers monitoring a ps the usual kind of stuff. But for example, there's a bunch of things that we used to do using an agent that we no longer do, so as we move towards a more API-centric model at SecureStack, a lot of things we used to do with an agent we don't do anymore. So for example, user access, we actually now create that through our native API calls rather than using an agent.

Yeah, I mean, that makes sense to have a blend of the two, right? And I'm guessing that, yeah, what does the customer get? They're going to get some sort of control panel. I mean, you know, we're seeing these new businesses like yours pop up and it's basically cPanel for twenty twenty. Don't take that the wrong way, because we know it's not going to be as awful as cPanel, but I mean, that's essentially where companies like yours are sitting, isn't it? You're the panel.
Well, yeah, I mean, I can't speak to those kinds of things. We're a lot more than that. So we have integration into the cloud providers and the private cloud providers, like I said, via an OpenStack, but beyond that we have technology including a host based firewall, security groups that we can manage from the same policy built into our platform too as well. So there's a lot more than just cPanel and just about spinning up the resources. It's about having some sort of control and observability onto them as well. I know every time showed a customer. They've got sure they have sure. We addressed the greenfield but they also have thousands and thousands of brownfield address. And we need to be able to manage those. Who had it? How do you do that, right, when a customer calls you in and they've already got an environment that's quite big? I mean, what does it, what does it look like trying to get you into that environment? Do you just get provisioned with some fairly powerful access keys, and then, you know, your software goes in, herds all of these instances and analyze them somehow? I mean, how do you, how do you even stop? Yeah, no, that's actually not. How usually start a hell? We end up, so after we built trust with a customer, that's where we, you know, we end up. We start out by actually getting read-only access to AWS, for example made up. Yes, we use the security audit policy. And basically what we do is we're going to scan the instances and the AWS accounts involved and find security gaps. We identify security gaps in security gaps. Do you mean so. For example, if basically every web application or every application, essentially it's the components therein, right? So it's Diaz, it servers, it's IAM, it's all kinds of stuff, right? So the great thing about us having visibility at the cloud native layer as well as at the operating system endpoint layer is we can see all that stuff, right? So we can see, for example, hey, you know, firewall wide open on the endpoint.
But hey, the security group is blocking us. Let's now match the firewall on the endpoint to the security group. Or I'm way to somebody sticks stuck a bunch of asterisks in the IAM policy. Let's, let's address that. What is the real, what is the real requirements for this particular application, right? So that's one of the things, having that visibility at the cloud native layer, which base, which is very unique, right? Because most applications kind of concentrate on either endpoint management or cloud native, CSPM kind of stuff. We do both. Okay, that makes sense. And you know, where is this stuff proving popular? I mean, we spoke a little bit before we hit record, and you were telling me that this is popular in sort of scaling and medium-sized business. It is. We're finding a lot of success with scale-ups, in larger startups, organizations that are developer driven. Like, one of our customers for example has forty developers and zero ops, zero security people. Right, this common. This is common for startups, scale-ups. So for those organizations, that, that's a good thing. I'm not saying, I'm not saying, I'm not going to disagree with you. But that's the real. We have no obstacle. They have no security people, so they have, they have two or three developers that have taken over AWS account up and they're just trying to get by, right? So what we do is we give them this ability to embed security across the disparate number of services in AWS and inside of the compute environment really easily. Really really use me. Paul McCartney, thank you very much for joining us on Risky Business. Good chat what you're doing over there. It's accused at nor is made. Thanks for having me. That was Paul McCartney of SecureStack. Big thanks to him for that. You can check them out at secure stack dot com. There are links to everything we talked about in the show notes this podcast.
But yeah, that is it for part one of this edition of Snake Oilers. Back next week with a weekly news edition of the podcast. But until then, I've been Patrick Thankfully
