3040: From Weeks to Hours: How Zest Security is Redefining Cloud Security
Tech Talks Daily, September 29, 2024 (37:37, 21.64 MB)

Have you ever wondered what it takes to transform cloud security? In this episode of Tech Talks Daily, we explore the intricacies of cloud security with Snir Ben Shimol, the CEO and co-founder of Zest Security.

Snir's journey is nothing short of extraordinary—an Israeli intelligence alumnus with over 15 years of experience in security research and product management, he's deeply familiar with the challenges of cybersecurity. Having already built a successful company that was acquired by Palo Alto Networks, Snir couldn't stay away from the field for long. His latest venture, Zest Security, is designed to address the most pressing cloud security challenges businesses face today.

Zest Security was born out of Snir's and his co-founder Uri Aronovici's firsthand frustrations with cloud risk remediation processes. Both ex-Israeli Intelligence officers, Snir and Uri have a combined experience of over 25 years in cloud, product, and application security. Their deep understanding of security issues has fueled their mission to drastically reduce the time it takes to remediate cloud security vulnerabilities—from weeks to mere hours.

What sets Zest apart is its seamless integration with existing tools and DevOps workflows, automating and simplifying the remediation process.

During our conversation, Snir shares how Zest Security's platform is redefining how organizations tackle cloud security vulnerabilities. We explore how their solution connects with cloud environments and security products to offer both immediate mitigation and long-term remediation.

We also discuss the current challenges in cloud security, including the startling statistic that only about 50% of identified security issues get fixed due to various constraints. Snir's vision is to make resolution platforms a standard component of cloud security, sitting alongside tools like CSPM and EDR.

This episode is packed with insights into the future of cloud security, the role of AI and automation in vulnerability management, and how customer feedback is shaping the evolution of Zest Security's platform. As businesses increasingly rely on cloud services, Snir's expertise offers a valuable perspective on how to stay ahead of the ever-evolving threats in cybersecurity.

How can organizations better protect themselves in this digital age, and what role will platforms like Zest play in this journey? Tune in to find out, and don't forget to share your thoughts on this transformative approach to cloud security.

[00:00:04] [SPEAKER_00]: How do you transform cloud security from a complex, time-consuming challenge into an

[00:00:11] [SPEAKER_00]: efficient streamlined process?

[00:00:14] [SPEAKER_00]: Well today I'm thrilled to welcome my guest.

[00:00:17] [SPEAKER_00]: He's the CEO and co-founder of Zest Security.

[00:00:21] [SPEAKER_00]: We will try and answer that question and also with over 15 years of experience starting

[00:00:27] [SPEAKER_00]: with his time in Israeli intelligence to building ground-breaking security products

[00:00:32] [SPEAKER_00]: that are now used by thousands of enterprises.

[00:00:35] [SPEAKER_00]: My guest today brings a wealth of expertise to this discussion.

[00:00:38] [SPEAKER_00]: He launched Zest Security to tackle one of the biggest challenges facing companies today,

[00:00:44] [SPEAKER_00]: cloud security vulnerabilities and remediation.

[00:00:48] [SPEAKER_00]: So join me today as we dive into how Zest Security platform leverages AI and automation

[00:00:54] [SPEAKER_00]: to cut vulnerability remediation time from weeks to hours.

[00:01:00] [SPEAKER_00]: So I want to learn more about that, how it seamlessly integrates with DevOps workflows

[00:01:05] [SPEAKER_00]: and how his backstory, his origin story helped shape his approach today.

[00:01:10] [SPEAKER_00]: And also what does it mean for the future of cloud security?

[00:01:14] [SPEAKER_00]: Delivering daily content to 140,000 of you wonderful monthly listeners across the globe

[00:01:19] [SPEAKER_00]: is no small feat.

[00:01:21] [SPEAKER_00]: I don't want to take all the credit here because it wouldn't be possible without the backing

[00:01:24] [SPEAKER_00]: of our dedicated sponsors and partners.

[00:01:27] [SPEAKER_00]: And I also want to shine a light on the fact that legacy managed file transfer tools

[00:01:31] [SPEAKER_00]: are looking dated.

[00:01:32] [SPEAKER_00]: They often lack the security that today's remote workforce demands

[00:01:35] [SPEAKER_00]: and companies that continue relying on that outdated tech,

[00:01:38] [SPEAKER_00]: they're in danger of putting their sensitive data at risk.

[00:01:41] [SPEAKER_00]: Attention IT professionals, are you tired of juggling these multiple servers for secure

[00:01:46] [SPEAKER_00]: file sharing, integrated shared folders and email plus a comprehensive REST API?

[00:01:52] [SPEAKER_00]: Kiteworks simplifies your workflow.

[00:01:54] [SPEAKER_00]: For administrators, you can experience unmatched functionality and integration

[00:01:58] [SPEAKER_00]: that traditional MFT servers just can't touch.

[00:02:01] [SPEAKER_00]: Step into the future of secure managed file transfer with Kiteworks

[00:02:05] [SPEAKER_00]: by going to kiteworks.com to get started.

[00:02:08] [SPEAKER_00]: That's kiteworks.com.

[00:02:09] [SPEAKER_00]: And remember, Kiteworks is also FedRAMP moderate authorized.

[00:02:13] [SPEAKER_00]: Thank you for your patience today.

[00:02:15] [SPEAKER_00]: This is the moment you've been waiting for.

[00:02:16] [SPEAKER_00]: It's time to welcome my guest onto the show.

[00:02:19] [SPEAKER_00]: So a massive warm welcome to the show.

[00:02:23] [SPEAKER_00]: Can you tell everyone listening a little about who you are and what you do?

[00:02:27] [SPEAKER_01]: Yeah, hey Neil, thanks for having me.

[00:02:29] [SPEAKER_01]: So my name is Snir Ben Shimol.

[00:02:31] [SPEAKER_01]: Feel free to call me Dan.

[00:02:33] [SPEAKER_01]: I'm the CEO and co-founder of Zest Security.

[00:02:37] [SPEAKER_01]: We're based in New York and we're also an Israeli cyber security startup company.

[00:02:43] [SPEAKER_01]: So we have our ID in Israel and we're solving probably the biggest problem

[00:02:49] [SPEAKER_01]: in the cyber security market today.

[00:02:51] [SPEAKER_01]: So I'm really happy to discuss that.

[00:02:53] [SPEAKER_01]: And of course, me and my co-founder 20, 30 years in cyber security,

[00:02:58] [SPEAKER_01]: but I will not bore the listener with our backgrounds.

[00:03:03] [SPEAKER_00]: Well, one of the things I was going to say that maybe I watch too many Marvel movies

[00:03:07] [SPEAKER_00]: and stuff, but I'd love to find out more about your origin story.

[00:03:11] [SPEAKER_00]: Can you tell me what motivated you to re-enter the cyber security space with Zest Security

[00:03:16] [SPEAKER_00]: and how your previous experience, which I believe includes everything from selling

[00:03:21] [SPEAKER_00]: your last company to Palo Alto Networks.

[00:03:23] [SPEAKER_00]: How did all that influence your approach to building and growing Zest?

[00:03:28] [SPEAKER_00]: I feel like there's almost a Netflix box set on its own there, right?

[00:03:32] [SPEAKER_00]: There's got to be a big story behind this.

[00:03:35] [SPEAKER_01]: Yeah, yeah.

[00:03:35] [SPEAKER_01]: It's quite fascinating.

[00:03:37] [SPEAKER_01]: We can start with, I started as a software developer to build things.

[00:03:43] [SPEAKER_01]: And then when I realized that I'm better in breaking things,

[00:03:46] [SPEAKER_01]: I went into the offensive security and stuff, breaking things.

[00:03:50] [SPEAKER_01]: But those things were like airplanes, a big enterprise software that you have top-notch

[00:03:57] [SPEAKER_01]: engineer buildings.

[00:03:58] [SPEAKER_01]: How can I break those type of things?

[00:03:59] [SPEAKER_01]: It's insane.

[00:04:01] [SPEAKER_01]: And after that, I turned into kind of like building security tools and running

[00:04:06] [SPEAKER_01]: incident response team.

[00:04:08] [SPEAKER_01]: And when you run incident response team, when you're working with the FBI and the Interpol,

[00:04:13] [SPEAKER_01]: and you're catching those big APTs and bad guys that are super sophisticated.

[00:04:19] [SPEAKER_01]: And every time you have an investigation, you basically realize that so many things

[00:04:24] [SPEAKER_01]: are broken from their base.

[00:04:26] [SPEAKER_01]: And it's so funny because every time someone hacks an organization, when you tell the organization

[00:04:32] [SPEAKER_01]: the story about the incident, they're like, oh, this is how they got in.

[00:04:37] [SPEAKER_01]: Oh, I knew it will happen.

[00:04:40] [SPEAKER_01]: So it's kind of like a surprise, but no surprise.

[00:04:43] [SPEAKER_01]: So running those incident response team, again, globally over 100 people,

[00:04:49] [SPEAKER_01]: I kind of like, okay, something needs to change.

[00:04:52] [SPEAKER_01]: Let's kind of shift left or let's do secure by design.

[00:04:55] [SPEAKER_01]: So at TIDR, that's my role as the chief strategy officer, we help our customers to actually

[00:05:01] [SPEAKER_01]: manage application security and try to build those applications secure by default, which

[00:05:06] [SPEAKER_01]: is great.

[00:05:07] [SPEAKER_01]: And until today, it's like, it's amazing things you need to do.

[00:05:10] [SPEAKER_01]: And then we started to see that those customers are shipping less and less vulnerability to

[00:05:17] [SPEAKER_01]: production.

[00:05:18] [SPEAKER_01]: But, and again, Palo Alto bought us a great product, great experience, massive value to

[00:05:24] [SPEAKER_01]: our customers.

[00:05:25] [SPEAKER_01]: But then we kind of realized no matter how secure you're going to build your cloud, to

[00:05:31] [SPEAKER_01]: build your application, there's going to be some flops.

[00:05:35] [SPEAKER_01]: There are going to be some issues.

[00:05:38] [SPEAKER_01]: And even if you're not building it with issues, you're going to have some new vulnerabilities

[00:05:44] [SPEAKER_01]: and new problems that you didn't know about when you build a product.

[00:05:47] [SPEAKER_01]: You didn't know about when you set up your cloud environment, but now it's new.

[00:05:51] [SPEAKER_01]: So what do you do about it?

[00:05:54] [SPEAKER_01]: And this is the point when me and Uri, my co-founder, who heads up product security at

[00:05:59] [SPEAKER_01]: Akamai before we founded Zest, we need to do something about it.

[00:06:06] [SPEAKER_01]: We need to give that toolkit to organizations to be able to remediate and mitigate, just

[00:06:14] [SPEAKER_01]: handle those vulnerabilities and those misconfigurations.

[00:06:18] [SPEAKER_01]: So I think my journey is basically building things, breaking things, helping organizations

[00:06:24] [SPEAKER_01]: to catch bad guys and investigate what they do.

[00:06:27] [SPEAKER_01]: And then try to figure out what can we deliver to organizations to make that process of

[00:06:35] [SPEAKER_01]: incident response, vulnerability management manageable.

[00:06:40] [SPEAKER_01]: So again, it's a big challenge.

[00:06:43] [SPEAKER_01]: This is why we're here.

[00:06:45] [SPEAKER_00]: Lovely.

[00:06:46] [SPEAKER_00]: What a great story.

[00:06:47] [SPEAKER_00]: And as you said, Zest Security was essentially born out of some of your frustrations that

[00:06:51] [SPEAKER_00]: you'd seen with you and your co-founder experience with cloud risk remediation.

[00:06:58] [SPEAKER_00]: But can you explain some of the specific challenges that you faced and how Zest Security,

[00:07:03] [SPEAKER_00]: how you address all those pain points that you experienced in that form of life?

[00:07:08] [SPEAKER_01]: Yeah, let's start with a story.

[00:07:10] [SPEAKER_01]: I like to tell stories.

[00:07:11] [SPEAKER_01]: I think they're fun.

[00:07:12] [SPEAKER_01]: So imagine you're an enterprise security team and you have something around eight, nine,

[00:07:20] [SPEAKER_01]: ten people in your team.

[00:07:21] [SPEAKER_01]: And you get an email once in a couple of hours.

[00:07:27] [SPEAKER_01]: And a customer, the CEO of this big company sends you an email.

[00:07:31] [SPEAKER_01]: It's like, hey, guys, we have this CVE or this vulnerability.

[00:07:37] [SPEAKER_01]: I'm your customer and I'm scared that because of this vulnerability, your product is

[00:07:43] [SPEAKER_01]: someone is going to hack me through you.

[00:07:46] [SPEAKER_01]: And they send that to all their vendors and they're expecting you to respond.

[00:07:51] [SPEAKER_01]: It's like, hey, am I vulnerable?

[00:07:53] [SPEAKER_01]: I'm not vulnerable.

[00:07:54] [SPEAKER_01]: What I'm doing about it?

[00:07:56] [SPEAKER_01]: And that poor security engineer that get that email is going to his manager.

[00:08:01] [SPEAKER_01]: It's like, hey, what should I do?

[00:08:03] [SPEAKER_01]: It's like, you need to tell me if we're vulnerable or not.

[00:08:06] [SPEAKER_01]: And then they're going to check and they're going to look and it's like, oh, I think we

[00:08:10] [SPEAKER_01]: are vulnerable.

[00:08:11] [SPEAKER_01]: And then it's like, OK, we cannot tell the customer we're vulnerable.

[00:08:14] [SPEAKER_01]: No, no, we can't.

[00:08:16] [SPEAKER_01]: So your manager is going to the CISO.

[00:08:18] [SPEAKER_01]: It's like, hey, we have this big enterprise that's going to plug out our product and we're

[00:08:23] [SPEAKER_01]: vulnerable.

[00:08:24] [SPEAKER_01]: And they ask us if we're vulnerable, what can we do?

[00:08:26] [SPEAKER_01]: And the CISO is like, I don't know, fix it.

[00:08:29] [SPEAKER_01]: Here we go.

[00:08:30] [SPEAKER_01]: So what does it mean fix it?

[00:08:32] [SPEAKER_01]: We cannot fix it.

[00:08:33] [SPEAKER_01]: We can detect it because all of our security tools, the only thing they know what to do.

[00:08:37] [SPEAKER_01]: And by the way, this is where we built it.

[00:08:39] [SPEAKER_01]: The only thing what those security tools know to do and doing very well, identifying misconfiguration

[00:08:44] [SPEAKER_01]: and vulnerabilities in the cloud.

[00:08:46] [SPEAKER_01]: So we know it's there.

[00:08:48] [SPEAKER_01]: We know it's affecting this customer.

[00:08:51] [SPEAKER_01]: But then what?

[00:08:52] [SPEAKER_01]: The poor security engineer is going and opening a ticket and he's doing it a couple of times

[00:08:59] [SPEAKER_01]: a day, probably to the DevOps team.

[00:09:01] [SPEAKER_01]: Like, hey guys, we have this problem, fix it.

[00:09:03] [SPEAKER_01]: And the poor, poor like DevOps team, they're like, I'm reading this vulnerability information.

[00:09:10] [SPEAKER_01]: I'm not a security person.

[00:09:11] [SPEAKER_01]: I have no idea what you want from me.

[00:09:13] [SPEAKER_01]: No, I have a lot of problems to deal with.

[00:09:16] [SPEAKER_01]: Leave me alone security dude.

[00:09:17] [SPEAKER_01]: It's not for me.

[00:09:19] [SPEAKER_01]: And then the security guy needs to escalate.

[00:09:21] [SPEAKER_01]: And then his manager talking to the DevOps manager is like, this is serious.

[00:09:24] [SPEAKER_01]: We have customer on the lines.

[00:09:26] [SPEAKER_01]: Like, hey, you every day you tell me it's serious.

[00:09:28] [SPEAKER_01]: It's like, no, no, this is really serious.

[00:09:29] [SPEAKER_01]: And then they're going to the customer, they're going to the manager of the DevOps, the manager

[00:09:34] [SPEAKER_01]: of the DevOps, tell this DevOps guy, just do something and fix it.

[00:09:38] [SPEAKER_01]: And that DevOps guy called the security guy and the security guys tell him about the vulnerability

[00:09:43] [SPEAKER_01]: try to explain it to them.

[00:09:44] [SPEAKER_01]: And the DevOps guy is like, I don't think we're vulnerable.

[00:09:47] [SPEAKER_01]: It's like, yeah, but this product told me we're vulnerable.

[00:09:50] [SPEAKER_01]: It's like, okay, show me.

[00:09:52] [SPEAKER_01]: And the product's oh, actually, yeah, so we are vulnerable.

[00:09:54] [SPEAKER_01]: How is it happen?

[00:09:56] [SPEAKER_01]: Okay, let me do something.

[00:09:58] [SPEAKER_01]: So he's doing something.

[00:09:59] [SPEAKER_01]: The DevOps guy, he's changed something in the AWS configuration.

[00:10:04] [SPEAKER_01]: And here you go, you close the ticket.

[00:10:06] [SPEAKER_01]: The security engineers run to his manager and say, hey, we can tell the customer or the

[00:10:12] [SPEAKER_01]: other customers that ask us, we're fine.

[00:10:16] [SPEAKER_01]: We fixed it.

[00:10:17] [SPEAKER_01]: It's all good.

[00:10:18] [SPEAKER_01]: All that process, by the way, two weeks, three weeks.

[00:10:22] [SPEAKER_00]: Yes.

[00:10:23] [SPEAKER_00]: Yeah.

[00:10:23] [SPEAKER_01]: All that craziness.

[00:10:25] [SPEAKER_01]: So during that, the managers need to say, hey, we're validating it.

[00:10:29] [SPEAKER_01]: Yes, we have some exposure.

[00:10:31] [SPEAKER_01]: We're going to let you know how we're going to fix it.

[00:10:33] [SPEAKER_01]: And all of that is like two, three weeks.

[00:10:36] [SPEAKER_01]: Guess what?

[00:10:37] [SPEAKER_01]: One week after they close the ticket, the ticket is back again.

[00:10:41] [SPEAKER_01]: The customer or the auditor or that person who cares about these vulnerabilities coming

[00:10:45] [SPEAKER_01]: to that security engineer is like, what's going on?

[00:10:48] [SPEAKER_01]: You told me you fixed it.

[00:10:49] [SPEAKER_01]: I see it again.

[00:10:51] [SPEAKER_01]: And the security engineer, I don't know if DevOps told me he fixed it.

[00:10:53] [SPEAKER_01]: I was with him and he told me he fixed it.

[00:10:56] [SPEAKER_01]: What happened is he fixed the symptom of the problem in the wrong place.

[00:11:02] [SPEAKER_01]: And because he didn't fix it in the place that it actually happened, he needed to do

[00:11:06] [SPEAKER_01]: some forensics and understand how this problem introduced to the cloud and what happened and

[00:11:11] [SPEAKER_01]: root cause analysis.

[00:11:12] [SPEAKER_01]: They didn't do it because it's all manual.

[00:11:14] [SPEAKER_01]: It's all complex.

[00:11:16] [SPEAKER_01]: They fixed the wrong thing in the wrong place and the problem just resurfaced again.

[00:11:21] [SPEAKER_01]: And here we go again, opening another ticket.

[00:11:24] [SPEAKER_01]: And by that time, we open 20 other tickets that are all critical.

[00:11:30] [SPEAKER_01]: And we go again and again and again.

[00:11:32] [SPEAKER_01]: And this is the reality.

[00:11:33] [SPEAKER_01]: This is the story of the problem today.

[00:11:37] [SPEAKER_01]: Solving misconfiguration of vulnerability within the cloud.

[00:11:41] [SPEAKER_01]: It's a security identified, but other teams need to fix it.

[00:11:46] [SPEAKER_01]: But they're not security teams.

[00:11:47] [SPEAKER_01]: No, they cannot change configuration of the cloud.

[00:11:52] [SPEAKER_01]: This is why we have DevOps.

[00:11:53] [SPEAKER_01]: And that process is manual.

[00:11:56] [SPEAKER_01]: And that process is clunky.

[00:11:58] [SPEAKER_01]: And that process is complex.

[00:12:00] [SPEAKER_01]: And there is nothing today that is like kind of a platform that can take you from the point

[00:12:06] [SPEAKER_01]: to identify a problem to the resolution path.

[00:12:11] [SPEAKER_01]: This is how we call it to solve that problem.

[00:12:14] [SPEAKER_01]: So just imagine all this story can be avoided.

[00:12:17] [SPEAKER_01]: Just by doing two clicks of a button, the security guy will know or the security person

[00:12:23] [SPEAKER_01]: will now watch the options of resolution of the problem.

[00:12:29] [SPEAKER_01]: He will take that information, transfer that information in a DevOps way to the DevOps team.

[00:12:35] [SPEAKER_01]: The DevOps team can read it very clearly.

[00:12:37] [SPEAKER_01]: And say, oh, so it's a problem in my Terraform script.

[00:12:42] [SPEAKER_01]: Oh, this is the right script he changed.

[00:12:45] [SPEAKER_01]: Wait, let me change it.

[00:12:46] [SPEAKER_01]: And then it takes like four weeks, three weeks of craziness.

[00:12:52] [SPEAKER_01]: And you basically solve the problem like we want to solve the problem in a very efficient,

[00:13:00] [SPEAKER_01]: automatic way.

[00:13:01] [SPEAKER_01]: And this is exactly kind of like the pain that we want to relieve organizations from.

[00:13:08] [SPEAKER_00]: And just listening to your story there, I could tell how passionate you are about it.

[00:13:13] [SPEAKER_00]: It was born out of those frustrations that you must have seen time and time again.

[00:13:18] [SPEAKER_00]: But looking at your back story and your career, I suspect your background in the

[00:13:23] [SPEAKER_00]: Israeli intelligence, maybe that must have helped shape your approach to cyber security too,

[00:13:29] [SPEAKER_00]: especially when the stakes are so much higher in that kind of work.

[00:13:34] [SPEAKER_00]: How did the principles and strategies that maybe you learned during that intelligence career,

[00:13:39] [SPEAKER_00]: have they helped inform your solutions and services offered at Zest Security?

[00:13:43] [SPEAKER_00]: I would imagine there's a few synergies and crossovers there.

[00:13:50] [SPEAKER_01]: Definitely.

[00:13:50] [SPEAKER_01]: I think I will maybe divide it into two.

[00:13:53] [SPEAKER_01]: The way I'm managing the company and the vision of the company,

[00:13:58] [SPEAKER_01]: definitely when you offer a government and with other governments collaboration,

[00:14:03] [SPEAKER_01]: you know, the interpol with collaboration with United States and Israel Defense Force,

[00:14:08] [SPEAKER_01]: you see those types of attacks that no matter how resilient you are, no matter

[00:14:13] [SPEAKER_01]: what's your budget for cyber security, you're going to get rich.

[00:14:18] [SPEAKER_01]: Bad things are going to happen, no matter which type of tools you're going to buy.

[00:14:22] [SPEAKER_01]: And by the way, I'm a vendor.

[00:14:23] [SPEAKER_01]: I'm selling security products, right?

[00:14:25] [SPEAKER_01]: I'm building security products.

[00:14:26] [SPEAKER_01]: No matter how many security products you're going to buy,

[00:14:29] [SPEAKER_01]: and how good you're going to operate, if someone is targeting you or something new is out there,

[00:14:35] [SPEAKER_01]: from the point it's out there to the point that something bad can happen,

[00:14:40] [SPEAKER_01]: that's prime mind on what we're seeing working for the intelligence is crucial.

[00:14:46] [SPEAKER_01]: Today to solve a misconfiguration of vulnerability, no matter how resilient you are,

[00:14:52] [SPEAKER_01]: it's between, let's say the best organization we saw and we worked with 10 days

[00:14:58] [SPEAKER_01]: for critical vulnerability in production, 10 days.

[00:15:02] [SPEAKER_01]: Imagine if you're a critical infrastructure, or if you're like a government state,

[00:15:10] [SPEAKER_01]: a supplier or weapon industry or healthcare or hospital, just imagine what can happen in those

[00:15:17] [SPEAKER_01]: 10 days that it takes you to fix a specific problem.

[00:15:22] [SPEAKER_01]: 10 days is a lot.

[00:15:24] [SPEAKER_01]: It's crazy.

[00:15:25] [SPEAKER_01]: So that's the reality.

[00:15:27] [SPEAKER_01]: This is what we saw in the, like me working with those government institutions,

[00:15:32] [SPEAKER_01]: that time is in essence.

[00:15:35] [SPEAKER_01]: Time is the most important thing you can have as a security team.

[00:15:40] [SPEAKER_01]: And sometimes one hour or one day can make or break and can lead to a full blown incident.

[00:15:48] [SPEAKER_01]: Just one hour.

[00:15:50] [SPEAKER_01]: And this is when you realize that you understand that no matter how expensive and fancy security

[00:15:59] [SPEAKER_01]: stack you may have, you need to understand your mean time to remediate.

[00:16:05] [SPEAKER_01]: And then I will take another experience means that most of the governments that we worked with,

[00:16:12] [SPEAKER_01]: they couldn't remediate those critical things.

[00:16:14] [SPEAKER_01]: Like just if you talk to real security people and some of the security and IT and DevOps that

[00:16:21] [SPEAKER_01]: listening to us right now, just ask yourself, how many of the security problems you actually

[00:16:27] [SPEAKER_01]: completely fixed and completely solved?

[00:16:30] [SPEAKER_01]: How many?

[00:16:32] [SPEAKER_01]: And their answers will be in the answers.

[00:16:35] [SPEAKER_01]: Like again, we're hearing from our customers, we're hearing from our advisors and the large

[00:16:40] [SPEAKER_01]: organization we're working with.

[00:16:42] [SPEAKER_01]: Basically, maybe we're fixing 50%.

[00:16:46] [SPEAKER_01]: The rest we cannot fix because again, you're in the intelligence force.

[00:16:53] [SPEAKER_01]: You have a mission critical system.

[00:16:55] [SPEAKER_01]: That mission critical system cannot roll down.

[00:16:59] [SPEAKER_01]: You cannot patch, you cannot update, you cannot upgrade.

[00:17:02] [SPEAKER_01]: That should be 24 seven lives.

[00:17:05] [SPEAKER_01]: How can you fix it?

[00:17:06] [SPEAKER_01]: How can you patch it?

[00:17:07] [SPEAKER_01]: Or you can upgrade it.

[00:17:08] [SPEAKER_01]: And then you realize that remediation and fixing is only one piece of the problem.

[00:17:16] [SPEAKER_01]: This is why we call our solution resolution platform.

[00:17:20] [SPEAKER_01]: Resolution doesn't mean that we're going to help you fix the problem.

[00:17:24] [SPEAKER_01]: It means that we're going to give you the ways to fix it, but we're going to also give you

[00:17:28] [SPEAKER_01]: the way that you can live with the problems you have.

[00:17:32] [SPEAKER_01]: Again, working with those intelligence units and working with governments, with large

[00:17:37] [SPEAKER_01]: institutions, you realize that time is important.

[00:17:41] [SPEAKER_01]: And every day that the government is exposed to those critical risks is a day that very

[00:17:47] [SPEAKER_01]: serious threat actor to take advantage of it.

[00:17:51] [SPEAKER_01]: So you need to break that time challenge by, okay, there is no way I can fix in less than

[00:18:00] [SPEAKER_01]: couple of days.

[00:18:00] [SPEAKER_01]: There is no way.

[00:18:01] [SPEAKER_01]: It's not normal, right?

[00:18:03] [SPEAKER_01]: So how can I take that problem and make it tangible?

[00:18:09] [SPEAKER_01]: Okay, what about not fixing?

[00:18:11] [SPEAKER_01]: What about mitigating?

[00:18:13] [SPEAKER_01]: So think about it as like a painkiller that you're not going to feel the pain.

[00:18:18] [SPEAKER_01]: The problem is still there, but you can live with that until the point that you can fix

[00:18:22] [SPEAKER_01]: it.

[00:18:23] [SPEAKER_01]: So this is something very big that I took with my time at the service and seeing those

[00:18:29] [SPEAKER_01]: systems in those type of attacks.

[00:18:30] [SPEAKER_00]: Such a powerful example there.

[00:18:33] [SPEAKER_00]: And I suspect with the rapid adoption of cloud services, businesses are also facing

[00:18:39] [SPEAKER_00]: increasingly complex security challenges everywhere.

[00:18:42] [SPEAKER_00]: And as we said a few moments ago, a 10-day fix is just not acceptable.

[00:18:46] [SPEAKER_00]: It's a lifetime in this fast moving world right now.

[00:18:50] [SPEAKER_00]: So how do you assess security?

[00:18:52] [SPEAKER_00]: How do you help simplify cloud remediation and mitigation for DevOps and security teams,

[00:18:58] [SPEAKER_00]: particularly in eliminating some of those technical barriers and resource constraints

[00:19:03] [SPEAKER_00]: that so many businesses are experiencing?

[00:19:05] [SPEAKER_00]: They're doing their best.

[00:19:06] [SPEAKER_00]: They're trying to put the fires out, but they don't have the right resources, etc.

[00:19:10] [SPEAKER_00]: in place or they're all stretched far enough as it is.

[00:19:13] [SPEAKER_00]: How do you simplify and how do you help?

[00:19:15] [SPEAKER_01]: So I like the word simplify.

[00:19:18] [SPEAKER_01]: And thanks, Neil, for kind of giving me that lead here.

[00:19:21] [SPEAKER_01]: To simplify it is we're going to take your problems or the problems that you already care of.

[00:19:28] [SPEAKER_01]: So we connect into your cloud environment, but we also connect it to a DevOps system and the system

[00:19:33] [SPEAKER_01]: who deploy and creates those type of assets within your cloud.

[00:19:37] [SPEAKER_01]: So we know how your technical DNA looks like.

[00:19:41] [SPEAKER_01]: And we also connect to your existing security product and security controls.

[00:19:45] [SPEAKER_01]: By looking at all of those, our very, very unique platform can take that.

[00:19:52] [SPEAKER_01]: It can take your problems and correlate those problems with the reasons that those problems exist

[00:20:00] [SPEAKER_01]: and the ways that those problems were exposed to your production environment in the get go.

[00:20:06] [SPEAKER_01]: By doing that kind of give us a lot of information about which type of way we can solve the problem.

[00:20:14] [SPEAKER_01]: And this is where our mitigation remediation engine come into place.

[00:20:18] [SPEAKER_01]: What I do want to mention is like three years ago, we couldn't build this product.

[00:20:23] [SPEAKER_01]: That this problem exists for many years.

[00:20:27] [SPEAKER_01]: But again, three years ago, the problem cannot be fixed for two reasons.

[00:20:33] [SPEAKER_01]: Organization didn't adopt DevOps system like Terraform and CloudFormation and Pulumi.

[00:20:37] [SPEAKER_01]: If you know those, they didn't adopt them yet.

[00:20:40] [SPEAKER_01]: They just transferred themselves to the cloud.

[00:20:42] [SPEAKER_01]: And also three years ago, we didn't have available AI, LLMs and AI technology.

[00:20:50] [SPEAKER_01]: So by looking on time, if you take the entire market right now that 85% of the market using

[00:20:59] [SPEAKER_01]: DevOps in automation, and now we have access to AI, what we're able to do to simplify the problem

[00:21:07] [SPEAKER_01]: is to take all your problems you have and you want to solve.

[00:21:11] [SPEAKER_01]: And to give you resolution to understand which type of mitigating control for those group of

[00:21:18] [SPEAKER_01]: problems you can enforce, and you can configure and how to configure it in order to take the

[00:21:23] [SPEAKER_01]: very critical problems that can take down the organization, make you some problems with auditors,

[00:21:29] [SPEAKER_01]: kick you some issues with bug bounty, take those problems and mask them, not solve them.

[00:21:34] [SPEAKER_01]: But which way with your existing investment, which will exist in security control,

[00:21:39] [SPEAKER_01]: you can mitigate them and mask them to a way that it will reduce the criticality.

[00:21:45] [SPEAKER_01]: But on the same time, we're also telling you exactly where the problems stand for,

[00:21:51] [SPEAKER_01]: and which line of code in which maybe DevOps system needs to be changed,

[00:21:56] [SPEAKER_01]: and which type of Terraform switch needs to be updated, and what DevOps or engineering need to do

[00:22:01] [SPEAKER_01]: exactly, without doing all those phone calls and meetings, exactly what they need to do to

[00:22:08] [SPEAKER_01]: completely eliminate that. So we're giving you those options and you as an organization

[00:22:12] [SPEAKER_01]: can pick and choose and can work with your available resources to say I want to mitigate

[00:22:19] [SPEAKER_01]: right now I want to take some painkillers because I'm not ready for surgery. I take some painkillers,

[00:22:25] [SPEAKER_01]: let's say, live with the problem for a few months. The greatest DevOps guy is going to be back from

[00:22:33] [SPEAKER_01]: vacation, because now he's in Paris drinking some wine in two weeks. So let me live with the problem,

[00:22:40] [SPEAKER_01]: let's update the customers that we're okay, we mitigated the problem and the security

[00:22:44] [SPEAKER_01]: update of the product is going to be released in two months. And it's fine. So we are the

[00:22:50] [SPEAKER_01]: platform that's providing those capabilities without those bells and whistles and craziness.

[00:22:56] [SPEAKER_00]: And of course, the cybersecurity landscape is evolving tremendously quickly now with new

[00:23:02] [SPEAKER_00]: threats emerging on a continuous basis, whether it be good AI versus bad AI, or is quantum gonna

[00:23:09] [SPEAKER_00]: break cryptography, etc. So I'm curious from everything that you're seeing here, what are

[00:23:15] [SPEAKER_00]: the most pressing cybersecurity risks you see today? And how are you helping Zest Security

[00:23:21] [SPEAKER_00]: position yourself to address these threats? Is there anything that keeps you up at night?

[00:23:25] [SPEAKER_01]: Everything keeps me up at night except of like the Yeah, I think except of taking care of my

[00:23:31] [SPEAKER_01]: customers and my employees. I think from a cybersecurity standpoint, the number one,

[00:23:40] [SPEAKER_01]: the number one and this is validated. If you look on mainly at M-Trends report this year,

[00:23:45] [SPEAKER_01]: if you're looking on the Verizon report on incidents, the number one, the top reason of

[00:23:53] [SPEAKER_01]: incidents is vulnerabilities, known vulnerabilities, and misconfigurations. We're in 2020, almost in

[00:24:01] [SPEAKER_01]: 2025. We have so much budget, we have so many great security tools. And the number one reason

[00:24:09] [SPEAKER_01]: that we're still getting in and still having those incidents is because organization cannot

[00:24:14] [SPEAKER_01]: remediate and mitigate cloud misconfiguration or vulnerabilities. And again, this what's keeping

[00:24:20] [SPEAKER_01]: up at night. And this is exactly what the product is doing. We're going to give that superpower for

[00:24:26] [SPEAKER_01]: those security teams to take those problems and fix them not to manage them. It's like going to

[00:24:31] [SPEAKER_01]: a doctor again, I love the doctor examples like hey, you have a problem, manage it. No, I know

[00:24:37] [SPEAKER_01]: the problem, can we fix it? Can I have a cure? Can I have a surgery? Do something about it?

[00:24:43] [SPEAKER_01]: What can I do? And this is exactly, I think the problem security teams, including myself until

[00:24:52] [SPEAKER_01]: today felt powerless. We know about our problems. And we're managing our problems. We're kind of

[00:25:01] [SPEAKER_01]: arranging them in colors, like you do in M&A, the reds here, the whites here, the blue here.

[00:25:10] [SPEAKER_01]: But no one is taking care of them. They're just managing them and prioritizing them.

[00:25:15] [SPEAKER_01]: Why? Those are problems that need to be fixed. Can someone please fix it? And this is exactly

[00:25:22] [SPEAKER_01]: what we're here to do. We're taking the fear, the powerlessness of security that's relying on

[00:25:28] [SPEAKER_01]: so many other things and are so frustrated because it's so manual, so complex. We're taking those

[00:25:34] [SPEAKER_01]: number one reasons why you have incidents, we're taking that and we're fixing it. We're not going

[00:25:40] [SPEAKER_01]: to prioritize, we're not going to give you contextual, we're taking those tickets and

[00:25:45] [SPEAKER_01]: we're cleaning your backlog. We're taking those problems, we're remediating them. Maybe we can,

[00:25:50] [SPEAKER_01]: we'll mitigate it. We'll do something about it. So again, stop managing, start eliminating,

[00:25:58] [SPEAKER_01]: resolving your cloud risk. This is exactly what we're here to do. And I believe it will reduce

[00:26:04] [SPEAKER_01]: the pain from those two big pain points, the misconfiguration in the cloud and the vulnerabilities

[00:26:11] [SPEAKER_01]: within the cloud and containers and products. I love that. And I was nodding in agreement

[00:26:17] [SPEAKER_00]: with everything you said there, especially as an ex-IT change manager, the amount of

[00:26:22] [SPEAKER_00]: misconfigurations I see in the news every day and I'm ranting to my wife, where's the testing?

[00:26:27] [SPEAKER_00]: Where's the rollback procedure? What's happening? How did this happen? But you're so right in what

[00:26:32] [SPEAKER_00]: you say. And it's something I see again and again. And you're someone that's designed products that

[00:26:37] [SPEAKER_00]: are now used by thousands of organizations around the world. So I've got to ask, what would you say

[00:26:43] [SPEAKER_00]: are the key factors that contribute to the widespread adoption of a security platform?

[00:26:48] [SPEAKER_00]: And how are you at Zest Security ensuring that your solutions meet the needs of larger enterprises?

[00:26:54] [SPEAKER_00]: Because that adoption, getting people on board and the culture change and everything that goes with

[00:26:58] [SPEAKER_01]: it, that is where the magic happens, right? Exactly. I think the number one thing that works

[00:27:05] [SPEAKER_01]: very well for us at Zest and beforehand with the product they built is to be obsessed with

[00:27:13] [SPEAKER_01]: my customers. It's very easy to kind of think that my vision is the best vision and I know everything

[00:27:21] [SPEAKER_01]: and I saw everything. I was seeing a lot of things with many organizations, but the customer

[00:27:26] [SPEAKER_01]: is the one that's going to use my product. The customer is the one with the current problems that

[00:27:30] [SPEAKER_01]: I need to help them fix. You need to be obsessed with your customer needs and problems. And you

[00:27:37] [SPEAKER_01]: need to understand what's stopping him and his team from fixing or resolving his risks. You need to

[00:27:44] [SPEAKER_01]: understand exactly what he's going through. By being obsessed with the security team, with the

[00:27:49] [SPEAKER_01]: DevOps team problems, we're able to increase this adoption. We're able to make our customers excited,

[00:27:57] [SPEAKER_01]: very excited about what we're offering them because they feel like we build this product for them.

[00:28:02] [SPEAKER_01]: They feel like we understand what they're going through and they feel like there is finally

[00:28:07] [SPEAKER_01]: something that not only showing them more problems, it's actually something that can solve those

[00:28:14] [SPEAKER_01]: problems. And I think one of the major modifications for our vision we made, and we're always modifying

[00:28:24] [SPEAKER_01]: kind of like the product that we're building based on customer feedback, and we have great customers.

[00:28:29] [SPEAKER_01]: I don't want to thank them for their time working with us. Our customers basically told us in order

[00:28:35] [SPEAKER_01]: to resolve things that is not related to security but more related to engineering and DevOps,

[00:28:41] [SPEAKER_01]: you need to meet them in their own system, their own world, their own kind of like

[00:28:46] [SPEAKER_01]: native applications. And this is one of the biggest pivots we... Not pivot, but biggest

[00:28:54] [SPEAKER_01]: emphasis we provided in the product is our product is a security product, but the outcome

[00:28:59] [SPEAKER_01]: of what we're finding and the guidance and the fixes and the remediation and the mitigation,

[00:29:05] [SPEAKER_01]: we deliver to those teams in their own place. If it's in the code repositories or if it's in

[00:29:11] [SPEAKER_01]: the ticketing system or if it's in a specific Slack channels and in a specific template and

[00:29:17] [SPEAKER_01]: languages that they needed. And I think that's what makes us so special and different,

[00:29:24] [SPEAKER_01]: because in order to solve a problem, you need to meet your customer needs.

[00:29:31] [SPEAKER_01]: And this is exactly what our product is. We're excited about our product, but actually making

[00:29:38] [SPEAKER_01]: our customers happy. And that's the most important thing.

[00:29:41] [SPEAKER_00]: Love that. And as you continue to grow, especially with one eye on 2025 already,

[00:29:48] [SPEAKER_00]: what would say your grand vision, your long-term goals are for the company? And how do you plan

[00:29:53] [SPEAKER_00]: to keep innovating in the cloud security space and stay ahead of all these emerging threats

[00:29:58] [SPEAKER_00]: and industry trends? It's an incredibly exciting space, but it can be quite challenging too.

[00:30:04] [SPEAKER_01]: Yeah. So we have a lot to build. Our product is already GA available. We're supporting all cloud

[00:30:13] [SPEAKER_01]: environments. We have massive customers and we're getting a lot of customer adoptions.

[00:30:19] [SPEAKER_01]: So there's a lot of work to do from where we're seeing ourselves is basically every company today

[00:30:29] [SPEAKER_01]: that have a cloud presence and care about fixing vulnerabilities, they need to have

[00:30:36] [SPEAKER_01]: not only a CSPM or a CNAPP and I will remove the acronym, Cloud Security Posture Management Tool.

[00:30:46] [SPEAKER_01]: That's starting to be very commodity. Everyone needs to have it. They have an antivirus or an EDR.

[00:30:53] [SPEAKER_01]: They need to have also, and I want the organization, this is my vision. This is what we're

[00:30:57] [SPEAKER_01]: leading for. We're going to innovate enough so each and every company today in the world will have a

[00:31:04] [SPEAKER_01]: resolution platform because identifying problems is not enough. Visibility is not security. Knowing

[00:31:11] [SPEAKER_01]: about their problems doesn't mean that you're more secure. It just means that you know how

[00:31:16] [SPEAKER_01]: not secure you are. And in order to solve those problems, it's a big, big, big challenge.

[00:31:21] [SPEAKER_01]: So again, our vision is to commoditize risk resolution and to deliver mitigation and

[00:31:28] [SPEAKER_01]: remediation to cloud security risk across all technologies, product, microservices, containers,

[00:31:37] [SPEAKER_01]: runtime, everything that's related to cloud issues that threat actors are abusing.

[00:31:43] [SPEAKER_01]: It's a lot. It's a lot of work. It's a lot of research. And this is why we're hiring today

[00:31:50] [SPEAKER_01]: security engineers. We're hiring developers. We have top-notch leaders, again, from companies like

[00:31:57] [SPEAKER_01]: Alamys and Akamai and Varonis. And we're using those brains to attract more talent and invest a

[00:32:05] [SPEAKER_01]: lot in R&D. And I think investing in the people that we hire and investing in the customers that

[00:32:11] [SPEAKER_01]: we're bringing on board will allow us to capture that vision. It's a long way to go, but

[00:32:19] [SPEAKER_00]: we need to do it fast. Well, I cannot thank you enough for sharing your insights with everyone

[00:32:25] [SPEAKER_00]: listening around the world today. And before I let you go, I'm going to see if we can have a

[00:32:29] [SPEAKER_00]: little bit of fun with you now because cybersecurity is a very serious topic. But we have an Amazon

[00:32:34] [SPEAKER_00]: wishlist and a Spotify playlist. I always ask my guests, would you like to leave a book to

[00:32:40] [SPEAKER_00]: that Amazon wishlist or a song to the Spotify playlist? What's that one final gift you're

[00:32:45] [SPEAKER_01]: going to leave everyone with today? That's a cool question. So there is a book, and you can

[00:32:55] [SPEAKER_01]: also have it as an audio book that really speaks to me when I started Zest and had a lot of questions.

[00:33:02] [SPEAKER_01]: And that book called Play Bigger, probably very famous for like go-to-market people as a technical

[00:33:09] [SPEAKER_01]: person. It basically tells you how to address an existing market with a new problem and how

[00:33:21] [SPEAKER_01]: to take that new problem and create a new market and how to do it in the right way.

[00:33:27] [SPEAKER_01]: And I think that book basically helped me to talk to security people and tell them,

[00:33:33] [SPEAKER_01]: hey, we all know about this problem. We all suffer from this problem and we all kind of accepted

[00:33:38] [SPEAKER_01]: that this is a problem we need to live with, but we actually have a solution for it.

[00:33:43] [SPEAKER_01]: That change of mindset was very tough. Playing that Play Bigger audiobook kind of helped me

[00:33:51] [SPEAKER_01]: to address that really big challenge of creating a new category in a very smart way. So that's my

[00:33:57] [SPEAKER_01]: kind of small recommendation for the podcast. I love it. I will get that added straight to

[00:34:03] [SPEAKER_00]: our Amazon wishlist. And I love what you've done here with your own career and everything

[00:34:07] [SPEAKER_00]: and how you took a problem, you took your own frustrations and not just moaned about it or

[00:34:13] [SPEAKER_00]: complained about it like I might. You've gone out there and created that solution. You fixed

[00:34:17] [SPEAKER_00]: the problem. Incredibly cool. And for anyone listening just wants to find out more information

[00:34:21] [SPEAKER_00]: about Zest Security, maybe find out more about anything we talked about today. Where would you

[00:34:27] [SPEAKER_01]: point everyone listening? What's the website? So the website is Zestsecurity.io. We're very,

[00:34:35] [SPEAKER_01]: very open. So all the information about how the product works, how the integration works,

[00:34:40] [SPEAKER_01]: everything is there so you can learn about the platform. More than that, feel free to book a

[00:34:45] [SPEAKER_01]: demo. A security specialist, not a salesperson, which I love salespeople, but again, security

[00:34:51] [SPEAKER_01]: specialist will jump on a call, give you a ride on our platform, ask you some questions, show you

[00:34:57] [SPEAKER_01]: use cases. So our website is the way to go. If you have a personal ask, anything that can help

[00:35:04] [SPEAKER_01]: to any one of our listeners, feel free to DM me on LinkedIn. I'm very active in LinkedIn.

[00:35:10] [SPEAKER_01]: So it's Snir Ben Shimol, co-founder of Zest Security, on LinkedIn. So feel free to reach out.

[00:35:16] [SPEAKER_00]: Love that. Well, I will add links to everything to make that nice and easy for people listening.

[00:35:20] [SPEAKER_00]: And I do urge them to check you out and maybe send you a message and be inspired by you because as I

[00:35:26] [SPEAKER_00]: said a few moments ago, you experienced cloud risk remediation challenges firsthand. Those

[00:35:32] [SPEAKER_00]: frustrations though, along with the fact that there was a realization, hey, there's no existing

[00:35:36] [SPEAKER_00]: solution in the market that adequately addresses this problem led to you developing this technical

[00:35:43] [SPEAKER_00]: solution, which went on to become the vision for Zest and that combined with the books that

[00:35:48] [SPEAKER_00]: you've recommended. I hope this light bulb moment is going off all around the world where people

[00:35:53] [SPEAKER_00]: with their own problems, where there's no solution out there and they don't just leave it. They go

[00:35:57] [SPEAKER_00]: do something about it. Maybe they start with a book, maybe they DM you, but hopefully we've

[00:36:02] [SPEAKER_00]: inspired other problem solvers out there. But thank you for shining a light on this. Really

[00:36:06] [SPEAKER_01]: appreciate your time today. Same here, Neil. Thank you for having me and let's fix some problems.

[00:36:11] [SPEAKER_00]: So what key insights can we take away from today's conversation? First, the growing challenge

[00:36:17] [SPEAKER_00]: of managing cloud security vulnerabilities is a problem that every organization must address.

[00:36:23] [SPEAKER_00]: And Zest Security and its pioneering new approach to make the process faster, more efficient,

[00:36:29] [SPEAKER_00]: more scalable. That's the stuff that interests me today. And also his vision for integrating

[00:36:35] [SPEAKER_00]: remediation platforms into standard security stacks. I think it shows a forward thinking

[00:36:40] [SPEAKER_00]: approach that's driven by real world frustrations and solutions. And I think more than anything,

[00:36:46] [SPEAKER_00]: the key message there was that a reminder that cloud technologies are going to evolve.

[00:36:52] [SPEAKER_00]: And because of that, so must our security strategies. But the big question, of course,

[00:36:56] [SPEAKER_00]: is what steps will you and your organization take to ensure vulnerabilities are resolved quickly

[00:37:02] [SPEAKER_00]: and as effectively as possible? As always, please email me tech blog writer outlook dot com Twitter

[00:37:09] [SPEAKER_00]: LinkedIn, Instagram, just at Neil C. Let me know your thoughts on this one. And don't forget,

[00:37:15] [SPEAKER_00]: you've also got a backstage pass to tomorrow's episode, too. I will be waiting in your podcast

[00:37:21] [SPEAKER_00]: feed with another guest. But thanks for listening today. Hopefully I'll speak with you all again

[00:37:25] [SPEAKER_00]: bright and early tomorrow. Thanks again.