Hi, this is Swapnil Bhartiya, and welcome to another episode of T3M, our topic of the month. The topic of this month is security and compliance, and we have with us once again Utpal Bhatt, CMO of Tigera, to discuss this topic. Utpal, once again, it's great to have you on the show.

Thanks, Swapnil. Yeah, again, it's a pleasure to be on the show.

Pleasure is all mine. Let's start with some of the basics. If you look at the evolution of security from the traditional IT world, the legacy world, software was kind of sold: somebody would buy it, install it, manage it. So security was always someone else's problem. But now in the cloud-native, cloud-centric world, it is the problem of the developers. Things are moving towards the developer pipeline. We talk about the shift-left movement; a lot of other movements are happening. So we talk about those things a lot. But what are you seeing as the reality? What is the state of security in the multi-cloud, cloud-native world vis-à-vis the traditional IT world?

Yeah, I think security has fundamentally changed with cloud and especially the cloud-native world. Everything you mentioned, all the way from shift left to the different aspects of the application that need to be secured, all those we see. It all started off with, as application development and deployment became more automated, it was very important that security controls were introduced early in the development cycle. So we started seeing image scanning, and further shift left to code scanning, to make sure that you're catching these vulnerabilities before deployment. And that was primarily because of the CI/CD automation. Then we started to see orchestrators like Kubernetes that would automatically scale up and scale down your workloads. So even there, you had taken away any sort of human intervention, and there could be security risks there too.
The orchestrator itself could be breached. So we started seeing security practices being implemented within the platform team responsible for that sort of infrastructure. And then finally, the workloads: of course, the security team has to continuously monitor workloads for any type of breach. But we started to see that breaches were happening in many different ways. The breach could come in from the network, because all these applications are these tiny microservices. They're all communicating with each other, they're all communicating outside over the internet and with other applications. So you could be attacked from anywhere, and once you're attacked, the scope of the attack can grow very rapidly as these services are communicating with each other. So we saw that the security teams now had to look at a lot of different types of threat vectors. Where are my threats coming from, from the network perspective? Is my container breached, and is there malware there? How do I protect it from there? Is my orchestrator? Is my CI/CD pipeline? So you see that security folks had to think about a lot of different things all at once in order to secure their application. That was a big change. Earlier it was, once it was deployed, that's when you start to think about it, only from the workload perspective.

When I was listening to you, it sounds like, of course, a lot of things are moving in the right direction. But we continue to see a lot of breaches. Of course, a lot of them are social engineering. Some are, of course, bugs which were fixed but never patched. And of course, the API vulnerability that we saw in Books.com kind of things are there. So it does look like things have improved, but there are still a lot of areas for improvement. When we talk about all these movements, of course, some of these breaches are actually in the big tech companies, so we cannot even talk about smaller companies.
Do you think that when we talk about the whole movement of shift left, zero trust, is it really being practiced? Or yes, companies do want security, but they are not fully implementing all these practices. What is the reality there?

So the reality is that, if I think about a day in the life of a security person, it's become extremely demanding and complicated. That's because, number one, because of these new kinds of architectures and applications, your attack surface is huge now. And you have, as we discussed, attacks coming because of vulnerabilities in your pipeline or in your orchestrator or communication outside, or there are things inside your environment that are advanced persistent threats that are moving laterally, et cetera. So number one, there are a lot of ways you can get attacked. And historically, the tools that were used or built for the security teams were focused on one or two areas at a time, instead of looking at all the attack vectors holistically. So now, on one hand, you have lots of attack vectors; you have tools that are kind of siloed; and the third thing is that because of these attack vectors and siloed tools, you're also generating a lot of alerts and sometimes a lot of noise. So from a security person's standpoint, if he or she has to look at all these attack vectors, if they have to have tools that are detecting vulnerabilities and attacks, and then they have to score and prioritize to make sure where the imminent threats are and what needs to be addressed, it's a very complicated problem. And I think what we are seeing is that teams are trying really hard to address this problem. So they are deploying everything we talk about, whether it's shift left, whether it's zero trust, whether it's runtime security tools, et cetera. They're doing all that. But the question is, is that really helping?
And there, I think the jury's still out, because despite rolling out a number of these types of tools and these types of processes, breaches continue to happen. The security teams continue to get overburdened. The development teams continue to complain about app velocity and how security is becoming a business inhibitor, and so on. So while they are doing all these things, is it all working? I think that's still a question mark.

You talked about so many points that I was going to ask about, and I'll be asking about those as well. But let's start with: are there any new threat vectors that you have seen in recent times? We hear a lot about zombie APIs, and a lot of other things are there where you are concerned: hey, these are the new threats. We will also talk about this whole complicated cloud reality, which is still as complicated as you said, with all the alerts coming in; it becomes overwhelming. But that aside, are you seeing any new threats that should be of concern?

In terms of, so what we do is, we do our own threat research. We also rely on a lot of industry-specific threat research to make sure. So I think as an industry, we are seeing threats across the board from all those three areas. We are seeing threats because of a lot of use of open source software and a lot of use of public registries, and we are seeing that those are areas that are very easily exploitable. So I think that's one big source of threat that we continue to see. And we continue to see issues; the log4j vulnerability that we saw not too long back was, again, one of those examples. So that's number one. I think we also continue to see threat actors becoming a lot more sophisticated. So if you look at the MITRE group, they continue to update their framework with the list of tactics, and you see that those tactics are getting used in conjunction with some of the use of open source software.
And that's where we see either you are somehow making your way inside the environment, you're doing privilege escalation, you're doing some defense evasion. So we're seeing a lot of that as well. So I wouldn't be able to say that there is a specific type of attack that has increased. I would say, in general, there are attackers that are using all these threat vectors and trying to get into your environment.

How much adoption of things like the zero trust approach? Of course, we talked about the shift-left movement. Also DevSecOps, that security is not one team's problem; it's a problem that has to be looked at organization-wide. How much adoption are you seeing? How much cultural change are you seeing here?

I mean, as far as our customers are concerned, everyone's aware of zero trust. Now, the implementation of zero trust, where and how pervasive that is, depends on the different types of industries. We still see zero trust principles definitely at the perimeter level; we see that those are getting applied. But when it comes to environments like containers and Kubernetes, where there is no fixed perimeter, and now you have every single workload constantly talking and communicating outside and communicating internally, we don't see as much usage of zero trust there yet. What we see is customers who are actually starting to realize that just implementing zero trust at the perimeter level, but then allowing traffic inside, is not enough. So for example, inside a Kubernetes cluster, as you know, each and every microservice internally can communicate with the others without any sort of controls there. Now, a zero trust principle would advocate that even a microservice itself has to authenticate, has to use the principles of zero trust, and make sure that you are enabling communication between services only when it's allowed and you're identifying or authenticating that service, et cetera, using identities.
So that sort of, I would say, sophistication when it comes to implementing zero trust principles is still not there. I think we see that in terms of applications and devices, we see that getting used, but not in terms of microservices. We still see zero trust not being used as pervasively as it should be.

This year, we started to see a lot of restructuring in organizations. Of course, during COVID times, companies overhired, so now they are trimming their teams. We are seeing a lot of layoffs happening, and we are seeing layoffs across the board. Do you see there will be an impact on security teams or CISOs' budgets?

You know, absolutely. I mean, this industry is also not immune. What we are seeing in the layoffs is not that customers don't need security, but at the same time, what we saw is that over the last few years, with the funding of companies and the rapid growth of a lot of companies, including a lot of security companies, a lot of them may have hired ahead of demand or overhired, et cetera. And if you look at, I think there was a publication, a report by a very prominent VC out of Israel who has invested in almost 10 or so of the biggest security companies coming out of Israel. They mentioned that they're going to see a trimming or reduction in all of their portfolio companies. And that's what we see happening. We have seen security companies announce layoffs as well. So I don't think it's immune to what's happening.

Now, let's talk about Tigera; of course, Calico is there as well. How are these solutions and projects helping customers improve their security, despite all these budget cuts and the limited resources they have today?

Yeah. So you know, at Tigera, we have a very specific point of view, right? And the point of view is that in order to secure these cloud-native applications, number one, whatever solution you provide has to be a complete solution.
In other words, it needs to look at it holistically. It needs to make sure you are covering all the attack vectors, all the way from your images, making sure your images are clean before they're deployed, to making sure that the posture of your configuration and system, whether it's Kubernetes, is robust, so you are comparing it against benchmarks. You are making sure you're doing microsegmentation, access controls. And then you have all the runtime protection, whether it's from known threats or unknown threats, whether these come from the network or containers. So number one is complete coverage. Number two, what we see is that because the security teams are getting so stretched thin across all the different things that they have to do, the solution has to be plug-and-play. It just has to provide these types of protection out of the box without requiring the security teams to configure rules or think about the forensics and what the incident response should be. The tool itself should be able to do a lot of that. And the third thing in our philosophy is that you should always assume breach, right? So it's not a question of if you get breached; it's when you get breached, and everyone is going, that's going to happen. What is your mitigation approach? And are you going to be able to deploy emergency measures to prevent that breach from turning into a disaster? That kind of drives what we do at Tigera. So the first thing is that we've created a CNAPP that provides comprehensive protection against all security threat vectors, and that includes your build-time threats, your config threats, and your runtime threats. With regards to configuration, we provide capabilities like out-of-the-box microsegmentation and egress controls. We provide capabilities like integrating with your firewall. And then when it comes to runtime threat defense, we provide out-of-the-box protection against both container-based threats and network-based threats.
And these could be from known attackers or from zero-day threats, right? So that's kind of number one, comprehensive protection. The second thing we have done is our environment is completely plug-and-play, so you can get started within minutes. You go to Tigera.io, sign up for Calico Cloud, and within 15 minutes you're up and running. You can deploy controls over your cluster. The detectors we provide are out-of-the-box; you don't need to configure anything. The protection, such as IDS/IPS or workload-centric WAF, all of that is provided and enabled out-of-the-box, right? So the time to value is incredibly fast there. And the third thing we provide is that we believe in defense in depth. So we always assume breach, and we provide mitigating controls. You are able to automatically deploy compensating controls in the case of a breach and contain the scope of that breach. That's what Tigera does. And our approach, we strongly believe, is aimed at this new class of applications that just require a different way to think about security.

Before we wrap this up, the last question I have for you is that your solutions are there, and of course we are seeing some positive trends as well. What advice do you have for companies so that they can improve their security posture? Because tools themselves are not going to help them; they need a lot of, you know, culture, as we discussed; they need a holistic approach to their security.

Yeah, I mean, that's a great question. See, tools are just one thing that you have in your list, you know, in your kind of bag, right? So it really starts with a mindset, right? You really have to have a mindset where you are first starting off with improving the security posture and trying to reduce the attack surface, right?
So there's no point in spending a lot of effort on detection when half of your work can be made easy by just implementing good practices when it comes to your CI/CD pipeline, when it comes to configuring your orchestrator, when it comes to isolating your workloads. There are lots of easy wins there. I think that's number one. Number two is that, you know, it's all about defense in depth, right? So you can't go for an approach where you're going to put 10 locks on one door. You really have to make sure you're locking your front door and locking each and every single room inside your house as well. I think that is, again, very important: defense in depth, to have multiple layers of security control so that if someone gets through one layer, you are always covered. And then the last thing is that there needs to be empathy between the different kinds of roles involved, and their needs, in order to get the security of the application robust, right? For example, the developer is under pressure to push out applications, while the security team has to make sure that the applications that are getting rolled out have the lowest probability of getting breached, right? So I think the idea is helping each other out with the right kind of insights. So for example, getting the developer teams a prioritized list of things that they should address instead of, you know, here's everything you need to fix; or having the development team make sure that they're adopting good code scanning and image scanning practices so that the things that are pushed into production have fewer vulnerabilities, right?
These are the kinds of, I would say, processes and more collaboration that needs to happen between the two teams. Overall, I mean, security is not just the responsibility of the security team; it's the responsibility of everyone involved.

Utpal, thank you so much for taking the time out today to talk about this topic. And as usual, I would love to chat with you again soon.

Thank you. All right, thank you so much.