Goldilock Secure On Cutting The Blast Radius In Overconnected Networks
The Business of Cybersecurity, March 03, 2026
23
00:26:20, 24.11 MB

For two decades, the mantra in technology has been simple: connect everything. More APIs, more integrations, more remote access, more cloud. But what happens when that hyper-connectivity becomes the very thing that amplifies risk?

In this episode of Business of Cybersecurity, I sit down with Steven Brodie, Chief Revenue Officer at Goldilock Secure, a NATO-backed cybersecurity firm challenging the industry’s long-standing assumptions. Steven argues that in 2026 we are finally confronting the downside of overconnectivity, where sprawling networks and forgotten links create enormous blast radiuses when breaches occur. Instead of defaulting to constant connection, he introduces the idea of “right-sized connectivity,” where systems are connected only when required, no more and no less.

We explore why so many modern breaches spread so quickly, and how architectural decisions made in the name of speed and convenience have left organizations exposed. Steven explains how most attacks are software-driven, moving laterally at machine speed, often faster than teams can patch. In that arms race, patching alone is no longer enough. Goldilock Secure approaches the problem differently by adding a physical layer of segmentation that can remotely connect or disconnect assets without sending commands over the public internet. The goal is simple: buy time, contain incidents, and prevent a localized breach from becoming a company-wide crisis.

We also discuss the tension between security and operational continuity. How do you introduce deliberate firebreaks into a network without slowing down the business? Steven is clear that this is not about returning to air-gapped islands everywhere. It is about controlled connection and controlled disconnection. Boards, he argues, should rethink cybersecurity metrics away from checklist compliance and toward containment, resilience, and clear audit trails that demonstrate who accessed what, and when.

As AI accelerates attack automation and zero-day vulnerabilities shrink response windows, the question facing every CISO and board is whether their architecture has grown beyond what is defensible. Are you relying purely on logical controls that can be subverted in software, or are you prepared to add physical boundaries that act as real firebreaks?

I would love to hear your take. Has hyper-connectivity become a strategic liability in your organization, or is it still viewed as a competitive advantage?
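The episode describes the control loop without showing it: a link between two zones stays down by default, comes up only for the right person at the right time, drops again when a grant lapses or the SOC trips an alert threshold, and every decision leaves an audit entry. The Python below is an added example, not Goldilock's code and not how their hardware works; it models only the policy and audit side of that loop (the physical switching and the out-of-band command path are outside the model). The link label, the principals, the 08:00 to 18:00 window, the alert budget of three and the whole timeline are constructed for illustration.

```python
"""Added example, not Goldilock's code: decision logic and audit trail for a
default-disconnected link between two zones. Names, window and timeline are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta, timezone


@dataclass(frozen=True)
class Grant:
    principal: str
    expires_at: datetime
    reason: str


@dataclass
class LinkPolicy:
    name: str               # hypothetical label for the governed link
    window_start: time      # earliest time of day the link may be up
    window_end: time        # latest time of day the link may be up
    alert_threshold: int    # SOC alerts that force the link down
    max_grant: timedelta    # cap on any single grant's lifetime


@dataclass
class LinkController:
    policy: LinkPolicy
    connected: bool = False  # fail closed: the link starts down
    grants: dict = field(default_factory=dict)
    alerts: int = 0
    audit: list = field(default_factory=list)

    def _record(self, now, actor, action, outcome, detail=""):
        self.audit.append({"t": now.isoformat(), "actor": actor, "action": action,
                           "outcome": outcome, "detail": detail})

    def issue_grant(self, now, issuer, principal, ttl, reason):
        """Time-boxed access for one principal; the cap rules out open-ended grants."""
        grant = Grant(principal, now + min(ttl, self.policy.max_grant), reason)
        self.grants[principal] = grant
        self._record(now, issuer, "grant", "issued", f"{principal} until {grant.expires_at.isoformat()}")
        return grant

    def _deny_reason(self, now, principal):
        grant = self.grants.get(principal)
        if grant is None:
            return "no grant"
        if now >= grant.expires_at:
            return "grant expired"
        if not self.policy.window_start <= now.time() < self.policy.window_end:
            return "outside window"
        if self.alerts >= self.policy.alert_threshold:
            return "alert threshold reached"
        return None

    def request_connect(self, now, principal):
        """Bring the link up only when grant, window and alert budget all allow it."""
        reason = self._deny_reason(now, principal)
        if reason is not None:
            self._record(now, principal, "connect", "denied", reason)
            return False
        self.connected = True
        self._record(now, principal, "connect", "ok")
        return True

    def disconnect(self, now, actor, reason):
        if self.connected:
            self.connected = False
            self._record(now, actor, "disconnect", "ok", reason)

    def raise_alert(self, now, source):
        """Each SOC alert consumes budget; reaching the threshold drops the link."""
        self.alerts += 1
        self._record(now, source, "alert", "counted", f"{self.alerts}/{self.policy.alert_threshold}")
        if self.alerts >= self.policy.alert_threshold:
            self.disconnect(now, "policy", "alert threshold reached")

    def sweep(self, now):
        """Housekeeping: expire grants and drop the link once nobody holds one."""
        expired = [p for p, g in self.grants.items() if now >= g.expires_at]
        for principal in expired:
            del self.grants[principal]
            self._record(now, "policy", "grant", "expired", principal)
        if self.connected and not self.grants:
            self.disconnect(now, "policy", "no live grants")
        return expired


DAY = datetime(2026, 3, 3, tzinfo=timezone.utc)  # constructed date for the timeline


def at(hour, minute=0):
    return DAY.replace(hour=hour, minute=minute)


def run_scenario():
    """Constructed timeline exercising each control; returns outcomes and the audit trail."""
    policy = LinkPolicy("it-to-ot-audit", time(8, 0), time(18, 0), alert_threshold=3,
                        max_grant=timedelta(hours=4))
    link = LinkController(policy)
    out = {}
    link.issue_grant(at(8, 55), "it-ops", "acme-contractor", timedelta(hours=2), "PLC audit")
    out["unknown_denied"] = link.request_connect(at(9, 0), "someone-else")
    out["contractor_ok"] = link.request_connect(at(9, 5), "acme-contractor")
    out["expired_denied"] = link.request_connect(at(11, 30), "acme-contractor")  # 2h grant ended 10:55
    link.sweep(at(11, 30))
    out["down_after_expiry"] = link.connected
    link.issue_grant(at(13, 0), "it-ops", "acme-contractor", timedelta(hours=9), "follow-up")
    out["capped_expiry"] = link.grants["acme-contractor"].expires_at == at(17, 0)  # 9h capped to 4h
    out["reconnect_ok"] = link.request_connect(at(13, 5), "acme-contractor")
    for minute in (10, 11, 12):  # three SOC alerts while the link is up
        link.raise_alert(at(13, minute), "soc")
    out["down_after_alerts"] = link.connected
    out["denied_while_alerting"] = link.request_connect(at(13, 20), "acme-contractor")
    link.issue_grant(at(18, 30), "it-ops", "acme-contractor", timedelta(hours=1), "late change")
    out["outside_window_denied"] = link.request_connect(at(18, 40), "acme-contractor")
    return out, link.audit
```

The two design choices worth copying are that the default state is disconnected and that a grant always carries an expiry capped by policy, which is exactly the contractor problem raised later in the episode: credentials that outlive the engagement do no harm if the link they need is down. Running the `sweep` on a timer, rather than trusting the requester to disconnect, is what turns "connected when required" from a policy statement into enforced behaviour.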

00:00:00 Neil : For years, the cyber playbook was simple: connect everything, integrate everything, and keep the data flowing at all costs. But what happens when that very strategy becomes the biggest source of risk? Well, today's conversation will challenge one of the longest-standing assumptions in enterprise IT and ask whether resilience this year will depend on knowing when to disconnect just as intelligently as how we connect. Well, joining me today is Steven Brodie. And he's from the NATO-backed Goldilock Secure, a company that's rethinking blast radius, operational continuity and what real control looks like in this hyper-connected world that we all find ourselves in. So if you care about protecting crown jewel assets, buying time during an attack and moving beyond compliance checklists towards the cyber security utopia of true containment, this episode will hopefully give you a completely different lens on the future of cyber security. But enough scene setting from me. Let me officially introduce you to my guest right now. So thank you for joining me on the podcast today. Can you tell everyone listening a little about who you are and what you do?

00:01:26 Steve: Well, thank you for hosting us. It's a pleasure. My name is Steve Brodie. I'm the chief revenue officer of Goldilock Secure. We are a cyber security company which, as its name suggests, does something very unique in the industry. And I'm sure your listeners are going to be very excited to learn a lot more about this.

00:01:42 Neil : Yeah. There's so much we're going to get through today. And I think for the past twenty years, the industry mantra has been, hey, let's connect to everything. And we're now reaching the point where over-connectivity has almost become a strategic liability for business. Is that what you're seeing at the moment? Because we've both come from a time where we had bring your own device and we had shadow IT. But what you're seeing here, where are we now?

00:02:08 Steve: I completely understand where that comment is coming from. So again, I'm part of the group that started to push that mantra twenty odd years ago, about connecting everything as quick as possible, as fast as possible and everywhere as possible, because it was about driving business and it was about driving the way to connect, to give a competitive advantage. However, as years have gone by, we have many, many connections out there, some that are forgotten, some that are old. We connect in everything, sometimes for no reason at all. So we have a situation where we are hyper-connected; in a lot of places we're over-connected, which means that we are sadly leaving a lot of exposures open into a lot of organizations, which means there's risk. And then you see this now in all the cyber attack announcements; you see the IBM report that got released the other day: over fifty percent rise in cyber attacks. The risks for organizations keep getting greater and greater and greater. And a lot of that is through connections. It's the remote connections that come in. And that's how we have to make sure that we change the mantra and the philosophy that organizations take, to go from always connected to always connected when required. And that's an important difference.

00:03:22 Neil : It really is. And before you joined me on the podcast today, I was doing a little research on you, and I was also looking at the slightly tweaked mantra, because you spoke about, I think it's right-sized connectivity. So what does that look like in practice for a modern enterprise that still depends on cloud services, APIs and remote access, etc.? What does right-sized connectivity look like?

00:03:44 Steve: So you have to first of all start from what's the objective of an organization. Most organizations are not there to be an IT company. They're not there to be a security company. So what they have to do is they have to look at what their business risks are, what the most important things for them are. So therefore they have to get clarity of where they have connections. They have to look at control of those connections and therefore work out when do you access something and when do you not access something. So it's not about saying you don't have connections available. As I mentioned just a moment ago, it's about having the connections available when required. So it does mean that as people start to look at their risk registers: do you need your crypto keys always online? Do you need your HR records always accessible twenty-four hours, seven days a week? Do you need your systems to always be connected from the finance to the operations team? No, but you need to be in control of them. And that's what we're trying to get people to think about on the right-sized connectivity piece. Because at the end of the day, there's a lot of security products out there and they are needed and they're wonderful, and we're not going to ever say anything bad against them. But there are always incidents occurring. So the security market hasn't got everything right yet. What we bring is an extra layer of security at the physical aspect, to ensure that instead of having just logical control of your connectivity, you now have physical control of your connections as well. And that has a whole new depth of defense that's never been available before, from both a reactive and a proactive stance.

00:05:17 Neil : And a question I've got to ask is, when we're scrolling down our news feeds and we see a typical breach that happens today, why does that blast radius still tend to be so large? And how much of that is driven by architectural decisions, maybe even technical debt, that were made in the name of convenience or speed, another lifetime ago, where those people working for the company are no longer there? Why is that radius still so big?

00:05:44 Steve: Well, if you think about it, and we've spoken to a lot of different people, as you can imagine, from board advisors to the military to finance organizations, to others, and they talk about it as, again, risk management. At the end of the day, most organizations have grown, and a lot of them grow organically. So you add another connection, you add another system. And sometimes the rate of that growth has meant that they've gone through at such a pace that they haven't been able to refresh their systems; they haven't been able to work out how that acquisition has been able to merge all the different systems together correctly to give them the full parameters of control. So when you start to see the way that modern attacks work, it's typically done by software. So it's a software part that goes from A to B. Have you always got your systems patched? Have they always been updated? Are they even available to be patched nowadays? Certainly when you look at some of the CNI aspects. So it's also a case of when you go through an attack, you can get one small breach and you think, oh, we've contained it, but if you've only got that software and they've got something dormant and then release it later, it can just spread like wildfire. So you need to have those segmentation controls in place to physically stop it spreading, not just logically, because otherwise there's a software part that comes through. And if you think about what's happening with all of the news last week, unfortunately one of the firewall vendors, with the AI tools that are coming out, they're speeding up the automation and the ability for the adversaries to go through and attack different systems. So what this means is the bad guys only need to be quicker than you can patch as an organization. And patching takes time. It takes effort. It takes people to be able to do it and systems to be able to do it.
And how do you buy yourself time as an organization if you haven't got that in a physical control like ours? Then at the end of the day, you are in an arms race, and it's software and software. We see what happens all over the place. And that's the reason why we often get the commentary that the blast radius keeps expanding. And in some cases they're quick to react. You know, in some cases we've seen it in the press with some organizations where they've actually run down and pulled the cable, because that was the only option they had. So it's a debate that a lot of people will have about how do we control the zone, how do we control the segment. And that's why I often use that word segmentation. And at the physical layer, that's how you do the blast radius control.

00:08:14 Neil : I think you hit the nail on the head there with that word time. I mean, even if you've got the perfect strategy and you've got the time to do all that patching, getting downtime for some of those critical applications from stakeholders, that's a challenge on its own, isn't it? Half the time it is.

00:08:31 Steve: It's a massive challenge. And that's also why we see sometimes people misunderstanding where they're secure. They've gone and got compliancy, but they haven't got security. The two aren't always hand in hand. So exactly as you point out, that time is fundamental, and what we provide, the firebreak product, is not just a reactive tool to say we pull up a barrier and we stop the breach from spreading and going further. We change the whole perspective of the way that you look at operational resilience and security and risk by saying, actually, do we need it connected? If we don't, why connect it? And then we connect and open the door at the right time for the right person to do the right job, and then shut that again. And going back to that example about the AI beating the patches: that's a maintenance issue as well. So as you said, it's a time window that people have to have. You have to book in a time to say, right, we're going to shut that system down, or shut access to that system down, more importantly. And that just exacerbates when you start to look at day zero type attacks. When a day zero issue is found, how long is it before the vendor can actually put out the software patch? And then you have to get the right person to go and do the installations. And again, depending on the size and scale of the company, can you actually have an IT expert immediately online to do the updates and patch rollouts? The answer is, nine out of ten times, you don't. And you have to prioritize your resources appropriately. So we're trying to give people the choice of how they assess what they can afford to lose, or how much loss they can take.

00:10:05 Neil : And logical micro-segmentation, that's something that many people listening will have widely adopted as a control. But even there, where does that fall short, and where do you believe software-based controls alone are just no longer enough?

00:10:21 Steve: Well, I'll just repeat what I said earlier. It's software and software. It's purely software and software. And eventually the bad guys will get through. It's just then again, how do you control that? And don't forget, I think the whole micro-segmentation software element is absolutely vital, because it starts to put things into a practice and process that people understand. It's a toolset that people use, but it's only a part of the puzzle. Now you need to look at the entire picture, the entire puzzle, to actually go through and say, right, we now have the hardware protected and the software protected. So again, as you go through that, I would ask you, why would you only look at a micro-segmentation software strategy when you're looking at an entire solution? Because at the end of the day, as I said, most people are not IT companies. They're not security companies. They are trying to provide clean water; they're trying to ensure banking services are provided, healthcare, all of those other aspects. So you're only looking at half of your defensive solution here. So it's about, as I said, building the entire stack together.

00:11:23 Neil : So at Goldilock Secure you focus on physical segmentation that can remotely connect or disconnect assets without sending commands over the internet. So how does that change the threat model compared to, let's say, the traditional network defenses that many people listening will have?

00:11:41 Steve: So if I take us on a trip back through history to where we started as well: when we were building the internet out, originally, before Cisco became so dominant and so wonderful in what they did, you would have people that would actually have networks that were control networks and data networks, and they were over two cables. And Cisco got such an advantage when they actually managed to put the control in the data network, all over the one cable, which then allowed us to have the hyper-connectivity and the scale and the great things that we've got today with all the technology. What then happened is, though, you then saw the security industry boom because they realized there were security challenges. What we've in effect done with our technology is basically be able to split the control plane and the logical plane back out again, but over one cable. So you now have the physical control, and you can choose whether it's human in the middle. And you can go over SMS, for example: you can send a text message to say allow the access to flow or shut off the access, or you can have it via an API so you can automatically link it to your SOC, to your management tools, so you can then put policies and processes in place to give you that control factor, that control element, to say, right, this zone is only allowed to be opened at this time of day, or this zone is only allowed to be opened if certain individuals have the right criteria, or actually we've seen something suspicious, therefore we go and hit the alert threshold and shut that system off. So you provide that layer of physical control that comes through and actually gives you that boundary that has never, never, never been seen before.

00:13:17 Neil : And we will have a lot of IT and security professionals listening today, but also stakeholders, business leaders, etc. And one of the reasons I wanted to highlight that is I think there's always been somewhat of a tension between security and operational continuity. So how do you introduce deliberate firebreaks into a network without slowing the business down, or frustrating teams who rely on seamless access and almost see it as a hindrance to their working day when you're trying to be the guardians of the network?

00:13:48 Steve: Absolutely. So there are different ways to answer that. So for those that would be looking at the architecture and the physical installation: the physical installation is actually very, very easy. It's more about two cables being moved around to put it in line with the system. So it's a very simple installation process. The process of policy and decision-making authority, that's where it takes a little bit more understanding of how to do this. Because yes, there's always the debate: we need more networking, we need more security, we need more of the other IT aspects. And how do you get them together? The reality is it gets set by the board. If you think of the people responsible for the company, they have a duty to actually ensure that their shareholders are supported correctly. They have a duty to their customers to make sure their products are done right. You have the duty to make sure that your systems are operating as quickly as you can. So we're not in any shape or form trying to insert a product that is a hindrance for anybody. It's supposed to be a help, and it allows those boundaries and those controls to be put in place for people to say, yes, we continue to operate as normal, but if we need to press the access control, we're now in control and we only give people that access who need it, when they need it, and why. You also then have the ability to say, we have an audit trail. So if you start to look at compliancy, you start to look at all those other things that are coming through, like NIST, for example: when you do have the NIST policy being followed, the first thing you should be doing is isolate, and then investigate, and then remedy. Now we do that in a physical tool, so you can start to look at compliancy reasons. But also then you have an audit trail to say actually who has access. We have one customer that I'll talk about as an example here.
They have masses of systems deployed all over the place, and they have a lot of third-party contractors, and they've always been able to set them up with your VPN credentials, your login credentials, all of your IT type of stuff. But the problem they had was that they wouldn't always know when their time had shut down, so they couldn't ensure that they never had access. Now with this system, you can give them all the VPN, the passwords, all the rest of the logins. But if you've actually then physically disconnected them from their access, they'll never get to the system to even try to log in. So it actually buys people the time and the security and the knowledge and the confidence that they will actually know who is in the system, when they're in the system, at the right time. So it's actually a tool that we've seen provide a lot of collaboration between those other parties to work out: right, yes, we do need this IT zone to connect to this OT zone, but the technologies are different, so we need to come in for one day a week for an audit period, or five minutes a day, whatever it happens to be. You set the parameters; they're in control. We're not going to dictate to them how they do it, but it's a case of bringing them together for a common objective.

00:16:38 Neil : And I think a very real problem inside every organization is that rising amount of technical debt that they've built up. And at the same time, there's pressure to add AI and agentic AI, hundreds, maybe thousands, of agents into the mix as well. So for CISOs listening who are beginning to reassess their architecture, what are the first indicators that their current network design has grown far beyond what is defensible right now?

00:17:04 Steve: Just look at the amount of alerts that are coming through to the SOC. You see that? Just read the press. You'll see all those different announcements that are coming through. And I did mention earlier, just if you look at what the AI has to do, they just have to be quicker than the patching capability. So how do you get patches out there faster, quicker? You can't. So the way that I sometimes position us, certainly in the partnerships that we're forming with the firewall vendors, is as the guardians. So we're there to protect them. So when that software firewall hasn't got the ability to be patched, you can now go back to the buy-time scenario. You can actually pull up the barriers and ensure that system isn't accessible without your oversight. So if you do need it to be accessed, of course you can then allow the access to be there. You can watch it. As a security engineer that went to the seaside policies, you can see what's happening, and then you can again pull the barriers up until you've had the time to patch and go through. So it's another option. It's another option that we believe is going to be the only way to actually be so quick and responsive, at the physical layer, to give you control when the world is software and software attacks.

00:18:17 Neil : And if we go back, what, five to ten years ago, the C-suite was often accused of not understanding the real value of cyber security. I think that has largely changed now. But many boards still measure cyber security maturity through things like compliance checklists. So how should leadership teams rethink metrics if containment and resilience are ultimately becoming the primary goal now?

00:18:41 Steve: Well, it comes down to different viewpoints, and different boards will have different ways of assessing this. Some will be about how much loss are we willing to take, because they will take loss. Some will be actually how many incidents are we taking. Some will take it in terms of more of a technical approach, to say how many engineers have we got dealing with reactive scenarios of operational uptime compared to productivity. So there's other ways to think of that. What we are actually seeing as part of the education process with this as well is that it's actually a very easy conversation for the board to understand. It's without needing a PhD, like some of the AI tools, where you want to be able to explain how and why it gives you all the value. We can basically say door open or door shut. So if you think about it in a nice, easy way: when you live at home, most people will shut their front door. Most people will lock their front door. They choose when they open it, when they go to work, or when they go to the gym or to see their friends, and they will maybe give a key to one of their neighbors to allow them to come in at certain times. That's what we provide. But we go one step a little bit further than that: we actually hide where the front door is, so people don't even know where the front door is. So you can't just walk past in the street and look inside and see whatever your crown jewels are as an organization. So the board, with this tool, now give themselves, one, a compliance audit boost, so they know that they've got a tool that is the action of what those compliance rules are trying to do. They know they've got an extra level of security. And they also know that they now have the ability to really defend themselves as required.

00:20:17 Neil : And I always try and give everyone listening a valuable takeaway. So if the future of cyber security really is about controlled disconnection rather than constant connectivity, what is the mindset shift required in an organization, and especially from tech leaders who've spent their careers expanding into integration, and they've got a certain way of working, and they've been following certain instructions for a decade? What mindset shift and cultural shift needs to change now?

00:20:45 Steve: Well, there's a few things on that. First of all, it's not just about controlled disconnection. It's about controlled connection as well. It's important to make sure we're not turning things off. So if you're a water purification system, for example, we want people to still have clean water. We just don't want anybody to change the chemical constructs. So it's important to do that. The other part that I would say is, again, it's all about standard change management. Don't think doing the same things that you've always done is going to change the perspective. So you have to be able to look at the new modern techniques. You have to look at the new modern ways of thinking. In many ways, we're not a modern technique. There's air-gapped networks that have been around for many, many years. What we've done is applied modern techniques of how to use air-gap technology in a system to give you full control. So we now give you all the software flexibility that organizations are used to, but at the physical layer. So it combines that strength. So the part for me that becomes really important for people is: understand where your risks are, and actually give authority and control and decision parameters down as the organization needs them. And then you can automate and you build it out. So I'm not saying that anybody should not invest in AI, because I think AI is going to have some wonderful things, but you have to make sure that you understand how to use it correctly. And that's the same as any technology, and that's what we provide as well.

00:22:11 Neil : Well, thank you so much for joining me today. Before I let you go, I want to have a bit of fun with you now. I always try and bring out a virtual soapbox, because I've got a feeling that when you're scrolling down your LinkedIn newsfeed or having a look on Reddit or wherever you hang out, you see a lot of myths and misconceptions about the areas that you work in. So let's see if we can right a few wrongs here, bust those myths. What do people misunderstand most about your industry? Or are there any myths about your job or area of expertise that we can lay to rest?

00:22:42 Steve: I think the biggest thing that we can do is get people to become aware that our technology exists. So when people talk about cybersecurity, everyone instantly thinks it's against software and the application. So for those more technical, everyone thinks of layer two to seven in the OSI stack. No one's thought about security at layer one, at the bottom, at the actual fundamental foundations where everything goes through. And that's where we are, and that's where we add that extra layer of defense and depth of defense. And that's what I want people to understand: security can be an illusion, but it can also be real. And if they understand that, if they have all the different parameters in place and they can go through the entire stack, you've got a much better chance of actually continuing to operate consistently without any damage coming through, whether it's by accident or whether it's by malicious intent.

00:23:34 Neil : And for anybody listening that just wants to find out more information on any of the topics we crammed into a thirty-minute conversation today, and we did cover a lot there, where would you like to point everyone if they want to continue this conversation and find out more about the work that you're doing?

00:23:50 Steve: Two places: Goldilock.com is our website, so please contact us via there, or via my LinkedIn page. But also we work with channel partners only, so we actually have a massive program working with key distributors and key resellers and integrators, and they are starting to educate people and deploy and obviously sell the products on our behalf. So there's a lot of parts to keep a lookout for, and we have some fabulous PR teams pushing some work out for us as well.

00:24:15 Neil : Awesome. Well, I'll add links to everything there. And just listening to you, I think one of the key messages there is that the goal isn't to go back to air-gapped islands everywhere, but just to put deliberate, well-placed firebreaks into sprawling networks so a breach becomes a containable incident, not a company-wide crisis and a huge blast radius. So thank you so much for shining a light on this. I'd love to throw it back to everyone listening. What are your thoughts? What are your experiences? Please let me know at TechTalksNetwork.com as well. But more than anything, just thank you for starting this conversation today. I really appreciate your time.

00:24:52 Steve: No, thank you for having us on. And as I said, we just want to defend people and actually make a better difference. So thank you.

00:24:58 Neil : I think if today's discussion told us anything, it's that the future of cybersecurity might hinge on a cultural shift as much as a technical one. From permanent access to deliberate, policy-driven connection, physical segmentation, right-sized connectivity and the ability to pull up a firebreak in seconds: these are the things that could be the difference between a minor incident and a business-wide crisis. So as you head back into your own organization, ask yourself: do you actually need everything connected at the same time, and do you have the control to change that when it matters most? As always, I'd love to hear your perspective, your challenges, and how you're rethinking resilience in this new threat landscape, or a threat landscape that continues to evolve at breakneck speed. As I said earlier, at TechTalksNetwork.com you'll find all the links, how you can get hold of me, and a thousand different interviews over there as well. I'd love to hear your feedback on this one, but that's it for today. So thank you for listening as always, and I'll speak with you all again very soon. Bye for now.