Snake Oilers 9 part 1: The best Snake Oilers edition we've ever run

Automatic TRANSCRIPT

Hi everyone, and welcome to this, the best edition of the Snake Oilers podcast series we have ever done here at Risky Biz HQ. My name is Patrick Gray, and over the next forty-five minutes you're going to hear about three different technology companies offering various products. At least one of the three is going to be very useful to you in your organisation; which one, of course, depends on the job that you do and the organisation that you work in. This isn't the regular weekly Risky Business news podcast; this is the series where we talk tech with vendors. The obvious disclaimer applies here: everyone you hear on Snake Oilers is paid to be here. But believe me when I say this is actually the best collection of tech we've ever had in one of these Snake Oilers podcasts, or at least the most useful tech. We'll be hearing from Cmd, a new company that makes software for Linux that lets you lock down account actions. Not permissions, actions. Do all the default and service accounts that you have to run on your Linux fleet terrify you? Well, this is a solution for that. And there's a visibility component too; a lot of people who are dealing with Linux fleet issues are gonna love Cmd. Then we'll be hearing from AlphaSOC. When we last spoke to them they were just doing domain-based analytics for companies, but they've expanded their tech and now offer IP-based and HTTP request-based analytics as well. You can deploy them as a Splunk app, or hook into the API any other way you want. They are offering free trials, but even when you're paying for the service it's actually pretty affordable. The brains behind AlphaSOC is Chris McNab, who used to run incident response at iSEC Partners, then later NCC Group. He's seen how the planes crash into the mountains, folks, and he has created a product that performs eminently sensible analysis in near real time on your traffic metadata to alert you to badness. Don't miss that one.
And then finally we'll be hearing from Nucleus. This is a new company, and if your job is managing vulnerabilities and vuln scanning, then straight up, just skip right now to the Nucleus interview. They have created a web app, and essentially what it does is normalise vulnerability scanning information. It'll take outputs from Snyk, Rapid7, Checkmarx, Netsparker, OpenVAS, Twistlock, Fortify, Burp Suite, Nessus, Acunetix and others. It ingests all of that information, normalises it into a single pane of glass (God, I nearly choked saying that), and then you can plumb those alerts through to the right people through a multitude of different ticketing systems. You can Jira it, you can Slack it, whatever you want. So, you know, straight up, if you're a vuln manager and you're stuck in the seventh layer of SharePoint or spreadsheet vulnerability management hell, this is a solution to your problems. You will weep salty tears of relief and joy when you hear Scott Kuffer later on telling us all about Nucleus, and there are free trials available of that one as well. But first up we are going to hear from Jake King over at Cmd. I've gotten to know Jake a little over the last few years. He's a listener of the podcast, he's also an Australian who's based in Canada, and he is the co-founder of a company called Cmd. Cmd is a Linux security tool that is designed to better secure Linux fleets. In essence, what the tool does is twofold: first up it provides excellent visibility into account actions. What accounts are doing what? What are your accounts doing? And then it gives you the power to actually restrict what accounts can do; it can even restrict root. Right now, as a lot of people running cloud-based infrastructure already know, sometimes you're kind of lumped with some high-privilege accounts that you can't just nuke off your boxes, but with this you can lock those accounts down, and as you'll hear, lots of customers are finding novel ways to apply this tech.
Jake's got a really good example in here around firewall rule changes. Cmd has just taken in fifteen million dollars from Google Ventures, and it is my personal belief that they are on the fast track to somewhere. So here's Cmd co-founder Jake King. We started to look at some of the problems associated with authentication and authorisation on Linux systems and decided to take a bit of a different approach, saying: how could we lock down workloads in cloud and in data centres? We focused on real problems when it came to securing Linux, in that a lot of the controls that are out there today were a little bit limiting. We built an agent, which is deployed in a pretty lightweight sense, and focused on the ability to make that easy to control and easy to understand for security teams and operations teams. Fundamentally the technology's been built in a pretty short stint; we've come to market pretty recently, announcing some great funding news as well. So you built an agent with the purpose of securing Linux. But like, what does that mean? What does your agent do, and what are the specific problems that you're trying to solve? Yeah. We started to take a look at how people were defending Linux systems, and a lot of the time it came down to implementing access controls to the host itself, so authorisation was a bit of a second bullet. We like to think of authentication as being where a lot of companies stop when it comes to endpoint access to the fleets they have in cloud. And when we started to take a bit of a deeper look at the problems that were being faced by security teams, a lot of the time it came down to attribution of people's activity, or controlling very sensitive actions on systems, and it always boiled down to humans accessing fleets.
So we started by implementing a flight recording technology, where we get a really clear picture of what was going on with user-initiated sessions on Linux, and then took a bit of a different approach to try to control activity: not just looking at the login to the system as being the only point of authentication and authorisation, but looking at the commands and executions themselves, to be able to engineer, like, "if this, then that" at the command line. If we see an execution that's sensitive, can we ask a question about that execution before we allow it? A really simple example is tying something like Duo to a Vault unlock from the HashiCorp Vault product, something that people are using in new technology today. And you can even, like, totally bottleneck execution of anything? Right. Yes. So we sit in a place in the system that allows us to control even root executions, and it gives us a really flexible approach to how we lock down the workload. So for example, a lot of cloud-deployed instances that run pretty industry-standard variants of Linux are gonna come preloaded with some shared accounts, so shared access, you know: your ubuntu user on Ubuntu, the ec2-user AWS deploys into their EC2 Linux AMIs. And we wanted to think about ways to control access, because they have very privileged access to the system. So the technology allows you to constrain even root from performing executions, and it's built into the daemon in such a way that allows us to control that on the fly. So you can change the policies even when people are logged into sessions, without forcing them to log out and log back in for new permissions, or even restart systems. So it doesn't require any kind of high friction on that front. So fundamentally what we're talking about here is an agent that allows individual tasks and commands to be authorised, and you've built, like, an authorisation layer in addition to typical user account permissions. That's exactly right.
So we can build on the permissions you've already configured natively within the OS, and actually extend on top of them with the tools that the DevOps engineers in your environment are going to be using already. So any of the standard communication tools like Slack can be leveraged to notify about sensitive events, or even authorise events, with something like Duo being used to actually authorise very specific executions themselves. I even saw you had like an app, don't you, where you can actually approve sudo requests, like on your phone, or have I imagined that? We've actually done it through Duo. So we do some really interesting integrations with the Duo application right now, and it involves creative thinking about how to use their API. So we've got a really great example of a trigger that a lot of clients use today, where we can actually send a notification to the user logged into the system, prompting them for, you know, approval to run, say, sudo or a sudo -s session, through Duo. We do that with all of Duo's existing mechanisms as well. So if you've already deployed Duo in your environment and are using those tokens, we can extend a lot of that functionality into the commands themselves, and sometimes actually replace the Duo agent itself at login to the system. We can make it pretty flexible. If you've got some constraints around endpoint PAM modules or parameters on the system, that can sometimes be a little bit hard to manage in the long run. We've talked about what you do. You know, why do we wanna do this? Right? It seems like a fairly simple function, you know, just from a wrapping-your-head-around-it point of view. But one of the problems that it actually solves really simply starts by providing that flight recorder capability for a lot of companies in the first place.
So a lot of companies will come in and, you know, be spitting that out, like with syslog, sort of style? We can do it in a couple of different ways. We've got a user interface that displays session data and the commands themselves in really fine granularity, even more so than tools like auditd can, but at a pretty lightweight volume. So we have the console, but we also integrate it with different services like GCS buckets or S3 storage, so you can pull it into something like Splunk pretty easily, and we let you retain that data forever, as long as you want to, in your own buckets. The console is also providing a hybrid control surface: anything you can see with the console you can actually control, and that's really where a lot of the control starts to come into play for companies we work with today. They've had a really hard time trying to manage all of these different solutions around who's doing what, and how are they doing it, and why are they doing it? We can provide the answers to who, what and why, and then provide the control surface to actually control when they're allowed to do it. Is that also like an alternative directory? Is that how it works? You handle the provisioning and whatnot? No, we don't handle any provisioning. We tend to find that there's so many different ways that people are already accessing these fleets and services, so this tends to be kind of shouting into a very loud room already. When we looked at, you know, how accounts are provisioned on most cloud fleets, a lot of people are leveraging the cloud service provider's ability to deploy these accounts during that bootstrap process. We're actually finding also that a lot of companies are trying to minimise the amount of accounts that have access to very sensitive environments, and they're falling back to a pretty specific
set of environment-specific accounts they'll use to maintain the systems. We look at the existing accounts on the host already and provide that control as policy. The power really comes from the fact that if you are following some maybe not-so-best practices, bad practices, when it comes to account creation or account management, we can really help you out and bring things like attribution of sessions, even through shared accounts, in a couple of minutes with deployment. It's not rocket science. It's pretty simple. So walk me through that, and tell me who the ideal customer is for you. Like, what is the situation that they have to be in where they decide, my God, I need this? 'Cause I can guarantee you there's going to be some of them. Yeah. You know, there's a lot of organisations we've helped that are in a really great state of maturity: they've got named accounts, they've implemented policies around key management, ticket management and all the rest of it, but they're looking at controls in real time, effectively to look at really sensitive actions, and that's really tying onto implementing best practices and compliance into that very mature environment. On the other side of the spectrum, we tend to find companies that have a less than mature state of deployment can really take advantage of that flight recording technology we provide, to not only record actions that are happening in production, the commands that are being typed, the executions being made, the files being modified, the changes being made to the fleet, but actually start to move the needle to building a bit of practice around accessing that fleet. So, mature people who are hyper-paranoid, and then you've got the people where everything's on fire and they need something to put out the flames. Yeah, exactly. It's the more gentle approach to doing so. It's not necessarily a whitelist, it's not a blacklist, unless
you want it to be; it's really kind of something in between, the grey list, as a few folks in sales tend to call it, but I don't really like that terminology. So I guess this is really just about more granular control of various actions. But I'm guessing that you have, you know, I mean, it would ship with a sort of template of stuff that's like blocked by default, or flagged by default? Right. So this is kind of like better permissions. Permissions are hard, right? Like, they are. So if you've got something like this with default permissions or authorisation options around certain risky actions, that's going to get you a long way out of the gate, right? Absolutely. Just highlighting sensitive actions around configuration changes, or, you know, very sensitive user modification actions or process execution actions can really provide companies a great picture of what's actually going on in the fleet, and you can escalate the way that policy reacts in the environment very easily. So a lot of the templates we deploy start off simple: hey, we're going to tell you when things tend to go wrong, or where there might be suspicious or unusual behaviour going on in the fleet, and you can tune them and fine-tune them to the liking of your environment. There's a control element, but there's also very much a detection element here, from what you're saying. Absolutely. We like to think a lot of companies that are leveraging the technology in some ways today are actually seeing the event occur and being able to react to that event occurring, as opposed to trying to clean up afterwards. When we implemented the technology for some very early clients, a lot of them were just leveraging the engine to just yell when people were doing the wrong thing. Now, leveraging the engine to get an approval sent to the operations team about restarting a service, it's really improving the speed at which people can get things done in production,
but creating a bit of a barrier around the things that they probably should not be doing. For us, it's been pretty effective to learn alongside them and build some really amazing policies that have helped people out of some sticky situations. Now, I mean, who are you competing with here? Is it the people who are making God-awful PAM modules and stuff like that? Like, is that kind of the competition? To an extent. We tend to find we're coming across different kinds of observability tools, session recording tools, that were built for massive enterprise and are getting kind of munched into cloud environments. And it has a lot of those general, like, legacy visibility apps, right? That's right. It's hell. Yeah. Exactly. And I think where we're being able to improve the experience for the operations team is by providing a really clear picture of what's going on, in language that they understand, even in session. Inside the console, it represents exactly what the shell would look like to the user actually running that shell. So even if you've got junior analysts, or analysts that may be emerging into an incident analyst role, they can actually see what the intent was behind the action and get the context, rather than just making assumptions and grepping through logs or running some really complex queries. So give me an example of that, that you could spit out, that would tell someone something has gone seriously wrong. Yeah, we actually came across this a couple of weeks ago with a proof of concept we were rolling out, and it was interesting. It's the best when you're rolling out a proof of concept and it's like, interesting. We had a customer ask: hey, we've got something weird in a production environment, two services stopped talking to each other, and the only thing we can pin it down to is something on the network. Hey, can you help us find the last actions that changed a firewall, say, on that specific distribution?
It was just looking at ufw on the host. Turned out that one of the engineers was trying to troubleshoot to see if the firewall was actually causing the problem in the first place, and ended up nuking that firewall, and we were able to pinpoint it in a couple of minutes with them in the console and create some logic around it to prevent that firewall's state being changed in production when the workload was running. So it just goes through an authorisation phase, pops a notification into a Slack channel, and prevents something pretty critical happening around it. More interesting cases that we've come across recently are hosts that are running Docker containers, where you've got administrative actions being performed on those containers within that environment, within that host. For a long time companies have been managing access to containers, kind of shell access to containers, through things like Kubernetes consoles, and you can create some really granular policies around that. But if you've got access to that underlying fleet running those pods, you can actually run Docker executions into the containers pretty easily with a couple of command-line flags. So we created some policies for another client that was trying to lock down access to containers, even though their administrators had access to the host. We were able to create some really creative rules to not only notify when people were trying to do it, but actually ask the question as to why: what are you doing? Sounds like that whole thing about "this is being reported to the administrator". Like, this will actually report things to the administrator. That's actually right. Yeah. It's that old message. Restored in the cookies a million years ago. All right, Jake King, thank you very much. You guys have signed up as a sponsor for some weekly shows, which I'm very excited about. You know, it's been great watching this thing get there, right, because I know you've been working very hard on this for a few years.
And now it looks like you're in the fun part of a startup, where you've got your product, you've got the money now to take it to market, and, you know, you've gone through that proof of concept phase. I'm actually excited about this. I think it's about time we saw some modern security tools for Linux. So I'm going to wish you the best of luck right off the bat, and I'll be talking to you soon in the weekly slots. Thanks. That was Jake King from Cmd there, and you can find them at cmd.com. And I think they are gonna make a squillion dollars, just quietly. So yeah, please remember the little people, Jake. Remember us, remember us. And yeah, if you're running a lot of Linux boxes, just really go check this out. They used to have a promo video on the website that was pretty mind-blowing, but unfortunately I don't think it's there anymore. But yeah, come on and bring back the video; it's very cool. Now, the last vendor today is Nucleus. I mentioned them in the intro to the podcast; do make sure you hang around for that one if you're working in vulnerability management. But before that, and right now, we're going to check in with AlphaSOC, so they can tell us about their latest offering. AlphaSOC is one of those companies that's just doing good, conceptually simple stuff. So many so-called threat intelligence products are essentially just doing pattern matching against known bad domains and IPs. It is a blacklist approach, and hey, that's great, you should do that. But many of these products don't even do a cursory analysis on DNS lookups and IP metadata, and that is where AlphaSOC comes in. They take your DNS lookups, your IP metadata, your HTTP requests, and they perform analysis on that data in near real time, then feed you alerting based on this stuff. Now, most of AlphaSOC's customers are Splunk users.
So if you are a Splunk user, you can literally go right now, while you listen to this interview, and provision yourself a free trial, okay, straight up. All of AlphaSOC's documentation is online, as is its pricing. I've linked through to that documentation in the show notes. And yeah, considering the value they deliver, this is a really well-priced product. It's actually quite cheap, surprisingly. I think Chris McNab is the founder, but before that he ran incident response at iSEC Partners, and then NCC Group later on. So, yeah, you know, what Chris has done here is taken some incident response workflow and turned it into a detection methodology. And in this interview he explains why he's broadened AlphaSOC's offering to include more than just DNS analytics. Here's Chris McNab. One of the challenges for us with DNS alone was that we were then missing events and interesting indicators on other layers. For example, with Tor, we weren't able to flag Tor circuits, or kind of straight IP connections to command and control infrastructure. And then as well, you know, from an HTTP perspective, we weren't able to flag, as you dig into the URL structure, what method was being used, whether it was a weird extension for the file that was being downloaded, a POST request, or whatever it was. So yes, for sure we've just been working over the last couple of years now to extend coverage and identify, you know, threats and anomalies across different layers. Now when you say HTTP, I'm guessing you're getting a feed of requests that are coming from the proxies as well, so that's not a blind spot for you? Correct. So most customers are using Splunk, so material comes up into their Splunk environment. On the DNS side it will be domain controllers, DNS infrastructure like Infoblox; on the IP side it will then be maybe like Bro IDS, so full packet capture will follow, coming up; and then from the HTTP side, yeah, it could be Squid or Blue Coat proxies,
any kind of, you know, HTTP aggregation point. Now, we should just point out how this works, right? Essentially you run an API, you plumb through this information, and then you send back essentially like a badness score. I mean, it is that simple, isn't it? So we created what we call the AlphaSOC analytics engine. The analytics engine runs up in Google Cloud; it's just an elastic, scalable API that we operate, and fundamentally it just speaks JSON. So our Splunk app, we have integrations for Elastic, and all kinds of other telemetry sources: that material makes its way up into the API, so DNS events, IP connection events, you know, source IP, destination IP, destination port, timestamp and bytes in, bytes out, and HTTP events. All of that makes its way up into the API. We then score that material, perform kinds of layered analytics, which I'm sure we'll get into later in the podcast, and then we generate alerts and kind of, you know, signals that make their way back down into customer environments. If you're using the Splunk app, that gets rendered very cleanly within Splunk. However, if you're using anything else, essentially whether it was Elastic, QRadar, AlienVault, whatever, then we can also provide those within JSON formats that you can then integrate into your existing SOC. Okay. So let's talk about those analytics, right, because one thing that is conspicuously absent from your marketing is any mention of advanced artificial intelligence, machine learning, and, you know, look, I mean, one of the things I like about AlphaSOC, right, you've got a long background, you had a long background in incident response. You have seen how the planes crashed into the mountain, right, and unpicking that, you don't necessarily need an artificial intelligence cyber threat engine to be able to figure out what's gone wrong there. I mean, that seems to be what's informed the way that you've built these analytics; it's all pretty simple stuff.
But, you know, the difference between AlphaSOC and a lot of the kind of cyber machine learning, AI-driven companies is that we actually bootstrapped the company back in 2013, picked up a first customer, worked with them to actually build something that gave true value and was useful, and then ever since we've just been improving and iterating upon the product. Really, you know, a good way of thinking about it is our early customers have actually become our investors, for the most part. So because of that, we've then just naturally been improving the product for the customers and producing kinds of useful use cases without needing to lean too much on machine learning or AI. That's not to say that we don't have classifiers or don't draw on those technologies, but from a marketing perspective we're really allergic to referring to cyber or AI or any of these other buzzwords. I think we should just replace discussions of machine learning with discussions of, you know, sort of complicated statistical models. I think that's it. So let's talk about some of the analytics that you're doing. I mean, one thing that you're flagging on is communication with young domains. I mean, that would be one of the simplest ones for people to understand. So even that one, actually, virtually every security tool that I've seen in recent years is built in such a way that it will ingest threat feed information and threat intelligence from third-party kind of indicator lists, and then it will be performing one-dimensional correlation, where you just take the raw data, whether it's, you know, web requests, DNS requests, IP events, you correlate against the feed, and then you throw that against the wall and you see what sticks. So that's the kind of existing legacy way of processing material. What we've done is turn that on its head.
And so even in this use case that you're highlighting here, which is flagging beaconing traffic to a young suspicious domain, if we unpack that, there are a number of classifiers beneath the surface that I can dig into. So the first one is that we have a timing classifier, where for every single source-destination pair we then track the timestamps of the requests over a period of time. And if the timing delta starts to fall into a regular pattern, we'll infer beaconing, and we'll kind of upgrade the severity, or the interest level, around the signal from maybe an informational to a low severity. And then we also do whois lookups on tens of thousands of domains every day. So when we see a given domain, DNS material coming into the engine, and if we haven't seen it before, we'll actually reach out, whois the domain, and understand whether it's young or old, you know, figure out the creation date for that domain, who it's registered by, which country they're in. And then if that domain is less than sixty days old, let's say, we then upgrade severity again from, say, low to medium. So something like beaconing to a suspicious young domain, under the surface there are two or three classifier steps, almost like workflow steps, being performed. If you were trying to do that work within a traditional SIEM, whether it was, you know, Splunk proper, or QRadar, AlienVault, one of those products, because those products aren't built in that way, it's just not possible to perform this active work on the fly. Some of them are building, like, automated and orchestrated ways you can drill down into that sort of stuff, but you have to initiate that action, right? It's, I mean, you know, Rich Mogull actually used the term on Twitter some time ago, he described
some product as being a blue-collar security tool, which I really like, because it's often my favourite approach to infosec things as well: the simple ones that just work. They don't need to be particularly complicated. Just as I mentioned before, you've got a background in IR, and I'm guessing on a lot of gigs you would eventually hit on a domain, and the reason you would know it's shady is because of these reasons that you mentioned. You know, you would say, well, that's a young domain, and then you're doing certain timing analysis on it, and then, hey, okay, this is giving me something to work with. I mean, automating that at the time that this is all happening, it's not that hard. In theory it's not that hard, but as discovered through working with it, you know, some of the simple stuff can be quite complicated. But yeah, you get where I'm coming from, I'm sure. Precisely. So we can agree that it's not difficult and this isn't anything special, but you'd be surprised, I'm sure, how difficult this is for security teams at scale. So what I found, you know, doing the incident response work previously, chasing Russian GRU agents through corporate networks and so on, it was very clear to me that the existing kind of SIEM solutions that were being used by these teams were producing useful, interesting indicators and alerts, but were missing a lot as well. Right. Yeah. And, as we're getting into with the stream that we're currently on, there was a need for the security operations centre to be staffed with a number of analysts who then take that material, reach out, look up the domain on VirusTotal, look it up on passive DNS, do kinds of additional manual steps in order to form an opinion as to whether a domain or destination or traffic pattern was good, bad or ugly.
It's as simple as, you know, automating that and producing refined results for the analyst, and that really is what we're doing at AlphaSOC. If you distill our work way down to its fundamental truth, we really are performing this multidimensional analytics on the fly in near real time, and then producing this refined material that makes its way back into the SOC, and actually a number of customers are now taking this material and feeding it straight into SOAR and orchestration, and even then freeing up the analyst, where there's no need for a human to be involved in the loop. So yes, that's the way this is hopefully moving into the future, where it just becomes similar to what Netflix has been doing for years with the kind of infrastructure they built out, which is just a series of APIs talking to APIs, and everything runs at scale, which is what's happening at AWS and some other larger enterprises. Last time we spoke we were talking about, you know, DNS-based stuff. You're doing IP, as you mentioned, you're doing IP-based analytics now, and the HTTP-based analytics. Can you give me just two ideas about, like, I'm guessing for the IP stuff you're looking for beaconing and whatever, but what are some of the other indicators that you're looking for in IPs, and, you know, HTTP traffic? If, for example, we see traffic from an address within an environment out to a destination using strange ports, or if it's using, you know, ports 1665 or 7777, we will then run that IP through sandboxing engines, so, you know, VirusTotal's, Cisco's Threat Grid, kind of sandboxing engines, to then figure out if there are known malware samples associated with this destination. So again, in terms of a layered approach, traffic to a destination that's not port 443 or 80 is interesting, but not necessarily malicious.
But then if we also have a positive score from the sandbox engines, then that is interesting. And then also we have all kinds of other third parties we're using, where we're running things through Google Safe Browsing, where we're correlating on the side, according to domains, against Quad9 and the other DNS reputation lookups. And then finally, you know, a new set of features that we've only been building out over the last month or so now, is where we will actually proactively reach out to these services and try to fingerprint them ourselves. So if it's a web service we can then figure out whether it's returning, like, an open directory listing, which is interesting, or whether it's like a WordPress, Joomla or Drupal service.

HTTP request side, what are you doing there?

So primarily looking at GET and POST requests. On the GET side, if we see an HTTP GET of a file with an odd extension, whatever it is, you know, .dll, .ko, .scr, .hta, something strange looking, we would upgrade that from, you know, informational to a low.

I can see what you're saying. I mean, that's where it's going to get interesting, when you start seeing one agent, one endpoint, doing that. That's not good.

Absolutely. So again, from a behavioral perspective we're looking at volume of requests. So if we see POSTs to maybe a young domain, and hooking back into the SOC, if the domain is young, it has a suspicious TLD, .xyz, and then it has a positive sandbox engine score, then we will upgrade that too.

Look, this is all making sense. Sorry, I'm pushing here, but we're running out of time, and I do want the listeners to understand that in enterprise terms, if you're the sort of organization that has a SOC, a SOC is an expensive thing, and the cost of rolling this out is bordering on trivial. Can you tell us how much this costs?

There are a few things we're quite proud about.
The first is that we don't have any mention of cyber on the website. The second, as I mentioned, there is no machine learning on the website. And then the third is the price is actually public within the documentation. The way that we price this is just based on the size of the environment, and it starts off at eight dollars per endpoint per year, so it's very, very cheap. If you're an environment with two hundred endpoints, you're looking at a sixteen hundred dollar investment. From an evaluation perspective, the one thing to mention there is the product and the engine itself is completely free and unrestricted to evaluate for thirty days. So you can use our various integrations, self-provision a key, there's no need to speak to sales people, and then you can start evaluating the analytics and actually see whether it does what it says on the tin.

Well, Chris McNab, thank you very much for joining us. It's great to hear what you've been up to over the last couple of years building this thing out. People who are interested can go to alphasoc.com/splunk to get some more information there. But yeah, it's been a pleasure to have you back on the show, and I wish you the best of luck with it.

Thanks very much.

That was Chris McNab there, and I have linked through to documentation in the show notes for this podcast, so if you want to go and provision yourself a free trial, you can do that yourself. Just go for it. If you're a Splunk user, personally I think it's a no-brainer to go give it a plug, plug it in, see what comes out. It is a free trial. Okay. Our last Snake Oiler for this week is Nucleus, and this is one of those products that, like, a few percent of this audience is just going to hear this interview and then just going to go out and buy it, because it's one of those things that fills a gap very nicely. It's not rocket science. It's just an excellent productivity tool.
So yeah, if you are a vulnerability program manager dealing with a myriad of vuln scanners, and not just the network scanners, Tenable and whatever, I mean web scanners, software composition analysis tools, whatever, if you're someone who's trying to manage the output of all of these tools with some spreadsheet SharePoint horror show, well, no one would blame you for hating your life and your job right now. And Nucleus has a solution for that. Basically what they do is they ingest the output of all of these tools. You'll hear a roll call of which, not even a comprehensive one, but a roll call of just how many tools they support. And yeah, it allows you to plumb through individual alerts out to the right people via ticketing system, Slack, whatever. That's what they do. And this is the sort of stuff we love to promote on Risky Business, stuff that actually solves real problems that people actually have in their day jobs. Anyway, here is Nucleus co-founder Scott Kuffer joining us to give his best pitch for Nucleus.

Nucleus is a web application which was specifically designed to solve the problems that vulnerability management teams face on a daily basis. So what we do is we ingest the vulnerability scanning data from all of the vulnerability scanning tools that you use in your organization across the entire technology stack. This can be anything from network scanners to web application scanners to API scanners, on and on. So what we do is we actually help you normalize the vulnerability findings into one place so that you can analyze them. We help you prioritize the findings so that you know which ones need to be fixed first, and then we automate and orchestrate the workflows that surround the actual management of those vulnerabilities.

Yeah. Now, the orchestration part is interesting. So we'll get into which particular technologies you support, because it's quite a lot of them. You've ticked quite a few boxes there.
But the idea that you can set this thing up as a connector, so, you know, you can sort of have rules for different alerts, like depending on where the alert has popped up you can sort of determine which team it needs to go to. So that sort of stuff, I mean, that's a big selling point for you guys, isn't it?

Absolutely. So one of the big things that a lot of our clients like about Nucleus is that they can use it in a multitude of ways, right? So on the one hand you can use it as an analyst workbench to actually analyze and figure out what needs to be fixed first. But at the same time, you can also have Nucleus running in the background almost as a connector between all of your different scanning tools, and then basically connecting them to the ticketing systems that you're using to actually remediate vulnerabilities. So you can set up...

So I think this is a good time to actually mention which technologies you support, right? Because you've spoken about, you know, connecting things, right, and that can be a little bit abstract, but you support things like Nessus, Netsparker, what else? Because there are quite a few on that side of the equation, right?

Absolutely. So we support basically network security scanners, DAST, SAST, IAST, open source vulnerability analysis, containers, cloud, basically all of the vulnerability scanning type technologies that you would use in your organization or that you would find for your different teams.

So let's name some of them. Let's just do a bit of a roll call.

Sure. So Snyk, Rapid7, Twistlock, Checkmarx, Fortify, Netsparker, OpenVAS, Burp Suite, Nessus as already mentioned, Qualys. Right, so each of the big three in network security that do containers, compliance also. So we support that. We've got the Acunetixes of the world. We'll also support custom data types.
If you have custom tools that you built in house, you can actually format the output of those into our Nucleus schema and post that directly to us, and basically build us into your CI/CD pipeline.

So that's the reason I wanted to do a roll call, just because I'm pretty impressed actually by just how many different things you support. But on the output side, I mean, which ticketing systems do you support? Because you support quite a few of them, yeah?

So we actually support a variety of technologies on the output side also. So we integrate with log tools, things like Splunk, Graylog, those sorts of things. We also integrate with ticketing systems like Jira, ServiceNow, Samanage, and then also other ticketing systems that are more like issue trackers, so Bitbucket, Jira, GitHub, HipChat, Slack. Actually, HipChat is deprecated, so you can disregard that one. But yes, email, SMS, we basically support all of the mediums that you would need to be notified of vulnerabilities, depending on your organizational structure.

Okay. So we've spoken about the types of data you ingest, we've spoken about the types of ticketing systems and various forms of communication on the output side. So let's talk about why that might be useful, right? So can you give us a case study of a typical deployment? Maybe tell us, like, some of the problems that this actually solves for people, right?

Absolutely. So kind of at the core of a vulnerability management team, you're doing vulnerability assessments, right? And that's kind of the basis of a defensive cyber security program. Now, with the huge influx of technologies, the explosion of technologies that exists,
now you have a multitude of tools, and you may have a multitude of teams that are responsible for vulnerabilities in each of those categories, and they have no great way of actually sharing the information with each other in order to determine kind of what your total vulnerability risk picture is. One of the biggest problems, and really the way that most vulnerability teams do this, is they actually run from Excel spreadsheets or PDF reports, and they throw those Excel spreadsheets around in email, normally.

Right, right.

Or, more commonly, we see it thrown in a SharePoint somewhere, and then people check that out and make changes and check it back in. So what we do is we actually ingest all that data and normalize it, and basically give you a standard place where everybody can go to get the information that they need. And then, because we have all of that information kind of in one place in a normalized format, we're able to essentially allow you to define rules so that if the data meets certain criteria it can be tasked automatically to users that are responsible for it. So the best example would be, there is a web application that you're scanning with Checkmarx and a SQL injection vulnerability comes up, and that asset has particularly been tagged as a critical asset. Then, as Nucleus is ingesting the vulnerability data for that scan, it will see this SQL injection vulnerability and then shoot it over to the Jira ticketing system that you have defined for those types of vulnerabilities. So we try to make it as granular as possible so that you can actually let Nucleus take care of all the administrative functionality for you.

Now, how much of a pain in the arse is it to set up? Because that's the one thing I'd be worried about, is like, oh my God, I'm going to have to write a million rules.

So we basically have what we call dynamic rules, where you can define the categories of how it works, right?
So if you have an application owner, then you can say, if there is a critical vulnerability on an application, send it to its owner. So rather than saying you need to send a ticket to each individual person and tag each of those assets, you can do it in kind of a more abstract way that allows you to write fewer rules.

So it's really about going into the console and assigning responsibility for various types of bugs to different people, and then the categorization of those bugs is something that you do on the Nucleus side?

Correct. And then also we have the ability to pull that from the various tools. So a lot of the output that we get, so for example if you use Checkmarx, a couple of times they actually have the owner of the application in the output, so we can pull some of that data from there also.

Now, I'm curious to know what the competitive landscape looks like here, because I can remember some products along similar lines from, like, God, what would I call them, the ones that were going to get bought by... fifteen years ago there were a few companies doing similar stuff. It never really took off. What does the competitive landscape look like now, though, in 2019?

Well, it's very interesting that you ask that, because we actually have two classes of competitors that I would categorize. So the first is kind of your traditional vulnerability scanning vendor. So they do, obviously, the ones that are doing the scanning. The problem with them is that they don't really play well with others, so they don't allow you to analyze all of your data. So they argue that they're the best at everything, so that three hundred and sixty degree visibility, right?

It's like if you use a tool which actually scans for all types of classes of bugs, like Tenable is not going to be as useful as something like Snyk for doing software composition analysis, right?

Absolutely.
It's never going to be as good at open source vulnerability analysis as Snyk is. And so even though they have some decent dashboards, those dashboards are pretty much useless when you're trying to, you know, abstract it out and evaluate your entire vulnerability risk.

And then who's the second class?

Yeah, the second class are basically, the category we put them in is risk intelligence type platforms. So they're basically the vendors that try to do threat modeling to help you figure out what to fix first, which is good, but they really lack the ability to analyze the vulnerability data in such a way, and at the correct level, to actually be useful for analysts, right? So they have that kind of high level view, which is not extensible for the actual analysts to do their job.

No, it's a little bit fancy, right? This is more of a getting-it-done product.

Absolutely. We kind of split the middle between the two, is what we like to say. So we provide all the analysis capabilities from your traditional scanning vendor console, except across all of your technologies, and then we also provide the ability to prioritize and help you figure out what to fix first, and to do some of that threat modeling on the side as well.

Okay. Scott Kuffer, thank you very much for joining us to give us a rundown on Nucleus. I believe that anyone who's interested in this product can go and trial it for free for a couple of weeks, really get a feel for how it all works. People can head to the show notes for this podcast to check out a link to your website. Thanks for joining us.

Absolutely. Thanks a lot. Appreciate it.

That was Scott Kuffer from Nucleus there. And yeah, you can trial Nucleus for free as well, linked through in this week's show notes. And one thing: Nucleus got in touch with us afterwards to say that being able to trivially assign individual application owners in the system is actually a couple of months away. You can still do the same thing with more complicated
rules. The mega easy, stupidly quick, pointy-clicky rule set feature is coming later. But I am a big fan of Nucleus, as you can tell. In fact, I'm a big fan of all three of the vendors in this Snake Oilers. I hope y'all got something valuable out of that as well. But yeah, that is it for this edition of Snake Oilers. Part two will be running, I think, next week, but I will be back before then with another weekly show. But until then, I've been Patrick Gray. Thanks for listening.
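The layered scoring Chris McNab describes in the AlphaSOC segment (non-standard destination port, sandbox hit, young domain, suspicious TLD, odd file extension in a GET, POST volume), written out as an added illustration after the transcript. It is not AlphaSOC's code and not part of the interview: the record field names, the severity ladder, the thresholds and the sample records are all assumptions made for the demo, and the "third party" lookups the interview mentions are represented by fields already filled in on each record.

```python
"""Layered, rule-based severity scoring for outbound flow/HTTP records.

Added illustration, not AlphaSOC's code. Each weak signal on its own stays
informational; several stacked on one destination escalate. Field names,
thresholds and the sample records are assumptions.
"""
from collections import Counter
from datetime import date
from urllib.parse import urlsplit

NORMAL_WEB_PORTS = {80, 443}                      # assumption: "normal" egress ports
SUSPICIOUS_TLDS = {"xyz", "top", "click"}         # .xyz from the interview; the rest assumed
ODD_EXTENSIONS = {"dll", "ko", "scr", "hta"}      # extensions named in the interview
YOUNG_DOMAIN_DAYS = 30                            # assumption
POST_VOLUME_THRESHOLD = 20                        # assumption: POSTs from one host to one domain
SEVERITIES = ["informational", "low", "medium", "high"]


def severity_for(hits):
    """One hit is informational, two low, three medium, four or more high."""
    if hits == 0:
        return None
    return SEVERITIES[min(hits, len(SEVERITIES)) - 1]


def path_extension(url):
    """File extension of the URL path, ignoring the query string; '' if none."""
    name = urlsplit(url).path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def score_event(ev, today, post_counts):
    """Return (severity, reasons) for one record; severity is None with no hits.

    ev keys (assumed): src, dst_domain, dst_port, method, url,
    sandbox_positive (bool, from sandbox engine lookups),
    first_seen (date or None, from passive DNS / registration data).
    """
    reasons = []
    if ev["dst_port"] not in NORMAL_WEB_PORTS:
        reasons.append(f"non-standard port {ev['dst_port']}")
    if ev.get("sandbox_positive"):
        reasons.append("known samples talk to this destination (sandbox)")
    first_seen = ev.get("first_seen")
    if first_seen is not None and (today - first_seen).days < YOUNG_DOMAIN_DAYS:
        reasons.append("young domain")
    if ev["dst_domain"].rsplit(".", 1)[-1].lower() in SUSPICIOUS_TLDS:
        reasons.append("suspicious TLD")
    ext = path_extension(ev["url"])
    if ev["method"] == "GET" and ext in ODD_EXTENSIONS:
        reasons.append(f"GET of .{ext} file")
    if ev["method"] == "POST" and post_counts[(ev["src"], ev["dst_domain"])] >= POST_VOLUME_THRESHOLD:
        reasons.append("high POST volume to destination")
    return severity_for(len(reasons)), reasons


def score_events(events, today):
    """Score a batch; returns (src, dst_domain, severity, reasons) for records with hits."""
    post_counts = Counter((e["src"], e["dst_domain"]) for e in events if e["method"] == "POST")
    alerts = []
    for ev in events:
        sev, reasons = score_event(ev, today, post_counts)
        if sev is not None:
            alerts.append((ev["src"], ev["dst_domain"], sev, reasons))
    return alerts


def worst_per_host(alerts):
    """Highest severity seen per source host, for the analyst's queue."""
    worst = {}
    for src, _dst, sev, _reasons in alerts:
        if src not in worst or SEVERITIES.index(sev) > SEVERITIES.index(worst[src]):
            worst[src] = sev
    return worst


# Constructed sample records (not real traffic).
TODAY = date(2019, 5, 1)
SAMPLE_EVENTS = [
    {"src": "10.0.0.5", "dst_domain": "cdn.example.com", "dst_port": 443, "method": "GET",
     "url": "https://cdn.example.com/app.js", "sandbox_positive": False, "first_seen": date(2012, 1, 1)},
    {"src": "10.0.0.5", "dst_domain": "update-check.xyz", "dst_port": 7777, "method": "GET",
     "url": "http://update-check.xyz:7777/dl/payload.scr?x=1", "sandbox_positive": True,
     "first_seen": date(2019, 4, 20)},
    {"src": "10.0.0.9", "dst_domain": "files.example.org", "dst_port": 80, "method": "GET",
     "url": "http://files.example.org/drivers/foo.dll", "sandbox_positive": False,
     "first_seen": date(2010, 3, 3)},
] + [
    {"src": "10.0.0.7", "dst_domain": "collector.example.net", "dst_port": 443, "method": "POST",
     "url": "https://collector.example.net/api/beacon", "sandbox_positive": False, "first_seen": None}
    for _ in range(25)
]

if __name__ == "__main__":
    found = score_events(SAMPLE_EVENTS, TODAY)
    for src, dst, sev, reasons in found:
        print(f"{src} -> {dst}: {sev} ({'; '.join(reasons)})")
    print(worst_per_host(found))
```

Run as a script it prints one line per record that tripped at least one layer: the .scr download from a young .xyz domain on port 7777 with a sandbox hit lands at high, while the lone .dll fetch and the POST burst each stay informational, which is the "interesting but not necessarily malicious" distinction the interview draws.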