Tal Kollender is the CEO, co-founder and CISO of GYTPOL, a company whose product monitors and remediates risks caused by misconfigurations. GYTPOL changes the way organizations protect themselves by seeing their network through the eyes of a hacker.
Kollender started her career as a teenage hacker who was later recruited to the IT Corp Cyber Security Systems Division, where she served as a cyber specialist in the IDF. She also served for more than five years as the CISO and IT security architect for Dell EMC.
There has been an epidemic of ransomware attacks in the past year. Many have targeted sophisticated security vendors, signaling that endpoint detection and response is not enough to prevent being hacked. Tal Kollender believes we need a digital response comparable to the vaccine rollout in the physical world.
“If we take the the physical world and try to compare it or to take it to the virtual world, then we understand that computers, devices, cloud resources, on-premises infrastructure, it is not secure. … In reality, we know that if you do not take the vaccine, you are in danger to get COVID-19. And if you do not use a misconfiguration tool, you are in some at risk in order to have some hack.”
In this episode of Cybersecurity Unplugged, Tal Kollender discusses:
- The lessons learned from the Colonial Pipeline attack;
- How GYTPOL “thinks like a hacker” in order to prevent hacks;
- How misconfiguration is the largest attack vector and how to fix it;
- Marketing noise in the cybersecurity space.
CLICK HERE for a full transcript of the conversation.
Steve King 00:13
Good day everyone. I’m Steve King, the managing director at CyberTheory. Today’s episode is going to examine the current state of cybersecurity readiness in the wake of the Colonial Pipeline attack, and how another approach – one that works like a vaccination – might make the most sense. Joining me today is Tal Kollender, the CEO and CFO and co-founder of GYTPOL, a company whose product monitors and remediates risks caused by misconfigurations. GYTPOL changes the way organizations protect themselves by seeing their network through the eyes of a hacker.
Steve King 00:52
Tal started her career as a teenage hacker who was later recruited to the IT Corp Cyber Security Systems Division, where she served as a cyber specialist in the IDF. After a couple of stints as CISO, Tal served for more than five years as the CISO and security architect for Dell computers. So welcome, Tal, I’m glad you could join me today.
Tal Kollender 01:17
Thank you very much for having me.
Steve King 01:19
Sure. I understand you also were going to be a fighter pilot when you were contemplating the year service in the IDF.
Tal Kollender 01:28
Well I wanted to. But after a few months, I dropped and in the army, they don’t really ask you. So they didn’t ask me where I want to go after they dropped me. So they said, okay, you will go to the computer unit, since you have a background, but usually they don’t do that at all, but they can. So, it was kind of a favor.
Steve King 01:51
Well, turns out it’s a welcome twist of fate, I guess, right? Otherwise, you might be doing something entirely different.
Tal Kollender 01:58
Steve King 01:59
You also likely have some observations and reactions of the Colonial Pipeline attack back on May 7. Does that event spotlight a horrific lack of preparedness in our global critical infrastructure? And if so what is your estimation about what can and should be done about it?
Tal Kollender 02:16
So as we can see, the May 7 attack is one of many attacks that happened recently. We all know the SolarWinds, the Exchange and other famous attacks that we just heard about, but there are thousands or tens of of thousands of attacks that we don’t even know about. Because the issue is that today the attacks become way more sophisticated, rather than what we used to know. Rather than once it was like some virus in a file or some malicious email that you’ve got, and you just need to click on it. The thing is that you need to understand the risks today, and to measure them correctly. Because today, we have so many things to deal with, so many risks to take into consolidation, that we really need to prioritize. And unfortunately, not everything today is wrapped into one product that takes it all. So I do think that CISOs and CIOs, they need to take into consideration the fact that they know the risks. And they work closely with a database, or at least with some trusted advisor that will let them know what they need to do. And with a very, very strong team, or at least products that will do the job for them.
Steve King 03:41
Yeah, the threats are definitely more sophisticated. But it seems also that our attack surfaces are more complicated as well. And it’s got to be contributing. GYTPOL’s an interesting company, you guys have been asked by Check Point to become a detection and auto remediation solution for misconfigurations. To me, that’s a big deal. Can you tell us a little bit about how GYTPOL works and your relationship with Check Point?
Tal Kollender 04:08
Yes. So our motto is “Think like a hacker.” The reason why we think like hackers is we are a group of hackers, we know exactly what they do, how they think, how they move laterally in the network. And our approach is to detect them or to detect the misconfiguration that we know that hackers use and to stop it even before they will even think about it. So we stop everything upfront because we don’t want anyone to move laterally or to gain control over our computer, server, any kind of network resource because it is super important.
Tal Kollender 04:53
When CheckPpoint found us they were amazed to see that our product – I mean, everyone thinks that they are super protected and compliant. And when they implemented the product, they finally saw that everything is open. And when they understand that EDR is not enough, as the other customers of ours do as well, they understand that EDR today is not enough, because they know that Microsoft got hacked Cisco, SolarWinds and other important vendors that they are all security vendors. So if they got hacked, they sure have EDR. So what else? I mean, what else do I need to do in order to protect my resources? And that is where misconfiguration is taking place.
Tal Kollender 05:46
Today we find this configuration more and more in the cloud, because we hear about solutions like CWPP or CSPM, and other other solutions. But still, the endpoint is lack of solution like that of misconfiguration. And unfortunately, most of the endpoints today, they play a major part. And that is why we defined endpoint as an entry point for attackers.
Steve King 06:13
The misconfiguration problem has is led to a lot of serious breaches, you know that Capital One breaches seems to me to be the most prevalent in that regard. Tell us how big the misconfiguration problem is these days and why it continues to happen a given that it has so much visibility in terms of its capacity for cyberattack.
So from what we (GYTPOL) say, misconfiguration is the number one pain attack vector but according to Dark Reading, and RSM, they both did their research, they published that around 40% of all successful attacks are due to misconfiguration. But again, we do believe that it is not 40%, we believe it is much higher. Just to give you an example, the SolarWinds attack was a very famous attack, and also Capital One and other big firms. And just for you to know that the SolarWinds attack could have been prevented if there was some misconfiguration disabled on the SolarWinds main server. So everything could have been remediated or not even initiated. If only the misconfiguration was closed from the beginning.
Steve King 07:40
Yeah, I’m sure that’s true. Has that happened because we’re under-resourced? Does it happen for the same reason that the rest of our hygienics are bad, that we don’t seem to be able to get to the foundational issues and address them?
Tal Kollender 07:57
I do think that marketing is the new name is the new brand. If you market your product, so you’ll get more hits, you’ll get more leads, you’ll get more buyers. GYTPOL, we do have many, many customers. And we are not all over the rainbow yet. And the awareness of misconfigurations is now mainly focused on the cloud. But I can tell you that again, most of the breaches, although the cloud is a huge attack vector, most of the breaches begin on the endpoint. So yet, we don’t really care about how many – I mean people buy products, because other customers buy them. And you know, you have “Oh, my partner has this. So maybe I should buy it as well.” But sometimes there is no legit or any reason behind it, just because someone told you to. And the awareness of misconfiguration, it is starting to be more and more popular. So like it moves from the cloud to the endpoint. And again, I mean, every time when we go and deploy GYTPOL on some site, on some organization, then we see immediately shocked faces all over the people that are in their from security, from the IT and from even different departments that sometimes just are there to take a look.
Steve King 09:38
So tell me Tal, as a former hacker, can you share some insights that you might have as to the nature and personality of cyber criminals and how their minds are wired?
Tal Kollender 09:50
Yeah, so the hackers today you have two main types of hackers. And two of them are bad. Okay. Both of them both of the types. So The first type is the criminals that, you know, they try to make money fast. And then the second type is the geopolitical hackers, countries and they are backed by the government. We all know which countries the the hackers are coming from, like SolarWinds and the Exchange attacks. They weren’t, like, just like that, okay? It wasn’t like kind of a zero day, it was something very, very unique, and very, very smart. So only a government can afford it.
Tal Kollender 10:35
And the first hackers, they really want to make quick money. Okay, they really want to make it as fast as possible. So today, we all use some cryptocurrency, we all use some some kind of these coins to to get our money to get paid if we hack somewhere. So you need to think, if we take it to the physical world, if someone is trying to enter your house, I mean, it’s okay that you have a door, it’s okay that you have heavy locks. But when you leave the door open, it doesn’t really matter if you have heavy locks, so it’s pretty much the same in cyber. It’s not that everyone leaves the door open, but it’s so easy, if it’s not the door, it’s the window, if it is not the window, then it is the balcony door or whatever. But again, there is a simple way for hackers to get into the computer or wherever they need if they are doing a good job in order to take control and to get at the end of the day good money.
Steve King 11:45
Is the solution to shut down the whole cryptocurrency movement because that seems to be the easiest way. The only way maybe that the bad guys can launder the ransomware piece?
Tal Kollender 11:59
Exactly. And I don’t know if you know, but China, they have about 80 percent of all of this cryptocurrency. Of all of the Bitcoin in the world, they have the most so. And they need to stop it first, or to do something about it.
Steve King 12:15
Yeah, why am I not surprised? So back to GYTPOL, you’ve described a little bit about how your product overcomes the EDR vulnerabilities. But it looks to me like this is a market that says, you know, we should have one XDR product that integrates all of this functionality into a single platform. Does that make sense to you? Or no?
Tal Kollender 12:41
that is something that totally makes sense to me, I really like the concept that everything will be under the same umbrella. When everything is monitored via the same UI, I mean, no need to open like 1000s of UIs, I mean, this monitors that. And this monitor that I mean, you need to focus and you know, you have your team, and it is a limited team, you need to tell them to do something, but you need to tell them to do something, right. They cannot chase after their tail all day long. They need to be focused on a mission. And when you have EDR, DLP, firewalls, GYTPOL, and if you have so many agents, and of course cloud tools and other agents on the device, it’s like, you can’t see the forest for the trees, because you have so many things you don’t know what to focus on. And sometimes you are focusing on insignificant things. I mean, you’re focusing on some small details that you can really leave it. If there was a product that could do it all, it would be for me, the most common-sense thing to do again in my mind.
Tal Kollender 13:58
But you need to understand that we compliment EDR and the reason why we compliment EDR is that they are focusing on malware, real time attacks, they do see some next generation of the antivirals like antivirus on steroids with of course malware and other things that they can they can do but they don’t preempt. So it now EDRs are moving into the vulnerability assessment approach, which is another field that I do think that they need to take. So let’s call it the Qualys and Rapid7 and other VA products that they really need to do something about it and maybe they need to develop their own EDR because it seems like they’re going to be in the minority.
Tal Kollender 14:51
This is something and also about the VA we also complement VA is because they deal with patching, patching, patching. But even if you are patched, you can still be misconfigured. So we know that misconfiguration is there and will always be there because it’s okay to have an EDR and VA and other 10 agents. But at the end of the day, if you leave your door open, then it doesn’t really matter what kind of new locks you buy, the fact that your door is open is there and I can do whatever I want. Because of that.
Steve King 15:27
Yeah, the human factor continues to be central to most of these successful breaches. And it seems to me that we’re well overdue for an application of artificial intelligence to apply to the configuration issue and make that somehow go away. And maybe that’s too simplistic, I don’t know. So, final question Tal, tell our listeners about the concept -your concept – of a digital vaccine, and how this recent pandemic of ransomware attacks can be treated in the same way we vaccinate in the physical world.
Tal Kollender 16:05
The way we treat the virtual world should be the same way we treat COVID in our physical world. And well, dealing with COVID is kind of a new disease and like all new diseases, the new vaccine kind of proved to the world that it works. And it just proved to the world that, no matter if you’re a woman or man, I mean, it doesn’t really matter who you are, I mean, your body should be vaccinated, it’s either you are vaccinated at some at some point or you you take the vaccine and then you are more protected.
Tal Kollender 16:55
So, if we take the physical world and try to compare it or to take it to the virtual world, then we understand that again, computers, devices, our cloud resources, our on-premises infrastructure, it is not secure. So people think that they have the antibodies of any disease. So they can deal with everything. Because they think that if they have EDR, if they have on vulnerability assessment, and if they have DLP, for example, they are well protected. I mean, nothing will hurt us. But it’s not true. In reality, we know that if you do not use the correct tools of if you do not take the vaccine, you are in danger of getting COVID-19. And if you do not use a misconfiguration tool, you are at some risk of having some hack. And that can be of course, ransom it can be some kind of very, very sophisticated attack that your organization can be compromised. But by some, I don’t know, innocent email or clicking on some device or I don’t know, even if you are on your home Wi Fi and you make some mistakes, even if it’s not in your computer, but it’s in your other family member’s computer, then it affects you, because you are in the same network. And if you are not protected, if you are not vaccinated, then most probably that you are at a bigger risk rather than people that already have the help to protect against misconfiguration.
Steve King 18:45
GYTPOL sounds like a sort of silver bullet for a lot the threat vectors. Tell me just a bit about your relationship with Check Point? Is your solution now embedded in the Check Point stack? Or are you an acquisition candidate? Or are you a partner? How does that all work?
Tal Kollender 19:08
Check Point is a family for us. They really love our product. They use it every day. They rely on its findings. And they have daily meetings about the findings. So Check Point met us in CPX. And they saw the product and they were amazed. And then even the incident response team took our product as part of their assessment to other organizations. We are a partner a partner of Check Points. And so they use it both internally and they even take it out of GYTPOL in an incredible way. And we really really love it.
Steve King 19:56
Great and congratulations for that. That’s quite an accomplishment. So best of luck in the future. And we’re out of time today. I do want to thank our guest Tal Kollender for taking time out of your crazy schedule to join me and what I thought was a pretty cool exchange. Thank you Tal.
Tal Kollender 20:14
Thank you. It was a pleasure. And thank you very much for your time.
Steve King 20:20
And thank you to our listeners for joining us in another episode of CyberTheory’s exploration into the complex world of cybersecurity, technology and digital realities. Until next time, I’m your host, Steve King, signing out.