In this episode of Cybersecurity (Marketing) Unplugged, Shua also discusses:
- His idea of a Cloud Security solution: Asset and infrastructure visibility;
- Cloud Orchestration and how Orca Security mediates the problem of extra layers and confusion;
- How using the solution helps to identify risk sensitive data and speeds up the process.
Avi Shua is the brilliant CEO and co founder of Orca Security and leader of Instant-On Cloud Security with 25 years of experience in the cybersecurity industry. Previously, Shua was the chief technologist at Check Point where he built and scaled cybersecurity solutions that continue to protect thousands of organizations to this day. Prior to founding Orca, Shua earned his cyber defense chops at IDF as a software team leader and member of the Unit 8200, the Israeli equivalent of our NSA.
With security tools, it’s essential to provide full coverage and full security visibility for the environment. Avi Shua uses his expertise in Cloud Security and innovation to find solutions to these challenges that arise.
This episode has been automatically transcribed by AI, please excuse any typos or grammatical errors.
Steve King 00:13
Good day everyone, I’m Steve King, the managing director of CyberTheory. Today’s episode is going to focus on cloud security and innovation. Joining me today is Abby Shua, the brilliant CEO and co founder of orca security, the leader in instant on cloud security.
Avi Shua 00:33
Prior to founding Orca, Avi was the Chief Technologist, the checkpoint software an earlier earned his cyber defense chops at the IDF as a software team leader and member of the unit at 200, the Israeli equivalent of our NSA. So welcome, Avi. I’m glad you could join me today. Thanks for having me. Sure. So a critical component in your cloud security solution at Orca. Is asset and infrastructure visibility. You accomplish this uniquely, I think with your side scanning technology, can you explain a bit about how that works and the design thinking that went into its development? Sure, but maybe it makes sense to explain what problems we’re trying to solve. And why this dis technology essentially solve this problem. And so, if you don’t mind, I’d love to share the thought process that we’ve put into this problem and how we came up with this with a solution that we are currently providing, you know, a security. Sure. So if you think about that, in terms of security, one of the top items that we’re trying to maximize is coverage. At the end of the day, it doesn’t matter how well your security tools are, how strong your defenses are, if you don’t know that you have it for 100% of the environment, in most of the cases organization are not breached, because the walls are not high enough, but simply that are not covering the entire environment. So the item that we really wanted to optimize is to be able to provide full covered full security visibility for all of the environment. And usually, the thing that limits that is the organization friction. If you’re one developer with 10, workloads, one Kubernetes clusters, it’s usually easy to install things, you just go and install them. But once you scale, and you talk about organization that may have 1000s of developer, hundreds of 1000s of workloads, it’s not feasible, you can’t really go talk with each one of them, tell them go install this piece of software, deploy the agents in order to secure the environment. These are processes that can take years and almost never completely succeed. So with that understanding in mind, in sync, the frustration of security teams that are trying to get the visibility and ending up in trampers. But in 10 practitioners, we look at the issue them a physics of a cloud environment. And we ask ourselves, what are these a way that we can get the visibility needed, without any friction at all, without the need to install agents without the need to install network scanner without the need to authenticate to the workload themselves. And the way that we thought about it is that all of the tools that existed pre orca were rooted in the physical environment. When you’re trying to scan a physical environment, you don’t have too many options, you can either install an agent or use a network based scanner, because it’s a box in different tomb. There is no other way to reach that. But current workloads are materially different. So we looked at the options that we can assess the environment, and found the fact that due to the fact that these are virtual workload, we can use the virtualization environment itself, the fact that they’re running on virtualized storage, and scan them from that approach. And this is essentially the idea by inside scanning, taking a forensic style approach without any organizational friction, to provide this deep visibility for all of the environment.
Steve King 04:20
I see. That makes a lot of sense. In our fragmented it world today, we we often see variations on hybrid combination cloud orchestration, some of its running on Azure, and others may be running on AWS or GCP. This would seem to us to create extra layers of complexity and confusion in managing our entire cloud estate. How does orca mitigate this problem? So definitely, when you’re having more cloud environment, each one of them have dozens and sometimes hundreds of services that organization use it
Avi Shua 05:00
add complexity. And it makes it dramatically harder for the practitioner to speak a single language. For example, think of yourself as practitioners want to see all of the workloads in the environment. In each cloud provider, they have different themes. One of them is called the VM in other it may call may be called in different name. And the when you are trying to ask more complex question about it, for example, show me all my assets that can be accessed from the internet, this becomes extremely hard, because each service have its own definition, the way that it can be exposed, either directly or indirectly. And if you go to multi cloud, then you multiply it by multiple amount of environments. And the way that we are helping is that we are modeling all of the customer data from the different cloud environments in a simple data model that speak a common language. So in orca customer can, for example, ask a question like, show me all of the workloads that have in my cloud environment that are exposed to the internet. And it will show that regardless of whether they AWS GCP, or Azure, or even show me all of the services that are overprivileged, all of the services that can be accessed from the outside in, and we’re able to answer these questions. Yeah, and you do that I assume, by some sort of scanning mechanism, you don’t require any input from your, from your customers. Exactly. It’s all based on decide scanning in the matter that the scanning that we are performing via the read only access to the environment. And then we are essentially putting it in our graph database, to be able to come with more genuine understanding over the environment. So rather than just given a very long list of alerts, or assets, we can essentially provide visibility to whether they’re, which one of them are more important, for example, we can tell you things like this is a vulnerable web server that is exposed to the internet, in this case that can allow access in your internal environment. And this is a critical attack vector versus for example, just an alert about an internal asset that cannot be utilized in any meaningful way. Right. And I don’t know whether you are a fan of the zero trust movement or whether you think that’s a good idea. But we certainly are here. And that’s why the cyber theory Institute has been has been built around that initiative is our initial initiative here. And one of the keys to zero trust is a reduced attack surface. And then the elimination of excessive trust throughout the throughout the network. Orca has a misconfiguration detection capability, I think, that seems to be able to identify flaws and permission management schemes. Could you explain to our listeners how you do that and how important you think that is to is to your overall solution offering. So one of the main things that we do is to look for a deviation from best practices and misconfiguration. And misconfigurations are many times looked as a compliance issue, for example, you are trying to find the security groups that are too often to find users that are not using multi factor authentication, etc. And this is important, but the main problem with that is that it really results in alert fatigue. One of the shocking factors is that if for example, you just create an AWS account, when you just put your credit card and install most of the tools in the market today, they’ll give you a one to 100 critical alerts, even if you don’t have anything in it, because the default configuration deviates from best practices. But just because something deviates from best practice, and every mis configuration doesn’t mean it’s critical. So our approach to that is to look at it as a vector. So yes, you can see all of the MIS configuration and if you need to eat for compliance reasons, you can go over them. But the way that we recommend the customer to look at it is not just to look at the list of misconfiguration. But to look at it as attack vectors is cases that these misconfiguration can actually be exploited. For example, you have an open port, and behind this open port, there is a machine that doesn’t have multi factor authentication is dramatically more important than the misconfiguration for open port 20 is nothing listening to Dysport. Right, right? So you differentiate between the IDS access to the critical assets that are vulnerable versus those that may be vulnerable, but don’t have that same access, even the combination of data because think about that if you take a more siloed approach to security, for example, Do you just look at vulnerabilities separately, we looked at misconfiguration look at identity, then you don’t see the actual risk that encompasses all two of them that there is an exposed vulnerable asset with credentials, you just see all of the vulnerability, all of the open assets, all of the over privileged roles. And usually you need a combination of issues, for it to be actually impactful for an organization, right. And identifying critical assets and then building, building small protect surfaces around them, and then segmenting them away from the broader networks attack surfaces, another fundamental principle of zero trust model, Can folks actually use your solution to find and identify their risk sensitive data and speed that process along? So yes, we can definitely detect in a sensitive data such as PII we do these searches ourselves. And we have the UV sticks that essentially prioritize the attack vectors based on their ability to access this sensitive data to pin 2.4 conditioners into the wrist that actually matter. In the environment. Yeah, that’s great. Just as an aside here, did you you can see much of this while you were working away at checkpoint, or did this or was this sort of a lifelong effort on your part to, to move to a solution that didn’t exist before. So I’ve been in checkpoint for many years, more than 11 years. A but a, and I’ve learned a lot in the spirit of seen the actual struggles of organization, the friction that they’re facing, in certain sick insecurity tools, the problems that the actually trying to enter everyday. And it’s very different, walking on death from a security vendor for many years, rather than as a developer that sees a much narrower point, a much narrower view of the issues. But all of and we did, understanding this experience. I and additional seven co founders started orca security. But the way that we employ the idea that our insights can get the graph theory that we use is all stuff that we created afterwards, as we were digging into the space and building Orca. Did you start in a small garage somewhere in Sunnyvale? In fact, is based in Tel Aviv base then it was a coffee shop near the beach, my great view, but and not take advantage.
Steve King 12:38
And then all of a sudden, a few weeks ago, you raised 550 million and over six oversubscribe seerah. That that must be that’s must be a fabulous feeling and incredible sense of accomplishment from from a coffee shop to 500 million. See, what’s the one thing that you would name that you would attribute your success to hear so far?
Avi Shua 13:03
Well, I think there’s one thing that is important and this to be extremely obsessed on the customer challenges on the real ones. People don’t buy technology because it’s cool. They buy it because it actually solves a real pain point. Just look at the look for J vulnerability that have been in the news. In the last week or two organizations that were using older technologies literally had to struggle, update agents over the weekends, follow up the environments or install them. And this is a daunting tasks that usually don’t finish all customers. And we are fortunate enough to allow many organization between our customer to use the platform, these in these two weeks, simply connected, got the full list of the vulnerable assets. And that’s it, this is a real problem that we solved for them. And this is the one thing that matters, the rest doesn’t matter in order to to build a successful company that’s focused on actually solving the real customer challenges.
Steve King 14:04
Is your messaging directed at the outcomes, or CISOs and other security practitioner buyers, is when you say focus on the things that matter. The things that matter usually are interpreted as you know what, what outcome do I want? What What am I trying to achieve here?
Avi Shua 14:23
Exactly. So it’s about solving these challenges, and solving it in a way that makes their life easier. The interesting thing about Orca, theoretically, we haven’t solved a new problem, the problems that to solve existed before we simply solve them in a dramatically better way. This is also what caused us to want to and be able to accelerate that fast because it’s not like we’re telling customers that you need to find new budget for new problems. These are problems that was 12 videos struggling with for you We simply created a dramatically better way to solve these challenges.
Steve King 15:05
Yeah, it sounds like it. And I mean, don’t you think that I mean, from my point of view, the cloud, you know, it’s not the glass fault, but the cloud the app, the opportunity in the cloud, has brought along with it. Some significant changes in the complexity of the of the problem space. From my point of view, I don’t know that there was there has been any clear leadership in the cloud space to address that kind of complexity do.
Avi Shua 15:36
So I think that my the main mistake that most vendors do here is to try to treat the cloud as an extension of the existing environment of the on prem environment. And they just took mostly their approaches that was that existed on the on prem, to solve. And these approaches were probably sub optimal for the on prem. But this is what this is what we add, but we’re definitely dramatically sub optimal for the cloud. I think that one thing that we saw, and it’s not only with security, it’s also with migration in our tools is almost every time we just tried to take the tools and the paradigms that we had for the on prem and move them to the cloud, we failed, it’s all new word justify taking new approaches,
Steve King 16:23
right, some of the marketing messages that have permeated space over the last, let’s say year and a half or so, have been focused on cloud native, from my point of view, and I think, folks generally understand what that means and what the benefit is, can you explain in your, from your point of view, what what cloud native actually means in terms of both the technical approaches and the outcomes for the buyer?
Avi Shua 16:54
So you know, I think a negative is, in many cases, something that marketers love to use in order to say that their product works well for the cloud. Right. And many times, it’s simply just a marketing terms to say it was suited for the cloud, where behind the scenes is something that is built for the on prem and at some cloud, put on it as an afterthought, in my opinion, cloud native is something that actually leverage the capabilities of the cloud, in order to do his job in a way that is ATL, and optimized for the cloud. For example, orca sites, canning, doesn’t work on on prem, they simply cannot work. It assumes the physical of the cloud. This is cloud native taking an agent that existed for 20 years, and putting an AWS lock on, it doesn’t make it cloud native.
Steve King 17:48
Right? How would you describe the physics of the cloud, as you say?
Avi Shua 17:53
So these are virtual workloads, they have the different physical manifestations form a on prem environment, the one sometimes four milliseconds versus on prem workloads can run usually man for years. They are, they may have the same IP addresses over and over, there’s so many differences in it. And when you take tools that are not cloud native, usually face the obstacle because it was never planned for that, for example, I’ve seen people trying to install agents and Agent filling catastrophically because they’re the workloads were running only four minutes. And nobody needs five mind at the data center, where agents are the only one in four minutes. And these tools were planned for different roles. So I really think that cloud native are things that were designed from scratch to support the very different environments of public cloud.
Steve King 18:47
And do you think is container? are containers a part of that difference as well? And in other words, you know, containers would behave very differently if, if at all, in an on prem environment versus versus the cloud environment? Is that a good example in your mind of the differences there between cloud native and non?
Avi Shua 19:10
It is one example of containers is definitely an example. But it’s not only there. It’s not the only example of virtual networking, the different the managed services are different. They’re extremely, it’s a very long list of things that living different in cloud environment in the long run.
Steve King 19:27
Yeah. So what are you gonna do with that 550 million.
Avi Shua 19:32
We’re continuing to execute on our vision. We are playing to the medically we grew from Around 40 people last year to more than 250. Now, we are growing in 1,000% year over year for two years now. And so are continuing to invest both in r&d and in making sure that our product is available around the world. We saw huge demand for a product we have been later The selling get to organization all over the world where we have absolutely no local teams. And we are trying to change that. So we’re continuing to invest in all parts of the business. Yeah.
Steve King 20:11
So my final question here, and I’m conscious of the time I’ll be is, now you see what are the effects of growing from 40 to 250? People in a very short period of time, or what, as a CEO. And, I mean, you were the founding CEO, now you’re the, you know, the ongoing CEO. What effect is it going to have is that expanded scope and scale going to have on your ability to manage everything they used to manage with your hands on
Avi Shua 20:45
these tons of fair differences of things that talk differently when you’re supporting hundreds of customers versus a few, for example, when you have, and your sales team become 100 people versus two people. So you must delegate, you must be when people that you trust, there’s absolutely no way that you can do it all by your own, it doesn’t scale, and shrinking the leaders that trust and can scale the business is the most important thing. Building the company is not to one main job, it’s all about the people.
Steve King 21:20
Yeah, and then finding those people and knowing whether you can trust them to do the work that you used to do is, is a very challenging task, because it requires that you let go of some of your, some of your biases, right.
Avi Shua 21:36
So it is a challenging task. But I think it’s a lot about finding people that agree with division. Once this is the most important thing, if someone don’t agree division, it’s not in, it won’t be good fit. Life in start up can be challenging. There is tons of work. There’s a lot of both good and hard moments, and you must be lying together to make it a success.
Steve King 22:01
Yeah, no kidding. Well, listen, I really appreciate you taking the time today. This was a great discussion. I thought it was fascinating to learn how you guys put this together and and what your leadership position in the spaces and you know, just mega congratulations on that round. That’s been out. Phenomenal investor confidence. Surely you guys are the leader in the space. So thank you for for taking the time out of your schedule to join me and given our listeners something to think about. Thanks for having me. Yeah, and thank you to our listeners for joining us in another one of cyber theories unplugged reviews of the complex and crazy world of cybersecurity, technology and the new digital reality in which we all live. Until next time, I’m your host, Steve King, signing out.