Why Backups Aren't Enough & Identity Recovery is Key against Ransomware


Think your cloud backups will save you from a ransomware attack? Think again. In this episode, Matt Castriotta (Field CTO at Rubrik) explains why the traditional "I have backups" mindset is dangerous. He distinguishes between Disaster Recovery (business continuity for operational errors) and Cyber Resilience (recovering from a malicious attack where data and identity are untrusted). Matt speaks about the "dirty secrets" of cloud-native recovery, explaining why S3 versioning and replication are not valid cyber recovery strategies. The conversation shifts to the critical, often overlooked aspect of Identity Recovery. If your Active Directory or Entra ID is compromised, it's "ground zero" and you can't access anything. Matt argues that identity must be treated as the new perimeter and backed up just like any other critical data source. We also explore the impact of AI agents on data integrity: how do you "rewind" an AI agent that hallucinated and corrupted your data? Plus, practical advice on DORA compliance, multi-cloud resiliency, and the "people and process" side of surviving a breach.

Questions asked:
00:00 Introduction
02:20 Who is Matt Castriotta?
03:20 Defining Cyber Resilience: The Ability to Say "No" to Ransomware
05:00 Why "I Have Backups" is Not Enough
06:45 The Difference Between Disaster Recovery and Cyber Recovery
10:20 Cloud Native Risks: Versioning and Replication Are Not Backups
12:50 DORA Compliance: Multi-Cloud Resiliency & Egress Costs
15:10 The "Shared Responsibility Model" Trap in Cloud
17:45 Identity is the New Perimeter: Why You Must Back It Up
22:30 Identity Recovery: Can You Restore Your Active Directory in Minutes?
25:40 AI and Data: The New "Oil" and "Crown Jewels"
27:20 Rubrik Agent Cloud: Rewinding AI Agent Actions
29:40 Top 3 Priorities for a 2026 Resiliency Program
33:10 Fun Questions: Guitar, Family, and Italian Food


Matt Castriotta: [00:00:00] Cyber resilience is your ability to bounce back. It's your ability to say no to paying a ransom.

Ashish Rajan: So I imagine a lot of companies also say, I hear you Matt. I've got backups, man. Yeah, I'm, I think I'm covered.

No, it's not. Having backup doesn't mean anything. Right. Do you have the ability to recover? That's the key.

Well, I feel like identity is the new perimeter. If identity's down, everything's down, you have no ability to access. Anything, your identity system is ground zero. If that agent did something erroneous, you need the ability to be able to rewind that back.

Are you backing up your identity? A lot of times conversations around cybersecurity resilience are framed around backup recovery, but not really around identity.

For this particular conversation, I had Matt from Rubrik, and we spoke about the evolution of how identity is becoming a key part of a cyber resilience program. In this particular conversation with Matt, we spoke about what does a cyber resilience program look like? If you're doing an uplift of a cyber resilience program, you should consider identity.

What does it mean for AI? What does it mean for backup and recovery? Should you go for cloud native recovery only? And maybe what does it make sense? If you are someone trying to comply to DORA framework from [00:01:00] Europe, or just the upcoming frameworks on, you should be able to recover more than just only certain portions of your organization.

All that and a lot more in this conversation with Matt on Cloud Security Podcast. As always, if you have been enjoying episodes of Cloud Security Podcast and if you're here for a second or third time, I really appreciate if you could take a quick second to drop a follow, subscribe, whichever platform you're listening or watching this on: Apple, Spotify, YouTube, LinkedIn, we are everywhere.

It takes only a second but helps us grow. So I really appreciate you showing us the support recently. We hit 1.6 million views, all thanks to you. So thank you so much for supporting in all the work we do, and I look forward to seeing you at one of the conferences upcoming. I hope you enjoy this episode.

I'll talk to you soon. Hello and welcome to another episode of Cloud Security Podcast. I've got Matt. Thanks for coming on the show, man.

Matt Castriotta: Yeah, thanks for having me. I appreciate it. Uh,

Ashish Rajan: I, well, I'm looking forward to this conversation. Could you start by just being, giving a bit of background about yourself?

Sure. Your professional background Yeah. Where you are today and all of that.

Matt Castriotta: Yeah, so, uh, so I'm the field CTO for cloud. So I shepherd the cloud business at Rubrik. I have been with Rubrik for seven years. Prior to that, long history in data management. I was a DBA at the very beginning of my [00:02:00] career and just found my way, my, found myself following the data path all the way through.

Worked for different iterations of data analytics companies along the way, and then, uh, ended up landing in a data protection vendor seven years ago. Never thought I was gonna go work for a data protection vendor, but, uh, here I am. Uh, and it's because Rubrik does some really cool stuff. So, yeah.

Actually share

Ashish Rajan: that with you. The conversation today is about cyber resilience. Mm-hmm. We are a database reinvent. Yeah. And obviously cyber resilience as a, as a concept has evolved quite a bit. Sure. It has ai know ai, it's already evolved so much with the complexity of compute and cloud and hyper cloud.

How do you define cyber resilience today?

Matt Castriotta: Cyber resilience is your ability to bounce back. It's your ability to say no to paying, paying a ransom. I mean, that's really what cyber resilience is all about. And resilience in general has evolved over the years, right? It was mostly focused on operational recovery initially.

Mm-hmm. Right. You know, an organiz, uh, someone in an organization might have made a, made a mistake, and they needed to rewind back to a [00:03:00] known point in time. Yeah. That the thing with operational recovery is, is uh, your data and your identity are still in a trusted zone. Mm-hmm. Right? Yeah. Yeah. Like, they haven't been impacted.

So I just need to rewind to a point in time before that thing happened. The advent of ransomware has changed the game. Like we finding out what the attackers did when they got in. We know what they want to do. They want to find sensitive data, they want to exfiltrate it. They want to inflict pain so that they can get a ransom so they can get paid.

We know that we don't know what they've done. How they've done it and what type of data were on those systems that were impacted. And then ultimately, what did they leave behind? What threats did they leave behind? And if I do go recover, I have to make sure I'm recovering a clean copy of data. And that's, that's the cyber resilience challenge.

Yeah. Is all of those things that you don't deal with when you're doing an operational recovery. So, interesting. Yeah,

Ashish Rajan: because when you say all that, and from an operational recovery perspective. Yeah. I think for me, I hear that as a capability rather than a tool that I [00:04:00] buy and just I'm done with the backup.

I mean, cloud native or not.

Matt Castriotta: Yeah. Yeah. I mean, it is a people process and technology problem, right. It's not just a technology problem, it's not tool you buy. Yeah. There, there is a, a people and process aspect to it too.

Ashish Rajan: Yeah.

Matt Castriotta: For example, ensuring that you have a runbook. If you're impacted, right. Ensuring that you have a safe place to do recoveries.

Yeah. If you're impacted, like that's all part of the people and process angle too. Having a really strong cyber resilience posture, but ultimately you need the visibility. You need to make sure that you have survivable backups to go back to. Yeah. That's gotta be paramount. Yeah. If I have nothing, if I have no backups, I have no recovery.

Yeah, yeah. Right. I have no I have no way of, of saying no. Yeah. Right. Yeah. And, uh, and, and once you ensure that you have survivable backups, then it becomes what is good? What do I need to recover and, and how long is it gonna take me to do that?

Ashish Rajan: Right? Yeah. Actually, it's an interesting point because you me, you mentioned the idea of cyber resilience [00:05:00] now is that you can say no to our ransom, right.

These days, ransomware is still very much common. As much as people like to believe it's an on-prem thing, it happens in the cloud as well. Happens everywhere. Yep. Yeah. So I guess in your mind the, the modern capability where it's an operational recovery capabilities, you're looking at mm-hmm. What, what. Do you expect as a reaction from companies that have done a good job on ransomware preparing for it?

Yeah. With, with this capability, right. In terms of how I'm being able to recover versus the ones who probably are not as, uh, mature in that, like how, what's the difference you notice between the two?

Matt Castriotta: Yeah. The, the first big stark difference I've noticed is that, uh, the organizations that do it, prepare themselves well ahead of being impacted.

It's a mindset shift. It's an assumed breach mindset. The primary goal is to keep the, the primary objective should be to keep the bad guys out of the environment. Mm-hmm. And a lot of security spend today is being spent on stopping the bad guys from getting in. Yeah, [00:06:00] that's right. Securing the perimeter.

Yeah.

Ashish Rajan: Prevention.

Matt Castriotta: Yeah. But that, that's, that's, that should happen. But the organizations that really succeed are the ones that have already gone beyond that. They've adopted this assumed breach mindset and they've gamed out the process mm-hmm. Of what a large scale cyber recovery would look like.

And when I say game it out, I mean, they've done tabletop exercises with their security organization, with its security teams that they partner with. Right. Uh, they. It and security are in lockstep with each other. And security has a vested interest in recovery. Yeah. Which security doesn't always have a vested interest in recovery.

Yeah. In organizations. Right. So ensuring that security is, is in the loop. And then they've actually gamed it out. They've gone through that process of what, what comprises my minimum viable company and what would it take for me to bring that back if assuming everything was impacted. And that's where I see the organizations that are successful.

Uh, unfortunately a lot of organizations don't do that today, so, yeah. Interesting.

Ashish Rajan: 'Cause, uh, is [00:07:00] there a. Because I imagine a lot of companies also say, oh, I can, I hear you, Matt. I've got backups, man. I'm, I think I'm covered. Yeah. Yeah.

Matt Castriotta: Is

Ashish Rajan: that good enough for 2025? No, it's not.

Matt Castriotta: No, and it's not. And and, and there was a flaw in, in how you worded that.

Yeah. Because you're right. I've got backups. I'm good. Yeah. Having backup doesn't mean anything. Right. It's the, do you have the ability to recover? That's the key, right? Yeah. Yeah. So you always have to think about it as like, I don't have, I don't have a backup. I have a, an insurance policy. I have a recovery plan.

Yeah. I have the ability to get my business back, so. Even the way you worded it is very much the flaw that I hear a lot of customers say, I have backups. I'm good. It's like, okay, you have backups, but do you have the ability to know which backup I would recover from if you were ever impacted? Yeah. Do you have the ability to identify clean?

Yeah. What is that clean recovery point that I'm gonna go back to, to ensure that, you know, to ensure that I'm bringing my business back in a, in a clean way. So, so yeah. Do

Ashish Rajan: you find that the whole [00:08:00] minimal viable business that people talk about that they should be able to cover from, and I, I, I would say, and I'll take the, uh, I guess the short end of the stick for this one.

Yeah. I'm sure some organization out there is. Stop for time from developers. Absolutely. They would definitely have the way that we have to figure out what's the, for compliance purposes, what tests do I do for recovery? That I can take that disaster recovery box Right. And move on with my life.

Right. Because I don't want to keep the developer any more longer than I need to. 'Cause we have planned this three weeks ago. Yeah. And we have idol, we've widely found five scenarios that they can do within a short span. Yeah. Yeah. And then as long as that works, we are good. We're good. Yeah. Like so is that enough?

Matt Castriotta: Yeah. No, it's not in terms of

Ashish Rajan: not just COV coverage as well. Yeah. Yeah. Is it enough from, from a coverage perspective as well?

Matt Castriotta: No, I, I mean, and you mentioned disaster recovery, and that's another Yeah. Big, uh, I think mistake that customers make, they assume their disaster recovery plan is just as good as, as a cyber recovery plan.

Mm-hmm. And it's not, those are two very different things. Disaster recovery is [00:09:00] meant to provide business continuity in the case of some. Some outage that has that, that where your data and your identity are still in that trusted zone. That's right. Yeah. Yeah. That's the key. Once the cyber attacker gets into the environment, most likely by acting as an authorized and authenticated user on your network they, you at that point, you're in the situation where your data and your, your data and your identity are inherently mistrusted.

Mm-hmm. So now I have to figure out. What did they impact? And then, uh, how do I get back to a good clean point? And I think that's, um, to your point, like I'll have customers to say, oh, I have a disaster recovery plan. And it's like, well, you have a business continuity plan. You have the ability to keep your business running.

Uh, in the case of the data, your data and your identity still being in that trusted zone. But do you have the ability to keep your business running?

Ashish Rajan: If what's, because I, I, can you double, double click? Maybe you have an example. 'cause I almost. Certain, many people would hear that, but isn't that the same backup?

Isn't that where I'm recovering from? [00:10:00] So yeah, like what's the difference? Do you have a customer care study maybe? Yeah. I mean, we

Matt Castriotta: do. Yeah. So we work a lot with customers that will that will assume that things that facilitate operational recovery or business continuity are equivalent to backup.

And we see this a lot in the cloud space. Particularly things like, uh, techniques like versioning, for example. I have multiple versions of my S3 objects, my S3 bucket gets impacted. I'll just rewind back to a version. Well, what version would you rewind back to? And if there were hundreds of thousands of versions that you had to rewind back to, how would you do it?

Right. So that, that once we start to like, and the other thing is replication. I replicate my data to another region. Yeah. Yeah. Okay. Just because you replicate your data, if your data's impacted in your primary region, the replication is replicating that impact to the secondary region. So you're like your, your secondary regions are now impacted too.

And we hear this a lot where customers will conflate this idea of continuity with resiliency. [00:11:00] Interesting. They're two completely different things. Yeah. Um, and, uh, and yeah, it's, it's an education process, particularly in the cloud. Yeah, because, because I think on-prem folks understand this, right? I think so, yeah.

Yeah, for the most part. Because on-prem has just been, you obviously been around a lot longer than the cloud has, so Yeah. And backup

Ashish Rajan: is like, it's not native on premise. Yeah. Backup is a lot more that I have to purchase. Backup. That's correct. Yeah. I have to purchase a server that's not

Matt Castriotta: just another service.

Ashish Rajan: That's right. Yeah. Whereas in the cloud, I just tick the box in S3 bucket. Now I'm like, right, yeah. And I'm protected. Yeah, yeah, yeah. Well, are you

Matt Castriotta: protected? Have you actually gamed out a recovery if you had to? Yeah. And what exactly are they doing? And then. And then it gets down to understanding the, the cost model of how that data's being stored, right?

Like, again, clicking that box. Means that you're essentially beholden to the to the tiering strategies that the hyperscalers provide. Mm-hmm. They may need to they may want to keep that data in a warm tier for 30 days before it can be cooled off. Oh, yeah, yeah, yeah. Right. Yeah. But that might, and that could meet [00:12:00] the need for tier zero or tier one applications.

But what about those tier three or tier four applications as you're running, right. Yeah. So. You know, you need optionality. You need to reduce the complexity because we know that you're not in a single hyperscaler. And ultimately those cyber capabilities are really what we, um, what we drive home.

Ashish Rajan: Yeah.

I, I think I was gonna throw another example in there about, I. You spoke about multi-region, there's also the whole conversation of multi-cloud where uh, banks may have a regulatory requirement that, hey, if you are primarily just AWS, you're back up. You should be, you're backing up into another cloud provider because what if Amazon goes down?

Yes. By the way, it has absolutely. Just recently as matter of fact. Yeah. Yeah. So I guess is that is this the theory still applicable and I guess in case of services going down, especially the DNS scenario? Yeah. How does this kind of capability. Work in that kind of scenario because then you don't have access to anything.

Matt Castriotta: Yeah. So it's a great call out. I think, uh, you're absolutely right, DORA. Yeah. And, and with the DORA regulations in the EU have really [00:13:00] shined a light on this. Yeah. I think we'll start to see just like we did with GDPR. Yeah. 'cause Europe led the, led the way with, with data privacy. Yeah. I think we'll see same type of idea around financial services and, and ensuring that they have resiliency of that data or protection of that data across multiple.

Uh, across multiple hyperscalers in the case of DORA or in different regions. We yeah, we're gonna see that we're gonna see this more and more. Yeah. Right now what I'm seeing, and I don't, I don't know if this is, um, if this is endemic, but right now what I'm seeing is that the, a lot of folks are treating that DORA as sort of a checkbox.

I'm just gonna make sure that I copy my backups to Azure. Yep. I'm not gonna make sure they're in a format that Azure can even understand, nor am I even gonna ever test a recovery Yeah. Back into something in Azure because AWS and Azure are two completely different things, so Yeah. Yeah. Like I've now copied that to another hyperscaler.

I'm good. Right? Yeah. Yeah. So, um, that's what I'm seeing right now. Yeah. Around DORA. Yeah. Uh, specific to financial services, but. It [00:14:00] will evolve eventually. The challenge there, a couple challenges there. First is egress cost, right? Yeah, that's a big one. Yeah. I think we can all agree copying data out of a hyperscaler to another one is not a cost effective thing to do.

Uh, and then the other thing is conversions VMs that are spun up in AWS uh, look, nothing like ZA spin app Azure. Yeah. And how do you do that conversion and do it on the fly? Yeah. And do it in a way where I can. Build my application on the other side cleanly. That's still all being sort of worked out.

And the cloud, the cloud providers do, the hyperscalers do have tools Yeah. To do that migration. I just don't know if they're, uh, if they're robust enough and you know, the, that conversion is hairy.

Ashish Rajan: Yeah. But I guess to your point, it's, it was a fear of for a long time, no one ever really.

Question, the high availability that was promised by Amazon or Azure, right? Correct. And obviously the instance like these makes you question. If a service like Amazon is going down, where am I recovering it to as well? Like, what am I recovering to? Where am [00:15:00] I just putting it? Yeah, yeah, yeah. So that's

Matt Castriotta: a great, it's a really great call out.

So, the hyperscale, I think this concept of the shared responsibility model, I hope the, I hope your listeners, have, you know, have this top of mind. The hyperscalers are responsible for the uptime and the performance of the services that they provide. Yeah. They're not responsible for the data that you store in those services.

Yeah. Yeah. That's your responsibility. So if you ever had to run into an issue, uh, as a situation where data was changed. In a malicious way, they, they may or may not have your back. Mm-hmm. For the most part, it'll be a best effort type of activity. So yes, you would protect your data in the cloud just like you would protect it on-prem.

Uh, that's the first thing I would say. The second thing I would say is, um. Even the hyperscalers have problems with visibility. Right. We saw it with the east one region outage. Yeah. With, with the, with the Dynamo DNS, it took them an entire day to get their most critical and impactful region. To, to full back to full capacity.

Yeah. It was 9:00 AM uh, [00:16:00] actually it started way earlier than that. And then, uh, back up by 6, 6, 8, uh, I think it was like 6:00 PM Eastern. I'm on Eastern time. Uh, and then a week later, the front door outage. Yeah. With Azure. Yeah. Right. Yeah. Azure front door is all of a sudden unavailable. And content management is, you know, content delivery is down.

Ashish Rajan: Yeah. Yeah. And then Cloudflare after that as well. Yeah. Yeah. And then

Matt Castriotta: Cloudflare after that. Right. So this. These will become more common and even the hyperscalers struggle with the complexity of what they've built. Yep. So if even the hyperscalers struggle with that, you know, our customers are struggling with the complexity of what they've built too.

Yeah. Yeah. And they need a recovery plan, uh, that can get them back quickly. And I, and I, I, yeah, I mean, I, I, that's sort of how I like to position the those outages in that context. Yeah. Because I guess

Ashish Rajan: too, what you said. This almost begs the question that for people who are very cloud native, cloud first we do everything.

Amazon, Azure, Google Cloud, doesn't really matter. Yeah. Because A maybe cost effective A B what? Whatever, insert multiple, whatever rationale you [00:17:00] use. Yeah, yeah, yeah. Partnership build of, of cost, whatever. Right. I definitely find that if you are an organization that has. Figured out that certain applications require a certain level of availability.

Yes. In respect to the cloud provider. Right. I can't imagine like an internet banking going down, right. For anyone. Can you imagine like how much mil, how many millions would be lost? Oh, yeah. And there's, oh, sorry. The DNS of my cloud provider went down, so Yeah, yeah, yeah. We couldn't,

Matt Castriotta: sorry. Yeah, sorry. I would

Ashish Rajan: wish to kind of give you a money, but.

Do you, because you mentioned identity as well earlier when we are talking about recovery. Yes, yes. What's the context of like, so obviously I get the backup, recovery, all of that. Yeah. What's identity got to do with this?

Matt Castriotta: Yeah, so, well, I feel like identity is the new perimeter. Okay. Right. Um, we talked about, at there was this concept of the network perimeter.

And I think the perimeter is moving a little bit further towards the center of the circle. I think it's moved more to the identity layer, and that's because that's how attackers are gaining a foothold into environments. It's usually by infiltrating some you know, some known identity within that [00:18:00] organization through social engineering techniques.

You know, there's lots of different ways they can get ahold of an identity leaked AWS keys. Oh, right. Yeah. All the time. Uh, they have bots constantly scanning for leaked keys Yeah. That they can then go and use to log in. So it's all about infiltrating a specific account. Moving, uh, uh, escalating privileges so that they end up with admin privileges somewhere along the way through usually a misconfigured role.

Okay. An IAM role or something that's misconfigured. Uh, and then moving laterally. Yeah. Right. And the lateral movement is usually cross account, could be cross region, could even be on prem to cloud, or could be cross cloud.

Ashish Rajan: Yeah.

Matt Castriotta: So in my mind, we have to look at identity as that new perimeter. And if iden, if your identity systems are down, think about it.

That's your way and that's the keys to everything. If identity's down, everything's down, you have no ability to access [00:19:00] anything. So your identity system is ground zero. It's the perimeter. It's what we need to protect, and you need the ability to bring that back first before you bring back anything.

And when I say bring it back it could very well be that, uh, they, um. They, they impact in your entire identity system where you need to do something like a forest level recovery with an Active Directory or without, within an Entra. Or, uh, it could just be that roles need to be rewound. Yeah.

Uh, that could be in roles that got created for them to facilitate their lateral movement. So there's lots of different ways that you would recover your identity systems, but that has to be in a good state first before you can do anything else. It's interesting. Oh, yeah. That's, that's kind of how we look at it.

Yeah. To your

Ashish Rajan: point and I, I a hundred percent agree, identity has been top of mind for a lot of people with AI and everything else as

Matt Castriotta: well. Yeah. And all of the overly permissive non-human identities that are being created as a part of the ai. I think I, I listened to a po uh, an episode of your [00:20:00] podcast recently.

You had someone from Box on. Yeah, yeah, yeah. That was talking about non-human identities being sort of that. That critical you know, that critical ground zero, we're seeing it everywhere. Yeah. Overly permissive things are being created. Yeah. Because AI needs access to all the data that's Yeah.

Right. Yeah. Yeah. So those things need to happen and, and I think, um, yeah, it's only gonna get worse. Do you find that's better? Unfortunately,

Ashish Rajan: because it's, it's interesting 'cause people look at identity normally as a, as a point of compromise rather than something that I talk about in my recovery conversation.

Matt Castriotta: Yeah.

Ashish Rajan: Security programs moving forward. Especially in this AI world, the recovery conversation, to your point about operational recovery, should right, not include, not just the fact that I can back up, I can do disaster recovery, but also the fact that, hey, is my identity protected and would that be backed up as well?

Like am I doing an active directory right

Matt Castriotta: now, right. Yeah, yeah, yeah. It's a great call out and I think, uh. You know, there are, there are businesses and I'm, I'm not gonna name any [00:21:00] names or competitors, and I'm not in the business of, uh, of you mal maligning, anyone we compete with. Yeah. Because we're all in this together, we're all in this trying to protect our customers. Uh, but there are businesses that were built solely on just protecting identity systems. Mm-hmm. Right? Yeah. Um, so yes, absolutely. Your identity system needs protection not only from an operational. Error and to be rewound, but also from the fact that an attacker could could make many modifications to your identity system to facilitate their lateral movement.

Yeah. And that's really the, um, that's really the one you want to protect from.

Ashish Rajan: So I Identity is so complex, man. You have the whole PAM system. Yes. This MFA. There is like users in the cloud, users in on-premise. Yeah. User of your ai, right. There's

Matt Castriotta: your

Ashish Rajan: conditional

Matt Castriotta: access roles. Oh yeah. There's service principals.

There's how applications interact with services within the cloud. Yeah. Environment itself. And there's also how humans interact within the cloud [00:22:00] environment itself. And then now you're adding the AI complexity on top of it. Yeah. How LLMs interact and how model context protocol servers get data. Yeah.

From RAG, you know, RAG. Data from multiple sources into, uh, and they they're using non-human identities to do that. That's right. Yeah. And, and that's really the key is, is it's going to get messier before it gets cleaner. Yeah. Uh, and we just need to make sure that we're keeping that top of mind to customers, that they should be treating identity as a data source, just like any other data source in their environment.

Ashish Rajan: Interesting. 'cause I, I wonder how many people, and I don't think I'm, I've been guilty of this even when I was a CISO. Recovery conversation never included identity. I mean, I don't even know when was the last time people even do identity recovery as a thing,

Matt Castriotta: right?

Ashish Rajan: It's more like, oh, Ashish got compromise.

Let me roll back his credentials. Right? Yeah, yeah, yeah. It's never a no. Can we bring up everyone who we have lost because we have a compromised Active Directory, right?

Matt Castriotta: Or can we do a. Forest level recovery. Yeah. Or can we [00:23:00] recover an entire domain and do that in a way that is just a few clicks that's gonna take me minutes to get back and not hours.

If you're following the Microsoft Runbooks to do it, it could take you hours. Right. Then that's the, that's the challenge and I guess very complex.

Ashish Rajan: This is where. Are there any blind spots to I and I, I guess I've been guilty of being very cloud native for a long time because you almost are drinking the Kool-Aid from Amazon Azure.

Everyone's saying that, well, this is the way forward. Yep. Like the most cost effective way, engineer the first day. Sure. Whatever you wanna label on top of it. Right. As now that I've spoken to you about, I guess obviously I understand the gaps now. Now we've all had incidents with Azure and AWS as well.

Sure. So we are all, all opening our eyes for, hey, this is not a 99.99. Whatever the number of nines were. In terms of identity and bringing this together in recovery. 'cause that's usually a separate department as well. It

Matt Castriotta: is. As a matter of fact, it's a very different persona. Yeah. Which is why we treat it as a completely different business unit at Rubrik.

Yeah. Interesting. 'cause I was gonna say, so we, it's not your [00:24:00] typical cloud persona. It's normally, or even the backup person. No, no, no, no. Or nor is it people that even. Have thought about backup sometimes, right? Yeah, yeah, yeah. So it's like you actually have to get them to think about backup first. Yeah.

Oh yeah, that is probably something I should do to, because to your point,

Ashish Rajan: most people are looking at this as it is as simple as a. One identity or compromise. Right. Or one secret core compromise. Right. Or someone had excessive permission. It's always an individual. That's right. It's never a group of people or the entire Active Directory or Entra ID.

Matt Castriotta: No, but it is an individual and it's how those individuals facilitate their ability to move through the environment. Because again, assuming the individual is malicious. Yeah, yeah. Of course. They've, they've compromised a valid identity. And what they have done in order to be able to move laterally through the environment is really where you need the visibility and then the ability to rewind that back.

Ashish Rajan: Do you find the, the conversations evolved more? I mean, have the, have it has. It [00:25:00] has the whole cybersecurity resilience added more legs with other parts, not just identity and backup. There are additional components being added with AI in the picture? Like what, what are you seeing as other topic, top of mind people, sorry, top of mind topics, especially when it comes to building resilience in an organization.

Matt Castriotta: Yeah. I, I think I do think that AI has really opened people's eyes to the fact that, that the data is the gold. Yeah. It, you know, like we always talked about data being the new oil. Like that was, I remember back in the big data days with Hadoop, everybody used talking about data being the new oil and data.

Data's the data's analytics, and it's the com. It's the lifeblood. And I don't know if that ever really took hold. But I certainly am thinking now it is taking hold, right? Yeah, yeah, yeah. That the data is really where it's at. Yeah. Like that, that is your, that is your crown jewels. That's right. And then access to it.

Mm. And how you facilitate that access. And then ultimately the outcomes that you get from it are all things that, that every [00:26:00] organization I'm talking to are thinking about. Um. But there's challenges there. There's challenges, uh, in that way. There's challenges not only in what you give it access to with agentic AI, there's challenges with what changes those agents might make that, or hallucinations those agents might make.

Yeah. To that data. That ultimately, uh, could cause you to have to rewind back what that agent had done. Right. So like, again, it's not just about LLMs now and getting intelligence and ragging data from different sources, uh, and using MCP servers to connect to all these different sources. Like that stuff is, is.

I think at this point, even though we're still early in that journey, yeah. I think at this point that's an understood sort of like concept. What we want to do is use AI to facilitate productivity. To increase productivity. Yeah. And if we gonna use AI to increase productivity we're gonna need we're gonna need to remove the human in the [00:27:00] loop.

The human in the loop right now. Is what's getting in the way. Yeah. Now I, it's not gonna be for everything everybody says AI's going to going after everyone's jobs. It's, it's not going to be for everything. And as a matter of fact, I think we're early in the agent life cycle right now, where I think there's still a human in the loop in many instances.

But that will decrease as we go along. Yeah. And when that does decrease and there's less humans in the loop. You need the ability to understand what that agent did, and if that agent did something erroneous, you need the ability to be able to rewind that back. Uh, and that's something that Rubrik is really focused on.

That's our next phase of growth for our company. Uh, we launching Rubrik, Rubrik Agent Cloud. So the ability to not only get visibility, it's an agent ops platform, uh, the ability to get visibility of what agents you have out there, but also visibility of what those agents are doing, and then the ability to rewind back the systems that they impacted along the way if they ever hallucinate or make a bad decision.

Ashish Rajan: Interesting one because now Amazon also announced, had three agents or whatever they, the found [00:28:00] foundation agents. Yeah, I know. Yeah. I actually

Matt Castriotta: wasn't at the keynote, but yeah. Gives you get announced. Yeah, it's an interesting

Ashish Rajan: one. 'cause I think, uh, even for people who may not, may have thought that, say we don't use ai, but now we have foundational models, uh, sorry, foundational agents being created by Amazon themselves.

Right. So AI and no ai. Now you have a native capability. We don't, I guess, obviously I haven't played around with it, so I don't know how they'll manage it. What the recovery, blah, blah. Yeah. There's

Matt Castriotta: a lot to, there's a lot of, uh, uh, variables there.

Ashish Rajan: We'll

Matt Castriotta: have

Ashish Rajan: to

Matt Castriotta: explore

Ashish Rajan: as we go along. I say. If you were to put into a, a situation where you have tell a CISO on who's uplifting, there is a backup and resiliency program.

I, I, I imagine most people already have a backup recovery idea. Mm-hmm. What they're doing. Mm-hmm. Whether it's com, whether it's compliance driven, tick, box, doesn't really matter. Sure. They already, some, most people have one. At least in an enterprise, everyone has one. If they're designed to uplift it for 2026.

Whatever they're trying to do. What do you think they should consider having in there as capabilities that they should consider AI? I don't know. [00:29:00] Any top three things that you think they should? There as a AI moving forward? AI, no AI. These are things I should be considering for, for a future ready, uh, resiliency program.

Matt Castriotta: Yeah. I'll, I'll start with some of the people and process things. Yeah. Because we, as we mentioned, there's a people process and technology angle to all of this. Yeah. On the people and process side, the ability to, to know the assets that you have and the RTO expectations for each of the applications that you're running in your environment.

Mm-hmm. You'd be amazed at how many customers I talk to that don't have a CMDB. Right. And are not in the inventorying exactly what they have. Yeah. And shadow IT is still a thing. Right. Yeah. Untracked buckets are still a thing. Yeah, they're everywhere. Yeah. And and I think like, you gotta get your house in order.

Yeah. That's number one. And, and that, yeah, Rubrik can help, but that's not our main core driver. Right. Our main core driver is gonna be after the impact has occurred, how quickly can you get back? And that's really three different angles to that. The first is what happened? So the boom has occurred.

[00:30:00] What happened? What systems were impacted, and what do I need to focus on first? Yeah. According to what's important to me, which again goes back to that initial statement of inventorying. What's really important to your organization? The second thing is what kind of data did it have on it and who had access to it?

Because there's gonna be, you're gonna have to understand, uh, what your impact is there for regulatory reasons, data breach, reporting reasons, all of those things. But also just to know if the attackers may have gotten a hold of sensitive data. That's their primary objective. By the way. It's not to encrypt your data or delete it.

That's them flipping off the lights on the way out the door. Yeah. Their primary objective. Find and exfiltrate sensitive data. I can monetize that regardless of whether you pay me or ransom not. Yeah. So understand the type of data you have and who has access, the who has access part is really important because when an identity gets compromised, you want to be able to understand what the scope of what they have access to is, assuming they don't change privileges or escalate privileges or things like that.

[00:31:00] Yep, yep. And then the third is ensuring that you understand, uh, where those threats are. Mm-hmm. Um, are there threats like EDR/XDR tools, perimeter tools that track threats coming in? They're gonna miss. And when they miss, and a threat lands in your dataset, hopefully you catch that threat before it detonates.

But if that threat does detonate, you need the ability to be able to understand where my clean copies are. Yeah. My backups, and bring those back so I can bring my business back to a clean point. Mm. Um, and that's where our, you know, Rubrik has this, uh, this idea around preemptive recovery. Mm-hmm.

Because we precalculate what's clean. We can tell you essentially where that clean copy is, and then the ability to be able to bring that back. I think that those are the three, three things that customers are really gonna need to focus on. Uh, because again, our biggest, uh, the biggest risk today is cyber.

Yeah. I, I think, I think we all agree. It is not uh, is not fire flood. Those days are over. Uh, it is someone gaining malicious access into your [00:32:00] data and you just need to be able to get that back, and get your business back. Awesome. Quickly.

Ashish Rajan: Uh, I mean, this has been insightful 'cause I've those are technical questions.

I, I've got three fun questions for you as well. Sure. Yeah. Uh, first one being, where do you spend most time on me not trying to solve the backup, recovery problems, resiliency problems in the world?

Matt Castriotta: I am a, an avid guitar player. I, uh, I'm actually getting pretty good, I gotta say. Oh yeah. It's, did you play for bad?

It's, it is. No, I don't, it's something I picked up later in life, uh, because you know, when you get, when you get into your forties, you're kinda like, I need a hobby. Yeah. Uh, and then, uh, so I've been, I've been playing for about 10 years now. Uh, my baby is my Martin d. D 18. Oh, I love that guitar. It is my baby.

I actually, I'm so in tuned, my ti my son walked by it and strummed it. Yeah. And I, and it's like, like I was like, wow. And I could like, hear it and I was, now, I was worried like he was playing around with it. So I was like, you know, like, don't touch that please. Uh, but anyway, no, that I do, I play guitar a lot.

Uh, I am not in a band yet. I am I am [00:33:00] being professionally. Taught, and, you know, maybe someday I'll perform. That's kinda like a big BHAG for me. Yeah. Yeah. I'd love to. I mean, well,

Ashish Rajan: if anyone's watching and wants to give, give you a shot. Yeah. Yeah. That's it. I'm ready, I'm ready to play. Yeah. Yeah.

I, I

Matt Castriotta: would consider myself a really proficient camp campfire guitarist at Point. Point. Okay. Oh, but

Ashish Rajan: you would consider yourself or you I would. Okay. Right. Absolutely would. Yeah. So,

Matt Castriotta: But can I do more complex things within the context of a band? That would be, that would be, does that mean

Ashish Rajan: you can sing as well then?

Matt Castriotta: Oh, not right now. I've lost my voice. You know, it's all the dry air and smoke, uh, in the casinos, but you can normally, I don't know. Yeah.

Ashish Rajan: Oh, well, well, that's a

Matt Castriotta: different type of training. Yeah. I'll leave voice training for that. But yeah, I'll, uh, I'll, uh,

Ashish Rajan: I'll look forward to an episode where we get to have you sing as well.

Yeah. Yep. The second question I have is, uh, what is something that you're proud of that is not on your social media?

Matt Castriotta: Uh, I gotta say, I'm really, I'm really, I, I would. I would, I it would be on, it wouldn't even be on my personal social media. 'cause I don't, I don't share a lot about about me personally, I, I'm mo [00:34:00] focused a lot on professional social media, not personal.

But I'm really, really proud of the three boys that, that my wife and I brought up. I have two in college right now. They're starting to become men. Yeah, it takes time, but they're starting to become men. Uh, and I've one, uh, that's a sophomore in, in high school, getting ready to go to college and, uh, yeah.

Seeing the, the young men that they've grown into is, is pretty impressive.

Ashish Rajan: That's awesome.

Matt Castriotta: Uh, I was, I gotta say, I was a little scared there at first that maybe I'd made some errors along the way, but my parents always kept me grounded. Keep instilling good values in them. Keep teaching them the value of being a good person.

Yeah. And, uh, ultimately you'll see that, that, that payoff later on. So only that's been the case. Only

Ashish Rajan: takes 18 years to, it takes a little while. Right. It takes a little while to realize it. Uh, but,

Matt Castriotta: but yeah, I think that's starting to get there. So not fair. I

Ashish Rajan: think you're sharing that Final question. What's your favorite cuisine or restaurant that you can share with us?

Favorite cuisine? Uh, I love Italian food.

Matt Castriotta: Oh, right. Uh, I am Italian. I'm a hundred percent Italian. Uh, my wife [00:35:00] is Irish. And, uh, yeah, so our kids are, are half Italian, half Irish. I grew up eating pasta twice a week. Uh, I love carbs and yeah, Italian food, just like, and now guess

Ashish Rajan: your wife loves Guinness.

Matt Castriotta: And my, my wife loves be, loves beer, uh, and, and, uh, absolutely loves like meat and potatoes. Yeah, she's definitely the meat and potatoes one. So, so I'll try to bring some of the Italian flare to the, to the table. She'll bring some of the Irish flare to the table and, and we make a, we make a good match, so.

Awesome.

Ashish Rajan: Dude this has been great. Thank you so much for sharing, man. Yeah, thank you. Ashish. Where can people,

Matt Castriotta: I'm a little bit of a fanboy, by the way. I appreci I have listened to your podcast before and, uh, yeah, it's great. Som no, thank you. I'm really happy with the work you're doing and yeah. Yeah, it's been great.

Ashish Rajan: So I really appreciate it. Thank you for sharing that. And I guess we, can you come a full circle as well from listening to what being on the show as well? Yeah, yeah.

Matt Castriotta: It's, it's pretty cool.

Ashish Rajan: Yeah. Yeah. So maybe where can people connect with you? Where can people find more about what you Yeah, they can find me on,

Matt Castriotta: they can find me on LinkedIn.

Uh, I think that's probably the best way to get in touch with me Castriotta, and, you know, I'm sure [00:36:00] you'll have it in your description, spelling and all that. Uh, but yeah, find me on LinkedIn if you ever wanna know more about data in general. Right. Protection, resiliency, as well as how to best operate against your data.

That's, that's been my, my, uh. Been my, my bag to carry for the last 25 years. So, yeah. No. Awesome.

Ashish Rajan: Thank you for sharing that. I'll put that in the show notes as well. Cool. And thank you everyone for tuning in as well, as we'll see you next time. Thank you for listening or watching this episode of Cloud Security Podcast.

This was brought to you by Tech riot.io. If you are enjoying episodes on cloud security, you can find more episodes like these on Cloud Security podcast tv, our website, or on social media platforms like YouTube, LinkedIn, and Apple, Spotify, in case you are interested in learning about AI security as well.

To check out a sister podcast called AI Security Podcast. Which is available on YouTube, LinkedIn, Spotify, Apple as well, where we talk to other CISOs and practitioners about what's the latest in the world of AI security. Finally, if you're after a newsletter, it just gives you top news and insight from all the experts we talk to at Cloud Security Podcast.

You can check that out on cloud security newsletter.com. I'll see you in the [00:37:00] next episode,

please.
