Genealogy of Cybersecurity - Startup Podcast

Ep 2. CISO Bob Schuetter on Data Loss, Startup Advising, and Cloud’s Secure Edge

March 20, 2023 Paul Shomo / Ashland CISO Bob Schuetter Season 1 Episode 2

Ashland CISO Bob Schuetter on brainstorming secure enterprise browsers in their startup's incubation period. Bob discusses building the cloud’s secure edge, and how new web browsers like Island’s (@island_io) will disrupt the Data Loss Prevention (DLP) and Virtual Desktop Infrastructure (VDI) industries. Bob and Paul explore exactly why DLP failed and whether there should be optimism for the SASE vision. They wrap up by discussing automation with the suddenly emerging AI virtual assistant startups, and Robotic Process Automation (RPA). Lastly, Bob gives us insight into what it’s like to incubate startup tech for Cyberstarts and YL Ventures (@ylventures).

Find CISO Bob Schuetter at Linkedin.com/bob-schuetter. The other startups mentioned were Talon Cyber Security (@TalonCyber) and Cado Security (@CadoSecurity). Send feedback to host Paul Shomo @ShomoBits or at LinkedIn.com/paulshomo.


Genealogy of Innovation is a new kind of cybersecurity podcast, focusing on emerging tech. We'll interview top entrepreneurs, startup-advising CISOs, analysts, and more. Our topic: what's wrong with cybersecurity? The security arms race is full of hype, but when you focus on the inception point of innovation, you encounter the brightest minds who have a better feel for what's important in cybersecurity. Welcome to the Genealogy of Innovation. Cybersecurity startup and emerging tech podcast. I'm Paul Shomo.

All right, we're going to have on Ashland CISO Bob Schuetter. He's a startup-advising CISO that is on the advisory board for Cyberstarts and YL Ventures. And this is really a signature episode, and when you listen to this episode, you're going to understand what the Genealogy of Innovation is all about. There is a hidden incubation space that not many in the industry know about. And in practice, what I'm talking about is around investment firms. They bring in panels of CISOs. The industry's top CISOs, CISOs that are very good at having big brainstorming discussions and outlining the problems of cybersecurity. Why past solutions have failed. Entrepreneurs and founders attend these sessions, they interact with them. They come back, they give pitches, these CISOs obviously see product demos, do beta testing. They're a way for the investment firms to gauge demand and whether the ideas are good or not. And anytime there's something big happening in cybersecurity, like for instance, last year, the enterprise browsers took the industry by storm, Talon Cyber Security won Innovation Sandbox at RSA Conference. You had Island. You had lots of press, lots of investor interest. Anytime something like that happens, I'm going to reach back into the inception point of these big ideas. And I'm going to bring out the analysts or preferably and mostly it's going to be the startup-advising CISOs that had early access, that were part of building up the idea and vetting the idea.
And that's what Ashland CISO Bob Schuetter on today's episode and our discussions is all about. He's going to discuss the new enterprise browsers. He's going to discuss robotic process automation or RPA a little bit inside the browsers, but mostly we're going to be discussing data loss prevention. Why DLP, data loss prevention, has been such a really failure of a category. Why it's been so difficult to get data controls around your assets. And what does that even mean in the cloud? That's another topic of discussion we're going to have from a CISO's perspective, a top CISO's perspective of what it means to put a perimeter around the cloud, which is something a lot of analysts have proposed different standards and approaches for, but a secure edge is something that I don't think a lot of people believe we yet have.

And just to catch those up who weren't following the enterprise browser announcements last year, the idea behind enterprise browsers, I was really surprised little startups wanted to jump in to compete in the browser market, but I didn't notice that in 2019, Microsoft went on Google's Chromium open-source code base. So that opens the door for companies to build on top of that code base, which is going to render the web everywhere, which is going to be able to be installed in all devices because it's a widely used open-source code base. And the security idea behind it is it's very difficult, if you're defending your cloud, to push out agents or controls on all the devices reaching into your cloud. But it's easy to push out a web browser. It's easy to get your employees to install a web browser. Even on their own personal devices, you can get partners, you can get contractors, franchisees, et cetera. So that's a big part of it.
And once an enterprise browser registered to your company is on their device, then it only then can they reach your cloud, and you can basically contain the data in the browser: downloads, cut and paste, save as, screen caps, role-based access, enforce all this stuff. So without further ado, let's listen to Ashland CISO Bob Schuetter talk about those early conversations around the Island browser and talk about this general area of securing the edge of the cloud and security and a few other topics.

Tell me about yourself.

Many, many years in security now, it seems. Was there kind of at the early start when the U.S. government finally decided to show some of the defense contractors what the heck's going on. Because their entire losing data, so I was with GE at the time, became CISO, GE for the aviation military business, was at GE for 9 years, and you know I was kind of challenged with buying one of every product. And said, you know, what if we missed this thing because we have the wrong products? Guess what? Nothing at the time could detect the attacks that we're seeing. And a buddy of mine was challenged with what if the reason we missed it is because nothing can detect it. So go create your own platform and sure enough, they may be to the punch every time. So that's really kind of formed our understanding of what we're here for. So in 2013, moved on to Ashland and kind of created, recreated that mini innovation hub. I have a team that's outsourced that's looking at the normal, I call it commercially available security. And then I've got a team that's looking at specifically what gets past that. We generate more threat intelligence than we consume from all the other sources out there, right? It's about what's attacking us, not necessarily what's attacking the world. And how do you find those things that nothing else finds?
It's been one that I've been trying to solve for a long time is how do we fix the industry and how do we help the industry actually get better at what they do and get faster at it? And what we find is you'll see on the startup world is where a lot of the innovation and new attempts at trying things differently are worth really happening.

And then in regards to your work with the startup world, so you have a certain venture capital firms you tend to prefer to work with?

Yeah, I'm on the advisory committee for both Cyberstarts and YL Ventures.

You take part in when you do this type of advising capacities. Are you more coming into kind of due diligence on startups that they noticed or brainstorming with entrepreneurs or guiding products? What is that like?

Yeah, Cyberstarts a little bit different in that their Sunrise process is really trying to formulate the idea of what they're trying to solve while they're still in stealth. So most of the groups that I worked with and talked to is really about, I've got an idea, does that idea even have any type of merit in the real world, right? Before we come out of stealth and actually start creating products or things like that. So we get an opportunity early on to see and to think about the space and think about what we're trying to solve, and then put some thought into, okay, so what kind of products would even do that? What does it need to do? And then we'll connect back with them and around coming out of stealth and in a Series A rounds. To actually start creating kind of the commercialization of the idea, right?

So with Island on the enterprise browser side, were you involved that earlier?

Yeah. Yes and no. So they were a little bit different in that they already had a lot of good ideas of what the use cases might be. It was kind of fun that they, you know, the first slide they showed was enterprise browser. I'm like, I'm sorry. Well, stop right there. You're trying to sell me an enterprise browser.
This thing that we all get for free, right? Yep. But two or three slides into it, I actually stopped them and said, well, guys, wait, you know, this is way bigger than you realize. This is solving a lot more problems and a very unique way that it changes how we think about solving problems. I think that was a big aha moment for me is we can actually think about solving problems in a very, very intuitive, it's already embedded into the app structure of the app workflow versus trying to strap things on. Because what we've always done is the applications out there, it's a great application. But for one reason or another security is not built in, right? So we're breaking it. We're putting things into it. We're injecting it, right? We're trying to force it into the secure posture. That if we actually control the browser, we don't have to do that for a lot of my apps.

So yeah, I saw Talon at the competition. I have the same reaction. I was like, enterprise browser, but then for me, I actually wasn't paying attention that everything went on Chrome, Microsoft went on Chrome. So when I heard that, then all of a sudden the penny dropped. So do you were there were there other industries like I've heard people comment that this is like the natural replacement for the failed industry of DLP? Do you see other do you see something like that or other major categories?

So that's why for me, it's disruptive in two different worlds. So one world is the way we think about solving problems and the way we think of what we can solve. Has dramatically changed. In other words, just the technology world, right? So if you look at the obvious ones are DLP, CASB, that type of stuff, right? We want to get that inspection point between the user and the outside world, awesome. Pretty straightforward. VDI? Remote access? Can really get disrupted here, right? Because a lot of the applications that we publish in Citrix, guys, I can do that through a private access type of thing.
VPN replacement, kind of the SASE world, right? So SASE has kind of been disrupting that whole network security layer. I think this one is a disruptor for those components too. But I also think there's a lot of oddball things. Once you own and be able to manipulate the presentation layer, you can do things like, you know, privacy. If I'm going to display a social security number, why would you do that? Yeah. Buzz it out, shade it. You can still cut and paste it. You can still manipulate and still work with it, but you don't necessarily need to show it. Right? RPA. If you're going to do a rope, right now, if you look at our HR process, for example, it's Workday. It's benefits packages. And I'm in two different browsers or two different windows, cutting and pasting from one to the other. Guys. If the browser already sees that, why do I need to do that? Why can't I do an RPA type of solution there to automatically cut and paste that for you? To have it just ready there. So you're not flipping back and forth between windows. You know, so it's that type of stuff that I think absolutely. It's definitely going to be the DLP, the CASB world. But I think as you think through those scenarios, I think that's part of what's unique about this thing. It's not one target. It's not one industry. It's not one use case even, right? It's just got a lot of different opportunities that you can go after.

Yeah, for some reason, I wasn't thinking there's a whole data masking category too that you're referring to. I think I referred to it under the general category of core core IT infrastructure in the cloud just changed.

Well, PAM, or public access management, right? So if it is and we're doing all these fire call IDs or whatever you want to call it, one time passwords, if I integrate that into the browser, why does the user even need to see that password ever? Right. Why can't I just have the platform injected? The browser injected for me.
And oh, by the way, I can capture that entire browser session. So I can record everything they're doing. I can see everything they're doing, right? I get full visibility into it. And I can ensure that it's coming from this area that I want. As I sorry, I like this one, as you can tell.

Keep going.

So from the interesting use case that we've got, too, is kind of twofold. One, it's certainly the BYOD side, right? So I can't tell you who's on it, but we got a lot of executives doing all bring your own device. And I think that's a great, great scenario for them, because I just need to load up this browser. It's not an agent. It's not going to sit there and watch forever, right? When you need to access it, use the browser itself. The other piece of that, though, when you think about that, is how many untrusted stuff do we have? I came from a world where I had la franchisees. And it'd be a great franchisee. Your third party, we call them told, or is there a third party manufacturers or warehouses, give them a browser? A lot easier to install that. Mergers and acquisitions. And I can give you a browser. Are you guys okay with that? Definitely not an agent. I can't do agents, can't do connections, can't do all these things, but yeah, I'll do a browser. And what's interesting is when you own that piece of it, you can also control by app or by target what DNS you're using. What you know you can in the middle of browsing change direction here. So all of a sudden, you can have applications that are only visible to this browser or nothing else. That's kind of cool stuff. It's completely hidden unless you have a browser that's registered to this company, registered to you, right? Now all of a sudden it's visible and you can get to it.

Yeah, I can tell you thought a lot about the implications of this because to be honest, I've now talked to two founders to startups here and more than one pass on at least one of them.
And some of the stuff I don't think they were even talking about.

Yeah. No, it was just when I stopped, you know, the Island guys, and they're great guys, right? If you understand how big this is and how much we can do now. Because we've been trying to solve a lot of these things forever.

Also, just the idea of you can install a security control this easily, any user can do it, you don't need elevated privileges, and it's amazing no one thought of this before.

And that's why we all keep on saying like, it's so obvious. Of course you do that. Why wouldn't you put the inspection instead of breaking SSL trying to inspect then repackaging SSL and getting back out? Not much legacy stuff that breaks. You made apps that breaks? It's great that all these SaaS providers are getting end to end encryption, but all of our network scanning is just more and more of it is going right by it because it's fully encrypted. Good job on them. Absolutely. That's the right way to go. We get into that now. Obviously, you get in front of it.

So how would you characterize, and I think you'd be an excellent person to characterize this? How would you characterize from a big picture why data loss access controls have not really gotten the job done in the past? And as best as you can, I think you can probably do it.

That was a tough one. If you look at how we've been trying to do because there was always an argument as to whether that should be an endpoint control or a network control. Or a host control or a data control, right? And we've been and there's limitations with each of those ways to look at in each of the ways to do that. Endpoint side is a problem with really with all agents. You're having to integrate into an OS that is constantly constantly changing. So really getting control at that point has always been difficult. Getting control at the network layer has been tough because of the encryption pieces because the apps keep on and getting better. Security, which is awesome.
So to me, it's a little bit about data is water. As much as we could try to contain it, it's constantly moving, it's constantly going. In the new world, as we're looking at more and more SaaS and more and more third parties and more and more pieces outside of your domain. I don't think the legacy platforms that they've ever done well. Do well in that new world where our boundaries aren't well defined. This is one of those first pieces that actually combines together the endpoint with the network. All in a single spot. Right. So that visibility and those controls, all of a sudden are combined together and you can talk about both of them at the same time.

That was awesome. I knew you could do it.

I don't know if that's right or not. It's the combination of all those things. The simplification of all those things that give us a fighting chance.

I think what you just said about combining the network and the endpoints is extremely fun too. Because the browser really is its own runtime environment. It's not it's not called its own OS yet, but it's not going to say the browser to us is the new OS. Yeah, it is the new we always call it secure edge, right? It was never secure edge. It was the secure network. Maybe you had an agent. This one to me is actually the final leg of it, right? It's the final piece of that secure edge vision, which I really believe in that vision. We just never got to the actual end of it.

So how many do you tend to focus on one area or do you get used for a lot of different startups or areas? I mean, you're obviously a busy guy.

So no offense to the startups, because I do love the startup world. What we see with in venture capital and with a lot of pieces is they're looking for an easy exit. They're looking for a kind of a smaller solution, right? I always call them plus ones. I don't really get excited about the plus ones. I don't really get excited about one more feature of a CSPM or one more feature of pick your favorite piece of it.
What we're always looking for, what we really get excited about is that industry changing technology. It's that new thought if the new way of looking at the problem, because that's where the problem is really gets solved, right? That's where the industry really moves forward. And I think the enterprise browser is one of those first ones that I got to see, and I'm like, no, that's different. That's a whole different way of thinking about it. Being there at the start of a new industry, a new feature is a new capability. That's the interesting pieces.

Yeah, there is something about that. When you're the first to recognize someone's genius idea, there's kind of a bond, you have a relationship going forward that you recognize me first, kind of thing. Yeah. The other thing that's been that has been interesting to me, let's see what we've got in time. In the cloud, the cloud workload is getting visibility into those has been a big issue. Agent deployment, they're ephemeral, they're high availability, agents use CPU, monitoring network traffic, the utilities want to charge you for a copy of the metadata. So they're expensive. And so for those reasons, there hasn't been like a universal EDR or something like that. So I was quite curious, I don't know if you've got a chance to look into Cado Security at all, but their concept was you can get a point in time image of workloads in the cloud. That's what the cloud does, like it stops and starts images. So images of disk and memory and make sure they go in the right computing components. And so their thing was, well, we can do offline forensics on those even high availability servers without putting something inside, which is work on the offline image. So that's one kind of area I'm writing about, and then I'm writing up the automation space. And I'm curious if you have any comments on that or automation or what do you think?

So just as two side comments, because it's something that I've been wanting to solve forever.
If you look at what we call cloud security right now, it's not security. It's cloud governance, it's cloud compliance, right? It's making sure that you set the cloud up properly. And that's where I keep on waiting. There's a new startup that's actually looking at trying to do cloud detection and response. So if you set it all up correctly, and you have all these privilege, and you have all these great things, can you actually do detection of an attack that isn't going outside the boundaries of a misconfigured instance, for example? That's interesting to me. I think that's going to be a big piece as we move out of all these legacy data centers. How do you start detecting things actually happening? The offline forensics piece is interesting. I haven't heard that one yet. There could be something there yet of because, again, how do you do the forensic piece of it after the fact? But I'm interested in how do you detect it early on?

So there would be this would be more the response, so you'd have some, you would know there was some alert and then you would say, okay, give me the image. Right around that time, then look at it as part of your response. But you get the deep access inside. Yeah. And interesting. But automation.

So our piece on automation is we did SOAR before SOAR was a thing. The idea that we have behind it is, again, we automate absolutely everything that the analyst is going to need to do and need field C, right? So I'm paying very, very expensive analysts to do great things, not to go gather logs and data off of platforms, right? So all of our platforms will feed in, do all of the upfront work for you, pop up an alert, give you the understanding of what's the fidelity of that alert. How many times has it false positive? What's the effectiveness and efficiency of that alert? How well can you believe it? Don't show you all the PCAP, show you all the sandbox outputs. Are you all everything that you possibly can?
But I'm still a big believer in that the human capability to determine what's real or what's not is still a very, very important piece of it, right? So you gather up as much as possible. You show it all to the person. He says, or she says, yeah, yes, no. Right. And then automate the living heck out of everything after that. Yeah. So one button containment, one button sandboxing, one button, honey pots, whatever you need to have after that. So I'm not a big one yet on automating all the way through. But I still believe in putting a human into the mix, but just at the right spot.

Well, that was Ashland CISO Bob Schuetter. You can reach him on LinkedIn. Bob is a great example of the kind of guest that I'm going to have on this show. Talk to you next time.

This has been the Genealogy of Innovation with Paul Shomo. Before you do anything else, go to Apple, Google, Spotify or your favorite podcast app and hit follow to get this show delivered automatically. Support the show and give us a review. If it's a 5 star, I'll give the early adopters a shout out on the show. I also love to hear feedback. Send me a message on Twitter. I'm @ShomoBits. Thank you for listening. Go forth and innovate.