SASE and The Future of Security with Michael Ortega at CATO Networks | Ep. 43

Max:

You know, it's funny. I I've I've been looking forward to doing this for a little bit now, and I was I was taking some notes last night. And this is another part of my prep, which is I I've decided not to prep for most things because then I I don't know. Like, I don't know. There's, like, a there's, like, an appropriate amount of prep.

Max:

And I was thinking about, like, where I wanted to start and what to what to start with. And and I've I've I've I I mean, there's a lot of different stuff here, but but I'm but I think the the the question I wanna start with, which is probably the biggest question, is how do we get to SASE? Like like, what was the you know, I feel like in a lot of technology stuff, we have, you know, iterative, you know, like steps. And then things come out of left, you know, just like out of nowhere and then all of a sudden, like, you know, thank you, Gartner. We have SASE, and then everybody just kinda just piles in, and now we have, like, this animal that's out there.

Max:

But but how did we actually get here? Like, what was what was this the, like, the before and that step that really took us into what we talk about now in SASE in the market? Like, max overload?

Michael:

Yeah. Like, all the way. No pun intended, by the way.

Max:

There's a new new name for the show.

Michael:

I think it was just, you know, it was tool overload. Right? It was just the culmination of, you know, a product to fix a problem, and and in a bit of a a vacuum, in a bit of a silo, and that just amassed, right, over time. And IT organizations suddenly found themselves without the resources to manage, to maintain, to design properly, to integrate properly. And, I think the net result is gaps that that weren't expected to be there.

Michael:

And, I think SASE or whatever you wanna call it at the time. It obviously wasn't called SASE originally, but this desire to make things simpler again to, kinda converge all these different, domains and focuses and technology, bring them together in in a sort of a singular way or a singular model architecture?

Max:

As soon as we have a definition, so SASE, next thing that happens is every supplier, service provider, vendor, ODM, OEM, whatever acronym we wanna put on it. Right? Their marketing team then runs into it. Oh, oh, we we check the box. Like, it works.

Max:

We are this thing. And and, I mean, I mean, I've been I've been doing this for a long time. When I you know, years years ago, it was like clustering. Clustering was the big thing. So it was everybody's like, oh, we support clustering.

Max:

What kind of clustering do you support? And then you have to get into, like, all these nuanced conversations around, well, yeah, we're this because we you know, like, oh, yeah. We can kinda technically check that box. And I feel like the same thing, of course. I mean, it has happened.

Max:

It happened with SD-WAN. It's, you know, SSE. Right? Now we have SASE. And and and then, of course, you get acronym soup.

Max:

Right? So SASE is in and of itself a breakdown of a lot of different acronyms. And how do you you know, for somebody, it's like trying to figure this out and like walk through this of, like, understanding the marketing mess that's been created of, you know, like, why why, you know, what is it? What should it be? How do you figure out if you're getting into the right thing or the wrong thing?

Max:

Like, you know, like like like, walk me through trying to unpack that.

Michael:

I think I think it's difficult for the enterprise, frankly. It's not uncommon as you mentioned. You know, somebody floats some analyst says, hey. Here's something new. And, you know, supplier 1, check.

Michael:

Supplier 2, check. Supplier 3, check. And you've got everybody doing it suddenly when yesterday, nobody did it. And so it's it's it's difficult to kinda weed through the marketing, weed through what's real, what's fake, what's eventually, I'll have it, but I wanna tell you I have it today. It's difficult.

Michael:

The enterprise has to do it themselves. It's a lot of legwork, to dig into the well, how? How are you doing it? Don't just don't just tell me you can. Show me.

Michael:

Or talking to trusted advisers and and and consultants that have gone through that already, who've done a lot of that leg work already. And I think there's definitely a value in that.

Max:

Break down break down the acronyms inside of SASE and how, you know, how this gets expressed now of I mean, what you're buying. Like, why do you buy SASE? What do you what is SASE considered at this point? Like, you know, how does somebody say you know? I mean, what?

Max:

There's, like, 7 7 acronyms inside of SASE that gets packaged together. You know, what is that what is it doing? Why are you getting it?

Michael:

Oh, boy. Yeah. There's a there's a few acronyms, aren't there? You know, you've got firewalls as a service. You've got SWG.

Max:

Mhmm.

Michael:

You've got CASB, DLP, RBI. Think I think they're trying to jam digital experience monitoring into that now to to kind of amplify the value of the network story, but there's SD-WAN, of course, the access piece, ZTNA or SDP. There's a lot, and it's and it's growing. Right? It's it's it's it's where it is today, but it may be something greater than that tomorrow.

Michael:

And, you know, you you the idea to bring it all together into sort of a single unified solution, I mean, that's like utopia, right, for for enterprises, I think. They're they're looking for a way to make their world a little bit easier. And unless you're a, you know, a very, very large enterprise with a $2,000,000,000 IT budget and infinite, you know, IT resources, you have to figure out how to do things a little bit easier. You have to simplify your world. And it's and it's the goal is to, obviously, is to to simplify, but it's also to cover the gaps.

Michael:

Right? If if you can adopt a solution that allows you to do that in the right way, you can significantly remove risk. Risk in serviceability and uptime for your business, but also derisking your environment from from threats.

Max:

Firewall as a service, so, secure web gateway, RBI, remote access, ZTNA, SD-WAN, CASB, DLP, digital experience monitoring. Then you probably get into endpoint. You know, some some EDR function is getting put into SASE now. Then you can also talk about this, like, line is blurring also into MDR. Also, it's kinda getting blurred into to to SASE.

Max:

So if I was gonna say, like, give me, like like, a 2 or 3 minute spiel on each one of those, like, just just down the list.

Michael:

Sure. You know, on the access side, it's pretty simple. I think networking hasn't evolved as dramatically as, as the cyber landscape has. So SD-WAN, frankly, is is about optimizing, the transport that you have available to you and making sure you can access the resources you need, whether they're resources in the public Internet, if they're resources in a in a a private colo or hyperscaler like an AWS or GCP. The idea is to derisk, the transport that exists between the user or the office and the resource you're trying to access.

Michael:

And that's SD-WAN in a nutshell. So, of course, there's lots of different mechanics that do that derisking for an enterprise. On the security side, it's, you know, it's it's I think it's it's really about getting deeper and deeper into the traffic, into the payload. You know, we first start with sort of the SWG. Let's look at, you know, the HTTP traffic.

Michael:

Right? What what URL is it going to? Does that, adhere to my corporate policies to remove, you know, risk in general, whether it's a phishing website or it's a spam bot website or some other high risk, kind of domain or maybe it's a productivity play. You wanna eliminate social, etcetera. And so you start there, and then you get deeper.

Michael:

Right? Deeper in removing some of the risks that are, say, less intentional risks. Risks, that say an intrusion prevention system or an inline NG anti-malware solution might be where we're actually inspecting the payload or inspecting the behavior of the traffic, looking at reputation, or or certain types of destination IPs or destination, countries for that matter. And you get deeper into the packet, and we're looking at, you know, controlling action. You know?

Michael:

Hey. It's it's not enough, for some enterprises to say, you know, no file services online. We need file services. It's part of our business. But we need to control what we can do with specific file services.

Michael:

So now we dip into the CASB world where we're controlling action based on, say, specific accounts or tenants, you know, corporate OneDrive versus personal OneDrive and what you can or can't do. And, of course, then then the data loss side of things, the DLP side of things, which is just getting better, introspection into the the sensitive data or the data in general that's in those payloads. It's not DLP, I think, oftentimes is is, looked at as a security mechanism. It's not really a security mechanism. It's a control mechanism.

Michael:

It's you know, the bad guys, if they wanted to send an exfiltrate sensitive data, they can do that whether you get DLP or not. Right? It's more about sort of the, unexpected, insider threat, right, or the unintentional upload of sensitive data. But the idea is I'm controlling what kind of data exits or enters, my enterprise, with these kinds of controls. And you've got RBI, for example.

Michael:

Now we're looking at, okay. Hey. I can't just block every URL that say undefined or uncategorized because that creates an impact on productivity for my for my user community. So I need to I need to silo that off. I need to send that traffic to a protected isolated environment where my user's not at risk, but they can do their job.

Michael:

Right? They can they can go to that website that maybe hasn't yet been categorized or defined. And we start dipping in further into the endpoint and then in in contextual correlation with XDR and creating remediation on top of that. And you mentioned XDR, MDR, NNPP. We're just getting closer to the user, and then getting more intelligent with all the data we have.

Michael:

Right? Because if we're getting it from all these, we're getting it from the network. We're getting it from the security engines. We're getting it from the endpoint, from the applications. Now what do we do with all that data?

Michael:

How do we make that data meaningful? That's where XDR comes in. And then, of course, adding remediation on top of that is is key. Right? The, boy,

Max:

I have a couple places I wanna go with this right now. I'm just gonna make notes so I can circle back. A big disconnect that I've noticed in procurement of of IT systems is the dialogue between an IT practitioner and the organization. And you're in IT, we think about it in terms of IT things, right, which we you know? And and when you get deeper into, like, the sales side of it, you know, it's like speeds and feeds, and all these different acronyms start coming up.

Max:

But, ultimately, we talk about we could say, come down this list. Right? You know? We'll just I'll just pick on 1. Right?

Max:

Secure web gateway. If you go to sell a secure web gateway to an enterprise and you say, hey. You know, we wanna buy this capability we don't have today, and we wanna we wanna introduce this to our environment. That immediately gets evaluated in terms of what is this displacing or how much, you know, how much is it gonna cost? What is it displacing?

Max:

And and you get into this financial thing. And and, you know, the, my my acronym I hate the most is ROI. Right? Because immediately you get into these things of, like, well, how do you judge this purchase? And that purchase is judged based on what is it returned to us.

Max:

And and that is really disjointed, of course, because if you say we're gonna introduce something as a new functionality or a new capability that we don't currently have, how do you quantify a return on that investment in terms of, like, an you know, you have an input and output, which becomes, like, this very, like, foundational idea in business.

Michael:

Sure.

Max:

So what I'm what I get really curious about with these things is underlying requirements that surface of we need to solve a problem. And what is that business problem? So you talk about DLP in terms of control. What immediately goes to me with DLP is not, you know, necessarily the x you know, the, the outsider threat, the external threat. It's more of these basic things of, you know, Johnny is leaving the company, and we know he's leaving the company because 5 days before he gave his notice, he downloaded the entire financial archive of the business onto his personal laptop.

Max:

And and I've I've seen multiple organizations that go through that and then say, okay. We want we wanna make sure this never happens to us again. And how do we prevent it? And that's on an ROI based sale. Now you're talking about you've got something else.

Max:

And and and as much as SASE becomes this, like, we're gonna throw everything into the pot, but there's still a lot of things within this platform that we talk about that are solving problems for a business that aren't necessarily, you know, what I would say, like, in terms of, like, a a direct replacement or rip and replace or efficiencies. And I'm I'm I'm curious what your thought on that is, and and I'm putting you on the spot with this one, but, like, you know, in that case of DLP, you know, CASB is another good example of that. Nobody really knows what CASB means. I mean, now you define, like, the CASB and and DLP and some vendors in the SASE space even put RBI into the same kinda, like, idea around, you know, just inspecting payload and controlling access to data. But what are organizations actually getting out of these things that they weren't getting beforehand that then drive these purchases?

Max:

Because a lot of times, you're talking about them spending money they haven't spent in the past. You have a firewall on premise, and then you go into this platform, and then you add these function I mean, you're increasing your your cost in some cases. So, you know, other than it's cool, which I agree, it's awesome. You know? And it's and it's really good, and everybody should ensure to run it.

Max:

But for somebody that's not involved in this day to day, like, what are they getting that they don't have before that all of a sudden they can look at and they can say, okay. This changes something for us in our in our organization?

Michael:

I think it's, it starts with knowing what you didn't know. Mhmm. I think is a is a big part of it. We've got threats coming at us left and right in lots of different ways, and everyone's a target. Right?

Michael:

And so on one hand, you can you can kind of look at the threats as, hey. They don't care about me. And and maybe the risk, is perceived as being so low that having this additional visibility and control is not warranted. But then it happens. You know?

Michael:

I can tell you prior to my my stint at at Cato Networks, I spent 12 years, in managed services, with a small regional MSP here in North Texas. And, I would say the last 3 to 4 years of my time there running operations, the cyber practice, the networking practice, I can't tell you the number of MoneyGrams I had to buy, the Bitcoin I had to acquire, and the the countless number of times I had to visit, you know, Tor to to pay off some ransom to get access to to decrypt. And these are for small businesses. Mhmm. Because that was that was the target at the time.

Michael:

It was all small, medium businesses. We're talking one site, 50 users, to as many as a 100 sites and maybe a couple thousand users. So everyone's a target now. Everyone everyone that that, that can be a target is a target, and it's not just for the large, you know, Wells Fargo's of the world. No.

Michael:

Those honestly, those are the hard ones to go after. The, the smaller enterprises that have less controls and and less insurance in place, They're the easier targets. They're the whole low hanging fruit, and, and I think that you don't know what that value is until you've had to go through that experience. And, I think that once you do or or once you hear about it, the the investment into having greater visibility and control, it's it's a no brainer.

Max:

I mean, that's a chicken and egg problem, though, because until you've had the experience, you don't understand what it is. And, you know, even reading and regurgitating things out of, like, Verizon's DBIR. Right? Like, this percentage of businesses are gonna have a cyber incident or breach, and that percentage are gonna have the you know, average cost is this much money. And you read these numbers, and they seem insane.

Max:

Right? Like, oh, the average cost of a breach is, you know, x $1,000,000. Like like, why? You know, I'm a I'm a, like you said, 50 person, 100 person, 200 person company. Like, why is this gonna cost me $4,000,000?

Max:

And and so the the

Michael:

I mean, this is how

Max:

does this change? Like like, at what point you know, I have my theories on it, but, I mean, I mean, you sat in the seat. You helped organizations deal with this. So how many of those organizations survive the process? How many didn't survive the process?

Max:

And then afterwards, how many actually invested in making sure it didn't happen to them again?

Michael:

Yeah. It's a great question. I think in all cases, the businesses survived the experience.

Max:

That's great news.

Michael:

It's debatable, how one one organization, one business felt, the the severity of the experience impacted their business. This is 10 years ago. Many had not gone through sort of that that digital transformation yet. Right? So their resources were local.

Michael:

There wasn't a complete cutoff. It was easy to get to, say, backup resources. There are a lot of other elements about their environment that were far more fragile to consider. Mhmm. But I would say that I couldn't put a specific percentage on how many saw the light and how many did not.

Michael:

I would probably say at the time, fewer saw the light and were ready to kinda, get those craps dice back out and roll them again. But there certainly were some who understood, that it wasn't about the data in the end to them. It wasn't about the inaccessibility of the data. It was about what it did to operations, to their business, how it impacted their customer experience in the end. I don't have your information.

Michael:

I'm sorry. I can't look it up. We're in the middle of an event right now. And how many times they may have had to repeat that kind of response to their customers, and they'll never know to what extent really that impacted the relationship they had with that customer as a result. So there there definitely were some that saw the light and knew that it was time to make a change.

Max:

You say everyone's a target. I'm I'm I wanna get your I wanna get your answer to this one.

Michael:

You and I

Max:

are a target either. I I've I'm not I'm I'm I want your answer to this one because this is this is and you and you made a really good example, Wells Fargo. Right? There becomes this, perception. I don't have anything that a hacker wants.

Max:

I'm not Wells Fargo. Right? I've I've had similar conversations. Oh, nobody's gonna come after me. Like, why is that not true?

Michael:

Why why is what not true?

Max:

Why is everyone a target? Why is it not true? It's some that somebody would say, I'm not a target. I'm not Wells Fargo or Bank of America or Chase. I don't have anything a hacker wants.

Max:

I'm not a target.

Michael:

Do you have money that you want to keep? If you've got something that they can leverage to get you to come out of pocket to return to you, then you're a target. You're a target. And it's so easy, especially with modern day tooling. Now you've got AI, that's that's coming on the scene.

Michael:

Right? It's making it easier. It's making it easier for people who are novice at at doing this kind of thing. Now they're able to massively multiply and, you know, you've got ransomware as a service being sold, now on the, you know, on the dark web. So now you don't you know, I'm I'm not into that, but, heck, if I wanted to, it wouldn't be too hard.

Michael:

And, it's easy. Hey. Here's a link. Here's a carefully crafted email. Here's a, you know, a phishing kit that looks a lot like your Office 365 account that I can spin up on an instant, you know, in in some hyperscale or somewhere.

Michael:

It's not the the friction is low to get into it. And as long as you've got money and you've got, you know, that that one picture, you just can't can't do without.

Max:

My ask my explanation has become very simplistic on this one. The second you connect to the Internet, you're done. You're done. Right? Like, now you're you're you're in the game.

Max:

You're in the ring. You know? Like, you're there. It's it's, you know, and if you're if you're in, like, a network practitioner or security practitioner, you're in IT, you know, you've probably seen these things where you go out and, you know, it's like, how long before you plug a computer in the Internet before it gets its first scan, and how long before it's exploited if it's if it's, if it has known, you know, vulnerabilities attached to it? I mean, it's it's it's frighteningly fast.

Max:

Right? And, and the other one that I've I've tried to explain to people is, you know, you're you're dealing with people whose professional, like, jobs. Like, they feed their families based on doing this. You get really good at something if your income is dependent on it and feeding your children is dependent on it. And and and then you practice it day in and day out at scale.

Max:

Like, you know, like, go to the gym and lift weights every day. You're gonna get stronger. It's the same thing. You know? Like, what do you do?

Max:

Oh, you know, I sent out 20,000, you know, impersonation emails today, and and, you know, I got 4 today. You know? Like, what did it cost you to sell those 20,000 emails? Nothing. And, okay, you got 4.

Max:

And what'd you get? Oh, I got $10,000. You're like, okay. Great. Now tomorrow, we're gonna send out 40,000 emails and try to get 10.

Max:

You know? Like, it's not, you know, it's it's pretty it's pretty straightforward. Right?

Michael:

Yeah. I mean, some of these organizations are unbelievably sophisticated.

Max:

Oh, yeah.

Michael:

I don't have you have you ever received a call? One of the one of those calls and actually kinda played through it to see where it would go?

Max:

I haven't live answered one. I get a bunch, you know, that my, you know, I've I've I've screening on my devices, so I've had a bunch in voice mail where even you listen back to it and and you're and and I kind of the the problem with it, I think, is the second part is it's always, you know, timing. Right? And you and you just get into even the best people, if they get that call at the wrong time, it changes the whole game for them. And Sure.

Max:

Really savvy, sophisticated, you know, people in tech and crypto, for instance, have been, you know, socially engineered just because they had it's just the it was just the right they just it's just the wrong series of events just intersected at exact right time for them, and they were in the road host. Yeah. And these are professionals. So what do you do? You say the average person has any shot?

Michael:

It is getting hard.

Max:

I you know, I've I've always kind of I thought for a long time that in cyber insurance was gonna push this needle a lot farther. And, you know, and we see it kind of happening, but it it hasn't, like, tipped over the way that I thought it was, you know, 4 or 5 years ago. What, I mean, what what do you think actually drives, you know, mass awareness and mass adoption of just I mean, I'm not saying, like you know, everybody everybody tries to equate this to, like, CIA level security. Like, I'm not even talking about CIA level security. I'm talking about, like, you just have a padlock on your gate, you know, kinda level stuff.

Michael:

I mean, you see it. It's it's everywhere now. Like, you can't you can't watch a movie with some reference to social engineering or some cyber threat. So I think that you're you're seeing a lot of awareness being raised in just day to day social activities.

Max:

But when does that go from, like, awareness to I actually have to do something to protect myself? And this is the thing. I unfortunately know people that have had their, you know, burglaries. Right? Whether it was commercially or per or residential area.

Max:

But the average person probably hasn't experienced a home you know, their house being robbed. But the average person is still locking their front door when they leave their house. Why? Well, they don't have personal experience that they have to lock their door. They just know we have to lock our door before when we leave our house because we wanna prevent this outcome from happening.

Max:

What what what is what hap when do, like, the average company person you know, I mean, I guess we're talking about people ultimately because they're making decisions. What does the average person wake up one day and say, hey. You know, I need to, like, actually do x, y, and z for my my company here because I, you know, don't want somebody walking in the door.

Michael:

That's a great question, and a great analogy, by the way. You know, I think that there's a lot of trust. It's it's Wells Fargo. It's Bank of America, so I inherently just trust it. I don't I don't have to worry about my money.

Michael:

I don't have to worry about my credentials. And I think you could you could relate that trust to so many other online solutions, technologies, platform, services. So so I think we're trusting. We're very trusting that these, that that these risks that seem at least, as a perception by very many people, but we're just we're insulated against them because of the institutions that we do business with. But we hear more and more about how these institutions are being exploited.

Michael:

Information is being exfiltrated. But even then, the average person isn't hearing about that. Right? To you and I, we're we're tapped into that community. Right?

Michael:

We're we're seeing those feeds come up in our LinkedIn or our socials, and we're reading through them. And it's front and center for us. But for the average Joe, probably not so much. They're not seeing that. So I think until all the other different types of news feeds, are are also looking at that a little bit more like, this is this is important.

Michael:

You know? It's it's yeah. There's there's war here and there's war there, and those are undoubtedly significant. It's not the only war, right, that's going on, and we're not necessarily as a as a as a community, as humanity, we're not putting as much attention on this other war, this kind of silent war that's going on all the time. It's like, you know, when when you were a kid and you were you were looking for bugs, you find the biggest rock that hasn't been moved in ages.

Michael:

Mhmm. Looks like a nice shiny rock, but you lift that rock up, and there's just all sorts of, you know, living organism going on underneath it. That's like what's happening behind the scenes, you know, under the rock of our computer or under the rock of our smartphone. It's like that's that's constantly going on, and most people just either don't care, don't believe it, or don't think it's as big of a threat. And I think until we raise that level of awareness everywhere, you know, within reason, we're just not gonna buy into it as much.

Max:

Humans have a a a phenomenal capacity of just not believing that bad things are gonna happen to us.

Michael:

Right? Exactly.

Max:

Yeah. And the closest answer I've gotten to this question has been scar tissue. Right? It just it takes enough it, you you know, it takes enough people having stories in their immediate orbit that they want to avoid. Oh, my neighbor lost their job because their company had this event, and then they ended up laying off a bunch of people because they lost key customers.

Max:

Right? How many of those stories would it take you to hear in your neighborhood before you say, oh, man. I don't want that outcome to happen to me. So that's what I always I always thought that was the case. And then you see and there's, like, there's a couple really big events that that I that are I remember, like, are in my mind.

Max:

Right? And the first one was hospital chain, in New England that had a major cyber incident and ended up having, uniformed like, camouflage wearing uniformed National Guard members going device to device, helping them reinstall computers as part of the recovery. And, you know, it's pretty powerful image when you see a hospital with camouflage national guardsmen, you know, putting thumb drives into computers and and and reimaging boxes. You know? And this I mean, and it wasn't like one hospital.

Max:

I mean, it was a major chain. Took down took down a significant amount of of care and ICUs and emergency and, you know, really bad situation. And then the other one more recently is, Colonial Pipeline. And and and, again, the imagery that I have from that is is seeing videos. And, of course, you know, I don't know.

Max:

It's not widespread. But, you know, you see one person with a tarp in the back of a pip pickup truck filling it up with gasoline. You're like, okay. We've we've definitely gone off the deep end on this. Right?

Max:

But even in those two markets where you have hyper specific horrible outcomes that affected everyone on a day to day basis for the most part in that market, there's no measurable increase in, you know, your baseline cybersecurity posture. And anybody that lived that was affected by Colonial Pipeline could not get gas for their car. Like, obviously, there is an association that bad things can happen to a company related to cybersecurity, but people aren't running out and putting 2FA, you know, in their identity platform and and doing x, y, and z. And so now I I'm just like I I I feel like we're screaming into the void a lot of times with this. Just like, yeah.

Max:

You should do something, but if you don't wanna do it, like, I can't convince you to do it. Like

Michael:

Yeah. I mean, you mentioned that that's what the public sees. Right? So the public thinks that, hey. This is this is the target.

Michael:

Right? Even and when I say the public, like, the consumer, right, the average consumer, but also to the business. You know, maybe that's small or medium sized business who is teetering on a decision to invest more or not. That's what they're seeing. But that's not me.

Michael:

Yeah. But but that's the exception to the rule. That's not the rule. You know, those aren't happening every day. What's happening every day?

Michael:

It's the small attacks. It's it's a small hey, ransomware to this small business, ransomware to this medium sized business, double extortion techniques and, you know, that's that's happening on the daily. Right? And we don't hear about that. Right?

Michael:

As a general consumer, we don't hear about that.

Max:

Oh, that also is a good other good point. Right? Because ransomware now is the ultimate outcome that people think of in most cases with cybersecurity, but it's actually not the case. You know, you have a you you mentioned earlier. You have a chain.

Max:

You have marketplaces. So you have somebody that's gonna exploit and get into an organ into an environment, and they've done their job. And then they sell that credential and that access to somebody else who then goes figures out what's in there of value, and then they sell it again to other people. And then maybe somebody buys it to launch a ransomware attack because they've decided that's what's valuable, and they're gonna, you know or or is it exfiltrating data? Or do you remember Target when Target had their breach?

Michael:

Mhmm.

Max:

You remember the source of the breach?

Michael:

Not in particular.

Max:

Their HVAC contractor.

Michael:

That is right.

Max:

Now, you know, who who in the HVAC industry would think that they need to have a, you know, sophisticated cybersecurity, but they had connections into Target. So Target ends up with, you know, effect of a key logger on all their point of sale terminals, taking credit card numbers. You know? What was the source of the I mean, you you know? So you're like, okay.

Max:

Great. You know? You're you know? Yeah. With the fish tank?

Max:

Somebody exploit the fish tank. What do they do with it? You know? Like, you know, these these are crazy stories.

Michael:

You know, I, I there's some there's some organizations out there that, you know, their sole task is to simulate attacks, and it's interesting to what extent some of these organizations go and how available information is when you don't, when you don't take a concerted effort to protect it. And in one such example, there's a there's an organization out of the Pacific Northwest who has a drone service. Oh, jeez. They'll fly drones over your establishment, over your building, and take a picture of people taking smoke breaks with their their access cards hanging off their belt loop. And, and, you know, hey.

Michael:

Risk.

Max:

Do you see this one?

Michael:

Point of exposure.

Max:

See this one with Strava that just came out recently with bodyguards? No. Yeah. So the Strava exploit, I remember years ago because they were finding they'd found, service members running the fence line of defense installations that weren't, you know, mapped. Right?

Max:

And, and there was another one that just happened where they were able to identify movements of protect protectees by their bodyguard, you know, their, you know, their security teams because they would use Strava, and all of a sudden, you'd see, like, the security team would be in another market out for a run or whatever. And and and, you know, it's it's it's like, the stuff is so it's just it's just there. You know? Yeah. I don't want we we can we can go on this about this forever, but, SASE is a, I guess, to some degree, it's a disruptive technology.

Max:

You're displacing other things. Now in some regards, you you know, there's this idea of single vendor SASE, and then that becomes, of course, this race that everybody's now in, and there's a lot of other, you know, large manufacturers that are with massive, you know, market caps. They're going out and acquiring pieces and trying to plug pieces in, in together. And I don't wanna talk about necessarily, like, the outcome of somebody going and making bolt-on acquisitions to try to do technology. Okay.

Max:

We can come back to that maybe. But, I think we should talk about a little bit about what is being displaced and what is being replaced and why that becomes important for an organization. And you mentioned it briefly like the SD WAN case because now, you know, SASE includes SD WAN. Now there's a lot of SASE vendors in the market that don't actually have the access component and then require somebody else to so so, yeah, they're like, yes. We're SASE, but, again, we won't talk about that too much.

Max:

But, but but I wanna

Michael:

Don't get me started on that.

Max:

Oh, I'm I'm really close to going off the deep end on this one. The, maybe maybe the new podcast should be like Max with Mezcal, and then it'll be

Michael:

you know? That's a great idea. You

Max:

know?

Michael:

I can get down.

Max:

So so let's let's talk about the what's being displaced and why and why it's being displaced and why that's actually important and relevant.

Michael:

Yeah. I think, you know, it starts at the edge, like you said, SD WAN, the access component. Access isn't just SD WAN, of course.

Michael:

The, the user, the end point, also serves as an access component,

Max:

right, when they're remote or

Michael:

in their when they're in the office. But, yeah, SD WAN, VPN solutions, traditionally serving a remote access use case. From a security standpoint, branch security devices, even to some extent where it's applicable, large data center firewalls, that are protecting resources in the data center both on the kind of public ingress side, but protecting the WAN as well. And then you've got the rest of the acronyms out there. Right?

Michael:

The SWGs, the the cloud application security brokers, or just cloud app security solutions, remote browser isolation. These are all the things that are kind of up for grabs as a part of a a SASE initiative or a SASE project.

Max:

What do you find I I mean, I people probably come into this entry point from a lot of different places. I mean, we can pick on the SD WAN for a little bit. Right? And, you know, when I get into the SD WAN conversation, I you know, the first thing I ask is, like, well, what what are you? What kind of SD WAN are you?

Max:

What solution are you actually providing? Right? Because, you know, are you a, an auto magic VPN to v you know, site to site SD WAN? Which, by the way, if you've ever configured VPN on a firewall, like, in you never wanna do it again. You know?

Max:

Like, it's oh, jeez, man. Cisco I'll pick on the Cisco PIX for a little bit and the ASA firewalls. It was like the dark arts of, like, of, like, configuration. It's like, oh, look. It's working.

Max:

I have no idea why, but don't breathe on it now.

Michael:

Oh, but as an engineer, you felt the power.

Max:

Oh, jeez.

Michael:

The power and that knowledge.

Max:

Oh, I don't know, man. If I if I never configure a a, an ASA VPN again, it it might be too soon.

Michael:

All those no NAT statements.

Max:

Oh, jeez. I don't wanna I don't wanna go into, like, a PTSD conversation here about SD but but SD WAN. Right? So, like, SD WAN solves a bunch of different things. You solve, I mean, at at its at its base level, right, by definition, you're providing a, a a cloud based web interface to manage your appliance.

Max:

Right? That mean that is SD WAN. Right? So, oh, you've got a web interface to manage an appliance that's remote? Software that's software defined.

Max:

Okay. So so I know I know I know vendors that check the box and say that we're SD WAN as a result of that. Then you've got site to site VPN SD WAN. You've got, Internet circuit aggregation SD WAN. You've got, MPLS replacement SD WAN, then you can talk about overlay, underlay, you know, designs.

Max:

You've got, TCP optimization usually for, you know, either low bandwidth applications or low bandwidth environments or crossing oceans. Right? So there there's even within that world, you know, we're talking, like, one piece of the whole SASE puzzle, and you already and you start from a foundation of, like, I don't even know, like, what the difference is between one approach and another and what I actually care about. So when you're talking to people and you're getting in these conversations and saying, okay. Fundamentally, you know, in order to provide you this whole thing, now we talk about access.

Max:

Well, s by the way, SD WAN doesn't cover your endpoint. Right? So it doesn't give you your your user. It doesn't give you remote access. It doesn't give you these things.

Max:

But now you start from, like, a thing of, like, okay. Well, we know we want to displace certain POS, or we have a performance, you know, issue, or we have, what else comes up a lot of times? We wanna lower our costs. We wanna try to go to cheaper circuits, you know, at our remote locations because broad you know, broadband is viable now. You know?

Max:

Fiber to the x is available. How do you walk somebody through that journey, you know, when you start talking about, like, okay. You know, here's an SD WAN application and access, which then probably turns into, we're gonna replace our SD WAN boxes, which then is like our firewall is now in play. Do we replace our firewall? And then it's like, okay.

Max:

VPN concentrator. And it it becomes just, like, you know, the avalanche of of stuff. So what what does that journey really look like in a conversation from start to, you know, honestly start to finish, but, you know, going through that process with somebody thinking about this?

Michael:

Well, SASE in particular, I think that it starts at a very strategic level. Right? The prospect of SASE for an enterprise, what can that achieve? And as as mentioned before, it's it's a lot of operational simplicity, reducing that that burden on IT, is one of the one of the goals.

Max:

Can we let's quantify that for a second. Sure. I know this gets said a lot, but I don't think a lot of people really understand what this means. So I'll give you a scenario. Let's say, we'll we'll pick a squarely mid market company, 2,000 employees, figure that's spread out over 20 to 30 sites.

Max:

And, you know, now because it's you know, we're post COVID, we're gonna have a remote workforce in any given time about, I don't know, let's call it 50%, you know, in any given time, but it's not consistent. Like, people go remote. They work from home. They come, you know, they come into the office and back and forth. What does that actually mean in terms of IT overhead in a legacy environment?

Max:

And and you can talk about component, however you wanna phrase this, but, you know, walk let's talk about that. Start.

Michael:

Yeah. Sure. I would say it depends Mhmm. On the type of SASE solution you're looking at. But but the goal the primary goal of SASE is to automate and simplify through convergence, and, you know, obviously, through a cloud native adopted architecture, whatever you wanna call it.

Michael:

The the difficulty with most suppliers is actually being able to provide that net result. So I can speak from personal experience. Mhmm. Look. I've I've been a Cisco ASA, PIX guy.

Michael:

Mhmm. I knew what it was like to manage a full mesh IP VPN network. I knew what it was like to manage incumbent sort of legacy MPLS architectures. Very complicated, very hands on, nothing really automated, a lot of critical thinking, which isn't a bad thing, but just a lot of investment by IT resources in maintaining, those those technologies, those ways of doing things. And what SASE and what SD WAN should do in the end is to simplify that.

Michael:

Right? Add software intelligence, do more kind of point and clicky versus CLI CLI CLI, and maintenance is a is a big part of that. Fundamentally, the supplier of SASE should be maintaining those those technologies for you, maintaining the software, maintaining the hardware. And so that alone, just the maintenance aspect of it, should reduce some of the burden on on IT. But there are degrees of that burden removal depending on the supplier you're talking to.

Michael:

I would say some. You might not see anything different. What it was yesterday before it got a new name, it is today. But with some, you will definitely experience a a significant difference in the way that you design, that you deploy, that you use, and you maintain those systems, and you will feel a significant difference in the the burden on IT.

Max:

2,000 person enterprise with 20 to 30 sites, somewhere between 80 to 110 pieces of network infrastructure that they're maintaining.

Michael:

Sure.

Max:

And that's circuits, routers, SD WAN appliances, firewalls, remote access, something. You know, probably VPN, you know, whatever they're running for their VPN, probably on top of their firewalls. Plus you have your identity. What's your identity provider? Are you actually connected to the identity provider with any of these things, or are they stand alone?

Max:

And and, you know, you say maintenance and the issue of maintenance. If you have to do a firmware update on 100 devices and they take 30 minutes to device, you have a very simple time issue. How long does it take you to actually roll out that firmware device at 30 minutes per times 100? And then nobody wants to do this during work you know, business hours. So then you have to do it in after hours, so now you have less time that you can actually do it.

Max:

And then the enterprise has a change control process where they only allow updates to happen on certain days and certain nights within certain windows. That reduces your your threshold. You have to go through probably a committee to to measure the risk and approve the activity, and that narrows your options as well in terms of how much time it takes. So to roll out a a firmware update across 100 devices, if you can, for some reason, do 5 devices a week, you have 20 weeks of maintenance. And by the time you're done with that maintenance cycle, you have other updates that have already come out that you then have to plan for and continue to update across.

Max:

And that's for a simplistic environment. You know, you talk about these, retail organizations. Got 100 stores, 500 stores, 1,000 stores, 2,000 locations. Okay. Great.

Max:

Now apply a firmware update across 4,000 devices in a meaningful way. And and it's and this is the other side of it. Like, this is this is the, like we we can't even control our own our own estate in a lot of these things. Like, you know, and and, you know, our, you know, our collective houses are in order. You know?

Max:

I mean, some of these some of these manufacturers, I mean, I won't I won't say them, but they they released a security, notification, and their remedy wasn't a firmware update. It was replace the box. Like, the physical box that you have is compromised. There's no way for us to fix it remotely. You have to replace them.

Max:

Okay. Great. You know what you do with that? Okay. So so maintenance.

Max:

How I you you know, like, I I I find I find it, like, that walks into this thing of, like, there's still this perception of if I displace my job. Like, if I'm not doing the firewall updates and then, by the way, I see this perception also from, like, you know, junior people outside the organization, but also more senior people inside the organization that maybe are managing these teams. But if we're no longer the ones doing that work, and now we've displaced it to a supplier who's taking care of this for us as part of their service, what does that mean for me and my job? And and there's a lot of fear associated with that.

Michael:

Yeah. I don't, I don't disagree. I think this is where enterprises, businesses have an opportunity to reevaluate those priorities for, say, the this, you know, mid enterprise

Max:

Mhmm.

Michael:

Example, that likely doesn't have, you know, 1,000 IT personnel. Maybe they have 5. They only have time to run through that cycle of maintenance. That's about it. Yeah.

Michael:

What about all the other risks of the business? What about end user education? What about evaluating some of these other services like CASB and DLP? You know, maybe they want to. They just don't have the time or the resources to do that.

Michael:

Let alone then say they make the decision to go with it, the time of the resources to then manage them on top of managing just the edge hardware, the iron. Mhmm. So I think that there are a lot of organizations they're behind. They wanna get further ahead, but they can't because they have the burden pulling on them constantly of maintaining the the technologies they have in place.

Max:

Burden is such a good word for this. I, you know, I I always put it in terms of context of, like, the value that you present to the organization is not that you've applied a firmware update. Right? It's it's helping the organization win at whatever it's trying to do. You know?

Max:

And and, you you know, I I would express it simply in, like, capitalistic terms. A company that is making money and growing hires more people and produces more economic success, you know, for everybody inside of that environment. Companies that are on the decline are the opposite. Right? You know?

Max:

Like, now you start talking about how do you squeeze efficiencies? How do you operate more effectively? How do you lay people off? You know? Like, what you know, all these other things start to happen.

Max:

And and and even though, you know, IT gets into this, like, role of, you know, nerds typing on computers, it's a customer service organization inside of a company. Right? Like, IT exists to help the other lines of businesses excel at whatever they're trying to do. And and I find that disconnect is really telling in in in terms of the health of the organization as a whole. Like, you know, you can see it when, like, oh, we're actually helping create value and create leverage, or we're not.

Max:

And you're like, okay. I know everything I need to know about your company now just by talking to, you know, the IT people a little bit.

Michael:

And the irony in that is to regardless of which profile of an organization you are, the risk is still there.

Max:

Oh, boy. So why not why not do this with why not do this with your traditional firewall? Right? So now we've got this thing where the firewall manufacturers are acquiring SD WAN functionality, and they're shoehorning into their firewalls, or they're wanting you to buy an appliance to sit in front of your firewall, you know, however the architecture is. And, of course, in their firewalls, they've always touted that their firewall does deep packet inspection and unified threat management and all these other things.

Max:

Why is why is that not a good why is that bad? I'll I'll use this really, like, simplistic language. You know? I won't say, like, sophisticated stuff. Why is it bad to continue down that path versus, you know, figuring out how to pull a ripcord and getting out of it?

Michael:

The the prospect of a firewall

Max:

Mhmm.

Michael:

In general, sitting at your edge, doing what it's always done. I mean, that idea of of having that device do that is changing. Right? It needs to change. It's a finite resource, but the world of cyber is not finite.

Michael:

It's it's infinite. Right? It's constantly evolving, constantly changing, but you've got this investment in a finite resource sitting at your edge that has to keep up with that. And that's just an impossible task. Long term, that's an impossible task.

Michael:

Or or we'll go back to the word burden.

Max:

Mhmm.

Michael:

You're constantly living through life cycle management of hardware every 3 years or every 5 years and something new, something something bigger. And am I am I gonna get it right this time? That's gonna buy me the next 5 to 10 years, or am I not? Am I gonna fall short, and have to sacrifice on the types of protections that maybe I want that box to do because I just don't have the resources to keep up. I think that's one thing that really compels, enterprises to really consider where that inspection resource exists.

Michael:

And if you put it at the edge, you know you have you have a very you have a timeline, a very specific timeline relative to doing that. You put it in the cloud, well, now you you are you were you've adopted a model that is supposed to deliver scalability, flexibility, agility. Right? It's supposed to be elastic. It should be able to keep up with what your requirements are today, and if they change tomorrow, no big deal.

Michael:

Let's let's add what we need and could keep going. I don't have to worry about a piece of iron sitting at my edge. Now in contrast, the networking side, it's it's not as changing or as evolving. Right? We've got SD WAN today.

Michael:

Chances are SD WAN's probably gonna serve a functional role in the capacity that it is for quite some time. Right? It's not gonna change. So, yeah, stick that on a box. Put it in your your office.

Michael:

Logically, because you need some way to on ramp to whatever service you're trying to get to to secure your traffic or to secure your users or resources, but that's okay. That makes a lot of sense. It's still on a piece of hardware. That's still but it's got a it's got a pretty basic fundamental role, and that is securely get me to the next step, which is securing my users, securing my traffic, and put that next step in a cloud somewhere so that I have ultimate flexibility, I have ultimate agility for my business.

Max:

I had a client about 10 years ago, a VP managing, VP of IT globally, how they approach their office strategy was the same as Starbucks. Now he was ahead of what would be then become, like, this idea around zero trust and how do you actually secure the remote user and all these different things. But, you know, his goal was just somebody could come into an office and sit down and get on the Wi-Fi or plug into, into the wall and have a really good experience and fast Internet, and it would just work. But there wasn't any sophistication there. He didn't assume there was any it was just this is just a fast Internet location for you.

Max:

Yeah. That I've I've seen this concept now, like, fast forward to today. Right? We've got way more sophisticated technology and techniques, and we can, you know, segmentation and zero trust and all these different things that start to apply. But this idea has now, I think, fast forward and become really common.

Max:

Like, oh, our offices are just a place for people to be at any given time. It's not necessarily the place. It's just a place. But now you get into this I think this becomes as a a point of pressure. Right?

Max:

Like, how much money do you invest in something that you kind of consider as, you know, like, a place that has no real value to you in terms of, like, your IT operations versus investing in things that actually are going to improve that experience. The question becomes, Cato sells a, access component of it. And part of the value of Cato is is you have, you have your cloud. Right? I'd say you have, like, a federated in platform that everything flows through, and the access component of that means that you have data flowing to and from your gateways.

Max:

You have devices connected to the Internet around the world that whether I'm I'm a laptop user, a phone user, or an office user, have to connect to. Right? So that creates cost for you, which then gets expressed down the chain of, you know, cost plus value plus service equals, you know, you know, subscription to the customer. But now customers have to evaluate. Okay.

Max:

I've got this office that I, quote, don't care about. Justify spending more money beyond what I'm spending on Internet circuits to provide here, especially if I can go to another manufacturer and buy an SD WAN component that can give me circuit failover. We can argue about whether it's good or not, but it'll give me circuit failover, and I don't have to you know, and and the cost is different.

Michael:

Yeah. I and, honestly, for for some enterprises, sure. Maybe you don't need SD WAN. Maybe just stick an agent on your endpoint and you operate like a, you know, a Starbucks. You know, we come in.

Michael:

We dock. We work. We're good. But there but there is a it depends factor. Right?

Michael:

What types of services are those users running? Are they on Zoom calls or Teams calls? Are they running real time applications and services? Do you care if there's a service impact? Because if you're running an agent only to connect to subresource or to that SaaS application, that agent really only knows one logical path out and there's no protection around the service service uptime of that Starbucks, is it okay if there's impact that's felt that that, you know, terminates that call or impacts or degrades that call?

Michael:

How important is that to the business? Right? Because I I can't tell the business that's important for him, but I can ask the questions. Right? And is it is it just that there's a risk towards Zoom and Teams?

Michael:

What about other services, that they're that they're asking, accessing other lines of business, applications that they're accessing? Could they be materially impacted by a service incident at the edge? If the answer is no, no. We don't care. That's okay.

Michael:

Well, hey. We'll just hop right back on the Teams call. No big deal. Maybe there's no application for SD WAN in those cases.

Max:

I think a lot of places don't care until they care. Like, security we're talking about earlier, maybe they don't care until they care. Right? How do we help IT teams, I don't wanna say educate, but communicate better with the rest of the company of what these decisions actually mean for the business and business operations. Right?

Max:

Because an IT team obviously cares if users are having bad experiences because they're getting the phone calls. You know, it's part of whether they're being judged directly in some sort of KPI or measurable metric or if they're just getting like, oh, you know, our platform sucks. You know, nothing ever works here properly. You know, there's they are the they are the recipient of that judgment. But how do we help them communicate this internally better?

Max:

So that way, there's other stakeholders at the table making informed decisions that actually understand what these trade offs mean. And and even if it's not quantifiable in terms of the, you know, expression of ROI, but but actually get what they're buying or what they're not buying.

Michael:

Well, I I I do believe that when you buy into sort of that agent only model Mhmm. You give up the right to having, at least from a network perspective, control and visibility. And, it's a big sacrifice to some, but maybe to some, it's not. And I think that as long as there is a concern that their users are going to potentially be at risk of poor experience and that they're gonna need to deal with that, then then it's it's logical that there should be some investment made into dealing with that. Now maybe it's SD WAN.

Michael:

Maybe SD WAN will mitigate some of that risk, right, that could be impacting the experience. Maybe it's digital experience monitoring. Let's get more visibility into that end to end experience so we know what's causing it. Maybe that then tells a story about where that issue is and hey. Back to SD WAN.

Michael:

Right? Maybe it's wireless LAN that's an issue, or maybe it's a problem on the endpoint itself or runaway processes that are impeding on the user experience. So DEM is a DEM, digital experience monitoring, is a it's it's a newer tool. It is something that recently we've introduced in the, the Cato SASE cloud platform, fully integrated or or a component of converged into, into the SASE cloud. It's it's fundamental.

Michael:

I come from that world, the, you know, the support world, the networking world. If we had anything like this 10 years ago, 12 years ago, I think the 12 years I spent of as an MSP may have actually only felt like 12 years. Unfortunately, it felt more like 30 years. But, I think that you need it somewhere. Right?

Michael:

You need to either mitigate the risk through some sort of last mile optimization technology like like SD WAN, or you at least fundamentally need visibility because it will happen. Right? It will happen. Your users will complain this this is not performing well. This is this is locking up.

Michael:

I can't get to this page. Right? So you need some level of of visibility in the end. Whether or not you need controls and other thing, but you at least need some level of visibility.

Max:

Friend of mine, was at another SD WAN platform. He his line was I love his line. Time to innocence. He always expressed this in terms of, like, time to innocence for the IT teams. And, you know, and it was, you know, it was always like the I I think his his favorite example is Salesforce.

Max:

It's like, no. No. No. The network's fine. It's actually Salesforce.

Max:

It's having a problem, and I can prove it. You know? And and that was the time to innocence. And experience digital experience monitoring has been around for a long time. I mean, was Keynote, you know, years years ago.

Max:

It was doing web performance monitoring, and there were network application monitoring. But it was this thing that, like, nobody wanted to buy them because they were so expensive, and they couldn't justify the purchase. And, like, what it so so it's it's like having it as a component of something else that's already being deployed where now you get the information. Once you start seeing it, you never wanna go to a world without it again. It's it's this crazy thing where people don't have access to data, don't understand the value of the data, and they get access to the data, and then they never wanna let give the data up.

Max:

Right. Yeah. You know? So it's it's kinda like how do we get these, like,

Michael:

You can't believe how long they've lived without it.

Max:

Oh, yeah. Yeah. So so then you're like, well, how do you Trojan horse this into into more things? You know? Well, I think a lot

Michael:

of, a lot of what you were asking earlier about, you know, how how do we do we convey the message to an IT organization, a lot of it's just showing. You have to show them. Right? If if they've never seen it before, they don't quite understand the value of it. So you have to show them.

Michael:

Like, this is something you've never been able to see before. What would you do if you could see this? What kind of answers could you get to, and how quickly could you get to those answers if you had this resources, power in front of you?

Max:

Well, it's not just digital experience monitoring. In that case, in your example, it's also your apps app the the your application catalog. Right? And shadow IT. We always talk about, like, shadow IT, and then you talk to companies and you're like you're like, how many applications you have?

Max:

And like, oh, we have, you know, 5. You're like, well, have you run anything to actually tell you? And then you turn around, you're like, we're running 15 applications per employee on average times, you know, like, the quantity of employees. You know, we've got 700 applications in a company of, you know, 170 people. And you're like, what are you talking about?

Max:

You know? How did this happen to you? Well, we didn't know. People just use their own credit cards and subscribe to everything under the sun.

Michael:

Right. It's a it's a valid, it's a valid reason for why CASB exists. You know, access to Shadow IT. And it all ties together. Right?

Michael:

It all ties together in the end. Visibility and data is is everything.

Max:

Expand on CASB for me. You know? Because I you know, the the simple example I was given years ago, which I like was, like, CASB's data at rest versus DLP and data in transit, which I I think kind of quasi explains it, but it there it's still you have different goals with CASB and DLP and why you would have one versus the other and why one's foundational to the other, you know, as you're layering.

Michael:

Well, I mean, CASB starts purely from a visibility standpoint. What do we have? You mentioned a moment ago, shadow IT. What am I using that I don't even know that I'm using? And that's what CASB initially exposes you to.

Michael:

And it it does all start from well, what what supplier of CASB, to what extent do they know about the application landscape. Right? What does their catalog look like?

Max:

Mhmm.

Michael:

And you hear you mean, you hear companies like Netskope who've been in this field for a long time, who do really we've got 70,000 applications and, you know, and Palo comes with, we've got 70,001 applications. And, in the end, it's it's like, okay. Hold on a second. To the enterprise that's using this, who only uses 50.

Max:

Or only thinks they're using 50.

Michael:

Or only thinks they're using 50. Chances are they're not using 70,000. Right. What's important to them? But it is there is a definite, value associated in what that application catalog looks like from the supplier.

Michael:

Right? I don't know that 70,000 is necessary anymore as chances are that more than half of those are from 10 years ago and beyond that nobody really uses anymore.

Max:

FileMaker. We know about FileMaker. FileMaker.

Michael:

That's right. But, yeah, it starts with visibility, and it and it is important to have a supplier that has a healthy catalog. Otherwise, they're not gonna be able to identify. Once you have visibility, and that's like, now what do you do with it? Right?

Michael:

Now I know what users are using. Sure. I knew about some of them before, but, man, what is all this other stuff? What do I do with it? What does it mean to me?

Michael:

And I think what CASB then takes beyond visibility is assessing the risks associated with those applications. What is what does this mean to the enterprise from a risk perspective? And if you can have that assessment element after you get visibility, the next step is then asserting control, asserting enforcement. You know, let's let's let's take these necessary applications and let's call them sanctioned applications, and let's make sure everybody has access to those, and let's look at the rest of the stuff and make a different kind of determination. Maybe they're unsanctioned.

Michael:

Maybe we need to control based on their general risk. Let's you know, everything under risk x, let's just, you know, siphon out into the ether. Right? We're not we're not we're not using those. This is where things go beyond just the SWG functions.

Michael:

Right? SWG is so rudimentary. It's necessary. Don't get me wrong, but it's very rudimentary. CASB kinda takes you to a whole new level of exploring control for your enterprise, and it doesn't have to be a super rudimentary approach.

Max:

You know, risk. Do you have data and platforms you don't I mean, that was really easy when you had an enterprise and everything was on premise and your server was on premise and everything was just there and, like, you were surfing the Internet or maybe using AOL Instant Messenger to chat with people. Right? Right. Which was relatively easy to block, and then Yahoo Instant Messenger became popular, and that thing was impossible.

Max:

I can't breath. But it's also like, it's other things. It's like, what are you spending money on? Do you know that you're spending money on this stuff? Do you know that you've got 4 applications doing the same thing that different different teams and different departments are using?

Max:

Does that matter to your finance team or not? You know? Like, if you're if you're if you can make an organizational wide layer to say, we're gonna use this tool versus this other tool so we're all on the same tool and we have a common expression of how we work together, like, does that help the organization? Like, what's what's how do you quantify that in ROI? Right?

Max:

I mean, it's it it's, it's, again, it's one of these strange things where, like, until you actually have the ability to make that decision, you don't even know that you you have that choice. It's hard to say, like, is that valuable to you or not? And you say, oh, yeah. No. We can actually say we're gonna use this platform to talk to each other on, and that's it.

Max:

It's it's very interesting when you when you run something and somebody sees it for the first time, and then they actually have to have to go down the list and be like, what is all this stuff? And now what do we do with it? Yeah. It's it's, I don't wanna say it's funny as an outsider, but it's always it's always interesting to have that conversation after the fact with somebody.

Michael:

It's look. I've had many a eureka moment on calls. I'm doing demos, or just enabling the service for the first time in production for a customer. There there are definite eureka moments. They're like, wow.

Max:

Yeah.

Michael:

I had no idea. No idea what I was missing.

Max:

I'm gonna I'm gonna beat you with this one a little bit. ZTNA or SDP versus VPN. And and I'm gonna I'm gonna and here's the bait. The bait is, well, ZTNA is VPN. What gives?

Michael:

Well, this one this one is hits home for me because, I do I do see this this ZTNA versus VPN story play out in social all the time. Mhmm. For me, ZTNA first of all, ZTNA not being a product, but rather a strategy K. To use the products or tools or services that we have in play. For me, VPN is just one of those tools or services that are in play.

Michael:

Now how we implement that that VPN tool determines whether or not we're following a practice that allows us to adopt a ZTNA strategy or not. You know, VPN without getting to Wikipedia on on everyone, it's it's a virtual private network. Right? It's an overlay type of, connectivity or access method. Right?

Michael:

It's it's all it is now. You could turn it into a whole bunch of things if you wanted to, if you want to, but it's that's what it is in a nutshell. So most ZTNA, solutions out there, they're still VPN solutions. There's still a you know, we're encapsulating and encrypting traffic out to this gateway. Now whether the gateway is on prem or in the cloud, it's still a gateway.

Michael:

You're still fundamentally performing a virtual private network to that endpoint. So for me, it's not a ZTNA versus VPN strategy. It's VPN 2.0, let's call it. Right? And with VPN 2.0, we get all this other really cool stuff.

Michael:

Right? We can authenticate the endpoint. We can put posture checks in place and say, hey. You can't connect or you can't have access to this resource if you don't have fundamentally these key things in place, like malware protection or a, you know, corporate certificate. You know, I need to know who you are.

Michael:

Right? I need you to authenticate to your to your IDP, and, I need to be able to validate that. Right? These aren't things that were necessarily a part of VPN 1.0, but they can be a part of VPN 2.0 and beyond. And so to me, ZTNA is just the way that we're using the same types of overlay technologies that we had before.

Michael:

Maybe some nuanced characteristics from one supplier or another who differentiate. Oh, we're doing IP obfuscation. Right? It's the next best thing. It's it's so secure, you know, and for me, it's like security through obscurity.

Michael:

It's like we can NAT. Did you not know that VPN solutions can NAT? We can do some NATing in between them, you know, even the even the old school Cisco ASA, you can NAT. Right? You can you can have a dedicated IP pool just for your remote users that don't put you in the data center on the local LAN.

Michael:

I think that was the big motivation between people kinda going against VPN. I think it was maybe certain suppliers out there who thought VPN only existed in a certain operational model where a remote user owned an IP inside of the data center. And, yes, there was a time where it was like that, but, man, we evolved past that, like, a decade ago, right, before ZTNA really hit hit the market strong.

Max:

I mean, IP ops oh, wow. Like, I'm not gonna be able to say the

Michael:

word now. Fun word.

Max:

Because it is cool, but it doesn't I've I've yet to hear anyone come to me with a business requirement saying that we have to do

Michael:

that. Right.

Max:

It's usually something different. It's usually something along the lines of, well, lately, right now, I put into really 2 things that I hear a lot. I hear, we have a requirement that only corporate owned devices can access client data. So it gets expressed to me that way. Right?

Max:

Like, how do we do this? And and the answer is, well, you know, like everything else in tech, you can do it, like, 50 different ways. And, like, here's your options, and let's talk about this more about what you already have and what you're trying to get to. So I get that. The one I get is we need to actually be able to audit and report on our remote access users.

Max:

Who connected? Where were they were? What did they do when they connected? You know, what what happened in those sessions? And we're unable to do that in a way that actually meets our auditor requirements with our existing VPN solutions.

Max:

And whether that's and by the way, that could be, your, like, leg legacy manufacturer based VPN to a firewall or concentrator, or that could even be, like, some of these open source tools that are out there that are popular in the market like, that do not actually give that layer, you know, level of granularity of actually being able to say, you know, this person connected this time and did these things. And, and, you know, you you say, identity and posture check. You know, who, where you know, I I mean, it's it's pretty amazing once you actually see one of these things of, like, oh, we can actually tie your identity to our identity provider. Entra ID, Okta, like, whatever you're using. And by the way, this was Colonial Pipeline.

Max:

Right? They had a VPN concentrator with credentials that weren't connected to their identity and, you know, got exploited. But we can just just having, like, strong identity connection is pretty cool. And then you could say, okay. Now you can do posture check and and, you know, are you on a device that has a certificate that's pushed from the MDM?

Max:

That's cool. Like, we own the device. It's running our EDR. The EDR is actually running. Patch has been applied.

Max:

That's pretty cool. That's that's nice to know. It's in a geographic market where it should be. That's pretty good to know. You know, we don't have time travel capability for an executive that was in LA this morning and all of a sudden is in Shanghai 15 minutes later, it's kinda hard to do.

Max:

Right? Right. And then, you know, so you got all these kinda, like, foundational things, and then you say, okay. Now we get to apply a policy after determining those other other things. You know?

Max:

And that policy is you get to access something. Right? And and if any one of those, you know, other things change, like, you no longer get to access it anymore. Right? I mean, it's like, you know, again, like in the nerd, it's if if you've ever configured VPN, like, 1.0 as you I'll I'll use your terminology, VPN 1.0.

Max:

Again, if you've done this on an ASA, you're like, I don't know why this is working, but we're don't touch it again. Right. It's a thing. It's so bad. So

Michael:

It's it's it's definitely fundamentally the same, but with a whole host of new mechanics and and, control components in play today that allow us to but this is this is ZTNA said, here's the definition Mhmm. Of what your solution needs to do, but but didn't say, and by the way, you can no longer call it VPN. It's no longer VPN.

Max:

Well, ZTNA isn't a I mean, it's it's commonly used as remote access, like, in in the idea of the thought process, but ZTNA isn't remote access. ZTNA is just access. Correct. You know? And so whether or not you're remote or or I don't don't even know the difference between remote and not remote at this point for most most environments, but, you you know, it's it's just an it's an it's an access policy of what you have to do in order to access data.

Michael:

Right? That's it. In a nutshell, that's it. And I think that, it's interesting also that the remote access component of it or the Mhmm. Structure of it has really been kind of the the defined or de facto definition of ZTNA for most, even the enterprise, but certainly for some for for suppliers too.

Michael:

And and, really, it it it extends beyond that. It really should be a strategy that exists whether you're in Starbucks or

Max:

you're

Michael:

in the office or you're in the data center or you're on a plant upper operating.

Max:

It's what drives the purchasing cycle. Yep. People aren't showing up and saying I needed to have strong authentication for my person who's sitting in their cubicle in their office. Right? Like, that's I could count the amount of times I've had that request hit me at 0.

Max:

Right? You know, it's so ZTNA gets defined as remote access because people are looking for to fix the remote, you know, remote access issue. Sure. And then what is the actual issue that they're trying to fix? So, you know, we we actually need to have a strong identity posture, or we actually need to have a corporate owned device.

Max:

We need to get away from personal devices, or we need to, you know, make sure that somebody can't connect then download all of our data. You know? Like, there's there's something else has happened usually triggers that, and and I feel like with, it's almost always just this idea of remote access. You know? At least for me, it's always been this idea of remote access.

Max:

So and what and, I mean and remote, again, is like, oh, we wanna get to our AWS or GCP or Azure environment. You know? And so, therefore, it's remote because we know it's not here physically in front of us.

Michael:

Right. And and even if you're that user in the office, that resource is still remote to you. Right? And so you're you know, that's where they they talk about, you know, the perimeter is collapsing and you know, because everything is out there. You know?

Michael:

And we're here. It doesn't matter where here is. We're always over here, and it's always over there. And there's there's the idea of being a large headquarters with a data center right around the corner on a different VLAN. You know?

Michael:

It's we're getting we're getting less and less. It still exists. Certainly, it still exists, but less and less of that. Companies like Zscaler and Netskope and, you know, they've they've done really well because that's the realization that that they've seen, and that's the message and the story and the narrative they're telling. The enterprise is, look.

Michael:

Your stuff's all out here. You need it everywhere. It doesn't matter where you are. Well,

Max:

as much as we're now starting to see companies push, you know, return to office, I have my own theories on that one, but, you know, we're we're in a different world. I don't think IT is ever gonna assume that everybody's sitting in a physical location full time ever again. Like, it's just not that ship sailed. One of the nice things, I mean, forget the whole, like, single single vendor definition. Just Cato, whether you have the access piece and you've got a box providing the SD WAN function or you've got the, the agent that gets installed onto a device, the experience from the user or even from the administrator at that point is a single platform.

Max:

Right? It's how you're connecting to that single platform. And then all these things that we're talking about become, you know, turn them on or turn them off, you know, keep them off kind of approaches. Can you run me through that real quick in terms of, like, foundational? Like, just at the very basic level.

Max:

We're not doing access. We're just gonna put the agent on our devices because we know we wanna improve, know, what's happening. We don't know what's happening with our endpoints. Right? Like, any one of these conversation, you know, subjects we talk, you know, hit like a nerve.

Max:

Right? So we start, let's get this deployed. But then within that, you've got options. Right? You've got, you know, you've got SWG and firewall and then CASB and DLP.

Max:

How do these things layer together?

Michael:

From the context of Cato, it's it's really simple. I would I would contend that everything starts with access. Doesn't have to be SD WAN. K. I still see the agent approach, sort of the VPN or the remote access boat.

Michael:

That's also an access component. Right? It's a means for connecting that user to the Cato SASE cloud platform. Right? And the idea is that once you connect, your traffic is now flowing through the platform.

Michael:

It's all there. All the context is there. The traffic is there. So it's as simple as adopting all of these acronym soup

Max:

Mhmm.

Michael:

Of services with the toggle switch. In the same UI, in a single UI, I want SWG. I turn the toggle switch on, define a policy. All my context is there. I know the user identity.

Michael:

I've got geo information. So if I wanna do some fun geo related controls, whether it's CASB or, heck, whether it's SWG Mhmm. I have that context available. And this context is a single shared context model throughout the entire platform. And it it all started with just getting the traffic there.

Michael:

Once the traffic's there, I can now apply all these different inspection engines at the flip of a switch in defining policy. I don't have to worry about integrating my IDP with SWG, integrating my IDP now with CASB, integrating my IDP now with RBI. It's all there already through one integration with that IDP, and that really is where simplicity kind of rolls in is less integrations, shared context across the entire platform, and you have one place to go where everything is. The metrics, the analytical data, the policy enforcement. It's all in one place.

Max:

And this I mean, again, these lines start getting really blurred. Right? Because SASE is part network, part access, part security. Like, it's it's, like, piece, piece, piece, piece, piece that kinda get, you know, shoved together. And then from a, you know, from a cybersecurity practitioner standpoint, you know, the the the the holy grail of concept was, you know, if you have if you get to the level where you can do SOAR.

Max:

Right? Like and but before that, foundationally, it's SIEM. You know? Can we collect all this data and shove it into one platform more than we can look at this one platform? I think part of the reason for that is is, you know, you wanna have all your data in one location so you can do an investigation.

Max:

Right? You can do correlations. But the other part of it was is that's what your option was. You couldn't you know, the average cybersecurity practitioner in an organization, an enterprise wasn't didn't have access to the firewall. So there was another team driving.

Max:

They didn't have access to SD WAN. Another team had you know, was doing that. Didn't have access to the endpoint. You know, like, there was or maybe they did because they rolled an EDR out. Right?

Max:

But, but that also changes again when you get into a single platform where you can now define, you know, a permission set and give access to this data to other to different people. You know? Do you need access to make routing and firewall changes on it, or do you need access to be able to see it and make decisions based on it? Right? Like, that that changes for people a lot as well.

Michael:

Yeah. For sure. It does. Would say that, it's it's kind of part of the the secret sauce

Max:

Mhmm.

Michael:

If you will, is well, there's a lot of great technologies out there, and they they do fundamentally what they're supposed to do very, very well. But one thing that most suppliers and most technologies don't do is sort of instinctively work together. Right? They have to be brought together through some integration stitched together in some way. And I think that when you have to do that, there's gonna be some challenges.

Michael:

Right? Challenge is 1 in adopting that and doing it to begin with. Right? But then maintaining any kind of element of innovation in that. You know, one moves.

Michael:

You now have to move the other one in some some extent. Right? You have to keep up. And that would it undoubtedly inhibit how the other one is moving, how the other one is developing or evolving or innovating. When it's all together in one platform, everything moves at once.

Michael:

Right? When when Cato decides, hey. We're gonna add endpoint context to because now we're running an EPP or an EDR. That endpoint context is now available everywhere. Now I'm I'm I'm using that endpoint context in my SWG policies, my CASB policies, my networking policies if I do have SD WAN.

Michael:

Now I'm controlling link aggregation or link selection or application priority based on the endpoint context even. Right? This is where the sort of single platform shared context model really shows its value. And and if you think about that as an as an IT administrator, you know, as a network, you know, engineer, Think about what that power has for you when when you can see everything in one place. You can define a policy as simple as, you know what, Windows updates.

Michael:

I'm gonna I'm gonna put a a shaper globally to 10%. You'll never use more than 10% of my available bandwidth. I don't need to define what my bandwidth is at any one location because that's already been part of the implementation of that location. I've already defined when I deployed SD WAN for that location. You know, you have link 1 at this and link 2 at this.

Michael:

I've already provided those values as a part of just simple deployment. But when I go in and administer it from a global perspective, one rule and I can I can adopt a policer or a shaper for that type of traffic and change their priority level in one rule globally? That's where the power of simplicity and convergence comes into play.

Max:

I I want a great example that people I I would imagine that next to 0, like, almost nobody is probably thinking about that in a selection process or an evaluation process for this. But then how much headaches have you dealt with in your career in IT where it's, oh, Windows up Windows update just happened, and our entire network just went down, basically. Right? I mean, this is you know, it's Cato has I I kinda group competitors to Cato into 2 buckets. I would I would put the 1st bucket in the what was, like, the SSE vendor where they were dependent on somebody else for, you know, access.

Max:

When when I say access in this case, I'll use the SD WAN as the access piece. Right? You know? And, and then the other side, I would put the traditional firewall manufacturer, traditional. Right?

Max:

They're all gonna say they're next generation. But the traditional firewall vendors that you we all know and love who've been gobbling up and either building capability or acquiring the capability. Now some of those firewall vendors, not all of them, have gone out and acquired the entire estate. They've either built it or they've acquired it. Where they have, They bought the SD WAN or or built it.

Max:

They have the firewall. They have the switch. They have the access point. They have a SWG, maybe. I mean, now if you've implemented any of these systems, you kind of understand that they don't all work in the same console, and they don't talk to each other.

Max:

But there is there is now pressure also on the traditional SSE, you know, competitors where they have to go figure out access now because their access components have been acquired by other competitors that aren't so friendly with them anymore. Right? So there's there's a lot of movement in the space going on right now. And in the case of the enterprise where you work in is coming in, the basic assumption, because you're not providing switches and access points, is there is going to be another vendor still there. They're gonna displace whatever components of some vendors.

Max:

Maybe it's already hodgepodged. Right? You know, if you're in the HP world, you were you you know, Silver Peak for your SD WAN, and you had a firewall, and then you had you know, like, you were already all over the map. And who knows what happens with Juniper? How how do you see this, like, evolving and playing out over the next 3 to 5 years?

Max:

Because, really, I mean, we're that's that's the bet cycle for most enterprises now is trying to figure out how do we make a bet that's gonna be you know, people people bet in 3 year intervals because that's what they're contracting like this. But, realistically, they're making, like, a 5 year bet, 6 year bet because, you know, you gotta be a crazy person to, you know, run through a 2 year project to deploy a new piece of infrastructure, then they'll, like, change it on year

Michael:

3? More consolidation.

Max:

Mhmm.

Michael:

I don't think that's ever gonna stop. But I also do see organizations like Cato are gonna find ways to get deeper into the LAN, for example. When we think about DEM and we think about having access and visibility to the full end to end, flow, You know, there are gaps that SD WAN, SASE, have. Right? We have the visibility through DEM, but what can we do?

Michael:

We can't do anything to the wireless network. We can't do anything necessarily, to the endpoint unless we have some sort of endpoint control. But it's getting closer and closer to the endpoint. And I think that means going further and further into the LAN. So there'll be some evolution.

Michael:

Right? Cato's SASE didn't start at the same time Cato started. Right? Cato was founded in 2015. I think we would argue that we were very much, maybe not exclusively responsible, but certainly had an influence on the sort of the the birth of SASE, as it's it's always been our model.

Michael:

It's always been our approach. But we started not as SASE. We started as this idea that we could deliver a cloud native IT security platform. Platform. It wasn't just SaaS.

Michael:

It was what can we do with this? Let's build it in the cloud first, and let's figure out what kinds of services we can deliver. Because if we build it right from the onset, it should mean we have every opportunity to deliver anything that is practical, to the enterprise. And, certainly, we're not stopping where the definition of SASE stops. EPP is not a current, acronym you'll find in the SASE construct.

Michael:

It may become there. XDR is not an acronym that falls into it. Yet these are things that that here recently, DEM. I don't think DEM has yet made the, the checklist, but it it could. But these are recent, evolutions, product, platform evolutions that Cato has released just this year alone.

Michael:

And so with that, I would say we're gonna we're gonna expand and continue to expand further beyond the definition or the framework of SASE. Again, the goal is to deliver as comprehensive of a of a platform to IT organizations around the world, and that means going further into the LAN, we're gonna go further into the LAN. Mhmm.

Max:

It's, I mean, I'll date myself. I started professionally 1997. So I'm I mean, what is that now? 27 years? 27 years into?

Max:

Few. Yeah. I was smart. I would have signed up somewhere where I could have retired after 20 years with a full pension, but, you know, what do you do? It's you know, when I started, we were in the process of doing token ring to Ethernet migrations.

Max:

And and, you know, so it was token ring to Ethernet, and then it became hubs to switches. And then just we went through a period of time where just everything became faster. Wasn't necessarily I I feel like there was monumental shifts in technology or improvements in technology. It's just everything got faster. Hard drives got faster, bigger.

Max:

Computers got faster, bigger. I mean, the I mean, the user experience is much better now than it was, you know, 20 years ago for sure. Some things we lost along the ways. I mean, if you've ever, if you were a GroupWise or a NetWare person. Right?

Max:

Like, you know, network's I'd what you could do with identity and and network and group wise, just we're we're just starting to scratch the surface again on, I feel like, you know, almost 30 years later. Right? We're finally getting back to where we were 30 years ago, but, I, I've I kind of I kind of fit this thing now where I look at it. I think about this a lot in terms of, you know, part of it is is centered around, enablement always for me. Like, how do you help people do more, do better, create leverage, create value, make some portion of their day transparent to them so they don't they don't know it exists anymore?

Max:

And, you know, the other part of it's it's you know, it comes in this guardrails of, like I don't wanna I hate the phrasing of, like, protecting people from themselves almost. You know? Every every threat now is a is a person based threat. Right? Like, used to be defined differently.

Max:

But now if you look at, you know, any any of the rankings of, like, what are your actual threat vectors? It's like it's people people people people people. Just what the what the vector against a person is. And and I I don't believe in this idea of, like, people are the problem. It's not their job to, like, be able to defend every attack that comes their way.

Max:

Like, you just you you can't you you you can't take school, you know, like like, people off the street and put them up against a professional army and expect you have a good outcome. Right? Like, you've got rocks and sticks, and I want you to know go battle this other modern, you know, force that has tanks and aircraft and, you know, drones. But, and and what I have liked as much as I don't like all these acronym soup things that happen, what I do like about what what SASE has these ideas, now it feels like collectively there's this this push now to do more for people and, like, actually try to help along the way with all these different things. You know?

Max:

IT teams need them. They probably have never been able to successfully purchase it. But if they buy something that has it, it's great. It's good for everybody. You know?

Max:

Like, you you know, like, these are not these are not bad things for people. You know? Anyways, when I go on, like, a soapbox around here for too long, but,

Michael:

No. I think enablement is it's it's fundamental, in every sense in where we're going, where we are already and where we're going. They're they were still we're still out educating.

Max:

Right? You

Michael:

know, SASE is 5 years old. Right? It's it's it's crazy to think that it's 5 years

Max:

old,

Michael:

but

Max:

That's just weird.

Michael:

We're out educating. So much of it is education, and I think that, honestly, the diversity in the market with what SASE is, really compels us to to really get after it and and do a lot of enablement, do a lot of educating because there is a lot of differentiation, and and it does mean something. And these differences do yield the different value down to the enterprise in the end. And if the enterprise isn't challenging on their own, if they're not saying, how do you do that? Show me how you do that.

Michael:

Then I think in a lot of cases, they're walking into something that they expect to be something that that isn't in the end or might not be in the end. Mhmm. So enablement is is a huge part of this.

Max:

Yeah. Mike, thank you very much. I think we I think we we we went around the horn here a little bit.

Michael:

That's that's what these are all about.

Max:

Right? I I appreciate it. Thank you.

Michael:

Yeah. Thanks, man. Appreciate it, Max.

Creators and Guests

Max Clark
Host
Founder & CEO of ITBroker.com