Hi everyone and welcome to this special segment of theCUBE. I'm your host Rebecca Knight. Today we're going to be honing in on a new key partnership between Ivanti and its ecosystem that is addressing some of the most pressing challenges that security teams and technology teams are facing today. I have two great guests for this segment. I'd like you to welcome Srinivas Mukkamala. He is the Chief Product Officer at Ivanti and Kiran Chinnagangannagari. He is the Chief Product and Technology Officer at Securin. Thank you both for coming on theCUBE.

Thank you, Rebecca.

It's a pleasure, Rebecca.

So mitigating cyber risk is a top priority for organizations today and it's a really big challenge because there's a lot of headwinds. First of all we have shortages in security talent. There are constrained IT budgets which is putting a lot of constraints on how well enterprises are able to defend against these threats. A joint report that you both put out in March of 2023. The total number of breaches reported was higher than the previous three years combined. That is a scary and staggering statistic. We know that Congress is passing legislation. The White House is putting out executive orders. Governments around the world are really focusing on these issues. Against this backdrop you have announced this partnership. I'd love for you to tell me what we need to know. What is new here, Sri? I'm going to start with you. Tell us a little bit about this partnership.

Absolutely, Rebecca. You hit it straight on, right. If you take a look at what's happening we are catching up to what we call asymmetric warfare. Most of us understand what a symmetric war is. Conventional war. You take tanks. I take tanks. I take my ground troops. I take my ground troops. What happened in the last three years especially is we're seeing a hidden enemy. We don't know who it is. We don't know where they're going to come from. How they're going to strike us. It is starting to show a massive impact.
There are four questions posed by every single organization irrespective of the size. This is where the whole equality comes into play. Cybersecurity is becoming the haves and the have nots. It's boiling down to do I have the resources? Can I afford cybersecurity? What are the four fundamental problems every organization is trying to address? You touched on two of them. The first one is do I have very clear visibility into my risk? That is the number one. It's risk management. We know every single leader irrespective of the size focuses on that because you manage risk. Risk is seen as an advantage because companies who take risk are the ones that truly strive in any competing economy. Cyber is actually taken as an advantage if you do a try by the companies who invest in it. At the same time, if you ignore it, you pay the price. The second one is tech is ubiquitous today. Every company is on a transformation journey. There is no company that is not digitizing. There is no company that is not on a path for digital transformation. There is no company that is not adopting cloud. There is no company that is not talking AI. When you look at it, there's a massive revolution. You can talk about we went through industrial revolution. We went through the communication revolution that's the internet. We went through the software revolution where everybody adopted software. Now, what we're going through is we're going through a massive, I would say, intelligent revolution. We're trying to empower every human being to give their best. What that means is now you want to understand your technology risk. You have to understand your overall risk. You have to understand your technology risk. I'm adopting the tech that will not create risk down the line. Then you touched on the human talent. Do I have qualified team members to address the risk? Before we address the risk, do we have qualified team members who understand the risk? Do they have the right context? 
Do they have the right tools? Do they have the right partners to help them prioritize? It comes down to empowering again, enabling and empowering. Finally, the fourth one is there is no way we can fight AI with humans. There is no way you can fight machines with humans. We have to automate. You have to fight AI with AI. You have to fight machine speed with operational speed. Unfortunately, we're still way behind in addressing the risk posed by machine learning and artificial intelligence. I'm speaking purely from a cybersecurity perspective. If you take a look at the four key outcomes, what people are looking at to address. This is a problem for everybody. Cybersecurity today is only invested by the people who can afford it. You touched on it. The legislation forces everyone to invest, everyone to adopt, everyone to ensure not only they have resilience, but they're protecting critical data they're collecting from the consumers and the citizens. At the end of the day, it's protecting us like individuals who are giving our data to the companies. It boils down to can we assure our data is not misused? What does it mean? Can we trust the systems? Can we trust the organizations? Can we trust the governments with our data? It's coming down to a very simple factor of trust. Yes, I'm willing to give you my data, but can I trust you? That's where I truly see our partnership very important because at the end of the day, everything is coming down to two elements, data and context. That's when we felt we do a lot. I mean, as the viewers know, Ivanti is a global company. We touch critical infrastructure across the globe and we want to make sure whoever we partner with has the best data and also has the best domain expertise at the same time have capabilities where they can apply machine learning and artificial intelligence. Those are fundamental considerations. We want to be the best.
We are the best in what we do, but we also want to make sure when we partner with startups or with companies, we try to bring the best as well. The elements we look for as the north star is always the data. Data with context and expertise gives us what we need.

Kiran, I'd love to bring you in here and talk a little bit about it from Securin's perspective. It seems as though providing customers with more visibility into their potential cyber threats and exposures is so key here.

Again, I echo a lot of what Sri just talked about. Let's start with the AI. Generative AI is something that has taken the world by surprise in the last year or so. The use of AI has tremendously grown. But a lot of folks are using AI without realizing how these AI-generated models, like the foundational LLM models, are being trained, what data is being used, how your data is going to be used. We want to look at how the organizations can leverage the AI in a more meaningful and safe fashion. But at the same token, we're also looking at how adversaries are using AI to promote attacks, promote breaches, and do it in a faster, more efficient way. Like Sri said, we have to use AI to tackle AI. But at the same token, we don't want to purely rely on AI. We also want to bring in the human element. That's where the dual use comes into play. What Securin brings to the table is what we call as the human-augmented machine learning. Because if you can use humans to understand how these models can be structured, but also provide inputs to it and be able to make decisions in a more meaningful fashion, that will actually take much further. That's the first one. Second is, we also look at how the attackers are using AI within the different domains. Again, we look at, not just from a generalist view, but we are looking at this particular ransomware or APT group is focusing on industrial sector or manufacturing or finance or health care.
So we're looking at a very different lens and seeing what are these threat actors doing and how do we actually think like hackers? How do we think like these bad actors? And how do we bring that into the overall product that we are building? This is where we come into play. The Securin Vulnerability Intelligence product is actually an outcome of extensive research through the collaboration of DARPA. It started off with funding from DARPA, but also collaboration, Arizona State University, but also our internal teams that have boots on the ground and experience. In fact, some of our staff members are the authors of the exploits for BlueKeep and DoublePulsar. We also have that extensive background. Today too, our criteria we have is 55 zero-days. That's only because we are in the trenches looking at this adversarial behavior. All of this is going to benefit Ivanti customers. We talked about how do we actually be in front of the game? How do we look at this war from a very different lens? Not only the hand side, but the cyber war. This is what we're bringing.

Sri, I want to go back to you and ask you about the specific problems that Ivanti and Securin were hoping to address and why vulnerability management is such a challenge for so many companies.

Great question, Rebecca. One of the interesting things what's going on is, if you take a look at the legislation that's passed this year, it's called the Vulnerability Reduction Act. It requires all federal entities to identify vulnerabilities, prioritize vulnerabilities, and remediate vulnerabilities. If you go back to the SEC, they clearly talked about not incident and breach disclosures, but they want you to now disclose material risk. You'll see a lot of shadow on SolarWinds and a few others. You're seeing that in the news now. When you go back almost 18 months, DHS, Department of Homeland Security, CISA started a program called Known Exploited Vulnerabilities.
The whole idea there is, we're going to look at what vulnerabilities are used by adversaries to advance their motives, right? Breach, cause chaos, cause havoc, and all that stuff. When you start looking at the entire ecosystem, we're too late to this. We've been talking about vulnerabilities for 12, 13 years. What changed is in the last, say, 12 months, what used to be a periodic assessment looking for vulnerabilities has now become continuous. Now, you have to look for vulnerabilities on a continual basis. It is no more a luxury that I'm going to scan once a day or once a week or once a quarter or once a year. The frequency at which you're scanning is now continuous, which means you're collecting a lot more data than you ever collected. It's boiling down to a data problem. You're trying to understand the data you're collecting. Data without context is meaningless, right? Vulnerability is a precursor to it. It's the weakness that causes the vulnerability. It's the vulnerability that attackers exploit. It's the exploit that causes breaches. While KEVs are focused on what's used to create a breach, that's too late. You want to be proactive. While that's very important, we started as the known known. I know I have a vulnerability. I know there is an exploit. Somebody is doing it. By the way, it started with a handful today and CISA has north of a thousand today. How do I prioritize those thousand when I have thousands of vulnerabilities? I'll give you a simple stat. When you look at the National Vulnerability Database, you have 200,000 plus vulnerabilities. Out of them, less than 10% are actually weaponized. In other words, somebody took time to write an exploit. Well, is that everything important? Not really. How many of them are actually used and are dangerous? In other words, it doesn't require a human interaction. It's less than 3,000. When you start looking at what's used by ransomware and threat actors, it's down to 300.
When you start looking at what's really trending in the last 30 days, it's down to 50 to 100. When you look at that prioritization, you're really solving for a data problem. This is where when Kiran touched on, we have the domain expertise. If you let the machine do the analysis without the domain expertise, you're going to get garbage in, garbage out. Why do we need epidemiologists to look at the data and tell this is a real epidemic? Think about COVID. It's a global problem, but is that a problem in your house? That's why we ship testing kits, remember? And we said, do rapid tests, rapid tests. And that's what I like about what Kiran just talked about. It is real science. It started as a DARPA project out of Arizona State University. And this team was in the front lines of cyber war, creating some of the most lethal exploits, right? BlueKeep. Every security researcher would know. DoublePulsar, which is WannaCry. We're still, everybody knows, one of the most expanding ransomware. So when you start looking at this whole thing, Rebecca, we need the right data at the right time so we can help our customers prioritize what matters. It boils down to am I prioritizing for three reasons again. First, am I assuring my consumers, my customers resilience? I know what I'm doing. I'm ensuring that I'm fixing things at the right time. Two, am I complying with the regulations we just talked about? Three, it's your promise to your customers, right? Hey, when you collect data, we take it very seriously. So what we get from Securin is really not all the comprehensiveness of the data set, because NVD today doesn't have the full coverage. They have a 30 day to 45 day lag in getting the information. So we don't want to miss out for 30 days. We don't have blind spots. Then being able to know what's going on on the entire internet is a Herculean task. I mean, I need to mine every single thing and figure out what are the needles in the haystack. They give that to us.
Not only they help us collect all the hay, assemble the haystack, they also start finding the needles in the haystack. Then when they find the needles, they come back and tell us, this is why this needle is important. These are the five attacker groups. This is their intent. This is what they have done in the past. Well, by the way, our domain experts actually have validated that that's a real bad thing. The classic example of a human anatomy. X-ray, when you find something, you go ask for a CT scan because you want to get a validation. When you do your CT scan, you might go, I want to go to the lymph nodes all the way. You do your MRIs or vice versa MRI CT scan. Then if you really see a problem, you go for a biopsy because you want to go deep and understand how bad it is. If you fail these steps, all you're left with is an autopsy. Your autopsy is your breach. You come back. That's your pen test, your biopsy. When you do an authenticated scan, that's your CT and MRI. When you do your external scan, that's your X-ray. When you start putting it back into your human analogy, that's really what happens. You're collecting more data. X-ray is just a film. CT is much bigger. MRI is much bigger report. When you do the biopsy, it's a much bigger report. That's really what we like about what Securin gives us. What we do to our customers is we don't want them to go spend time on data scientists, on machine learning experts, on security experts. It is the super outcomes we talk about. How do we give you the right actionable information and automate that for you so you can really solve the problems that matter? That's really how we work on this. The other thing I also like about what we started doing is rather than being very tactical about vulnerabilities, we expanded that. What does the vulnerability do? It creates exposure. That's what we're trying to address. We also touched on continuous. We touched on threat. We started looking at what would be the right framework?
Continuous threat exposure management, because there is a weakness, there is a vulnerability, there is an exploit, and how do I address this? We started putting together an industry framework called CTEM and given the vast tool chest Ivanti has, from a discovery to patch management, to risk-based vulnerability management, to access management, to device management. Now we were able to actually bring all this data together and help our customers understand exposures. However, from an external internet-facing perspective, again, we reached out to our partner here who has the ability to mine the dark and the deep and the surface to bring that exposure to us. That's what we have done. Elevated ourselves not just to vulnerabilities, but to exposures to start helping us get that very clear visibility and use their intelligence, their data, their domain expertise to prioritize what those exposures are to help our customers truly be proactive, not reactive.

Kiran, it seems as though that security teams need to just truly understand the true risk of the vulnerability. That's the only way they can start prioritizing, remediating it. How do they do that?

100%, Rebecca, the key is what you just said, understanding the risk of this vulnerability. I call it as the dynamically able to track the risk of the vulnerability in its continuum. From the time this vulnerability was discovered until the product is sunset, there is a continuum, and you have to look at the vulnerability and then the constant risk and threats that are closing. I would give you five things for your viewers to walk away from. One is coverage, touched on it. NVD has about 200,000 plus CVEs. I'll give you an exact number, 225,000 CVEs. That's what they track. They're missing about another 65,000 CVEs. That's because NVD is always behind by about 30 to 45. That's what Sri alluded to. First is making sure you have the right coverage.
If you don't have the coverage, then your scanners and all of it are not really going to actually identify those vulnerabilities. That's the first one. Second one is, how do you prioritize vulnerability? NVD does not have a threat context. When you look at NVD, they take the information from whoever is reporting the CNS and all of it, and they actually have analysts give a score, but they don't have the threat context of which ransomware, which APT group is using. It's a trending and deep and dark of none of it. The other one that customers or some of the vendors use quite a bit is EPSS. EPSS is really good, but it only goes to the extent of saying that, hey, this vulnerability is likely going to get exploited in the next 30 days. After it gets exploited, FIRST.org and EPSS say that all vulnerabilities should be treated equal, and you should prioritize all of them. The challenge with that is, there are about 1,000 plus vulnerabilities. CISA KEV, which is what a lot of are now using, just crossed 1,000 plus vulnerabilities. That's still a lot. How do you prioritize those vulnerabilities when you have thousands of them to deal with? This is where Sri was talking about, now you take the funnel approach. How many have RCE/PE, remote code execution or privilege escalation? How many of them are actually used by ransomware or APT groups? How many are trending? Now the funnel will start getting smaller and smaller. If you can now add the threat context, which of these are on your external attack surface? That actually will go down, which ones are highly automatable. Then that list would even go down. Now you actually can take that, map it to the MITRE and say that, hey, is there a kill chain that we can form and look at the overall kill chain for this attack? Then that list will actually even go down too. How do you prioritize vulnerabilities based on the threat context? The third one is understanding the supply chain risk.
One of the use cases is as you build in software, how do you shift left? You want to ideally prevent these vulnerabilities from getting into your production code. Early detection is really great. How does a tool or a vulnerability intelligence product help you as developers are writing code? During the pre-commit code, we can look at the package and say, these packages have these specific vulnerabilities and these vulnerabilities are being exploited by threat actors. That actually can give you that heads up so that before that code gets even checked into a source control solution, then you can actually detect it and prevent it. For some reason, if it gets beyond the pre-commit, then you still have the different stage gates. Your CI/CD and all the other ones, you still have some automation built into this work, various tools, whether it is Jenkins or GitHub or GitLab or any of it. You can do workflows over there and still mitigate some of the rest. That's the third use case, the amount of customers could benefit from. The fourth one is the prediction. NVD is definitely behind because not all the vendors still report directly to the MITRE or NVD right away. They're definitely behind. That information doesn't get updated. The other one is CISA. CISA DHS KEVs are definitely behind. What we have seen in our analysis when we do the research is we are able to predict about 30 to 45 days ahead of the DHS CISA KEVs. What does that mean to viewers or Ivanti customers? That is the window, then now they can actually look at and say, hey, I have this 30 to 45 days window. Let me start patching my lower end lines, my dev QA stage and UAT whatnot. Before it actually gets used by a ransomware group or APT group, now you can start putting compensating controls. Maybe you can patch your systems. Maybe you can decommission the system if you don't want it anymore. There are a lot of things you can see.
The other thing we're also seeing is bug bounty programs are very, very ineffective. What we are seeing is the CVEs that these bug bounty programs are prioritizing are not what the actual real is showing that the attackers are using CWEs that are not part of the bug bounty program. That is something that we're seeing that is very ineffectiveness of it. That's the fourth one. The last one is how do you be safe from scanner blind spots, scanner by nature. You have to work on a plugin. You have to have a detection script whenever a vulnerability is identified. They are a newly identified expertise discovered item. We call this as mean time to exposure. How many days you're sitting without any protection, without a scanner being able to detect it. These are the key measurements that we want to provide to the customer saying that, hey, we can tell you to detect this particular vulnerability even if a scanner is not able to identify it. Those are four or five key benefits from this partnership that we want these customer script benefits.

Sri, picking up on Kiran's last point, what are the keys to successfully mapping vulnerabilities to software updates? How do you ensure that the patches don't dramatically lag the known vulnerabilities and that you're also being consistent across your platforms and portfolios?

Great question, Rebecca. If you take a look at Ivanti, what we're known for, we're known as the world's last mile company. Our mission to the world is we will fight the cyber war, period. To do that, we can't go alone. We have to make sure we play in the ecosystem. So our heritage has been the world's best patch management company. And if we take a look at 90% of the security companies, they report on vulnerabilities. You're really trying to build a big R, which is resilience. I touched on it when we talked about what the government is asking for is resilience. Are we resilient against a cyber attack? It's a question every one of us have to ask ourselves.
The promise of resilience is a lot of the security companies today can report on a vulnerability. They can respond to a vulnerability. Very few of them can remedy a vulnerability. For resilience, what you need is not a response, not a report because that's too late. We talked about we have to operate at machine speed and operational efficiency. So Ivanti started with the last mile of helping other security companies remediate. When you find a vulnerability, use a patch management remediate. And what we realized almost two years ago was that's not enough because we don't have enough resources, not the time to patch everything. What I liked about our partnership here is Kiran touched on, hey, we are 60 days ahead, 25 days ahead, 30 days ahead. First blind spots. In patch management, we have to either collect a patch or we need to write a patch. Us getting 60 days ahead is Nirvana. Now we are ahead of the game. We are toe-to-toe with the attacker and we can prioritize patches. So suddenly what we created was risk-based patching. We created a complete category of risk-based patching, patch that matters. The one that can resolve the maximum number of your vulnerabilities to shrink your attack surface. Now you can measure. It's a measurable outcome. It's a true risk reduction. And not only that, you're ahead of the game. So that's what I love about this partnership. It is a very data-centric approach. It is not believe in me, believe in him. Our data is the belief system. Our data is the north star. And that's our promise, right? Secure everywhere work. No matter where you are, no matter which computer you're using, no device you're using, we will ensure there is resilience. How do we do that? We want to make sure we understand your attack surface. We prioritize it and we patch it. It comes back to a complete life cycle.
The other thing I also loved about what Kiran just touched on and what you just asked, Rebecca, is, it's also giving us a very interesting perspective into how we look at code. What's going on today is machine-generated code. Machine-generated software is a reality. You keep hearing about co-pilots. Co-pilots are writing software. Humans are writing only very little code. That's going to be a reality. Machines are going to write a lot of code and humans will look at it, verify it and put a little bit of code. What this partnership is doing is trying to understand the weaknesses that attackers are going after. You asked this question to Kiran a little bit. How are your human experts looking at this? The data that giving us is not only about vulnerabilities, but the helping us understand what weaknesses are attackers prioritizing so they can find the vulnerabilities and quickly write exploit code. They're going to use machines to do all this now. We've got to go ahead of it. The research and the actual work this partnership is doing is being able to understand the weaknesses and several of them are missing the top 25 rankings of the MITRE. These are blind spots. That's exactly the beauty of this. Again, we're going back with the data. We're not calling anybody, but the data is really telling we have gaps and we need to address it. That's the promise this partnership is delivering to our customers.

Kiran, another aspect of all that Sri was just talking about, mapping vulnerabilities has to do with addressing bias in AI. I know you talked earlier about the importance of keeping a human in the loop. I'd like you to touch on that, but then also explain what is vulnerability intelligence?

What I would say is, again, we don't want to purely look at machines. The way I say it, if you take a bad board and automate it, it becomes super bad, super fast. You want to be very careful about how you actually look at these ML models or AI models.
I can see what they are doing, but also have the human interaction always constantly look at it and say, what is the outcome that this model subject? Is there a bias in it? Ultimately, it also is about what data we are feeding it. One is, are we feeding the right data so that the model can actually make sense of it? Second is, is the model actually inferring something that is not what we are like? This is where research is coming to play. We have boots on the ground. We look at these CVEs, CWCPs, and all of these relationships on a daily basis. We look at it and say that don't look at this vulnerability from this only one angle. We look at, okay, this vulnerability can be chained with other ones. In the industry, these two products are always there. Microsoft Exchange is always going to be on a Microsoft Windows product. Can we look at, is there a vulnerability on Microsoft Windows that an attacker can leverage or on a Microsoft Exchange vice versa, right? That kill chain is really, really important. We look at all of that and bring that information right into the model so that the model can actually make sense. That's what we call it as a human augmented intelligence that gets into this model. We are also able to look at it and say, hey, is this what we are seeing in the real world? We can actually tell the model that, hey, this is wrong. Go back and adjust your feature sets or take this as a feedback. That's what we call it as human augmented intelligence and all of that. The second one is your question was about what is vulnerability intelligence? My broad definition is vulnerability intelligence is aiming to provide organization with the insight and context that is needed to sufficiently or effectively identify, prioritize and remediate vulnerabilities. And the key is before they can be exploited by attackers. I talked about the scanners. Scanners are great for identifying weaknesses and they support the patch management activities. They do periodic scans.
They give you a lot of information about organizational security but they're often not up to date. In the meantime, somebody has to write the plug-in and all of it. This process of creating the plug-in and updates is going to take several days to several weeks to sometimes even months. What that means is, you have a gap that is left by this vulnerability scanner and that's what the vulnerability intelligence is bridging. It is the bridge between what is left by the scanners and what can we provide. So that context of providing that information is what vulnerability intelligence is. Another aspect is, again, I touched on it just a bit about looking at the different lens from an industrial sector. Don't look at every threat in every industry the same. Look at CISA has 16 industrial sectors like whether this is manufacturing or healthcare or anything like that. If you look at IoT devices, IoT devices have very different attack surface and the threats in IoT devices are very different than medical devices. So you have to look and say that where is this device? What type of a sector it is? What are the types of doing? So that's what vulnerability intelligence is about.

Excellent. Last question for Sri and that is about this joint partnership. The big question is how are you going to measure success? How will you measure success with customers? What are the metrics that you're using and that they're going to be using to determine the value of this partnership?

It's a great question, Rebecca. The first one is you asked a question from Kiran. What is vulnerability intelligence? You're required to report your material risk. You need insights. You need intelligence. That's the number one. Are we helping you get to your prioritization faster than what you were? It's a real measure. If you're taking 20 days to go through your data to report and if I can do it in two minutes, that's a measurable outcome. Second, did I augment your talent shortage?
You didn't have to go buy or hire a data scientist. You didn't have to go build your ML model. You didn't have to go hire another security expert. You didn't have to have somebody who just crunches all this data and reports on it. I gave you four headcount by bringing this. I solved your human talent gap. I augmented what you have. Second, I provided very clear technology risk. When people talk about, oh, there's a Log4j issue or there is the Citrix issue or there is this SolarWinds issue, how do you know that's relevant to you? It's like COVID, right? You wouldn't know if you have COVID or not if you don't do your test. I'm helping you collect the global data, localizing it and telling you if you have a problem or not. That's a lot of work. That's clearly on your tech stack. Number one, I'm providing a complete exposure outside and inside out. The four key things companies are trying to do, and that's how we measure it. Mean time to detect, mean time to remediate, mean time to create resilience, and you do it on a continual basis. The promise really here is providing the platform, providing the solution for them to get super outcomes. That's how we measure success. That's number one. That's very measurable. The second one is, if we can save our customers from the agony of a breach, it's a win-win. That's our part. Number three, a patch prioritization. Now, not only helps our customers, but the entire ecosystem. We have more than 25 other very large security companies using our data. Now, it's not only helping us advance our products to our customers, but it's helping these 25 security companies truly be in an advanced state and helping those. The broader mission of, we're going to fight the cyber war, is now helping us take this to the entire ecosystem. Again, that's a big success as we keep adding security companies. These are the three ways we measure the success. Of course, nothing trumps money, right?
That's always there, but there's also the promise of security framework, whether we do it or we do it through our partners, and that's a promise we are delivering.

I like that tagline, saving customers from the agony of a breach. You can use that in your marketing. That was really good. Sri and Kiran, thank you so much for coming on theCUBE. A really fascinating conversation.

It was a pleasure. Thank you for having us.

It's a pleasure.

And thank you to our viewers for tuning in. Stay tuned for more of our coverage of Ivanti and how they're working with partners to secure everywhere work. You're watching theCUBE, the leader in enterprise technology coverage.