Why Siloed Security Fails in the Cloud: A New Horizontal Approach

Your vulnerability management, data security, and identity teams might all be doing a fine job, but if they're not working together, you're missing the biggest picture in cloud security. In this episode, Micki Boland (Check Point) and Eyal Golombek (Wiz) discuss how the #1 blind spot for security leaders is "thinking of cloud security in verticals... and not really seeing the full horizontal picture". The conversation breaks down why traditional, siloed security structures fail in the interconnected cloud. We chat about the critical need to think like an attacker and analyze the horizontal attack path, understanding how a vulnerability, a misconfigured identity, and data exposure can combine to create a critical risk.

Questions asked:
00:00 Introduction
02:20 Who are Micki Boland & Eyal Golombek?
03:40 What is Cloud Security in 2025?
08:30 The #1 Blind Spot in Cloud Security: Thinking in Verticals
10:25 Why Traditional, Siloed Security Methods Fail in the Cloud
12:30 Shifting Left & Right: Connecting the Full Security Story
14:30 Gamification: Making Developers Part of the Solution, Not the Problem
15:25 How to Build Trust with Developers Without Slowing Them Down
17:15 Connecting External Threat Intelligence with Internal Posture
19:00 The Feedback Loop: Connecting Incident Response & Exposure Management
20:15 Unlearning Old Habits: Moving from On-Prem to a Cloud Mindset
24:20 Is Detection & Response Enough? The Need for Prevention
29:20 The Future of Remediation: The Psychological Barrier to Automation
35:20 Beyond Posture Management: The Shift to Exposure Management
38:40 The Biggest Cultural Challenge: Democratizing Security
42:00 The Wiz & Check Point Partnership: Expanding the Graph
44:00 Final Questions

Micki Boland: [00:00:00] Like military intelligence, I always like to say is like, we're looking far afield. We're looking at signals, right? Threat signals all across the globe. We're looking at our own, uh, internal self to see what's going on. Case in point, there's leaked credentials that no one knows about yet, right on the dark web or uh, in a hacker channel.

At the same time, this is happening, you see an attack against your organization on your cloud assets.

Eyal Golombek: The blind spot is thinking of cloud security in, in verticals. And not really seeing the full horizontal picture. You have your vulnerability management team, you have your data security team, you have your identity team, and they're all doing a fine job, but no one's actually trying to understand, well, how are all of these connected?

How do you do this without losing that trust from your developers? Developers can feel part of the solution and not necessarily feel like they're the problem. I think truly the number one gap is psychological willingness to accept, you know, auto patching. It's funny, right? But it is a challenge. We're all kind of afraid of a system fixing things for us.

Ashish Rajan: If you work for a SaaS company, ISV, [00:01:00] and you're trying to figure out how does the cloud security market and traditional market kinda fits in together into solving cloud security, then this is the episode for you. I had a great conversation with Eyal and Micki. Eyal is from Wiz.

Micki's from Check Point. We spoke about some of the current challenges they're seeing with their customers and what are some of the blind spots that ISV are facing specifically, and why is there a need to think about threat detection as well as prevention in a different way in today's day and age?

'cause clearly cloud security has changed quite a bit in 2025. There's a lot more variations of cloud security. They kinda explain their definition of what cloud security means as well and how you can position yourself in your organization to take advantage of the way Cloud Security's evolving to. I hope you enjoy this episode with Eyal and Micki, and if you're here for a second or third time and you've been enjoying episodes of Cloud Security podcast, I really appreciate if you hit the subscribe follow button on Apple's Spotify, if that's where you're listening to this episode, or on YouTube, LinkedIn, if that's where you are watching this episode.

I hope you enjoy this episode and I'll talk to you soon, peace. Hello, welcome to another episode of cloud security podcast. I've got Eyal and Micki with me. Thanks for coming on the show.

Micki Boland: Thank you. Great being here.

Ashish Rajan: [00:02:00] Great to be here. Well, maybe to start off with I can maybe have some introductions. Maybe Micki, if you wanna start with, thank you.

Your background. What have you been doing in the cybersecurity space?

Micki Boland: Yeah. Awesome. Thank you. Uh, so I'm kind of an old dog and I was in cybersecurity before it was cybersecurity. Uh, my background's military, uh, ex-military, and, uh. I did some defense work and, uh, I, uh, I was mostly in Tel Networks and Sprint, so Telco, MSP doing hardware, a lot of hardware and software.

Uh, and then I've been at, I have my own company and doing digital forensics for a while, and then I've been at Check Point for about 13 years. Oh wow. Yeah, I love it. I mean, it's really, there's no boring day, right? There's no boring day, and I really love emerging tech and AI. So those are the things that I'm really focusing on now.

And the intersection with cybersecurity. Of course.

Eyal Golombek: Course. Yeah. Yeah. So I'm a product manager. Actually, my background is from engineering, like started as a software engineer, also from military, actually did a [00:03:00] couple of years in the. Uh, equivalent of the NSA back in the 8200 unit. Yeah. Uh, but then since then, really focused on innovation, the startup, uh, space.

I joined early on at a startup called Dazz. Oh yeah. Um, yeah, really exciting starting a company from scratch, really seeing it grow. And, uh, yeah, we got, uh, acquired by Wiz. So now I lead the team of product managers at Wiz. Um, and it's, um, the same as you, right? Innovation really drives me. Seeing how AI blends into the space is just so exciting.

Ashish Rajan: Yeah. And maybe it's a good place to start the conversation as well. I've been asking this. I feel like AI is just separate. So many things that people just redefine certain assumptions we had about the space. So. How do you guys define cloud security in 2025?

Micki Boland: Wow. It's, it's really, it's like super accelerated, you know, hyper accelerated, I think, into cloud. So we have customers that like, are traditional customers. They're on-prem and they're like, oh, we're gonna cloudify. Maybe it's a cloud first strategy, new applications in the cloud, a little bit of backup into [00:04:00] the cloud now.

It's completely hybrid cloud. It's cloud everywhere. There's really not anything that a customer has, especially in development. In AI, there's nothing that doesn't touch cloud. Mm-hmm. And so we've had customers really change their minds because, and they're not in just one cloud, they're in multiple clouds and not that just multiple clouds.

Security or cloud service providers, but multiple like public cloud, but multiple environments where they have like a one cloud strategy on-prem in colos across. Many public clouds mm-hmm. To create a big ginormous cloud. And that's a lot of complexity, but there are ways to actually make it easier Yeah.

And more elegant. But, uh, yeah, it's been phenomenal. It's just, uh, it's exciting because the big customers really get it. Yeah. And the smaller customers, uh, mid-size, they'll try to make it more like a traditional infrastructure and that doesn't always work. So we always helping them though. Yeah.

Eyal Golombek: Awesome. [00:05:00]

What's your definition of cloud security? Yeah, I think what's so exciting about cloud security, it never stops, you know, innovating. So 2025 is nothing like 2024, and it's probably nothing like what 2026 is gonna be. I think we've seen such a big scale with AI, right? So cloud security has always been about, you know, growing fast, moving fast, changing fast.

Changing what we thought about traditional security. But really with AI, it opens up the door for growing even faster and bringing in new problems, but also leveraging AI to solve longstanding problems where we couldn't solve them. So I think that's what 2025 for me is. Yeah.

Ashish Rajan: Interesting.

And maybe to kind of take that next step then, what are some of the security challenges you guys are seeing with your scale up ISVs? Whatever use name you wanna use for it. In that industry, what are some of the security challenges that you guys are facing?

Eyal Golombek: Yeah, sure. So cloud security, I think, you know, is not a super new term, right? Yeah. But obviously as, as we kind of grow, it keeps changing. And I think cloud security has always been challenging because it's very different than what we, we were used to in the [00:06:00] past, right? Traditional security is nothing like cloud security.

And I think, you know, really understanding the cloud nature and how ephemeral it is, how it changes every day, how things go up and go down. And, and you know, what you thought about your environment yesterday is not what it is today. So that changes so much in, in, in this AI era. It even enhances that dramatically.

Right? So I think the biggest challenge is just keeping up with speed and making sure that our day-to-day operations as security practitioners involve deep understanding of the cloud and not trying to take what we used to do, you know, 10 years ago and do it again now, because it just doesn't work. We have to think.

In the cloud mindset, I think. Yeah, absolutely. Yeah.

Micki Boland: I, I love it. I agree a hundred percent. I think that, you know, it's all about agility and speed. Yeah. And it's also about, about saving costs. It's beauty of cloud, on demand when you don't need it, trash it, don't pay for it. Security had to do the same thing.

So it's, there's lots of cool stuff. But scaling agility, killing stuff when you don't need it and [00:07:00] bringing it up, resiliency is like the ultimate across all of these environments.

You have. I mean, uptime availability is the, you know, in A-C-I-S-S-P triad, confidentiality, integrity, and availability. Yeah. And it has to be up and running.

Ashish Rajan: So what do you find as a blind spots? I mean, obviously there are features and everything as well, but I guess from, for from a CISO perspective, for people who are listening and watching, yeah.

What do you find are some of the blind spots that perhaps ISVs are missing out on or not paying attention because to what you said, some of the environments have been traditional for a long time.

Micki Boland: Right? There's a couple things. This is my favorite question ever. Um, I'd say number one, uh, because everyone's adopting SaaS everywhere, if I can reduce having anything.

Deal with SaaS. Reduce my risk. I have, I have to protect my identity and access management. My account's gonna have to protect my data, right? Mm-hmm. But that's it. It's easy breezy. But are we doing SaaS posture management? Are we looking at do, are there account hijacks? So that's a big one. As [00:08:00] people SaaSify more of their stuff.

Number two, APIs. APIs. I've been begging people for years. Everything is API driven. We're communicating all via API. With generative AI, large language models, retrieval-augmented generation, all APIs. Yeah, we are gonna see, it's a machine stalking machines, but these are largely not security tested.

Their business logic isn't really known. It's not documented. Yeah. There's old versions and they have public service, public endpoint. Yep. So those that, and then I guess, you know, putting the whole thing together is you have risks in across all of this environment. You have to be able to see what those are.

Yeah. What exposures you have, and can you mitigate those as quickly as possible, because in cloud or away to the cloud. The bad guys will find it very quickly, like immediately, and they will exploit it as quickly as they can. So we have to be as fast with the security to [00:09:00] stop them, which is a challenge.

Eyal Golombek: Yeah. The speed is just mind blowing in cloud. Yeah. I think when obviously agreeing completely with everything, I think adding just, you know, in terms of mindset and operationalization of security.

Ashish Rajan: Yeah.

Eyal Golombek: Really about, in my mind is, is the blind spot is thinking of cloud security in, in verticals and not really seeing the full horizontal picture.

'cause at the end of the day, you know. In cloud the different risks that we have, the different exposures that we have, and maybe we're a large organization with multiple teams involving in, you know, API and, and data and vulnerabilities, but really looking at them siloed misses the bigger picture, right?

Yeah. Because in cloud, everything is interconnected and maybe traditional data centers, we could have, you know, other mitigating factors. But in the cloud, everything is interconnected. So trying to think of things as a horizontal. Attack path and trying to think like an attacker and, and the fa and the pace that attackers, you know, work at.

So looking it from, uh, how everything is connected together is what I would say.

Ashish Rajan: Yes. Oh, big blind spot. So I [00:10:00] guess, because obviously people have known misconfiguration is a thing. Mm-hmm. But to what you're saying, Eyal, there's a lot more integrations and points of contact as well. Also have the traditional methods kind of failed us there coming, I mean, we've been doing security for a long time.

Agreed. So why or where do they fail in this particular context? Yeah,

Eyal Golombek: I think in the traditional space and yeah, security has been around for decades, right? Yeah. And it's been doing a great job in what we had in the past, right? Yeah. But really, I think, you know, the, even if you think about the way that teams are structured, right?

You have your vulnerability management team, you have your data security team, you have your identity team, and they're all doing a fine job, but no one's actually trying to understand. Well, how are all of these connected? And maybe that made sense back in the traditional world, right? Mm-hmm. In the on-prem data center, but in the cloud.

There is no difference between the way I manage my identities or the way I manage my vulnerabilities. It's all back to code. It's all back to the developers, right? Yeah. Yeah. So trying to artificially separate that because it has been historically different teams, I think that's, uh, that's something we have [00:11:00] to, you know, move away from.

Ashish Rajan: Oh, actually, 'cause to your point, because if a CISO who's watching, listening to this, they the same mindset.

Micki Boland: That's just phenomenal. And I think that this is the, the, this thing we are seeing really innovative companies where they actually have developers working with the security teams and security working with the dev teams, but it's not that common.

Mm-hmm. We've actually tried to do security as code, you know, and try to keep up. We have a child security pipeline Yeah. In the dub pipeline. Um, so that can inform the security teams and put the hooks in for like incident response and after everything's up and running. Yeah. Uh, checking the security pieces all along.

Wiz can do a great job of informing, like, Hey, you know, we got, uh, open source, um, vulnerabilities, dependencies. You can fix this. You can fix something that's busted into IDE. You have infrastructure as code that has an exposed key or credentials, um, in clear text. You can fix all that in the dev cycle. I think that putting that whole story together of like the shift [00:12:00] left and the shift, right, which is like now you have security operations, totally.

Like you said, different teams thinking about what they're doing, doing a great job, but they really have to work together. So the best thing we can do is provide really good, uh, finding things that are broken as rapidly as possible. I think IBM has a study that says that if you fix something, say a bug is a hundred dollars to fix in the dev cycle in production, it'll be a hundred thousand dollars.

Mm-hmm. To fix. So that's a hundred x times Right. For tech debt. Right. Fix it. Then these guys are showing it. You know, bring that afford, fix that, and then as it moves over to like going into production, you need threat intelligence and incident response and incident handling. So I think as we show them how it can all be together, yeah it's, it's coming along.

We, I think many times, we're actually doing a lot in influencing the org structure. With security kind of [00:13:00] being I guess an influencer, a heavy influencer into the rest of the teams, but it's all about innovation and speed of business, right? Yeah. Yeah. Like if we show them, Hey, if you do this. I have a big philosophy, like we should make KPIs for developers to find bugs.

Mm-hmm. Oh, interesting. And get, get, get bonuses, man. When you find and fix something, you showing the business, right? Yeah. You reduces risk, but internal bug bounties and offensive security teams, that's so fun, right? Mm-hmm. You can make it a culture, but it's a long time coming, right? It's a. It's definitely an empathetic firewall.

You know, even remote access used to be a different group. Yeah. So bringing this all together and then also whatever we do, we can send them list and list and lists of vulnerabilities that they have no clue how to fix or what the hell to do. It just makes everyone go like insane. If you have a great platform, you can actually show the developer exactly what they need to fix.

Yeah. Where they need to fix it and [00:14:00] way further before it gets out into, uh, deployment. Yeah. So that is the way we can show them, Hey, you wanna be free to operate. You love your freedom, you love your innovation, and you know you are doing your thing, you're making your sprints. We're gonna make your lives easier.

Yeah. And save you getting your butt chewed, but maybe get you some extra money. With some, you know, fixes.

Eyal Golombek: I love that. Yeah. Yeah. I think being close security and developers is key. Yeah. I think especially in, we're talking about, you know, modern ISVs, modern SaaS companies. Yeah. Developers are the core, the bread and butter of what drives the business forward.

So keeping them close. Yeah. The security is key. And actually that's why, you know, with Wiz, we really love the gamification concept. Yeah. You know? Yes. I mean, I love the concept of also money prizes. Definitely. That's the next step. Uh, but I think even if it's just internal, you know, praise and, and games.

Mm-hmm. Ification. Where developers can feel part of the, you know, solution and not necessarily feel like they're the problem. Yes. 'cause at the end of the day, if our entire company is building software, developers are really our, you know, engine that's driving everything. [00:15:00] Yeah,

Ashish Rajan: absolutely. Because the, the bigger challenge in this is that finding the balance where you don't pay software developer is kind of where we fail.

At least security team seems to fail. How do you do this without. Losing that trust from your developers, I guess because two point shift left, you mentioned that as well, right? How do you do so you know, developer first environment, which is what most ISVs and SaaS providers are, they're like least friction for developers.

Let them go geek crazy. So how do you find, and maybe y if you have a concept for this as well.

Eyal Golombek: Yeah, a hundred percent. I think it's, first of all, important to understand that again, they're the business driver of the company. We should embrace their mindset and understand that they're really about innovation, about moving fast.

So, first of all, embracing the fact that we want to be enabler and not a blocker, which is sometimes, you know, many security teams see themselves as a gate. Really, we want to be embedded deeply into the process.

Micki Boland: Yeah.

Eyal Golombek: And then I think the second part is really speaking their language. So making sure that when we communicate security problems, we communicate in a way that they [00:16:00] understand.

So no longer, Hey, here's CVE 1, 2, 3, 4. Well, I have no idea what that does mean. Instead, let's tell them, Hey, here's this line of code you wrote and it's, if we don't fix it, someone can actually exploit your application called, whatever.

Ashish Rajan: Yeah.

Eyal Golombek: And if you don't fix this line. Your application is at risk, right?

Yeah, yeah.

Ashish Rajan: Sorry, you wanna add something to

Eyal Golombek: that? Oh,

Micki Boland: yeah. I think it's so crucial. I, I think that, uh. It, even in security teams just looking at CVEs and stuff and like, oh, I've gotta do this. It, it really comes back to being able to visualize what are the things that are putting my company at the most risk right now?

And it, it may not be if I, if we were just patching CVEs or just fixing certain things, like we are not seeing the big picture. We need to see the big picture. What are the top priorities of the things that I can do All that. All that tooling, all that visualization that brings it back. Mm-hmm. Where can I fix it to remove the most risk?

And a lot of this, this is now coming [00:17:00] back like full circle and having a three, kind of a 360 degree view of your organization. Kind of like military intelligence I always like to say is like, we're you and Geospacial, we're looking far afield. We're looking at signals, right? Threat signals all across the globe.

We're looking at our own. Uh, internal self to see what's going on. We see our perimeter. When you're looking at the kind of hybrid cloud environment that we're having today, you need to see those signals across the board. Case in point. There's leaked credentials that no one knows about yet. On the dark web or in a hacker channel.

Right? And at the same time, there's fake accounts doing some stuff being registered underneath your domain. Yeah. Um, there are insider threats as well, right? We've seen some pretty big insider threats. We won't mention names, but the fact is, is that you don't know who might be leaking your credentials. It could be an external threat actor.

But at the same time, this is happening. You see an attack against your organization on your cloud assets. That is a multi-phased [00:18:00] attack. Yeah. That threat started to weigh out here, geospatial. But now if we could have stopped it, then we could have stopped impending attacks. Right? Yeah. Yeah. So really putting this whole story together, I think is the holy grail is what everybody is chasing after.

And AI is gonna help us a lot with this to be able to make big picture things of multi-step, multi-path vector attacks, right? And precursors of attacks are huge. And if it's something, Hey, I see this. I see that there's this going on. This is happening over here, and this is also a vulnerability that's now being actively exploited.

Okay, now I know exactly where to spend my time, right? Yeah. I'm gonna go after and fix that thing. Because I know that there's an impending attack or an attack in progress, or, yeah.

Eyal Golombek: Yeah, no, I think I really agree and, and you bring up really good points on being able to tie between, you know, one side of the house, the right side of the house, the, I would say [00:19:00] the, um.

Incident response or like security operations side, which are reacting to threats. Yeah. And uh, the other side of the house, which is the exposure, uh, management or like posture management, how do we prevent things? So really having these two sides communicate closely and, and we, we investigate. An incident tried to tie back to what posture, gap led to it.

And when we do analyze and close posture gaps, trying to articulate that in a way that what might be the breach that would happen, right? So having these two sides deeply connected is, is really exciting. And we see, especially in the cloud, there's so interconnected and events that happen in runtime, you immediately tie them back even all the way back to infrastructure as code sometimes, which is amazing to see. Yes. Yeah, fantastic.

Ashish Rajan: With the customers you guys are working and talking to, I wonder what are some things as they've matured through the journey, a lot of them fast movers, the SaaS companies, clearly first adopters of a lot of technology. Are there things that they had to unlearn as they have matured in this?

And I [00:20:00] wonder what you guys are finding there.

Eyal Golombek: Yeah, sure. I think in my mind I would split it into two types. Yeah. You have the companies that were, I like to call it born in the cloud, right? Companies that cloud was their bread and butter since the first day.

And I feel like they, you know, are drinking from the Kool-Aid, so to speak. Right. And are just adopting everything. And then you have these larger enterprises, organizations that have been here maybe hundreds of years even. Right? Yeah. And they need to. Adapt and change and how the cloud is coming out. And I feel like it's more about just keeping up with the pace and being very willing to adapt and to accept new technologies and not trying to shy away from them or be afraid.

Right. I feel like when the cloud just came out, everybody were afraid of, oh, how can I protect it? How can I be sure it's secure? Yeah. But then, you know, fast forward a couple years in the future. Everybody understands that the cloud is where they want to be and, and just need to understand what guard rail to put in place.

So as long as you keep adopting and learning all the time, new things and not trying to stay, you know, where you are. I think that's, that's what I've seen the [00:21:00] most success, you know, companies that truly adopted this cloud nature.

Ashish Rajan: Awesome.

Micki Boland: I love it. I, I agree a hundred percent. And I think that we've seen across the board, you know.

Different you know, different kind of use cases or scenarios for customers and their evolution. And we used to say it's a journey into the cloud. Yeah. But everybody has taken that journey. How far are you, how fast you're going to get to this summit is another thing. But, but yeah, I think we've seen like a big shift though, because it used to be like, Hey, we're gonna do cloud, we're gonna be slow moving, and then we'll do, it'll be like, uh, cloud first. So new applications. We have a lot of customers. They have legacy applications. It can't be cloudified, whether it's on-prem, it can't be software-defined, data center cloudified. It can't be private cloudified, it can't be public cloudified. But it's really all coming back to this hybrid cloud environment and it have to be able to support that across.

Ashish Rajan: Yeah.

Micki Boland: I think the pain points I've seen with customers that just refuse to adopt is that, I mean, these are usually very [00:22:00] heavy, fixed cost, super risk averse. Mm-hmm. You know, organizations, they don't move fast. They don't assume risk. I mean, we even have some customers, um, that basically say no cloud, they're build, they're still building data centers and they're hyper scaling them.

It's, it's like, uh. It's very interesting how they approach, but I think that the really good ones are embracing mm-hmm. You know, cloud and they are doing the hybrid cloud kind of approach, so it's seamless and they've really, I've seen, I wish we had more, like we're seeing with ai, we're seeing like chief AI officers, we're seeing now AI like, uh, governance, committees reporting directly to the board talking about AI trust.

AI, you know, ethical AI and I think we should have had that with cloud more because it was kind of, sometimes it fell under the CFO and sometimes it came under a technology group. And there, there were some cloud steering [00:23:00] committees. Yeah. And enterprise architecture standards around cloud adoption.

But it was kind of like, it just, it was kind of quirky. Yeah. Um, now they become very mature and the mature ones are really adapting and, and seizing the day.

Eyal Golombek: Yeah. Yeah. It's a great point. You know, I've seen some companies have like a cloud excellence, you know? Yes. A space which is phenomenal for the growth, for building that grassroots movement and church moving.

I think especially as you said, like the, the older organizations that are trying to mature and move forward, and especially if they're risk averse, like financial services, right? Mm-hmm. Obviously they will always have these more traditional applications that every small change in them is a huge, you know, ordeal.

Um, so really trying to embrace, I really like your approach of hybrid cloud and trying to, you know, move everything we can, but then even things that we can't move, try to modernize and embrace the same mentality. Yes. I think that's, uh. That's a really great best.

Ashish Rajan: Do you guys feel the detection and, uh, response in its isolation doesn't work then in this world?

Like, I guess, where do you guys [00:24:00] see, I'm, I'm going with this very, very, it's a very I guess alert fatigue is a thing these days as well. A hundred percent. Uh, there's the whole concept of a lot of people have built their entire security programs around detection, response, resilience. But maybe And how do you guys see this, especially now, as you mentioned, there's a lot of AI use cases in there as well.

Yeah. How is AI changing a lot of this?

Micki Boland: So exciting. I, I don't even get me started on detection. Oh, man. You're only detecting, what's that gonna do? Like human has to run behind now? Mm-hmm. How so? Like, okay, something happened, there's an exposure, right? Is it actively being. Exploited. Yeah, right. So like in the cloud, the window has to be like, you know, it has to be closed immediately.

So this detection thing of like, okay, go look and see if this is a problem, what should we do? Humans running behind, not gonna work. So we've been doing machine learning and deep learning and neural networks for, uh, everything from [00:25:00] malware. Malware identification to like threat intelligence. Um, I think we do have a very good efficacy for our threat intelligence.

I think that it's very important to have the best threat intelligence you can have because if you have a high degree of confidence in the efficacy of the threat intelligence, then you'll block on it. Yeah. Like the two kind of objections for, especially if you talk to like the C level. Is gonna be why we don't do preventative actions on threats or security events is because, one, we feel like it's a false positive and we could be blocking real traffic, right?

And that's a valid concern. High false positives and. Bad events really bad efficacy has caused that pain, right? Mm-hmm. The second thing is, if I invoke this protection, I'm gonna break something. Mm-hmm. It's gonna hit a performance thing and it's a threshold and everything is gonna tank. So what you really have to go back to is [00:26:00] like on the threat intelligence, if you will be preventative, which I say you must, that checkpoint we're the people of prevention.

Mm-hmm. I mean, especially because we believe that. Attacks are not, they can be like low hanging fruit attacks, just like, you know, just opportunistic. But they can be very, very crafty and very dark hearted, detect with multiple vectors, right? We feel like if you can prevent something from happening in the first place, wouldn't you wanna do that?

And. We take pride that we do have high efficacy. So catch real threats and don't give a bunch of false positives because no one will listen and it's just noise. Right? Yeah. And we were just talking over at the checkpoint booth at that, at Black Hat is, you know, you talk to CISOs that have been around for a while.

The noise, the noise, the noise. Like Horton Hears a Who or whatever. Mm-hmm. You know, like it's just all this noise. Yeah. They can't make sense of it. Right. We have lots of data. Are we making intelligent sense out of it? This is [00:27:00] where the AI comes in. Mm-hmm. So we much faster than human can see these things.

Right. The AI can see these things and actually augment human in this. And I know you're gonna maybe talk more about like automated fixes and stuff like that, but I would say like, you know, we have to take every, if we wanna see a ahead of the bad guys, we have to take every advantage that we can. I still love human in the loop.

I'm a big human, uh, I like humans a lot. I love it. I do agree, agree. But I want humans, right. Um, to be augmented. So, but it also reduces a lot of stress. It takes a lot of risk. I mean, you could probably cut 90% of your risk if you proactively block. I, I literally had a customer ask me, like, I saw Cobalt Strike.

Mm-hmm. In my security log. Should I block it? I'm like, you're not blocking that. You should never see that. Yeah. I'm like, are you red teaming? Are you like, are you pen testing? No, no, no. You gotta block it. Oh. But it's like they, they need help, right? Yeah, yeah. Right. They, they want guidance. Mm-hmm.

And that's the [00:28:00] thing. So that was a long story,

Ashish Rajan: But no, no, no. I mean, Eyal, do you wanna add as well? Yeah, no, I, I

Eyal Golombek: totally agree. Basically, anything which includes any manual, repetitive labor should be, uh, completely automated with AI and keeping you in the loop for the sophisticated cases, for the cases that need.

Need, you know, deep expertise. That's the way I, I look at it. Yeah. And in general, I think the way I like to think about, you know, the security, especially in the cloud, is kind of like a post-incident and pre-incident, right? And obviously there's the side that deals with detection and response. There's the side that deals with, you know, logs and events happening, and then there's the side that is meant to prevent these from ever happening and couldn't agree more, you know, on prevention being a key part to improve and, and, you know, reduce the exposures that we see at the end.

Keeping these two sides closely knit together is really what we've, you know, been focused at Wiz and really focused at getting them together and, and incorporating AI on both ends. Yeah. Really makes, you know, every site better. And especially, you know, when we look at the detection response, right? Having AI [00:29:00] automated, you know, SOC analysts or things like that, that can crunch through the data fast and surface out those, uh, risks and detections, and then pass them over if some deeper analysis needs to be done to the human.

Which can then pick the important events out of the sea of logs. Right? Yeah. Yeah.

Ashish Rajan: I, I think, and um, Micki, you mentioned the remediation part, the automation path as well. I'm curious as to, 'cause remediation was one of those ones where it kind of came in between, we spoke about the different eras of it.

Mm-hmm. We all start with compliance and started going for misconfiguration visibility and somewhere in between there was a hot second for remediation and then everyone dropped it like a hot cake and No, no, no, no. Let's move on to workload. Like, Hey, look over here. Don't worry about remediation. Are we, are we in a better state to do remediation today compared to previous attempts?

Micki Boland: Yeah, I believe so. I think so. I think it comes back to. It, I think like vulnerability chasing and vulnerability management is like Totally, you have to [00:30:00] do it. Yeah. Uh, but it's kind of like you'll never be ahead. So I think it's also coming back to it's if for remediation. It's like, do I, can I look out there?

Like I can look at W can I look at Check Point? Can I look at the other guys? And we support up to 70 vendors. Can we, via API can we see if there's a control set or an enforcement point somewhere that can do something about this. Mm-hmm. Um. Yeah. If there is, is it active or is it not active? If it's not active, like what is the impact if we invoke it, right?

Mm-hmm. And then if it's something that does need to be patched, can we virtually patch it? Patching because you guys, I used to work with government and like we would have hundreds of thousands of vulnerabilities that required patching. Mm-hmm. And this is way back, way this like in some other time. But basically the fact is, is that you can't patch this stuff all the time right away.

Yeah. Because the application owners won't allow you to [00:31:00] patch. If there's something, like, if it's like a Microsoft, you know, patch Tuesday, that's a whole different story. But you're talking about a lot of different applications. That, that are very difficult to patch. So they, they will try to do a maintenance window.

It could be in three months, right? Mm-hmm. So then what can you do? Yeah, you don't have a con, a compensating control. Can you virtually patch it? And this is again, comes back to the network level, right? Can we do something at the network level to virtually patch until such time that that patch can be actually mitigated or remediated?

Right. And I think that's the thing. Taking all the things you can do. I love how you said like putting all these things together and pulling them together. Mm-hmm. Like even it, pre precursor preventative stuff in the dev cycle, workloads, applications, containers. Code all the way through. Now the application's up and running, what can you do to get ahead of the bad guy?

So like it's not a one or other, it's all of the above. And it's really not that hard [00:32:00] to achieve. I think the other thing too is you got, you've gotta have verification. Yeah. And validation. Any type of QA process that's automated without a human big problem, we saw that. Mm-hmm. With a, a major company.

Mm-hmm. And some of the customers are still being impacted by that. I mean, when you literally brick all your servers and all your endpoints, it's a big problem, so mm-hmm. Security cannot do that. Yeah. Because like security's always the guys that are like, uh, oh, this is the firewall. Right. Or something they're doing on the security team, right?

Yeah. So, um, yeah, we have to be like, uh, we can't be having, uh, security fixes that. Or mitigations, you know, remediations that are gonna break something else.

Ashish Rajan: So you're finding that actually customers are open to the whole virtual patching, uh, the meantime? Yeah,

Micki Boland: they're the, the virtual patching thing is pretty awesome because you can do, like, you can look at the classification of like, the risk.

Is it high critical? Yeah. And then you look at the performance impact, right? So it's like you're getting, you're getting information that tells you whether or [00:33:00] not, and if you see that it's okay, it's actually actively contextually, it's actually being exploited in my environment. Virtual patch.

Ashish Rajan: Interesting.

Interesting. And do you find the same, Eyal, that your customers that you're talking to are open to the idea of remediation? And

Eyal Golombek: I think it's a great topic and you followed up on, you know, the, the challenges and the dangers of it. I think I just had a conversation with a customer today, at the conference here, right.

About the willingness to adopt it. And I think truly the number one gap is uh, psychological willingness to accept, you know, auto patching, right? Yeah. I mean, it's funny, right? Yeah. But it is a challenge. We're all kind of afraid of a system fixing things for us. I think the technology is there, right?

Yeah. You were saying, you know, remediation is kind of having a new wind in a way. The technology is there is just the willingness to adopt it and I think trying to find the areas out of, you know, a hundred percent of my landscape, where am I willing to have the automated patches, the automated fixes, even if they're virtual or actual patches, they are gonna impact my environment and am I ready [00:34:00] to accept that the machine is gonna.

Patch automatically or fix. So I think we're seeing adoption and willingness to adopt that in lower environments. You know, if it's in dev, well, I don't mind. Yeah. An automated patch. Right. I guess the exciting part would be when teams would be willing to adopt these mentalities also in production environments.

And I think we're still not there. Obviously there's the new, you know, the folks that are willing to be, you know, cutting edge. Uh, but I don't think that we're a hundred percent there and this is why. The way I see it is that really tying back, you know, the, the vulnerabilities and the risks back to their origin, back to the code if they're related to code.

Right?

Micki Boland: Yeah.

Eyal Golombek: And fixing there is better. 'cause that's where people are willing to accept the automated fixes. Right. So, yeah.

Ashish Rajan: And would you say that the, the, uh, there's a whole thing about. A lot of industry focuses on posture management for a while. Mm-hmm. And based on at least what, what I'm hearing as well, cloud these days is quite complex.

You have your CICD pipelines, your containers, your serverless, and throw AI [00:35:00] in there as well. Of course. And now you're looking at this world where posture management doesn't seem like the right thing to describe it. So what does. Vulnerability management or threat management look like in this particular world that we're in?

Micki Boland: I think it's, uh, I think it's kind of a twofold approach is that, taking the traditional things that we know of. Yeah, and applying them being more open to do things. I think it's really more about it. Posture management is so important to be able to see the things that are happening.

So like keep that going, take the other stuff and mix with it. But I think it, it really comes down to like continuous threat exposure and risk management. What are my digital risks across all of this environment? What is the highest, what are the things that are causing me the highest risk? Mm-hmm. If I can fix it.

Well, it's in the dev cycle. Absolutely. If it's a container drift, like why are we having, I know of a customer that had containers that were infested with malware. Like there, that should never happen. You shouldn't have a [00:36:00] container. It should have a clean image principle of immutability, right? Yeah. When you're building code, it's not manipulated after it's running these things.

You put this all together. I think the big picture is really being able to see far afield, see what's going on internally, look at, take all your traditional stuff and put this all together for a big, a big, uh. Kind of approach big, uh, 360 view. And really, again, if you can fix anything anywhere and if you can automate it and augment human.

Mm-hmm. I mean, I, you guys remember when you used to test malware, I'm sure you used to use like Hex-Rays, IDA Pro and stuff. Mm-hmm. And reverse engineer malware. Yeah. It's really fun. It's real fun. If you're in school, it's, yeah. Or, but you can't do that. You know, if I can say, Hey. All these things being equal, all this stuff is good, but we see that this threat actor just grabbed, got through an end point, got a a person to click a phishing link, and now I have dropped malware on that [00:37:00] machine.

Now it's trying to spread laterally. That's something that we have to think about because really network security, posture management, all those things are great and Ev, we should do all of those things, but it can take one phishing link. And it, and you real. If you have really good endpoint security and you're gonna stop it there or browser security, you're gonna stop it there.

Um. With like AI, what you putting in the prompt window if you're using like a SaaS-based AI application, these things are super important. So I I, I guess I'm just kinda like digressing, but ultimately it really has to be all things. Mm. I think posture management is amazing and now you guys are having like AI posture management and data posture management, it's so crucial because we need to put all this together.

And I think that, you know, as we continue to to work together, it's all gonna be like, how do we, I don't wanna say integrator of integrators, but how do we become system open garden [00:38:00] players? Mm-hmm. So that we can give the best value, the best security for the customers, right? Mm-hmm. Yeah. Putting it all together, not adding complexity and layers.

Eyal Golombek: A hundred percent. Yeah. I think to me, posture management, if you will, 2.0 really is, is what we call exposure management. Right. Is really understanding that our posture leads to an exposure. Yeah. And really understanding that posture management is not just, oh, this is misconfigured. You know, which is what people think.

When they think about posture management for the cloud, it is about whether my environment is built in a way that can lead to an exposure. So to me, the evolution of posture management is to adopt the mindset of exposures of analyzing the attack path and thinking like an attacker. Yeah. And not just trying to, you know, close all misconfigurations, which might not be even relevant.

Ashish Rajan: So that's, I think the evolution of that. Are there cultural challenges walking down the spot? I feel like. To what? To what both of you're saying as well. I mean, traditionally we've done a certain way. There are people who are fixated on the idea and [00:39:00] how to solve a particular problem. Some people still waterfall or, you know.

Eyal Golombek: Yeah.

Ashish Rajan: So what are some of the cultural challenges that you're finding that your customers, uh, probably face and how do they overcome it? I'm curious.

Eyal Golombek: Yeah. I think it's a really good point. And we're, we're really driving for something we call Democratization in Wiz, which is really making security.

Something embedded in the entire organization. Right? Yeah. I think you're bringing up a great point of security. Is is still siloed in on, in the security team. Yeah, so that's a major organizational problem and, and the reason we were many teams are unable to break that barrier is, is a lack of ability to democratize security, make it.

Accessible and, and you know, even gamified, if we're going back, you know, to what we brought up in a way that, you know, other people in the organization can step in, can take part in the security game, right? So that's the biggest barrier in driving this democratization is what I see. Yeah. Obviously.

Micki Boland: Yeah. I love that.

That's amazing. That is really a game changer, right? Mm-hmm. And, and the, uh. [00:40:00] The platforms or the tools the things that we have available actually do help. Mm-hmm. Train people. So everything, you know, we've done phishing campaigns, we teach, we do cybersecurity training for everyone. If you get everyone on board and you gamify or find something fun and also create, you know, cross teaming that all comes from a cultural shift too.

Like that, you know, if, if, uh, people are hiring developers and they're basically insourcing them and it's just like they're working to create something or whatever for the company. There's not any cultural like shift or, or crossover. Um, that's one thing we see a lot. There's a lot of different, like software shops and people developing, but ultimately the organization, whether it's their own developers or their sourcing or their using combined teams, they can create that culture.

That is the key though. And that really is, I mean, in teaching everyone and [00:41:00] especially I think developers for a long time, they just get lists of stuff from, they see like to security as the overlords, right?

And it makes their lives miserable. What they want is like, tell me, put the guardrails on, gimme the tools they use. And tell me how you wanna do it, because ultimately all of us have to inform the business, right? Yeah. How are we supporting the business drivers for innovation agility? How are we reducing risk?

And we have to quantify it. So like we can put a lot of stuff together in different ways. We can kind of let like laissez-faire, Hey, go do what you want, but we really have to have. A little bit of process, A spirit of esprit de corps, right? And how everyone works on security together as a team and like celebrate wins when we're reducing risk and fixing bugs and stuff like that.

I love an internal bug bounty program. We're a public one. 'cause I mean, we should all be, I think, you know, we all [00:42:00] should be testing our software like that and then like somebody finds something, it should be. A big win, you know? Yeah,

Ashish Rajan: Yeah. No, thank you for sharing that. Oh, I mean, I, those are all the technical questions I had for you guys, making people learn more about the partnership that you guys have in terms of the Wiz and Check Point.

And maybe I'll start with you, Micki, can people find more about the awesome stuff that Check Point is doing?

Micki Boland: Yeah. I mean, well, I think we have like a better together story with Wiz. I'm not the corporate spokesperson Right. But I'll tell you Micki's approach is that, uh, Wiz is amazing. We have a great partnership.

I think it was a fantastic idea. Um, Nadav, right? Look, you guys are all on the old team together, but, um, uh, Israel, uh, Israel is startup up nation. Mm-hmm. Cyber nation. Right? Innovation nation. So, but I think it's phenomenal and we have. Our external risk management, continuous threat, digital risk exposure, right?

Uh, we have the network security, all the cool stuff in cloud. Let's be honest. You can [00:43:00] have all your stuff running in cloud, but you still need segmentation. You have experimental environments. There should be segmentation. There's still a place for network security. Actually very viable place for, um, CloudGuard Network Security.

There's also. APIs I talked about. We have an amazing WAF. Yeah. That we have. It's does machine learning. We, it has a bunch of supervised learning, uh, training, and then it does unsupervised learning and it does risk scoring. It's amazing. Great. For API security, schema validation, rate limiting, you put that together with their amazingness.

Like it's just, we have a great, great, you know, comprehensive solution together.

Eyal Golombek: Yeah, I'm super excited about the partnership as well. I think Wiz, you know, is, is, you know, every day something new is coming out and I'm super glad to be part of this rocket ship. But I think specifically the bread and butter of Wiz has always been analyzing attack path, analyzing, in the cloud, deeply understanding the context that's king and queen in our [00:44:00] world.

And this is why we've always been building on top of the Wiz Graph, right? And I think this amazing partnership lets us expand that graph, you know, and bring in the expertise from the Check Point network understanding. We've built a deep technical alliance right? Beyond, you know, obviously all of our joint work together in conferences and, you know, marketing, but really deep product integration to expand the context that we see in the cloud and embrace that deep network context that, you know, Check Point brings to the table.

Super excited about this partnership here.

Ashish Rajan: That's awesome. Uh, thank you for sharing that. And where can people connect with you guys, uh, to talk more about Wiz or Check Point? What? LinkedIn. LinkedIn is always a great place. Yeah, yeah, yeah, yeah. So feel free to reach out for sure. Yeah, it, I, I'll put, I'll put the links in the notes as well.

Well, thank you so much for coming on the show. Yeah. This is great. Thank you so much. So much fun. Yeah, thank you. Thank you so much for listening and watching this episode of Cloud Security Podcast. If you've been enjoying content like this, you can find more episodes like these on www.cloudsecuritypodcast.tv. We are also publishing these episodes on social media as well, so you can definitely find these [00:45:00] episodes there.

Oh, by the way, just in case there was interest in learning about cybersecurity, we also have a sister podcast called AI Cybersecurity Podcast, which may be of interest as well. I'll leave the links in description for you to check them out, and also for our weekly newsletter where we do an in-depth analysis of different topics within cloud security, ranging from identity endpoint all the way up to what is the CNAPP or whatever, a new acronym that comes out tomorrow.

Thank you so much for supporting, listening and watching. I'll see you next.
