 What Simulate is doing is providing visibility, providing the security professionals and the companies an understanding of what is their current security posture, what is their current risk level from security gaps that they have in their organization. Boom, what's up everyone? Welcome to Simulation. I'm your host, Alan Sakyan. We are still at COFES, the Congress on the Future of Engineering Software for our second annual partnership with them. We are now with Iran Abramovitz. Hello. Hey Alan. Thanks for coming on to the show. Nice meeting you. Really appreciate it. And Iran just won the startup competition at COFES? Yeah, innovation competition, innovation companies, innovation technology. Yeah, yeah. And he just won that, super cool. And we're going to be talking about his company, Simulate. And Simulate is doing breach and attack simulation, how secure organization is assessing different attack vectors. And he was previously at Microsoft for three years and it's just a really cool journey that we're going to be unpacking here. So tell us about this journey. How did you end up becoming who you are today? You know Alan, it's a good question. It's a long journey. It actually started in security back in 2007, if I'm not mistaken. I worked at a company that did malware detection and malware stopping. I took a break, came back to security in Secure Islands. We had a very cool tool for security orchestration. We sold this to Microsoft, which is now part of Microsoft Information Protection. And in Microsoft, I was in different roles, global black belts, the experts of security for Microsoft, cyber solution group, a very good group that is focusing on the top strategic customers of Microsoft, helping our customers to understand what is the journey that Microsoft is doing in security versus what they need and how to combine these two needs. In the last role, I really was part of a product strategy team in Microsoft. 
And then Simulate approached me with this cool technology and the reason that I've decided to go from Microsoft to Simulate is really based on the journey that I had. So lots of professionals, security professionals that I've spoken to across the globe, regardless of the verticals, whether it's financials, banking industry, insurance, manufacturing, healthcare, really you name it, law, public sector. Where privacy is needed and security is needed. Where privacy is needed, where security is important. And let's face it, where it isn't today. All of these professionals, I've sold them so many different types of technologies, but they all had the same challenges. Understanding how effective are they. Or yeah, I understand the need in this, but I don't have the budget from the board. They don't really understand what I need, why I need this. And when the founder of Simulate, Al Vaxman approached me, and he is the guy that I knew in the past, and he told me about this technology and about the platform. I said, yes, this is something that customers do need. So I jumped ship from this amazing company that is called Microsoft. And I came back to the startup world to be innovative and really to provide customers with some cutting edge technologies around cyber. So now, let me take a guess, I'm just going to take a guess, an educated guess, correct. So is this sort of, you potentially set up a very strong security for your precious data or information and then the security is then, you run simulated attacks on the security and then wherever the stress points are, you build those up, you kind of have potentially machine learning to learn about where the stress points are, build those up. I will explain. Was I 10% 20% zero? I would say 30%. That's okay. That's okay. Yeah. Yeah. It's not too bad. Yeah. Well, you haven't heard about the product yet. Yeah. It's correct. Yeah. Yeah. 
So organizations today, security professionals, security organizations, and again, regardless of the size of the organization or the vertical, everyone is spending a lot of effort in securing their organization. You know, every organization to their extent to their limit of resources and budget, but everyone is buying what they think is best for their organization in order to secure them from cyber attacks, whether the reason is to steal data or to basically stop production of these companies. So security is really top of mind for any, of course, security professionals, but chief information officers, CEOs, board of directors, risk officers, it's top of mind because cyber attacks are real and cyber attacks are happening on a daily basis. In the day that we are now recording this, we basically heard that this is a record-breaking day from the perspective that the most, the largest amount of records have been leaked, two billion records. Two billion records. Two billion records of private information of individuals and professionals. We're talking about email addresses. We're talking about, thank God, not social security numbers, but phone numbers, addresses, mortgage information in some cases. So two billion records. What was this leak? Who was it by, do we know? So it's a company that is doing verification for marketing companies. So they own a huge amount of data in a few databases that were compromised. And who hacked into those databases, do we know? I don't know at this moment, but it was just published today. Yeah, but this is crazy all, yeah, there's tons of these. The publishings of cyber attacks and just cyber war in general, such an insane field that has constant geopolitical pressure is all over it and corporate pressure from across countries and even inside of countries. So just for example of magnitude of what is the impact of such cyber attacks, just 20 days ago, Norsk Hydro, it's an aluminum factory in Norway, got hit with ransomware. 
In the past 20 days, they've analyzed the amount of damage that it caused them. So far, 20 days, it's around $40 million. It's much cheaper to pay you to help prevent this from happening. So I'm not preventing, but what Simulate is doing is providing visibility, providing the security professionals and the companies an understanding of what is their current security posture. What is their current risk level from security gaps that they have in their organization? Their posture. Interesting. Their security posture. How well they're positioned. Exactly. To fight, fend off the... Exactly. And one of the things that is extremely important today is to have a repeatable process in order to increase your security posture. And this repeatable process is requiring a platform, a tool that will continuously, automatically and customizable and fully customizable to execute these attacks in order to understand where is our security gaps, to assess them and prioritize them. The prioritization is usually done half by the solution and half by the security professional because we know what the risks are but we don't know what is the business of the customer and the combination of these really provides where the major risks are. And we also provide recommendations how to mitigate, it is up to the enterprise to mitigate whether it's to change configuration, change work process or buy a new solution or a better solution than what they currently have and then validate it. So it's a circle process, a repeatable process that is required by various security frameworks today and risk frameworks. Do you guys have like 12 points or something? Do you have a certain amount of points that show that this would be the ideal security posture and like you have these 12 points and then if they were missing any then... So it's a good question. 
When you are looking at a cyber attack or what we call a modern cyber attack or advanced persistent threat in the security lingo, it basically has three steps. One step, the first step is the infiltration, the front door step. How an attacker infiltrates the organization. The second step is the actual exploitation. So the attacker is in, they need to get hold of an endpoint and then there is the process that is called lateral movement. This is a post exploitation. In the lateral movement, the attacker is trying to get to high valued assets in the organization whether it's files, emails, databases and basically gain domain domination through getting admin password on the domain controllers. And the last stage is either flattening the organization using ransomware or anything else but also data exfiltration. Let's assume the attacker doesn't really even want to be unknown that there is an attack just to find the information and exfiltrate it. And what Simulate is doing, we have divided this attack kill chain to seven different vectors and we are testing the security controls in each and every one of them and providing a risk score for each and every one of these. Interesting. So you test the organization's security yourselves through your own attacking of their security to see how well they do. Exactly. So organizations have email security controls, web gateway security controls, DLP solutions, endpoint solutions. We are basically attacking these solutions. We are challenging these solutions in a capture the flag game. Once we are done, once we are in, we have captured the flag. We know exactly what was the method that we have used and we are actually mapping this to a common, now common practice of mapping this to the MITRE ATT&CK framework. It's an organization that is doing some mapping of attack technologies in order to help organizations really increase and enhance their security posture. 
One interesting thing that we are doing in addition to this is our constant research, our research team is constantly researching new attacks. So whenever there is a new attack in the wild that we heard of, we are actually looking and we are working with international CERTs and other companies to get some insights on this attack and we are immediately implementing this attack into our solution so that a day or two days after the attack has happened, you can already test yourself, am I protected against this? And this Norsk Hydro that I mentioned before, basically a day after the attack happened, you already had this version of attack in our solution and you would be able to check for yourself whether you are protected or not. Correct. So you are constantly learning just like an autonomous vehicle is learning from the decisions that it is being made as it is driving and then updating the network of cars similarly to what you guys are doing. So it's not an automated process, there is a lot of human expertise that is needed in order to reverse engineer these attacks and build them in a non-malicious way into the solution. Because when we are attacking an organization, we don't want to cause any harm. It's really light, really no impact on the environment, on the production environment. So it really requires light touch and an expert touch from our team of engineers and researchers. Yeah, you work with the organization's top security and then you work with them on making sure that the way that you are using Simulate on their walls of security is a way that is agreed upon by both parties that you are going to be able to do. It's very light, it's all of our customers, we never had a problem of hey, you cause damage into our production environment. You're just strengthening the walls, you're strengthening them. I'm giving them the visibility to test their security controls, test their walls and moats. Walls and moats, yeah, yeah, yeah, they're walls and moats. 
Interesting, what are the seven attack vectors? So you look at email, so one of the main methods for attacking an organization, the getting into the front door, passing the front door is through three main mechanisms. Email, web pages that contain malicious content or web application that an attacker is attempting to compromise and take advantage of a web server and execute remote commands. So we are looking at the email protection, we are looking at the web gateway filtering system and the web application firewall, we are challenging them. You probably heard about phishing, phishing and spear phishing. Phishing is a method that is designed to either do two things, either trick a person to open malicious content inside the email or direct them to a malicious web page. So we are testing the email security to understand if a malicious payload was brought in or the web filtering gateway, whether a user that accidentally clicks on a link from a phishing email will go and reach a malicious website that contains malicious content. And we also have a phishing mechanism inside our solution. So these are the four front door pre-exploitation attack vectors or attack surfaces. The next one, the exploitation one is really the endpoint. So once the attacker got in, he needs to execute some malicious code on the endpoint. So we are looking at the endpoint protection solution and we are looking at what we call an EDR, endpoint detection and response solution, basically to challenge them whether they are protecting against the attacks that we have, worms, trojans, ransomware attacks and the more standard malware and antiviruses. After this we have the lateral movement where the attacker is moving throughout the organization to find the high-valued assets. And this is where we are challenging the user and entity behavior analytics solutions or the SIEM solution, security incident event management solution of the customer. 
We even challenge their own SOC team, so the Security Operations Center, to be able to detect whether something is happening. And the last attack vector or attack surface is really to exfiltrate information out. So let's assume I've done everything and now I've found this type of information, whether it's images or CAD drawings or files which contain sensitive information on mergers and acquisitions and financials to try and send this information outside. So these are the seven main vectors and we have this immediate threat vector that we call it or module that basically combines both the email, the endpoint and the web gateway that you can actually test new types of attacks, new threats that are coming and this is what we are adding almost on a daily basis now. So then when you do add this into a company, then you're simultaneously testing out their security posture and you're also helping consult with them on making those fixes to the security posture. We basically identify the security gaps and part of the solution is also to provide product agnostic recommendations on how to mitigate these. And it's up to the enterprise to take these results and these recommendations and either do some configuration changes or work process changes or to go and seek a different and new solution that addresses these problems. These reports are then also used in order to let's assume I need to get more budget from my management from the board. How do you actually reflect the security gap, the risk? It's not a subjective statement. It's not an assumption. It's a proof. It's a hard proof. It's a report based on an attack simulation that we have executed. And then you can actually have the agnostic recommendation for the fix and then you have an exact monetary amount that you need to fix the security issue. So we're not getting into the monetary stuff. We're doing the recommendation. 
It's up to the security professional to go and seek the assistance of their security partner, security consultant company. But then it's not an abstract number for them anymore. It's an actual, like you said, hard data and they can actually present this as exactly how much money we also need to fix it. So it's very interesting. I have a couple other thoughts for you. One of them is let's talk about the role of how you program those attack vectors. How do you send an attack on a controlled attack on an organization? So it's a very good question and it's a very scary question for people that are listening to attack simulation, what will be the impact on my production environment? So let me put you at ease. It's a cloud service and from the perspective of the, so there are two types of attacks. One is external and one is internal. From external, we're looking at sending the emails or attacking the web application firewall, challenging the web application firewall. The rest of the attacks are done from the inside. So we have an agent that you need to install, it's in any size of organization, you install anything between one agent and 15 agents, but these are the numbers we are talking about. We're not talking about hundreds or a thousand or the entire organization. And we're doing this usually except one case on non-production machines because you need to remember what we are challenging is not your actual IT environment. We are challenging your security controls on the IT environment. So you can give me any machine, a non-production machine, but you have all of your security controls around it and I will challenge them. With whatever file you want on the inside. Yeah. Exactly. So I'm not disrupting the actual day to day work of the organization. So this is really with no impact to the organization, no harm is done. Very smart. 
So you basically take all the security infrastructure from the company, put it on to something that has none of the impact on the company and then you do your attack simulation on that. Exactly. And that's great. Yeah, that means a lot of things. It's usually called golden image or golden images where there's a new employee for example and they need to give a computer to a new employee then they upload the golden image into this endpoint and then they already have all of their security controls on this endpoint and you install our agent on an endpoint like this whether it's a physical hardware or a virtual machine. And you can test the security posture much quicker with a simulation potentially than if someone is trying to manually go and test all of the different areas. There's a lot of penetration testing companies in the world and when you're looking at this and a lot of companies are required or want to do pen testing. It's very expensive to do pen testing and it's very thorough. Pen testing is very thorough but very narrow. So the pen tester is trying to penetrate through a specific path. As narrow as possible because they want to finalize the penetration testing, get the report and continue. What we're doing and we're working with pen testers, we're working with partners that are pen testers and adding our technology into their tools. So a pen tester company can actually take our tool and use it in order to have this broad attack against the organization and then use the results to fast understand how they can penetrate so you get a much more elaborated pen testing result and then you can offer also to the organization, to the enterprise that hired you to actually, hey, let's run this in a more continuous method and not once a year or once a quarter. Interesting. You also work with pen testers. And then how about on the machine learning side of things, tell us about how you leverage artificial intelligence and what you're doing. 
It seems like if there's certain structural weaknesses that you could potentially, if you fail at once, maybe you up the ante a bit and you hit it again and see what... Yeah, so I don't really like the concept of AI in this, but there's definitely machine learning in the best practices that we have. So I'll just give an example around this. So we have around the email testing alone, we have about 15,000 permutations of malicious payloads that we can send. That's crazy. Wow. So the best practice that we actually engage in is not sending all of these because it's just waste of time because if you are protected against something specific, then it doesn't make sense to send 4,000 examples of something similar because you're probably already protected. So we're sending the first 50 and we see what got in, what got out and what didn't, what was blocked. And then based on these results, we'll send another 50 or another 100, which looks at a specific aspect that we were able to penetrate. Basically once we're in, let's widen this hole and understand how big this gap is. So this is the machine learning that we're using. And this is where it's really important to also customize the attack. You don't want to just throw attacks in. You want to understand exactly what the attacks that you're doing. So let's take for example, you probably heard of patching Tuesday where the big companies are releasing all the patches and now you patch all of your machines. So let's call it ransomware Wednesday. Let's execute attacks that imitate ransomware every Wednesday. And I'll get a result of am I protected against ransomware every Wednesday and I know how to mitigate this. So the attacks can be customizable. And then maybe one of the last questions I want to ask you is, well I guess maybe a couple more, but this one's very close to my heart. I feel as though we're kind of heading towards a global surveillance state. 
And that security and privacy have to be at the highest level of cryptography and all this kind of stuff because we maybe haven't spiritually evolved yet. If we better collectively evolved, we might not have some of the malicious attackers. And so it almost seems as though we could have gone on a way of complete trust and transparency, but in a way with all of the unfortunate circumstances that we have as well as fortunate ones we're heading towards a place of needing this very high security and very high privacy. Do you align with that? Unfortunately we do need to evolve ourselves in the way we are thinking and the way we are handling our data and our identity. And this is because of rogue organizations and I'm not talking about rogue states. I'm talking about criminal organizations that are using our data for their own needs, selling our data and the market, the black market for stolen data is massive. So I'm doing this with myself and of course my wife. We need to make sure that our data is secure. We need to make sure that our identity is secured. We need to use two-factor authentication. And one of the things that I would love to have as much as possible from government organizations or basically any company that holds our data is to only allow access to this data based on two-factor authentication or other new methods of identification. It's also called two-factor but facial recognition is something now that most of the people have in their cell phones or a thumbprint reader in the cell phone. And this is something that I really encourage every person if you have an identity in a website whether it's Amazon, Facebook, Microsoft, Google, any government website that allows two-factor authentication, please enable this. This is extremely important for your information. Yeah, yeah, yeah. And we're at COFES, we're here on behalf of engineering software and the importance of that. Where do you see Simulate's role in engineering software? 
So that's a great question, Alan. And when I came here I had doubts, I have to say. I'm not from the engineering space but talking to all of these smart people in the industry I figured out something that I probably should have thought about it beforehand. There's a lot of intellectual property here. And it can be in the small companies that they are developing new technologies, new innovative technologies. It can be in the small technology companies that are developing for the large ones. And of course the large companies, lots of information, intellectual property that they need to protect. And again, I'm sure their security teams are spending the budget in order to secure themselves to the best of their knowledge. But the problem is that the knowledge, the best of their knowledge is based on assumptions and not based on true facts. And Simulate is the tool that will provide them with this visibility of what is their effectiveness of their security solution, where they are most vulnerable, will give them a platform to do this repeatable process, will give them the ability to understand whether they are protected from new threats. And one thing that is extremely important, especially for the large companies, how their supply chain is secured. So this is something that we are considering now when we started talking with some companies about how their supply chain is being tested for security. And this is something that they can use in order to do so. It's regardless of the fact that this is an engineering software convention. Every company needs to be able to protect their assets, their high valued assets. And we help them with that. And the last question would be, we're heading into this exponential technology age. What would you say is, if not the most important skill set for kids and for adults to learn? Well, you know, it's an amazing question and as having kids of my own. I think that STEM is very important. 
I would love to see more girls also doing STEM, so science, technology, engineering and mathematics. But what I would love to see kids today is actually talking with each other and not texting. You know the millennials. This has been so enlightening, really. I'm loving what you're putting it forth with, with, with Simulate. Like it's just, it's simulating attacks to bring up defense and to bring up privacy and security. It's just, it's very fascinating. Yeah. Congratulations on winning too. Thank you, Alan. This has been such a pleasure. Thank you so much. And thanks everyone for tuning in. We greatly appreciate it. Check out the links below to Simulate. Also check out the links below to COFES. Let us know your thoughts in the comments. We'd love to hear from you. Share more of these conversations with the people around you and your communities online with your family and friends, coworkers. Also check out the links to COFES as well. And also support the artists and entrepreneurs that you believe in. Support us. Support Simulation below. And go and build the future, everyone. Manifest your dreams into the world. Thanks for tuning in and we will see you soon. Peace. Thank you.