Hi, this is your host, Swapnil Bhartiya, and welcome to TFiR: Let's Talk. Today we have with us Nabil Zoldjalali, VP of Technology Innovation at Darktrace. Nabil, it's great to have you on the show.

Thank you so much for having me, Swapnil. It's great to be here.

It's my pleasure to host you today. And if I'm not wrong, this is the first time you and I are talking, or actually this is the first time I may be talking to somebody from Darktrace. So I would love to know a bit about the company. What do you folks do?

Darktrace was founded in 2013. We're a cyber AI business. And over the last 10 plus years, we've really been focusing on finding use cases where machine learning and AI are ideally suited to address cybersecurity challenges that really can't be solved otherwise. Since then, we've essentially grown our business. We have over 8,800 customers around the globe. We operate in over 100 countries. And we went public in 2021. And there aren't that many signs of us slowing down. So we're really excited to be here. I think there's quite a lot of traction over the last 12, 18 months that we've seen, especially around the application and the promise of AI, which has been really, really nice to see how it's developed over the years, and really, really excited for the future.

When you say cyber AI, what exactly do you mean by that?

Yeah, absolutely. That's a really great question. I essentially am talking about really the intersection of cybersecurity and AI, machine learning. And what I mean specifically by that is, historically speaking, the way that most cybersecurity tools and products operate is they operate off of this framework of trying to understand and learn attacks, attackers and attack techniques that have happened in the past with the hope to stop and prevent those things from repeating themselves in the future.
What we really focus on doing at Darktrace is, instead of trying to focus on attacks of the past, we actually look at leveraging a lot of machine learning to learn how businesses normally operate. And without necessarily depending on attack data or historical breach data, we learn what normal business operations look like at a very granular level. And that allows us to bring about new use cases and innovations that you really can't create with the old framework of doing things.

How have we seen security's evolution from the traditional IT data center days to the more cloud-centric? And now we're not just talking about cloud. We can also talk about edge. And edge can be seen depending on who you look at. They may be small IoT devices or it may be more or less like smaller data centers closer to users. With this, the way you deal with security is also kind of changing, evolving. It's not someone else's problem. We talk about the whole shift left, DevSecOps movement. And now we are throwing AI into the mix as well. So talk about the evolution from Darktrace's perspective.

Yeah, absolutely. I think from our perspective at Darktrace, we really thought and kind of set out to really go through this journey of creating innovative technology that is able to gather and monitor and observe a certain type of data, learn how it normally behaves and learn all the intricacies of the interactions and transactions between different assets and services, with the hope to be able to find not just anomalies or deviations from normal but then also be able to do it at such a level of accuracy and precision that we then allow customers to enforce normal. And that's kind of one of the key benefits that we have in terms of innovations and differentiations in the market, is that we're a security vendor that can actually enforce normal and stop a threat that we've never even seen before ourselves.
And we have a number of different kind of interesting stories and blog posts on our website that talk to that. But to your point about kind of the trend that we see in security, you're absolutely right. And I think for a variety of internal and external factors, the way that essentially IT systems operate these days, it's not just in an IT closet where all of your compute, your storage, your services, your applications, all reside in a physical location that you could touch and manage yourself. But it's almost kind of this distributed environment where data resides in different places, and really what businesses have started to focus on is optimizing for the business operation itself. And I think this is one of the things that's really key to keep in mind, right? I don't think any security engineer 15 or 20 years ago would have put up their hand and said, I would love to secure an environment that has data sprawled in all these different places, many of which I don't control or own myself, and now I need to maintain and manage all of the human error that comes as a result of that. But what you really end up with is a lot of these things have such great tremendous business benefits that people have had to essentially cope and manage and maintain these environments that are incredibly distributed. And it's something that I always mention: the cloud doesn't exist in a vacuum, right? A lot of the key benefits that the cloud provides are business benefits, right? These are benefits that help the business scale, help them with availability, help them with distribution, help them really optimize their operations, and from that perspective, the cloud isn't just sitting somewhere on its own in somebody else's data center completely in a vacuum, but it's actually intertwined and interconnected with different third-party applications, different types of authentications, different modalities of operating and managing and maintaining those services as well.
And I think when you think about this dynamism, right? And you think about how kind of ephemeral everything is, it becomes really, really important to have a layer in your cybersecurity program that can deal with that level of dynamic change and that level of transformation. And I think that's something that machine learning is ideally suited for. It's kind of dealing with these kind of dynamic changes and evolutions and processes and how data moves, where it comes from, how it behaves. It's one of the things that I think machine learning does a great job of, learning that normalcy and how it changes and evolves, as opposed to having to define everything, right? And that becomes doubly true from a security standpoint, right? Because if you think about it, human error and misconfigurations are probably some of the most reported and talked about challenges that security practitioners face these days. And from a realistic standpoint, there's no way to enumerate every single error a human could possibly do. That would be a task in futility. But if you think about it from a machine learning standpoint and framing, machines are actually really, really good at learning how do things normally occur and what do those anomalies look like? How many deviations away from norm are you? And if you can do that accurately and precisely, you can actually cut out the edge cases and only allow humans, processes and technology to operate in a way that allows for business continuity and resiliency.

Cloud was seen as a magical place once; there are so many comics also. You just move to the cloud, suddenly all of your problems are gone. So why do you have to worry about security when you're dealing with an already secure cloud environment? You're using probably one of these three, AWS, GCP or Azure, or others as well. So talk a bit about cloud security.
There's definitely a little bit of truth to the fact that the cloud security providers that you mentioned, they invest a lot of resource and they really have best-in-class security capabilities in comparison to how an end customer might be directly managing or maintaining a physical space, because they're doing it at scale, right? They're doing it at scale. So they actually address and think about challenges at a dimension that most single customers, generally speaking, won't be addressing and thinking about. From a security standpoint, though, to your question, I think it goes back to what I mentioned earlier, right? Human error isn't something that you get rid of. And what's really happened is, if you think about the challenge of cloud security, I think the cloud provides incredible promise. It's a fantastic technology that's optimized for a very large number of use cases. But at the end of the day, you have humans managing and maintaining that technology. And while the cloud providers have abstracted and taken on some of the responsibility of security onto themselves, and they do a fantastic job with it, there is still a level of responsibility that's left to end users and end customers. And when you think about the benefits that the cloud provides, the scalability, the flexibility, the availability, those benefits aren't just benefits for end customers. Those are benefits for all. Technology doesn't discern between good and bad. So those benefits are also the same benefits that attackers leverage, right? So when you look at it from an adversarial standpoint now, credentials become way more important and interesting, because if I have credentials, I have keys to the kingdom. And if I have keys to the kingdom, I can scale my damage, I can make it more flexible, I can make it more available. So all those benefits that end customers get from the cloud, adversaries have access to those same exact benefits as well.
And from that perspective, I feel like this is where the actual paradigm of cloud security is different in the cloud. Not that it's non-existent, but it actually highlights different priorities when compared to people that purely run on-premise data centers and such.

What are some of the common challenges that you see organizations face, or mistakes they make, when trying to secure cloud environments? And then we'll talk about, you know, Darktrace's approach, how you folks come and help them. So let's start with the challenges and then you roll there.

Perfect, absolutely. I think in terms of challenges, the way I oftentimes describe it is there is what you call pre-implementation cloud security and what we'll call post-implementation cloud security. And what I mean by these two terms is, from a pre-implementation standpoint, this is really the idea of being able to secure and capture risks that may or may not manifest before anything goes live into production, right? And I think what we've seen in terms of the industry so far today is there is a very, very large field in the domain of cloud security around posture management of different kinds and sorts, where the idea really is: how does your cloud posture look, and does that posture lend itself to a high volume of risk, a low volume of risk, and how do you catch things and address them before they result in actual impact, right? And that's again loosely what I call pre-implementation security, and the benefits of pre-implementation security is a lot of times posture management type tools and products, they're very broad in their ability to cover a wide range of asset and service types within cloud environments and they're very relatively simple to deploy, right? Within usually 20, 30, 40 minutes you can actually have a broad view of your entire cloud environment, but the trade-off is the depth of what you see is quite limited, right?
Because posture management usually is based off of either snapshots or APIs, and regardless how you slice it, you're not getting a real-time view of what's happening as it's unfolding, and this is why we're calling it pre-implementation security. On the post-implementation security side you have the inverse, right? You want to find out what's going wrong as it's going wrong, and that's usually done with agents or sensors that are actually deployed on compute workloads to actually monitor in real time as things are happening: what do they look like, what are they causing and how do we address them as quickly and as efficiently as possible? The trade-off there is you don't have the breadth of pre-implementation security, because now you're limited in scope to only what you can deploy agents on and what you have deployed agents on and are managing and maintaining yourself. But the benefit here is you get the depth, right? You're getting a real-time view of things as they're happening and you're able to get much more granular data, and these are the two challenges and options that customers have to face. Where do I do pre-implementation security, and how much time and resource do I invest there, and how do I make sure that on the post-implementation side I'm catching things as they're causing harm and damage and as they're manifesting, but without losing sight and spending too much time fighting fires that doesn't allow me to make the kind of changes that have lasting impacts, right? And this is really the challenge: do I invest in one place versus the other, and how do I really get that balance of those two things, right? In a way that is meaningful and actually net positive for my cloud security team.
Can you talk about the importance of teams, people, and how much you're seeing the cultural changes? Because we love to talk about DevSecOps, we do love to talk about, you know, shift left, but what is happening in reality versus what we hear, what role, what importance you see, and how Darktrace's tools, you know, approach to cloud kind of reinforces, it kind of becomes a catalyst to bring that cultural change that is needed in the organizations.

Absolutely. I think that's a really, really good question actually. When you look at this kind of whole shift left mentality and the discussions around DevSecOps, really fundamentally, if you were to boil it down and try to simplify it, what we're talking about is really two groups that, based on the normal operating model, don't become best friends and see eye to eye always, right? And those two groups are: you have on one hand developers, whose role and whose duty for the business is to create products that delight, products that help the business grow. And from a developer standpoint, if you ever try to develop or work with a developer yourself, what you really hear is they want to have unrestricted, frictionless ability to create, right? And when you look at security, and again, this changes from program to program, but at the end of the day, security's mandate and what they're focused on and what they're optimizing for is the secure release of products and the secure operation of the business. And oftentimes there's this perception that security is gonna inhibit or slow down developers from creating. And this is the tension, and I feel like there are some approaches which really aim at speaking into existence: well, we should just be a family, right? So let's just put developers and security people in a room and become best friends and we'll just speak it into existence.
But I feel like, to address your point around the cultural shift, to do this accurately what you really need to do is you need to find the areas where these two groups can see eye to eye and how they can support each other's functions. And I think, to that question that you bring up, there are a few things we've done with Darktrace Cloud Security, because I think there are areas where these two groups can definitely collaborate, right? One of the areas that becomes really important and that the industry has kind of naturally promoted over the years is this idea of DevOps and security, right, the idea of how are workloads architected? What's the application architecture and how does that architecture lend itself to risk? And is there a way to actually have security and DevOps work together in a way that they optimize the architecture not just for the performance of their products but also for the safekeeping and the security of their customers? And from that perspective, Darktrace Cloud has actually done a lot of work applying our machine learning approach and our pedigree not just to the data plane of cloud environments but also to the control and management plane, allowing for our algorithms to learn normal architectures, to understand in a cloud environment how is an application normally architected? The interesting part about this is application architectures are not a single silo activity, right? An architecture will include serverless, it will include identities, it will include users, permissions, roles, it will also include different types of compute, and these things interact cohesively together. And this goes back to my earlier point about pre-implementation and post-implementation security. If you're only to look at an architecture from a pre-implementation perspective, only through the lens of the API, you miss part of the picture. If you look at it only from a post-implementation perspective of sensors on compute workloads, you miss part of the picture.
If you do those two things in separate vacuums, you create a lot of work trying to piece those two things together. And one thing we've done with Darktrace Cloud is actually have our machine learning be able to correlate what actually happens between data, control and management plane and actually offer customers this view of: this is what's happening in real time. If there is an incident or an alert that happens in real time, we can actually attribute and associate it with the misconfigurations that were not addressed that led to this point. And from a visibility and dynamic understanding view, we can offer a single source of truth for both DevOps and security to look at the architecture and say, okay, we're both seeing the same thing. We both see what each other's challenges are, right? From the developer side, this architecture can't do these things, and from the security practitioner side, this architecture has risk here, here and here, right? So by having that single source of truth, you start to allow that kind of collaboration, but it is not an approach where it's strong-arming or forcing security onto developers or forcing security people to compromise the integrity of the security programs in favor of a better and more seamless kind of development experience. It's really about bringing the two together and allowing them to see how to have a single source of truth.

What does your offering look like so that they lower the barrier of entry? And you also talk about the conflict between the teams; it kind of helps with that. And another great point that you made was that developers should have their time to focus on writing business applications, not with a lot of other things which are moving into their pipelines. So let's talk about your products, how they serve them.

Yeah, absolutely. I think there are really three core things that Darktrace Cloud aims to achieve through this new release.
And I know I talked a lot about the kind of challenges of pre- and post-implementation cloud security, and really the product aims to actually take the best of both worlds, right? How do we take that ease of deployment and that breadth of view that you get with pre-implementation security, but also combine it with the depth of capability and the real-time visibility that you get with post-implementation cloud security? And that's essentially what Darktrace Cloud is really built on. It's this ability to actually have our machine learning models that we've kind of created and finessed and honed over the last 10 years now actually be more multimodal and multidimensional, and not just look at raw network real-time data, but also look at it in conjunction with control and management plane information, whether that be from the API, whether that be from Flow Logs, whether that be from Event Bus or Route 53 or what have you. But really the idea is by default you want to have this seamless customer experience, right? You want to have an offering that is really easy to get off the ground and can scale really nicely. So Darktrace Cloud is agentless by default, but it also actually has this ability to, once it builds the different architectures for your different applications within your cloud environments, actually help orchestrate and kind of automate a lot of the deployments of where do you want sensors, at what time, for how long, and this way you get the best of both worlds from a deployment standpoint. You also get the best of both worlds from a capability standpoint, right? You get to look at your misconfigurations and all of that kind of human error that could manifest in real serious harm, but you get them contextualized within the framework of the actual architecture of your application, which allows you to actually reprioritize and re-risk misconfigurations, because you're not just saying this is a risk in general for anybody.
Now we're saying Darktrace's machine learning has learned this architecture. Based on this architecture, these are risks that may never manifest based on how you've architectured your application. These risks that would traditionally be much lower in terms of priority and severity are actually now amplified based on how you've architectured your application, and based on what we're seeing in real time and these events that we're detecting and responding to in real time, these are misconfigurations you should address right now because they're manifesting themselves into real concerns and into real-time threat for the business. And really it's all when you are able to learn self and understand the cloud environment and not oversimplify its complexity, but harness it and understand these are how applications are spread out over these accounts, these are the services and assets that overlay and communicate with one another. Now you have the ability to not just do very, very advanced threat detection, but you're also able to actually enforce normal, and this idea of enforcing normal and being able to stop a threat that nobody's ever seen before, not by virtue of predicting it heuristically, but by virtue of knowing what normal good looks like, that is a key capability that we're releasing with Darktrace Cloud that we're really proud of, this kind of cloud-native response. And it's something I actually wrote a blog post about not too long after we launched the product at the end of October.

Who is your target audience? What kind of industries do you cater to, or it doesn't really matter, big, small, anyone; everybody has a cloud story there. Just talk about use cases and who is leveraging your technologies.

I'll answer your question probably slightly a little differently, because you're absolutely correct, right? Everybody's really using the cloud in one way or another.
And the idea is the cloud has a number of optimal use cases that it helps address, and customers really lean into those things. And actually as the cloud develops, those use cases might change, they're gonna evolve, they're gonna become more robust and mature, and how you deal with it dynamically also changes, which essentially lends itself really nicely to who is the ideal person to be looking at Darktrace technology. And the ideal benefit is, again, that dynamism and that change and that evolution that happens, machine learning is really, really well suited to deal with that, right? It's really, really well suited. And what becomes really interesting is that you get customers that save a lot of time and resources by having Darktrace's machine learning do the heavy lifting of dealing with that dynamism and that evolution and that constant evolving change, while allowing them to also have the ability to actually not necessarily worry about defining or maintaining or managing or having a large team of data scientists that have to kind of create and maintain these machine learning models on their behalf. And I think that is the ideal use case for Darktrace: the ideal scenarios are those that are really difficult to define, right? Scenarios where you want to be able to have some level of risk mitigation against human error, some level of control against dynamic change. Those are really the kind of use cases where Darktrace shines with its heavy reliance on machine learning.

Nabil, thank you so much for taking time out today to talk about Darktrace, the challenges out there when it comes to cloud security. And I would love to chat with you again.

Thank you. My pleasure. Always great chatting.