Files are still the core of how people do business. How are you dealing with the onslaught of files coming into your network? People are sharing files across a multitude of platforms, many of which you may not even know about. What checks and balances do you put in place to make sure you’ve got file integrity no matter the source?
Check out this post for the discussion that is the basis of our conversation on this week’s episode, co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Our sponsored guest is Aviv Grafi, founder and CTO, Votiro.
Huge thanks to our sponsor, Votiro
[David Spark] Files are still at the core of how people do business. How are you dealing with the onslaught of files coming into your network? People are sharing files across a multitude of platforms, many of which you don’t even know exist. What checks and balances do you put in place to make sure you’ve got file integrity no matter the source?
[Voiceover] You’re listening to Defense in Depth.
[David Spark] Welcome to Defense in Depth. My name is David Spark. I am the producer of the CISO Series. And joining me for this very episode, you’ve heard him before, recently quoted in the New York Times, his name is Steve Zalewski. Steve, let people know what your voice sounds like.
[Steve Zalewski] Hello, audience.
[David Spark] That’s exactly what it sounds like. You’re going to hear a lot more of it later in the show. Our sponsor for today’s episode is Votiro, a great supporter of the CISO Series. We’re a fan of Votiro because, if you didn’t know this, Votiro is the winner of the first season of Capture the CISO. What is Capture the CISO, you ask. Well, why don’t you just go look it up on CISOseries.com and listen to the season. It came out phenomenal, and we’ll be doing another one real soon. All right, Steve, on LinkedIn, you posed the question as to how people are handling files coming into their network. Now, traditionally most companies have looked at file attachments in emails, and they have antivirus running. But with the proliferation of collaboration apps, files come in from anywhere, often from applications you don’t even know about. So, you asked the community, “How do you handle this?” And I got a lot of answers suggesting a Defense in Depth approach, which seems kind of like the solution for everything. I put “solution” in quotes when I say that. What do you think?
[Steve Zalewski] When I posted this, this was kind of a follow on to what I was seeing at the recent security conferences, which is business SaaS. That the business is driving the SaaS implementation, not necessarily IT. The result of that is traditional AV may not be up to snuff. Because we all think we’ve solved it. And so I think what we’re seeing here is indeed…
[David Spark] Well, if we had solved it we wouldn’t be having this conversation, and nobody would be having an issue.
[Steve Zalewski] That’s right. So, I think the camel has kind of stuck its nose back under the tent, and that’s why today’s episode was Defense in Depth may be the right answer, but really the key is what’s changed that AV isn’t the answer anymore.
[David Spark] All right. And the person to help us with this very conversation, again, as I mentioned, the winner of Capture the CISO, a phenomenal sponsor of the CISO Series. We love having him on. It is Aviv Grafi, founder and CTO of Votiro. Aviv, thank you for joining us again.
[Aviv Grafi] Thank you very much, David. It’s great to be here today.
Does anyone have a better solution?
[David Spark] David Larson of Southwest Gas Corporation said, “Defense in Depth, the best investment is probably advanced EDR and sandbox for files that get past the initial defenses.” We’re going to address what works and what doesn’t work of that. Grant Yost, Village MD, said, “First get visibility into your own SaaS sprawl. Two, guiding your business to a standard toolbox for collaboration that does not rely upon email. Three, robust IM and security monitoring integration. Four, context aware DLP to monitor the file movement. And of course good EDR to watch for the malicious content.” Again, a Defense in Depth approach. Grant goes on to say, “Selling the strategy as allowing the business to collaborate with guiderails with decreased decision making for the user will likely go further than a multistep procedure or complex end user policy,” which I think everyone is on board with with regards to security. Another quote I just want to close with, Jonathan Waldrop of Insight Global, who agrees with most of these and adds that, “Having CASB/web app monitoring functions are key to monitoring where files are moving to/from the web and how much data is moving.” All right, so this is… I’m going to highly summarize here and just say implement a lot of stuff. What do you think, Steve?
[Steve Zalewski] I would say this is kind of the traditional technologist approach. Do more, do more, do the more. But the reason why we were having this conversation to start with is there’s two components to it. The first is traditional AV, stop malware. Well, business SaaS is no longer saying even that’s acceptable because we have to let files through that may have malware in it, but the business still wants the business data in the files. And so therefore we have to rethink the block it at all costs and be done. And so what do you do now that we’re acknowledging that we have to let files through with malware as the business needs it. Then the second use case is where we’re driving with this is…and that’s what I see, but now there’s a bunch I don’t see, which is there’s files that are moving through infrastructures and third party that my AVs don’t have access to because they’re not going through the traditional mail or file exchange servers. And so now I got a twofold problem there, which is one, I got to go see it to determine it’s malicious in addition to potentially allowing it to go through once I clean up the malicious content.
[David Spark] Aviv, I’m throwing this to you. This is…just to let our audience know…this is definitely Aviv and Votiro’s bailiwick, dealing with this very problem. I’ll begin by saying nothing anybody said here is wrong. It’s just not targeting the very specific issue we’re having here. Yes, Aviv?
[Aviv Grafi] Yes, that’s correct. I think that Mr. Larson actually raised an interesting point. What he believes in is the best investment is actually having ADR and sandbox, but I think that it’s too late. If we can actually implement those security controls outside before it actually gets into our network, not relying on the EDR that’s already there, I think it’s a way better approach. This is one. And what Grant has mentioned is that we should implement tons of stuff [Inaudible 00:06:34] I don’t think that’s the right approach either because implementing a lot of controls, that’s a headache and a mess to manage. I think the reason why we’re having so many controls is that we’re not probably implementing the right solution that can really solve the problem of allowing those documents and that content to get into the organization from all those platforms with one gateway solution that is not relying on multiple point solutions. This is for example for Box and maybe Microsoft [Inaudible 00:07:07] 365. Maybe someone did or did not implement a secure solution for SNAC. Having one solution, I think it’s a way better approach, and it’s way more maintainable.
[Steve Zalewski] Let’s riff on that for a moment, too. Which is yes, Aviv is correct, too. But there are a couple other things that we’re talking about here, which was Secure Edge. Where is my edge? The business SaaS exercise of where is my edge, is it actually my laptop, is it my phone, is it a traditional firewall, or is it a third party SaaS app that I don’t own but I have to let data flow… So, between two APIs that I’m moving this stuff through, where is the new edge that I can see this. And once I can see it, I can implement policy. So, I think we’re driving at a much more problematic challenge here, which is how do I redefine where is my secure edge. Just even start with visibility into it, never mind then worrying about being able to either clean up or stop the malicious file as it moves. And so I like what David said, because here are all the controls. But implementing those controls to a certain extent assumes where your edge is. Is it my own data center? Do I have network firewalls? Do I make people VPN in? And what COVID did and what digital transformation did is it said, “I can’t just go through a traditional way of enforcing the controls. Where’s the good enough?”
What else is required?
[David Spark] Allen Westley of L3 Harris Technologies said, “Data tagging automation is a must. I’ve seen cumbersome file groups, manual data segmentation efforts, MAC, DAC, VLAN separation all fail in protecting people from themselves. Data must be self-identified, categorized, and access controlled. We need to take people out of the data labeling, file management, and access business. I am not surprised by the number of violations considering the dizzying pace at which files are generated.” And by the way, having a solution is key to that very last line there. Luis Valenzuela of InComm Payments said, “Introduce default automation in advance. The most painful step of the process of doing something with data and identifying what to do with the files is the who – who has the authority to decide whether a file should be protected if it comes from their cost center, who will be responsible if it will be deleted. Thus one possible solution is to make sure A, labeling happens at creation or inception. And B, standard retention and deletion rules are automatically attached to each label so that every file has a protection action control and an end date that can be adjusted to business needs.” All right, Aviv, labeling we’ve heard this for a while. And automatic labeling we’ve heard for a while. But it’s always going to fall short somewhere, isn’t it?
[Aviv Grafi] Yeah, definitely. I think that it is the task of labeling and understanding what data and how we can identify that, and who should be responsible for that that’s the problem. I do think that if we’re taking the human factor out of that equation, I think that’s more reasonable and a scalable approach. Probably we need to see what is the source of that content or what is the source of that document and apply that policy based on source. I think that’s probably the best technique that we can apply these days.
[David Spark] Steve, my feeling is we could sidestep the data labeling issue, which is still cumbersome in itself, and it doesn’t need to be a part of the solution process here. Or am I wrong?
[Steve Zalewski] I often say if I had a magic wand and I could wave a magic wand once and fix one thing I would love to be able to get every piece of data labeled at the point of its inception. We could solve a ton of problems if we could hold accountability at the point that the data was created to know what its label was. But we can’t. And furthermore I say it’s even harder because it’s one thing to try to label the data for business confidentiality, which is our old school problem. But more and more, what I’m worried about is not that, but it’s the data privacy of the consumer data that exists within the files. And that’s within the purview of the lawyers, not the lines of business and not IT. So, we’ve made the problem worse because we’ve got different organizations accountable, and they have different perspectives on the role that they provide in being the adjudicator of establishing what that data is. And so what I say here is why we talk about this is it’s important that we acknowledge now that the old use cases are still there. There are new use cases and new people that are part of this, which is the legal teams and consumer data privacy that has us having to relook at where our edge is to know not just where business confidential data might be moving in files but consumer privacy data. And often times they intermingle. So, this is really kind of like a warning bell if you want to call it that this digital transformation and this business SaaS says, “Don’t be complacent that you think you’ve got the AV problem solved. You’ve got to go out and take a look at it again, and traditional AV may not be the way that you can solve it.”
Why are they behaving this way?
[David Spark] Khalid B. of Cloud Innovation Partners said, “Real data should be well protected and not possible to extract from systems as xls/csv for ongoing data projects. For day to day business needs, team members working with real data should be working on systems/tools only and stop recreating the world with Excel. They should stop creating Shadow IT tools. If they need anything extra, they should ask IT teams to add their features into existing tools. Pragmatically, security teams should deactivate file sharing via all means because it’s the number one root cause of data leaks and GDPR noncompliancy.” So, I’m going to summarize this, Aviv. Khalid’s comment of everyone should listen to security, not do business the way they normally like to do business, and just do what we tell them to do. That would be wonderful, but that’s not how the world works, does it, Aviv?
[Aviv Grafi] Of course not. Of course not. We see that every day.
[David Spark] By the way, could you agree that if everyone followed Khalid’s advice things would be a lot better?
[Aviv Grafi] Of course, in an ideal world.
[David Spark] Yes.
[Aviv Grafi] But not in reality. That would be probably a Disney movie of the CISO.
[David Spark] I like that line – Disney movie of the CISO. So, this doesn’t work. I want to give you an opportunity to really tell the Votiro story because we haven’t told it yet in this show. Nobody has actually offered this as a solution, what you do. I’m just kind of setting you up here. Because you uniquely attack this very specific problem, allowing us to avoid what was previously mentioned, the need to data label, the need to create 15 different layers and hope that we catch the problem. Explain what Votiro does.
[Aviv Grafi] That’s right. So, I think in this discussion we definitely highlighted the delicate problem and the tension between security and productivity. We all know that we need to secure our organization and network, but we all know and we have to allow the business to flow. We have to allow the business to work. We understood that a lot of…
[David Spark] I’m just going to comment here – this is why… I addressed this at the beginning and Steve mentioned it about this whole idea of sandboxing, which has been a common technique. It’s like, “Oh, we’ll check that file later. In the meantime, how the hell am I supposed to do my job?”
[Aviv Grafi] Of course. Of course. And one way sandbox was supposed to solve that problem, but we know that it takes a lot of time. It might be too late. It’s not the most modern solution for detecting security threats. So, I think that one of the things that we understood is that we have to allow the business to flow. So, we know that a lot of security solutions, mostly in the detection world, like the AV, like the sandbox, like the EDR, they’re all relying on one thing – let’s try to detect the bad stuff, let’s try to isolate what we don’t know yet, and the business will wait. So, we understood at Votiro that we have to find a solution that naturally turned the problem on its head. So, instead of trying to look for bad stuff, we know what is the good stuff. I’ll give you an example. So, the core technology that we invented at Votiro is called Content Disarment and Reconstruction. We take content. We construct it to a safe version of it. Let’s talk about that Excel spreadsheet or the csv that Khalid actually mentioned in his quote. We take that document, and we deliver a safe version of that document immediately without the need to isolate that, without the need to park it somewhere. And in that way we’re just allowing the business to work.
[David Spark] Let me interrupt for just a second, because I remember this question came up during the Capture the CISO competition. Often techniques like this have been done before, but it was just disable the macros. How do you know what’s malicious and what’s not malicious?
[Aviv Grafi] That’s a great question. One of the things that we apply apart from reconstructing those documents into a safe version is that we know how to detect the benign macros. We have our machine learning model say, “Okay, this is a benign macro. This is a macro that is harmful, so we can actually allow those whitelisted macros in.” And this is one of the challenges with that technology seven years ago. So, we solved that problem, and we allowed a lot of financial organizations…and not just financial…to really work with their standard documents without telling the finance team, “Oh, you cannot receive any macro enabled documents.” Which is a real problem for some of the businesses these days. So, we took that approach, and then we implemented that at the Cloud as a SaaS solution that anyone can actually plug the Votiro technology into their workflows using Votiro API within minutes. So, no matter what platform you’re using, no matter what file sharing platform you’re collaborating with, we can connect to that. Then we’re allowing all those files to be reconstructed and sanitized, and delivered safely to the user so they don’t need to think twice before they’re opening those documents.
[David Spark] All right, Steve, you’ve heard about Votiro’s solution before. How does this compare to what we’ve been talking about previously in the show with all this other advice we’ve received?
[Steve Zalewski] So, I would say the difference here is one of philosophy. If I can’t secure the company, and I now have to protect the business, which is what Aviv is saying, then another way of saying that now is as a security practitioner, what the business is saying is, “Don’t tell me what you can’t do. Tell me what you can do.” And so therefore I can’t just block the files anymore. I have to let them through in many cases, and I have to do it in a way that I can’t use traditional ways of determining malware. And so that’s what Aviv is saying. So, “Don’t tell me what you can’t do, tell me what you can do.” So, it turns that pyramid upside down, look at what’s known good and let the known good through. That is just a different way of thinking about the problem given the business SaaS solution. And so while many people may look at what they’re doing and saying, “Hey, we’ve known about this for a while. And so turn off macros and everything else…” But it’s a foundational shift to one of resiliency. “Tell me what you can do, not what you can’t do. Let’s flip the problem upside down. Let’s let known good through and let the business continue.” We’re accepting a different class of risk and therefore Defense in Depth. The way that you want to position that gives you some new options.
[David Spark] It’s also… And kudos to you, Aviv, on this. It’s more of a department of yes answer rather than a department of no.
[Aviv Grafi] That’s correct. That’s correct. I think that’s one of the things that I want to highlight because you mentioned that in Khalid’s quote is that his advice is to work with real data and stop recreating the world with Excel spreadsheets. What we see in the actual world is that a lot of lexis [Phonetic 00:20:24] systems are still generating the list or the lowest common denominator which is Excel. We’re still going to have Excel spreadsheets flying around probably the next few years. So, I think that shift will take many years. And until then, we still need to protect those content pieces. One of the techniques, as I mentioned, that content disarment reconstruction, and of course there’s some other [Inaudible 00:20:51] kind of technologies.
[Steve Zalewski] I’m going to play on that, too. Because if you think of this as a bell curve, which was you’re going to have forward thinking companies, leading edge that will want to take a look at how I get to yes better, and then you’re going to have trailing edge that are going to be using old school technology, files and everything else, for a long time. Then you’re going to have a whole bunch of people in the middle. The reality is none of them is the right answer. This is how business works, and it’s going to work for a long time. So, the opportunity to be able to solve the old school problem and open up the door for the companies to migrate to the new school way of thinking with a single solution or a single set is the obligation we have to get to yes. But it’s not a panacea.
What needs to be considered?
[David Spark] Or Eshed said, “Understanding the source context can improve tremendously the security assessment, especially when files are downloaded from the browser and via collaboration tools. A simple example would be as follows – a file passed internally via Slack, is that equal to a file downloaded from a torrent drop zone. Of course not.” So, I’ll start with you, Steve. Yeah, I think knowing the source of where it’s coming from does play an enormous role in here. I guess is this up to the firewall at this point? Who’s responsible for this at this point? Or the CASB I guess maybe.
[Steve Zalewski] Oh, okay. So, we got to take it a little farther back. I like your question, but the key is if now what we’re doing is all the developers are realizing that they’re outsourcing a lot of their code, and they’re using shared code, and they’re getting it from shared repositories… Traditional locations of where files existed in the past might have been considered risky, but they may be acceptable risks now in order for the app dev developers to meet the business requirements. That’s why what I said earlier was you’ve got to rethink traditionally how you look at AV in these files with what digital transformation and business SaaS has done to us. It’s everything is code. Everything wants to be reused.
[David Spark] Good point.
[Steve Zalewski] Third party risk is to the source of the file. It no longer means it’s an Excel spreadsheet. It could be GitHub. It could be somewhere else where somebody is pulling in a library because they built some mobile app, and I’m the poor security guy that’s trying to determine whether it should be allowed or not, and can I do it in a way that gets to the known good and allows the business to proceed. That, I think, is the core of what we’re getting at here.
[David Spark] I think what you’re pointing out is that everyone’s trust levels have gone up considerably, specifically around code sharing. Because such an enormous percentage… And by the way, we did a recent episode of Super Cyber Friday on the topic where 79% of code is coming via open source. Now, Aviv, correct me if I’m wrong, does your solution deal with code snippets, too?
[Aviv Grafi] We’re not dealing with the code snippets by itself, but we see that a lot of the content consumed is not necessarily code. It’s also getting through GitHub and some other sources. If you think about some sources that sometimes we’re not even thinking about those as risky. If you think about insurance company or any business that receives documents from their clients or from other parties, let’s say the marketing team receiving from their vendors, or maybe insurance companies receiving claims documents from their clients, that’s a source that you might think maybe they’re trusted. But in reality, it’s actually flying under the radar of most of the controls through those APIs.
[David Spark] I’ll give you a perfect example of this. I was in JCPenney a little while ago. The place is dead, by the way.
[David Spark] No one shops there anymore. But I purchased something in cash there, and the person took out that marker to swipe the bill to see if it was counterfeit or not. I and most people rarely pay for anything in cash in the department store, but for some reason I was. Because most everyone is paying with a credit card. I said, “How often do you see counterfeit bills?” She goes, “Every single day.” And that made me realize… And this goes to the third party thing is unknowingly I am sure that I have passed counterfeit bills. If they’re that prevalent and so little that cash is being used in a department store and that they’re seeing it every day, I have probably received a counterfeit bill and then handed it on. To the point of the third party issue of they don’t mean to be taking counterfeit code or counterfeit files, but they’re passing them along, thinking that they’re perfectly good $20 bills. Is that what you’re seeing, Aviv?
[Aviv Grafi] Yeah, that’s very similar. I think that this is very interesting, the point that you raised. Because probably most of those counterfeit bills actually are now being used in those kinds of stores. So, that’s definitely one of the things that we see in the digital world.
[David Spark] All right. Let’s wrap this up. We’ve come to the point in the show where I ask both of you which was your favorite quote, and why. Aviv, I want you to start. Which quote was your favorite, and why?
[Aviv Grafi] I like Grant Yost’s quote. I think I might actually outline the controls that he would recommend to implement, but what I really like is the second part of the quote where he said that selling the strategy is allowing the business to collaborate. I think that’s the main point here. That’s an extremely important point that some of the other folks didn’t highlight. I think that allowing our users to actually work and allowing the business to flow, that’s way more important than talking about what exactly would be the control and what complex policy you want to implement. I think that’s why I like Grant Yost’s quote.
[David Spark] It goes into the subject of being invisible, too, which we talked a lot about on this show. Steve, your favorite quote, and why?
[Steve Zalewski] I am going to go with Or Eshed – understanding the source context can improve tremendously the security assessment. I think that gets back to what the theme of this show is, which is don’t tell me what you can’t do, tell me what you can do. And realize that files in the traditional sense are not necessarily how files are being used in the current business domain. And so therefore make sure you’re not inside the box. Get outside, look at it. And to your analogy, I would say and so we’re passing counterfeit bills all the time, so go use your credit card.
[David Spark] That is the solution.
[Steve Zalewski] Because that has its own challenges, but that’s getting out of the counterfeit bill conversation. And then we’re going to get into electronic counterfeiting so to speak, but it’s a different conversation. And now we’re saying what we can do.
[David Spark] Excellent. Well, thank you very much, Aviv. Thank you very much, Steve. Aviv, I’m going to let you have the very last word. You can make another plug for Votiro as well. I will mention your company, Votiro.com. Just check them out. Again, we greatly appreciate your support of the CISO Series. I think what I like most about today’s conversation and what your solution offers is it very much is a kind of department of yes way of looking at security and the business at the same time. We’re enablers of the business, not different ways to shut you down from doing what you need to do. I know that’s a big point of yours, sort of the mantra of the Votiro solution. But I’ll let you say more about that later. And the question I always ask my guests, are you hiring? So, make sure you have an answer for that. Steve?
[Steve Zalewski] Last thoughts, which was it’s been great to talk to Aviv and to talk about this problem. Votiro is actually a step in the right direction. It’s realizing that the job isn’t done. Even Votiro doesn’t have all the answers, because we talked about use cases today that are going to have to continue to evolve. There’s additional use cases on what files look like around everything is code. And so I think it plays to the fact that we can do better. It’s going to continue to change, and so let’s make sure that we don’t fall asleep at the wheel.
[David Spark] Good point. All right, Aviv, you get the last thoughts here. And any plug, and are you hiring.
[Aviv Grafi] Great. So, I think that what I learned today actually is that a lot of the folks, they’re still realizing that there’s a new way to collaborate that we’re not detecting well enough and understanding that those terms of controls, we need to change the way that we think about that. We at Votiro, we’re allowing our users and we’re allowing our customers to secure all those content collaboration platforms to secure all those APIs and interfaces by using Votiro API and plugging it in ten minutes. Then we can prevent the hidden and the unknown threats in files wherever they come from. We can actually provide today 30 days for free for all the audience and would love to hear your thoughts, would love to hear your feedback. So, don’t hesitate. Just contact us at Votiro.com. We would love to demonstrate and hear your thoughts. So, thank you very much.
[David Spark] Are you hiring, by the way?
[Aviv Grafi] Of course we are hiring. We’re hiring for engineering, for dev ops, both in the US and in Tel Aviv. And of course we’re hiring for sales and marketing, so we’d love to talk with you.
[David Spark] Awesome. Well, thank you very much. Thank you to Votiro. Thank you to our audience. We greatly appreciate your contributions, and as I always say, for listening to Defense in Depth.
[Voiceover] We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cyber security. This show thrives on your contributions. Please write a review, leave a comment on LinkedIn or on our site, CISOseries.com, where you’ll also see plenty of ways to participate including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to Defense in Depth.