Summary
In this episode, Phillip Wylie engages with David Malicoat and Vivek Ramachandran to discuss the evolving role of the Chief Information Security Officer (CISO) in today's cybersecurity landscape. They explore the unique challenges faced by CISOs, particularly in the context of direct marketing and data protection, the impact of AI and automation on security practices, and the limitations of traditional security solutions. The conversation also delves into the future challenges for CISOs and the importance of adapting to new threats in an increasingly digital world.
Takeaways
- David Malicoat emphasizes the importance of understanding threats in the context of specific tools.
- The browser is becoming a critical endpoint for security measures.
- CISOs need to identify and address vulnerabilities among users.
- AI and automation are essential for scaling security efforts.
- Traditional security solutions often fall short in addressing modern threats.
- The demand for effective cybersecurity solutions is continuously increasing.
- CISOs must prioritize application security (AppSec) in their strategies.
- There is a need for better visibility into user behavior and security risks.
- The uptake of SASE solutions has not met expectations in the industry.
- Future cybersecurity strategies must focus on browser security and threat detection.
Sound Bites
- "The uptake on SASE just hasn't been there."
- "I need to understand how that threat looks."
- "We need to make AppSec a priority."
Chapters
00:00 Introduction to the CISO Perspective
09:38 The Journey into Cybersecurity and Podcasting
13:52 Challenges in Direct Marketing and Data Protection
18:46 Addressing Browser-Based Vulnerabilities
22:09 Enhancing Security Awareness Training
23:13 AI and Automation in Cybersecurity
26:36 Navigating Risks with AI Tools
27:33 Browser DLP: A New Approach to Security
31:23 Limitations of Traditional Security Solutions
32:27 The Evolution of Secure Web Gateways
35:53 Architectural Vulnerabilities in Web Security
40:00 Challenges Faced by CISOs
41:43 Future Directions for SquareX and Browser Security
Resources
Get your free Chrome plugin: http://sqrx.io/pw_x
https://www.linkedin.com/company/getsquarex/
https://twitter.com/getsquarex
https://www.instagram.com/getsquarex/
https://www.linkedin.com/in/david-malicoat-cissp/
https://www.theprofessionalciso.com/
https://www.linkedin.com/in/vivekramachandran/
[00:00:01] Welcome to the Phillip Wylie Show. Take a look behind the curtain of professional hacking and hear compelling discussions with guests from diverse backgrounds who share a common curiosity and passion for challenges and their job. And now here's your host, offensive security professional, educator, mentor and author, Phillip Wylie.
[00:00:33] Hello, welcome to another episode today. I'm excited to be joined by David Malicoat and Vivek Ramachandran. Kind of picking back up on our discussion on SquareX and in the series with CISOs. So David Malicoat is a CISO. One of our previous episodes we had Robert Pace. So we're going to kind of have a little discussion around what David sees as a CISO.
[00:00:57] And hopefully this, this conversation will, will help you out in your day to day challenges with your security program. So David, if you wouldn't mind sharing about your background, I know you're a CISO and you're also the host of the professional CISO podcast. So if you wouldn't mind sharing about your background with our audience.
[00:01:16] David Malicoat, Ph.D.: For sure. And thanks Phillip. Thanks for having me on today. So I'm the CISO at a company called Direct Marketing Solutions. It's out of Portland, Oregon, and also another satellite office there outside of Pittsburgh.
[00:01:26] David Malicoat, Ph.D.: We are a direct and digital marketing company. And the best way I describe it to particularly folks that are practitioners in the security field, we handle about 80 billion pieces of PII a year.
[00:01:37] And so there's a unique challenge that comes with that. I think, you know, a lot of times the eyebrows raise when it's that amount, but a lot of it is, is serial. It's single use. So that, that explains why there's such a volume.
[00:01:50] David Malicoat, Ph.D.: But in the end, we're, we have an interesting way to go when it comes to protecting that data.
[00:01:57] David Malicoat, Ph.D.: It's, it's, you know, we have an enclave architecture. And so ultimately we bring it in, we, we use it, we do what we need to do with it, whether it's analysis and then get ready for the marketing aspect of things.
[00:02:09] David Malicoat, Ph.D.: And then either we send it for print or digital and then turn around and, and then it goes away. So, and then also more recently, we've decided to go into the broker area when it comes to data.
[00:02:20] David Malicoat, Ph.D.: And so now I get the fun of having a privacy on my plate as well, which is just a, you know, there's interleaving there. There's, there's interweaving there, but there's also a lot of separation also background by way of prior to this, I was a consultant.
[00:02:36] David Malicoat, Ph.D.: I had my own MSSP for a while that I eventually sold, because I decided to start right as COVID was coming online, which made it a challenge. Prior to that, I did consulting as a road warrior for five years: out on Monday, back on Thursday.
[00:02:53] David Malicoat, Ph.D.: That's where I'd say you get the experience in dog years. So if you're, you ever decided to go the consultant route, you're going to get some pretty quick and impactful experience over time.
[00:03:03] David Malicoat, Ph.D.: Prior to that, it was IT services and security services, which is where I met Robert Pace, and I've known him for a long time. And he's my mentor, by the way, I like to throw that out there all the time. And prior to that, I'm a veteran. So I was in the United States Marine Corps. And that's where I got my start in technology. I was a rifleman, I did some imagery intelligence, but it was in the intelligence fields where I got my computer start as a Unix systems administrator.
[00:03:31] Phillip Wylie: Very cool. So what kind of directed you towards becoming a CISO?
[00:03:35] David Malicoat, Ph.D.: I've always been a leader. I think that started back when I was in the Marine Corps, of course, that's, they, they teach it from the very beginning. And I was a leader in the IT services field and believe it or not, I mean, come full circle. I think we've, we've told the story on my podcast with Robert Pace. Robert's the one that got me into cybersecurity.
[00:03:54] David Malicoat, Ph.D.: So I was a leader over a large area, lots of different services, when we were at Perot Systems and Dell Services back in the day. And I led the delivery of a lot of different services. Robert actually was my ISO on an account.
[00:04:13] David Malicoat, Ph.D.: And we got to hang out with one another quite a bit because as we were taking over this account, we were, we were kind of pinned at the hip, so to speak, relative to making sure that the security was where it needed to be.
[00:04:24] David Malicoat, Ph.D.: And after, after getting to know one another, he just, he looked at me and said, Dave, you need to get into security. I'd say your, your personality is perfect for it. And the way of the way that you think about things, the way, and of course, you know, and I've said this on my podcast many times, veterans have this kind of unique plug in. They, they have the training, they have the, the mentality that's really conducive to being a cybersecurity practitioner.
[00:04:48] David Malicoat, Ph.D.: And so that's how that kind of started. And then as I moved into the consulting area, I was consulting at higher levels and it naturally kind of found me. It was one of those where the demand was there. I was put in those situations to help advise folks. I had already led the delivery of, of cybersecurity services for a lot of companies, a lot of large companies, Fortune 500.
[00:05:14] David Malicoat, Ph.D.: And so to go in and be able to advise folks and then it just, that the path was there. And I said, that that's really put a stake in the ground at one point around 2016, I think it's that that's, that's where I'm headed. And it happened a little faster than I kind of thought. Maybe that's the leadership side. Maybe that's the, you know, the executive side. I'm not too sure on that, but in the end, go in, you help people, you pay it forward. You, you, you learn and do good things, you know, make good decisions. And ultimately the work finds you.
[00:05:45] Phillip Wylie: Very good. And also what kind of got you into podcasting?
[00:05:50] David Malicoat, Ph.D.: So I'll give you the, the quick rundown on that. Last year when Tim Brown of SolarWinds received his Wells notice as a sitting CISO, that made me uncomfortable. I didn't like the fact that the federal government of any which way was, was trying to hold us personally accountable as a role, particularly him, where he was four layers, he was four layers deep in the organization.
[00:06:15] David Malicoat, Ph.D.: Where's the accountability for the CIO, the CTO and the CEO of said company, right? And so I went on a personal journey just to say like, okay, I want to get in front of this. How do I get myself better? How do I make sure that I am developing myself to the place where this is headed? And so took the summer into the fall, books, articles, really landed on podcasts because the, the, the, how quickly the information comes out, right? And the, and the nuance that you can get around it and the depth that you can get around it.
[00:06:44] David Malicoat, Ph.D.: And so I was listening to all kinds of podcasts, but I was kind of seeing one, one, I don't want to call it fatal flaw, but maybe, you know, strong statement there. But one of the things I feel that a lot of the podcasts targeted at CISOs was lacking is it was very transaction. It was this idea that we would have people on from the sponsor, no offense to sponsors. This is not, you know, this is not me railing against sponsors because I, I have them too. But in the end it was, we're going to talk about the problem space. And then it becomes kind of this veiled infomercial.
[00:07:14] David Malicoat, Ph.D.: And my, that always kind of frustrated me a little bit because I don't, I didn't think we were having the provocative conversations that probably should be happening or we're not progressing these conversations as fast and effectively as we could. So it really culminated with a conversation with Robert Pace again. It's amazing how this guy just happens to, you know, have such an influence.
[00:07:33] David Malicoat, Ph.D.: And it was supposed to be a 15 minute check-in. He's my mentor, right? So 15 minute check-in. But what happened was I hung up that phone an hour and a half later. And if you're listening to Robert's podcast, you know, as a guest on your show, Phillip, you're going to go, okay, that makes sense. Robert, he's a great talker, great storyteller. And so we were talking and it was dynamic and it was just looking forth and we were solving the world's problems.
[00:07:56] David Malicoat, Ph.D.: And when I hung up that phone after 90 minutes, I said, I wish I would have recorded that. I, every, everybody needed to hear that, that, that phone call, you know, should be out for the world to hear. And then about five minutes later, it dawned on me. I'm like, well, if you do that, that's called a podcast, right? It's, it's, you know, what we're doing right here, right now. So that kind of started it. And my initial thought was, well, I'm not a limelight seeker. That's not my, that's not my deal. That's not how I like to do things. I don't like to be known as that.
[00:08:24] David Malicoat, Ph.D.: But as I saw this nexus kind of come together, I said in my head, I'm like, if not me, then who, if not now, then when. And so I started kind of exploring it, got pulled into some different areas and developed. And I think we dropped episode 46 this week. So had some really great folks on. I interviewed Joe Sullivan, former CSO of Uber, which was very impactful. It was a great conversation. I, I'm a different
[00:08:54] leader now because of that conversation. I've, I've definitely had the pleasure of being able to interview a lot of great thinkers and make a difference. I've had CISOs reach out to me, say, Hey, I am now reporting into a different place in my organization based upon what you've covered in your pod. I now have the ammunition to go to my leadership and make that happen and, and have all the finer points. So, uh, and that's a direct, you know, paraphrase from a text that I received from a
[00:09:24] CISO. So, so that it's that kind of thing. It's a, and it's the provocative conversations. It's being able to just go call it, call it for what it is and make sure that we, we can have these conversations and get that information out faster.
[00:09:37] And so, uh, Vivek, some, just for the, in case people haven't heard of you yet, if you wouldn't mind introducing yourself, kind of sharing a little bit about your background and what the problem that you're solving with SquareX.
[00:09:51] Yeah. Thanks. Thanks, Phillip. And, and David, thanks for that amazing kind of like journey. I think, uh, it's always great to kind of figure out like what motivates someone and how someone, you know, kind of starts something which kind of becomes a mission.
[00:10:03] And I think, you know, as you mentioned, you know, that podcast is now a mission for you and that's always very, very exciting to hear. I mean, just like Phillip, you know, I'm, I'm a big admirer of his as well.
[00:10:12] I mean, he's someone who's just kind of going on and on with like every single episode. And, you know, when Phillip reached out a while back, I said, look, I'll try my best to see how we can kind of like support you. Right. So yeah. Uh, thank you for that amazing story.
[00:10:26] So yeah, I'm, I'm Vivek Ramachandran, you know, I've been in cybersecurity now 25 years, started more on the offensive side. So, you know, started by breaking systems, discovered a bunch of zero day vulnerabilities, uh, you know, in wireless and others, spoken at DEF CON and Black Hat, you know, many, many years.
[00:10:43] And from there, I very quickly realized that there's this big gap between, you know, how people thought security should be put out versus how hackers were. Roughly around 2010 was when I created a wireless monitoring device for 802.11ac.
[00:10:58] Primarily customers were, you know, defense agencies in the U.S., and from there transitioned to creating an education company, you know, which was eventually Pentester Academy.
[00:11:07] I think at its peak, we, we had customers from over 140, 150 countries, all big U.S. banks, financial institutions.
[00:11:15] I mean, Phillip, one of your previous employers was also a customer.
[00:11:18] And I guess that was roughly the time that we ended up meeting as well.
[00:11:22] And then post that, I think ran it for a good 10 years.
[00:11:26] And then I said, Hey, here I am, you know, sitting and telling people how to solve security problems.
[00:11:32] But I mean, David, just like what you had seen is I was getting frustrated with the fact that why weren't people solving these problems in a certain way?
[00:11:40] Right.
[00:11:41] And that is when I said, okay, enough of me just being like, you know, a preacher, a trainer in a, in a Shaolin, you know, temple, teaching people Kung Fu and martial arts.
[00:11:51] Instead, let me actually go out there and start to, you know, go out there and actually fight it out.
[00:11:56] So that company, Pentester Academy, got acquired, you know, by INE eventually; I think Providence Equity was the acquirer.
[00:12:03] And from there, I took a little bit of a break and then started with SquareX.
[00:12:08] And primarily what was the motivation?
[00:12:10] I think when we ran Pentester Academy for over a decade, primarily spoke to red teams from all over North America, Europe, other parts in the world as well.
[00:12:19] We figured that initial access was starting to target end users and employees of organizations.
[00:12:25] And almost all of these attacks were starting to happen via the browser, whether it's spear phishing, malicious extensions, SSO, session hijacking, now shadow SaaS, all of that stuff.
[00:12:36] So we looked at the solutions and we said, look, EDRs and XDRs unfortunately have zero visibility in the browser.
[00:12:42] And that is really where they wait for a malicious file to drop.
[00:12:46] And that's when they light up.
[00:12:48] So unfortunately, the enemy is already at the gates.
[00:12:51] And at the very same time, SASE, SSE, unfortunately, does not cover most of these attacks anymore.
[00:12:56] And we looked at it and said, could we build a browser native, a browser first class citizen security product?
[00:13:03] And we zeroed down on the fact that the way we should do this is deploy a browser extension, which will actually work on Chrome, Edge, Firefox, Safari, every single browser out there.
[00:13:13] And then act as a security product, being able to look at what is going on, block attacks and all.
[00:13:19] So I think that's how it started.
[00:13:22] I already had a relationship with Sequoia Capital because they were investors in my previous company when we exited.
[00:13:27] So, you know, ended up raising $6 million from them in seed, you know, another $3 to $4 million, eventually angels.
[00:13:33] And as I mentioned, Phillip, yours is literally the only podcast where I've ever mentioned this: we're just about closing a Series A funding round for an additional $20 million, which we'll probably announce late Jan, beginning February.
[00:13:45] So that's been the journey so far, close to around 20 months right now into the company.
[00:13:52] Yeah, it's pretty cool.
[00:13:53] One of the things too that David, you may not be aware of, their initial offering was a free browser plugin.
[00:13:58] So now they've got an enterprise version of the tool, but it works pretty well.
[00:14:02] I was by accident, just kind of checked it out one time and it's the barrier to entry to learn how to use it is pretty simple.
[00:14:09] I had a DM on social media through Twitter and I saw that the URL looked suspicious, because a lot of people send links trying to phish people through DMs.
[00:14:20] And I used URL scanner and it was coming back as safe, but I opened it in a sandbox browser using the plugin.
[00:14:27] And I was able to open that up, end up being a website hosted in Russia and it was some kind of malware.
[00:14:33] But this other trusted resource said it was fine.
[00:14:36] So the cool thing is I was using a free product and it was that easy to use.
[00:14:41] And now they've launched their enterprise product back during RSA.
[00:14:47] Nice.
[00:14:47] Very nice.
[00:14:48] Yeah.
[00:14:49] Thanks.
[00:14:49] Thanks for looking.
[00:14:50] So kind of getting into some of the industry specific things.
[00:14:54] So what kind of challenges are you seeing working for a direct marketing company with, you know, handling sensitive data, customer data and so forth?
[00:15:02] What are the challenges that you're seeing?
[00:15:04] I love the challenges.
[00:15:06] I mean, standard security program, you know, what is that anymore?
[00:15:12] I guess it'd be one way to put it, right?
[00:15:14] For us, our challenge sits around the fact that we decisively live on-prem as well as in the cloud, almost 100% separately across these two lines of business.
[00:15:26] Digital is really in the cloud and the traditional business, the direct marketing is more on-prem.
[00:15:31] And so it is us trying to keep both of those feet in both of those worlds.
[00:15:39] And it's radically different, right?
[00:15:42] I think everybody can say that.
[00:15:43] And a lot of times when people talk about that, they'll say, well, yeah, we're 80% in the cloud and, you know, 20% on-prem.
[00:15:50] Not that that 20% is any less, but, you know, again, there's a concentration.
[00:15:56] And we are almost 50%, like literally.
[00:16:00] And so the challenge there is to keep up and to be able to be effective in both of those different worlds.
[00:16:07] And they are radically different.
[00:16:09] And I think because your approach is different, right?
[00:16:11] The architecture, the first principles that you use are just radically different.
[00:16:17] And then, of course, we have users that span both of those worlds as well.
[00:16:21] And so, you know, funny enough, we're talking about a browser, right?
[00:16:26] And a browser extension or, you know, security tools.
[00:16:30] That is one of our big challenges right now is making sure that we can check all the boxes across both of those different worlds to pretty much the same level as necessary.
[00:16:42] So that's where we sit right now as far as challenge goes.
[00:16:46] Yeah, just out of curiosity, you're doing direct marketing.
[00:16:49] Are you actually still doing printed direct marketing?
[00:16:52] Yes, yes, we are.
[00:16:53] That's, it's a veiled term.
[00:16:56] But ultimately, I tell folks, it's fascinating.
[00:16:58] I say, think of us as a manufacturer because we print.
[00:17:01] We print and mail.
[00:17:03] We can print and mail up to about 70 million pieces of mail.
[00:17:07] Wow.
[00:17:08] Wow.
[00:17:09] And from two locations.
[00:17:11] Yeah, that's a lot.
[00:17:11] And from two locations.
[00:17:12] So we cover between Portland and Pittsburgh.
[00:17:15] We cover the entire country and have mail in the mailbox within two days from either of those locations.
[00:17:21] Yeah, that's definitely a business that's really changed a lot over the years.
[00:17:24] I remember back, I believe there used to be a direct marketing company in my hometown.
[00:17:28] It was just basically printing stuff and sending it out.
[00:17:31] I'm not really sure back then if they were using any kind of computers or not or just the old school type printing.
[00:17:36] But I'm sure there's a lot more challenges when you're doing it the new or modern method where you're storing data.
[00:17:42] It's not just printing out directly.
[00:17:44] You've got data that's on servers that you have to protect.
[00:17:48] Well, and now it's the analytics, right?
[00:17:49] I think that's the big piece is a large portion of our business is around pulling in the data, yes, but it's not a direct pass through.
[00:17:58] It's a part of the value that we provide is who should you be marketing to?
[00:18:03] When should you be marketing it?
[00:18:04] What's the decision basis on when that person should get?
[00:18:07] Now, we work also with quite a lot of financial institutions also.
[00:18:11] And so it's when should that offer of credit maybe?
[00:18:15] There's a lot of that that we print in mail.
[00:18:17] When should that be in the mailbox?
[00:18:18] When's the best time?
[00:18:20] Is it a Monday, right?
[00:18:21] Or is it a Thursday or something like that?
[00:18:24] So plenty of analytics to go along with everything.
[00:18:27] And then, of course, on the digital side, it is we have now become more of a broker as well.
[00:18:33] So we can actually sell our own lists.
[00:18:36] So we actually now pull in data, maintain data on our own.
[00:18:40] Totally different set of circumstances there.
[00:18:42] And that's been unique challenges as well.
[00:18:46] So Vivek, based on what David was saying, how can SquareX address their vulnerabilities that are browser-based that might lead to data leakage?
[00:18:57] Yeah.
[00:18:58] Yeah.
[00:18:58] I think almost everyone is spending, you know, 90% of their time in the browser, right?
[00:19:02] Pretty much all your applications, as you mentioned.
[00:19:05] The on-prem one is different, you know, but you have a cloud one where people are accessing cloud storage.
[00:19:10] There's also SaaS applications, which probably they are logging into, you know, maybe to go about, like, creating, I don't know, images, mailers, and things like that.
[00:19:19] And that is really where I think attackers have realized the same thing and kind of targeting people when they're in the browser.
[00:19:25] And I can give you a very interesting attack.
[00:19:27] I think, you know, given you're in the business of, you know, creating these mailers, sending it out to people, I'm very sure a lot of folks in the company now leverage AI in a very big way, right?
[00:19:36] Use ChatGPT to summarize, come up with interesting ideas and all of that.
[00:19:40] So one of the attacks, and just to give, you know, viewers an example, we've seen is people go out on social media and then talk about a new version of ChatGPT, which just got released.
[00:19:51] And they say, hey, if you install this browser extension, you can immediately get free access to it without having to pay.
[00:19:59] And of course, everyone wants to be more productive.
[00:20:02] And given that browsers themselves aren't very monitored for what it's worth at this point, people can just go to the Chrome store, click install, and for what it's worth at that point, maybe that extension even gives them free access.
[00:20:14] But we found that attackers are using these methodologies to go about then siphoning out data, siphoning credentials, automatically trying to connect to cloud storage, because most users are always logged into the browser and they have all of these multiple identities at the same time.
[00:20:33] They're logged into the company account, they're logged into their personal Gmail.
[00:20:36] And what most people don't realize is browser extensions have superpowers, where they can not just look into every single page, they can pick up things like, you know, session cookies and whatnot, and actually make automated queries to exfiltrate data.
[00:20:52] Now, apart from this, we have that age old spear phishing problem and session hijacking, shadow SaaS, shadow IT and all of that.
[00:20:59] So, when we looked at it, the way we decided to solve this is, we sit in the browser and we are able to differentiate between multiple identities.
[00:21:08] So, an organization can go about applying a different policy for your own corporate websites versus the rest of the internet.
[00:21:18] Almost being able to create like a line of trust, where you could say, here are 20 websites which we've approved.
[00:21:25] And this is something we can connect to your IDP and automatically pull out as well.
[00:21:29] And you could say, hey, download, upload, copy, paste, all of that should work within this ecosystem.
[00:21:35] But anytime a user, let's say, tries to copy some data from a CRM web app, but now tries to paste it in his personal Gmail or any other random website, block it and go report it to us.
[00:21:47] So, our key, the way we can visualize ourselves is, what EDRs and XDRs are to the host.
[00:21:55] SquareX is a BDR or a browser detection response to the browser.
[00:21:59] And if we believe the browser is fast becoming the new endpoint, then it kind of makes sense that, you know, you have something browser native, which understands all these workflows, is able to monitor, intercept, allow organizations to block, isolate these workloads.
[00:22:16] The last thing I'd like to mention is, everyone runs security awareness trainings, right?
[00:22:21] And unfortunately, it's a one size fits all where people are filling up multiple choice questions and watching some videos.
[00:22:28] And even the whole spear phishing simulation tests that we end up doing, it's the exact same mail going to everybody.
[00:22:35] Now, interestingly, because we sit in the browser, we are able to give organizations a threat model on a per user basis.
[00:22:44] So, we can literally bubble up and say, here are your more vulnerable users or here are users who are doing more risky activities while they are online.
[00:22:54] And in a way, allowing an organization to target them with different security awareness programs.
[00:22:59] And this is something which is not possible today because you really aren't sitting and understanding, like, you know, what behavior each individual person in your organization is exhibiting when they're online.
[00:23:12] Yeah, kind of pivoted off the topic of AI.
[00:23:16] Just kind of want to throw this out there.
[00:23:17] So, AI and automation is really kind of needed to scale what people are doing.
[00:23:22] We don't have enough people to do the work or the budgets.
[00:23:25] And AI and automation are really affecting the threat landscape.
[00:23:28] So, David, kind of what are you seeing are some things that you're kind of seeing that could be risks from AI and some of the challenges that you may be seeing there at DMS?
[00:23:42] Yeah, the big challenge we have is, yes, people want to use it, right?
[00:23:46] I think that's one of the big ones.
[00:23:48] And a policy only gets you, you know, a written policy only gets you so far.
[00:23:52] And so, in doing cursory, I don't even call it cursory.
[00:23:55] I wouldn't say it in-depth, but a decent look at what security tools offer right now, pretty limited.
[00:24:01] And so, the ability to have something, obviously, that's usually going to be something from the browser.
[00:24:07] Why?
[00:24:08] Because we're not going to allow you to download, you know, the GPT client.
[00:24:12] So, we do have that control, right?
[00:24:14] But, yeah, I think the challenge there, and there's a valid business case.
[00:24:18] I don't think that's, you know, that's not an argument.
[00:24:20] I think you can only be a denialist for so long.
[00:24:23] And so, to find a way to safely and securely operate or allow folks to use these type of tools are going to be key.
[00:24:33] Because, in the end, the business demand is going to just continue to rise, particularly as, you know, you have something as simple as ChatGPT.
[00:24:42] But then, as these other large language models come online that are more robust, and in our world, for sure, you think copy editing.
[00:24:52] I know, I don't know about you, Phillip, I use it for my ship, right?
[00:24:56] Yeah.
[00:24:57] It made a task that used to take 30 minutes that I can now do in five.
[00:25:01] Well, I mean, it just makes sense, right?
[00:25:04] And I would say, as the image generators come online as well, it would be more robust.
[00:25:09] Again, that demand is going to be there.
[00:25:11] Why not have original artwork that looks like something somebody had done?
[00:25:16] We have a whole creative department.
[00:25:17] And I know that they are testing right now in that world.
[00:25:21] So, but of course, it doesn't diminish my concerns and my, you know, my risk meter in my head goes, okay, we've got to get our arms around this on how we're going to make sure that we're doing it safely.
[00:25:32] Because I don't want an accidental data leakage where, oh, it was just the wrong copy.
[00:25:38] And, you know, oh, we pasted it in there.
[00:25:40] Now we have potentially, I wouldn't say sensitive customer data, but customer data of any sort that's considered confidential data, as we'll call it that.
[00:25:49] Because I'm not worried about the PII as much because of how it sits in the enclave.
[00:25:55] But at the same time, the ability of people to do that work and do it effectively.
[00:26:00] Your business is going to say, you're telling me I'm going to get a, you know, 50% reduction in labor because, you know, we're using these tools.
[00:26:09] I'm in.
[00:26:10] Figure it out, David.
[00:26:11] That's what they're going to tell me.
[00:26:12] And so that's where it's at.
[00:26:14] So the risk is there.
[00:26:15] But to the company, they don't care.
[00:26:18] They do, but they don't.
[00:26:20] They want the benefit.
[00:26:21] It's my job to figure out how to make sure we're secure.
[00:26:25] Yeah.
[00:26:25] And that's the good, that's the kind of culture you want, someone that comes to you to help you help them do it the right way, because otherwise you let them just do it on their own.
[00:26:33] You open yourself up to so many risks.
[00:26:36] Correct.
[00:26:36] And from our perspective, when I came in, I had a, I was very privileged in that I came in as a consultant, helped solve some problems.
[00:26:44] Initially, they asked me to stay and be their first CISO.
[00:26:46] One of my requirements was I was able to stand at the risk committee and that risk committee weighs all these decisions.
[00:26:52] And so that's a place where we have an open forum where I can bring things like that, or they can bring things like that.
[00:26:58] They know now that we need to bring that to that forum to be able to discuss, well, not only what are the risks, but what is, what are the business drivers and what, how bad does the business want it?
[00:27:09] Right.
[00:27:10] I'm not, I wouldn't push it on them if they didn't want it.
[00:27:12] They're like, yeah, it'd be nice, but you know, it's not in our workflow.
[00:27:14] We're okay.
[00:27:15] Then I'm, that's something I can push down my line when it comes to my program and my strategic planning, but turn that around to no.
[00:27:21] We're going to save 50% in labor.
[00:27:23] We, you need to look at it.
[00:27:26] So Vivek, how could David leverage SquareX to help reduce those risks with AI and automation?
[00:27:33] Yeah, I think that's a, it's a great question.
[00:27:35] And David, the use case which you brought up, I mean, very interestingly, given we live in AI times, I think a lot of CISOs face the same dilemma, right?
[00:27:42] Is it, these are amazingly powerful tools.
[00:27:45] You don't want your organization to be left behind, but the very same time, like, you know, how do you use it, but in a secure way?
[00:27:51] Now, interestingly, what we ended up discovering is that your regular DLP solutions sitting in the endpoint with some browser integration barely do anything in the browser.
[00:28:02] Yeah, exactly.
[00:28:03] And so one of the things we did is we went in and we actually created extremely fine-grained policies available to do browser DLP.
[00:28:11] Now, in the browser, what that really means is the ability to monitor the clipboard, copy-pastes, the ability to monitor mic, camera, where people turn on, what is allowed, what isn't allowed, file uploads and file downloads.
[00:28:25] I mean, drive.google.com or, you know, OneDrive, they have the same URL, regardless of whether you're using the personal edition or the enterprise edition.
[00:28:34] And a lot of times people inadvertently might just end up uploading something to their personal Google Drive or OneDrive.
[00:28:39] So, by sitting in the browser, monitoring identities, monitoring data flow, literally we help organizations deploy policies like block uploading of confidential files or company files to personal SaaS applications,
[00:28:55] where you could create a whitelist and say only this ecosystem of websites is allowed where you can download, upload, copy-paste.
[00:29:03] Interestingly, we also have data masking capabilities and the ability to figure out what is being copy-pasted.
[00:29:09] You know, a CISO could go in and say, hey, you can define what confidential means in your organization.
[00:29:16] And based upon that, the product can automatically see if the copy-paste contains any of it.
[00:29:21] We can mask it, which means when they paste it into ChatGPT, it'll probably not show up as, you know, whatever original information it was.
[00:29:28] Very simple example. Let's say, as you mentioned, you know, copy-editing, somebody's creating a mailer and maybe they have a massive list of email addresses.
[00:29:36] I'm just picking like the most lame example possible.
[00:29:38] And they just copy an entire Microsoft Word document with like 100 emails at the bottom.
[00:29:43] But when they paste it, those emails would get automatically masked.
[00:29:49] And this way, you actually know that even when something is getting fed into one of these LLMs, it isn't data that you'd be concerned about.
[00:29:57] So that is one.
[00:29:58] Second interesting thing we've kind of figured is because the browser has not been monitored, it's also very difficult for people to figure out what kind of bad behavior.
[00:30:08] And I kind of use that term fairly loosely.
[00:30:11] Are employees in the organization kind of like indulging in?
[00:30:14] And simple example, I've seen even in our company, when people have to transfer files and something doesn't work properly, they might just upload it to a free sharing service and then send a link.
[00:30:25] Or they might just share something with an external contractor and say, here you go.
[00:30:30] So, you know, I've uploaded the file, go have it.
[00:30:33] I think these are workflows also we end up monitoring, blocking and doing all of that.
[00:30:38] So including watermarking.
[00:30:40] So at any given point, if you're afraid that somebody could screenshot, maybe you have third party contractors.
[00:30:45] So we can do that.
[00:30:46] We can even block people from actually taking screenshots just with a browser extension at this point in time.
[00:30:51] And anyway, so the summary basically is having very fine-grained ability to monitor workflows and give organization browser DLP controls rather than generic ones either sitting in the cloud or on the endpoint.
[00:31:08] So with, you know, the sophisticated browser threats that have been happening over the years.
[00:31:14] So David, how do you feel that traditional security solutions are equipped to prevent those type of attacks?
[00:31:23] Well, I'm going to keep with my reputation.
[00:31:26] They don't.
[00:31:27] Very simply put, I can tell you if you're, if I think we've already kind of all snickered at the idea of DLP already.
[00:31:35] So, and I think I know several of my colleagues that I speak to very similarly.
[00:31:40] It's ironic that it's a compliance thing that you have to have, but ultimately it's virtually ineffective.
[00:31:46] It's almost more of a pain in the rear to deploy and try to manage than it is the efficacy that you get out of.
[00:31:53] So I'll start there.
[00:31:55] And then from a, from a browser perspective in the end, ultimately anything that's coming through the browser, you're, you might as well skip over as far from a security perspective and already go to your EDR or, or any antivirus or anything like that on, on the local system to catch.
[00:32:11] It just doesn't exist from our perspective.
[00:32:16] Yeah.
[00:32:16] Yeah.
[00:32:16] So it was kind of interesting at DEF CON this year, Vivek shared some research they did on secure gateways.
[00:32:23] So if you wouldn't mind kind of sharing that with us, Vivek.
[00:32:27] Yeah.
[00:32:27] Yeah.
[00:32:27] So I think for a very long time, when it came to client side web attacks happening in the browser, people have been relying on SASE, SSE secure web gateways as a way to do web filtering, detection of some, you know, attacks and all of that.
[00:32:41] Right. Now, what we kind of saw is most of these technologies had their inception 14, 15 years back.
[00:32:48] And at that point, the browser was basically just a rendering application, right?
[00:32:52] You can see HTML, CSS, JS, it'll show it up.
[00:32:55] I mean, we remember the days where we had to press the refresh button on Gmail just to check if there were new mail, but now browsers have come a long way.
[00:33:04] And this is really where today browsers are full blown application platforms capable of using technologies like WebAssembly and whatnot.
[00:33:11] And the big example that I give people is if you look back 14, 15 years, you needed to install Adobe Photoshop, the entire Adobe creator suite, Microsoft Word and all of that.
[00:33:21] And that was the only way to work with these heavy duty RAM intensive CPU intensive applications.
[00:33:27] But now literally everything has moved to a very simple SaaS app where you could just go to Adobe online and go about using it.
[00:33:35] The big reason is browsers overall are much more functional, allow for complex applications to run within them.
[00:33:43] Now, what this also comes with is attackers can leverage that same powerful application platform and hide attacks a lot more capability.
[00:33:53] So to give you an idea, let's say I'll give you two examples.
[00:33:56] One is a malicious file and the second is a malicious website.
[00:33:59] So when you are on any form of SASE, SSE, Secure Web Gateway proxy and one of your users clicks on a file, the gateway in the cloud is going to cache it, wait for the whole file to download for the most part, run its AV scan and then allow or disallow.
[00:34:17] And similarly, once a malicious website has been detected, it's going to learn the HTML, CSS, JavaScript and try to block any other occurrence, even if the attacker posted the same site on a different domain.
[00:34:30] And this worked well for a whole decade.
[00:34:33] So what we showed at DEF CON this year main stage was that this model is completely broken architecturally.
[00:34:39] And here is why the same malicious file rather than the attacker hosting it somewhere and the user downloading it where a proxy can clearly see what it is.
[00:34:50] Imagine just on the client side in the browser with JavaScript, the attacker can completely piece together Excel with a malicious macro completely client side programmatically and then drop it down onto the user system.
[00:35:05] So in this example, a SASE, SSE, Secure Web Gateway is completely blind because a file never really downloaded through it.
[00:35:12] Now, when a malicious file downloads, we still have an EDR, XDR possibility.
[00:35:16] But when we come to malicious websites, our web filtering is pretty much what like most organizations depend on.
[00:35:23] The best way I describe the attack is a malicious website in all its full glory, HTML, CSS, JavaScript is like a painting being shipped through customs.
[00:35:34] Right?
[00:35:34] So you see through the scanner, you see the whole painting and you're like, hey, that is a malicious website in my threat feed.
[00:35:39] I'm going to go block it.
[00:35:40] So the way last mile reassembly attacks, the ones we showed in DEF CON work, is you don't ship the painting.
[00:35:53] It comes down to your site and paints the whole thing back.
[00:35:56] And this is what we showed with a web canvas attack, where we said, look, all the attacker is sending is coordinates of what to do.
[00:36:03] And then in the browser, using web as a canvas, the attacker can completely redraw the entire malicious website.
[00:36:11] But that is something nothing server side can ever pick up.
[00:36:15] So a bunch of other architectural vulnerabilities which we disclosed, which aren't, I mean, which can't be fixed.
[00:36:20] And, you know, I told there in the talk, like I bet my reputation, that if somebody saw this server side, I mean, just in a way it is gravity defying,
[00:36:30] simply because you just lack all of that rich DOM context, DOM data, user interactivity, you know, browser engine nuances, and all of that,
[00:36:40] to be able to emulate perfectly what is really happening on the user's browser.
[00:36:45] So that was a big disclosure.
[00:36:46] You know, we got massive press, all the big vendors came to us.
[00:36:51] We gave them test websites, and we currently host something called browser.security, where you could literally just click and try the attacks yourself.
[00:37:01] Well, I think too, and I don't know about anybody else here, but SASE, it was a great promise, but I think the uptake was limited.
[00:37:09] And so a lot of folks are still back there on the web proxy, right?
[00:37:12] And then I think the space of the enterprise browser, the secure browser, really ramped up a lot faster than I think anybody expected.
[00:37:22] Obviously, Vivek, with your company, with SquareX, as well as a few others, I don't, I, and I'm not seeing it, and I don't know, you know,
[00:37:28] and maybe other people can disagree with me in the comments or whatever, but I haven't seen the uptake on SASE that I expected as of six years ago, let's say,
[00:37:36] that, you know, the promise was there. And so it makes sense that you have to do something because we're now in a position where we have a technology that is so far older as in the web proxy.
[00:37:52] I mean, how many, 20, 25 years, whatever it is.
[00:37:55] And so to have that ability to say, yeah, SASE is a good idea, but the uptakes just hadn't been there to the same degree as what you'd expect.
[00:38:04] And we need something like a web browser security tool that will, and of course, there's the explosion of the web browser, generally, like you're saying, as an application in and of itself,
[00:38:18] but not just the app, you know, you're actually deploying applications inside the web browser, right?
[00:38:23] Every time you click on anything. Just an observation there, I think SASE has been, it was a great promise, but it just never arrived in the way that I think everybody thought it was going to do.
[00:38:34] Yeah, I think David, you bring up a very good point. And that's really where I mean, like, you know, my two cents on the whole SASE-SSE wave is,
[00:38:42] they started at a time when everybody wanted to move away from on-prem and just outsource the management of everything IT and security to the cloud.
[00:38:51] So, started off with a great promise because, you know, I think technical teams, security teams, IT teams, you know, everybody was fed up having to manage those appliances all by themselves.
[00:39:02] And now all you had to do was set a little proxy in your browser and fire and forget, and it was somebody else's headache.
[00:39:09] But to your point, even though that happened, I think people inherently forgot that, well, all your web attacks happening on the user's browser is a client-side thing.
[00:39:18] There's only so much that you can do by looking at network traffic and figuring out application layer attacks.
[00:39:25] 100%.
[00:39:25] Yeah. And I can tell you, you know, we've had so many discussions with companies across the world.
[00:39:31] A lot of times, unfortunately, people have invested millions and tens of millions of dollars in buying SASE-SSE solutions.
[00:39:39] And many a times, it's very difficult for them to go back to the board and basically say, look, the whole landscape has changed.
[00:39:45] And my $10 million investment isn't going to cover us, you know, perfectly.
[00:39:50] And we need all of these other solutions which are going to act as a band-aid and maybe eventually fully replace them.
[00:39:58] Agreed.
[00:39:59] So, yeah, since, uh, since David, you host the Professional CISO Show and you speak to a lot of CISOs, what are some of the challenges that you're hearing from CISOs?
[00:40:12] Threat in context.
[00:40:14] That's the big one right now.
[00:40:15] They want to know.
[00:40:16] And of course, you know, there's a whole bunch of others.
[00:40:18] Don't get me wrong, but Phillip, with you having a more technically focused, a more attacker focused podcast.
[00:40:25] Threat in context, I think, is, is the big one that I hear from a lot of folks that sit in the chair across from me.
[00:40:30] Where I need to understand, you know, yes, threat feeds are good.
[00:40:35] CTI is good.
[00:40:36] But I need to understand it in any given tool that I have.
[00:40:39] I need to roll it up as well.
[00:40:41] But I also need to understand how that threat looks in the context of the tools that I'm deploying or my, my tool sets that I have deployed specific to me and my industry.
[00:40:53] So I think that's the, that's the big one that I get.
[00:40:55] And that's the push that I hear that a lot of the CISOs that I talk to on and off the show, they want to see that more and more.
[00:41:04] And we don't know where it goes.
[00:41:05] I can tell you that.
[00:41:06] I think that's one of the things like we, you know, we're not, we're, we're smart people, but we're not the smart people that solve that problem.
[00:41:12] So to be able to go and say, how, how vendors can you help me continue to get greater granularity of that context?
[00:41:21] And again, not just general context.
[00:41:24] I need it specific to me and to, to the tools that I have deployed.
[00:41:30] Yeah.
[00:41:31] Since we're getting down towards the end of the episode, Vivek, can you kind of share with us what excites you most about the future of SquareX and what CISOs can expect from SquareX in the new year?
[00:41:42] Yeah.
[00:41:44] So I think of course, you know, it's been as a fantastic, like 19, 20 month ride for the company, you know, we are, we're compounding growing.
[00:41:50] So I think of course, as a founder of a company, it's, it's also very demanding, but at the very same time, I think, you know, the excitement is something which pushes the team and me.
[00:41:59] I think 2025 is going to be primarily very defining for SquareX.
[00:42:03] And I'll tell you why.
[00:42:04] If you look at the entire space, when it comes to browser security, you have the enterprise browsers and primarily they are looking at things like private app access, VDI replacement, access control, and a lot of other things.
[00:42:17] Then you have the whole browser DLP thing, which, you know, enterprise browsers cover a little bit.
[00:42:22] Traditional DLP solutions are also trying to break in.
[00:42:25] And then you have this entire browser detection response, which is purely attack threat detection.
[00:42:32] And that I kind of break it up into three parts.
[00:42:34] One is, you know, ensuring that employees adhere to company policies, insider threats and external threats.
[00:42:41] So I think our focus has been more on the whole browser detection response, threat detection, threat intel.
[00:42:48] And David, you brought up a great point.
[00:42:49] You know, this is something we are trying to do on a per industry basis is look at typical attacks that they get compromised with and try to kind of build a model around like what to expect.
[00:43:00] So you brought up an amazingly, you know, pertinent point.
[00:43:03] So I think, Phillip, our obsession is actually going to be around this threat modeling, threat detection, threat hunting.
[00:43:11] Of course, we still have our, like, you know, browser DLP and private app access and VDI replacement stuff and all of that.
[00:43:17] So I think that's the focus.
[00:43:19] We are already helping a lot of customers detect these.
[00:43:22] And I can give you an example.
[00:43:24] A very big county in America, you know, right before the elections, they were getting attacked.
[00:43:29] They came to us.
[00:43:30] They showed us some of the attacks.
[00:43:32] And within a day, we were able to deploy policies.
[00:43:34] So I think we are going to double down on this entire threat prevention from a browser security perspective.
[00:43:42] But most importantly, try to see if we can also tie it up with threat actors and see if there is some semblance of attribution, which is possible.
[00:43:49] So I think that's going to be the primary focus of the company, you know, that super excites me.
[00:43:55] And so, David, kind of getting your opinion, what do you think is going to be, in your opinion, what's going to be the biggest challenge for CISOs in 2025?
[00:44:02] Oh, wow.
[00:44:06] I think the challenge is going to be, I think we need to make strides in AppSec holistically is the best way that I can put it.
[00:44:19] The trend that I'm seeing and the folks that I'm talking to, we as a group, and, you know, you look at the standard bell curve, right?
[00:44:26] Most of us come from infrastructure and or network, right?
[00:44:29] And we're just not natively great on the AppSec side.
[00:44:34] So I think there's AppSec opportunity there.
[00:44:37] I think it's a great challenge and we still have a ways to go.
[00:44:41] I really like what CISA put out at RSAC with the responsible development side of things.
[00:44:46] But at the same time, I think we have that ability to have our vendors instantiate that into what they're doing as well, allowing us almost like a superpower to some degree, you know, to really accelerate what we're doing around that.
[00:45:03] So I would love to see, you know, like a SquareX or other vendors say, now we're going to help complement, you know, you guys, coders, guys are, people are coding in browsers, right?
[00:45:14] I mean, and you've got GitHub and you've got all those, you know, the repositories.
[00:45:17] That's how you access them a lot of times.
[00:45:19] And so having that ability of more and better visibility, better security is, you know, how can we do that better holistically?
[00:45:27] I think is one of the big challenges for 25.
[00:45:31] Yeah, I have to agree with that.
[00:45:33] So thanks, gentlemen, for joining.
[00:45:35] It was great having this insightful conversation with you guys.
[00:45:39] Absolutely.
[00:45:40] Thank you.
[00:45:41] Thank you so much, Phillip.
[00:45:41] Thanks to you, William.
[00:45:43] Thank you.
[00:45:44] And thanks to the listeners and we'll see you in the next episode.
[00:45:50] Thank you for listening to The Phillip Wylie Show.
[00:45:53] Make sure you subscribe so you don't miss any future episodes.
[00:45:57] In the meantime, to learn more about Phillip, go to thehackermaker.com and connect with him on LinkedIn and Twitter at Phillip Wylie.
[00:46:06] Until next time.