The conversation around cloud security is maturing beyond simple threat detection. As the industry grapples with alert fatigue, we explore the necessary shift from a reactive to a proactive security posture, questioning if a traditional SecOps model is sufficient for modern cloud environments.
We spoke with Gil Geron, CEO of Orca Security, to examine the limitations of a SecOps-centric defense. Because SecOps teams are inherently reactive, they cannot be the sole guardians of cloud infrastructure. Instead, the conversation centers on a new blueprint: viewing cloud security as an end-to-end workflow that integrates development, deployment, and production runtime with a continuous feedback loop into policy.
The role of AI is also explored, not just as a threat, but as an opportunity to empower security teams and make knowledge more accessible. We spoke about the power of context in reducing alert volume, citing a case where millions of vulnerabilities were prioritized down to a handful of actionable fixes.
Questions asked:
00:00 Introduction
02:12 Who is Gil Geron? From Check Point to CEO of Orca Security
02:54 What is Cloud Security in 2025? The Evolution to a Modern Workflow
05:50 How AI is Impacting the Cloud Security Landscape: A Salvation, Not a Risk
08:40 The Limits of a Reactive Approach: Why SecOps Can't Be Your Only Defense
12:15 The Surprising Truth: 95% of Cloud Malware is Introduced, Not Hacked
13:40 The Role of Identity in Cloud Security: The New Networking
18:00 The Current Cloud Security Landscape: From "Thumb Mistakes" to Neglected Assets
22:20 How CISOs are Modernizing Security by Modernizing Engineering Workflows
23:50 Reducing SOC Fatigue: How Context Turns Millions of Alerts into a Handful of Fixes
26:20 Is Auto-Remediation Safe? Why It's an Orchestration Challenge, Not a Technical One
35:20 Shifting Left with Production Context: The Future of AppSec & Cloud Security
38:00 How to Choose a Security Vendor: Finding Hope, Not Fear
42:01 Final Questions: Hiking, Team Pride, and French Fries
Ashish Rajan: [00:00:00] What's your 2025 version of what is cloud security today?
Gil Geron: People are tired from just finding more issues and tired from stories about the latest and greatest risk they should lose sleep about.
Ashish Rajan: How do you see AI impacting the threat landscape for cloud?
Gil Geron: Vast majority of CISOs that I talked to understand that actually AI could be their salvation in the sense of the challenges they've been facing so many years.
Ashish Rajan: Are the cloud security problems for incidents moving to a SecOps, like security operation teams?
Gil Geron: It's also ridiculous to think that only SecOps can secure your cloud because SecOps are operations. SecOps are reactive. More than 95% of the malware that are found in the cloud are not from a penetration to the cloud. Really?
Yes, it was brought to the cloud. It was introduced. Find the ones that give you hope and stay away from the ones who are trying to sell you by fear.
Ashish Rajan: If you're like me and you've been in cloud security for some time, you probably have seen waves of different transitions. We have gone through the visibility part, the [00:01:00] remediation part.
I had a conversation with Gil Geron, who is CEO and co-founder of Orca Security. And we spoke about things like how far have we come in the decades that have passed for cloud security where we were 10 years ago, and what's the 2025 version of this? Where are people shifting left? Where are people moving to SOC?
And whether that's the right thing to move to SOC today and whether we are ready for it, and what would cloud security look like in the world of AI? All that, and a lot more in this conversation with Gil, where we spoke about the disruption that's happening in the cloud security market in 2025. So if you are someone who's interested in knowing where cloud security is going in 2025, and probably for the next couple of years as you plan your cloud security program or your career or just the way the industry is moving, then this is the episode for you, and share this with someone who's looking at the same problem to solve. What does the state of cloud security look like today? If you are here for a second or third time, I would really appreciate if you take a quick second to drop and hit the subscribe and follow button.
Whether you're listening to this on Apple, Spotify, or watching on YouTube or LinkedIn. It only takes a few seconds and I really appreciate the support for all the work we do. Taking that quick second, it's free for everyone, so feel free to take that one [00:02:00] second, just to hit the subscribe or follow button.
As always, appreciate the support. I hope you enjoy this episode with Gil. I'll talk to you soon. Peace. Hello and welcome to an episode of Cloud Security Podcast. I've got Gil with me. Hey man. Thanks for coming on the show. Thank you for having me. Uh, maybe to take it off, could you tell us a bit about yourself, your professional background?
Gil Geron: Sure. I'm the CEO of Orca Security. I am in the role in the last two years. Prior to that I was the chief product officer at Orca, uh, caused most of the, uh, damage to the company so far. Um, and prior to that I was for almost 11 years at, uh, Check Point at various roles. Alright. Last position was director of cybersecurity products.
Oh, nice. So, I'm, I'm a bit in the cybersecurity business, I guess, all my life. Yeah, yeah, yeah.
Ashish Rajan: Fair. Um, lives in New York and, oh, you're based in New York as well now. I was gonna, you were talking about the early mornings as well before we started recording. Obviously we're in Vegas, we are here for Black Hat with the cloud security.
I think it's [00:03:00] been over a decade. I'm curious, what's your 2025 version of? What is cloud security today?
Gil Geron: Yeah. So I think the market is super interesting mm-hmm. In terms of, uh, its evolution.
Um, um, when you there's, uh, something almost I would say, uh, funny about when you see how uh, products evolve or how perception of market evolves.
And when early, uh, uh, cloud security pioneers started to address the risks in the cloud, they were talking about firewall of the cloud. Yeah. And, um, and that perception came from a position of understanding that at the end, cloud, what is it? Is it, it's the modern data center. That's right.
Yeah. Right. And when you really try to understand what are the both pillars of biggest pillars of security, you have endpoint and you have data centers. And traditionally it was done by [00:04:00] either network or endpoint solutions. That's right. And obviously a lot of, like more than decade as mentioned passed. And it moved along to configuration control and to workload protection.
And then identity and access came along because this is the modern networking for cloud. And then containers, Kubernetes, serverless, now AI. So much has been, I would say, accumulated to the perception of what you actually need to protect your cloud. Where I would say the latest in terms of the understanding of what you need to do, and it's also, by the way, echoed in the last Gartner report, is the fact that people and companies understand that securing your data center is a workflow.
Okay. Securing your data centers means that you need to maintain a good way that you're developing your applications. Mm-hmm. Uh, securing your [00:05:00] deployment, securing your production, securing your runtime, and ensuring that you have a policy that prevents issues from reoccurring. Interesting. And I think we are seeing that.
People are tired from, uh, just finding more issues and tired from stories about, you know, um, the next, the latest and greatest risk they should lose sleep about.
Ashish Rajan: Mm-hmm.
Gil Geron: And they are so much focused about how they can ensure that their cloud is actually secured, how they can be more productive, how they can focus on things that matter.
Yeah. Yeah. And what will move the needle for them.
Ashish Rajan: Very well said. I think, uh, I definitely agree on the complexity as well. In terms of, at least the first version was heavy on I. And I guess to your point, because people didn't even understand what they were looking at, they, they just wanted to compare it to something they knew and the data center was the most obvious one they could compare to.
How do you see, uh, and we were talking about this before as well, how do you see AI impacting the threat landscape for cloud? And, uh, what are you hearing from [00:06:00] people you're working with as well?
Gil Geron: I must say that I'm more than pleasantly surprised. With the fact that most people see AI and AI security as an opportunity versus risk.
And it's not to say that, uh, CISOs and companies are not concerned about the potential risks of AI, but I think that the vast majority of CISOs that I talked to,
Ashish Rajan: yeah,
Gil Geron: understand that actually AI could be their salvation in the sense of the challenges they've been facing so many years. Now think about it like two or three years ago, if we would have this talk, we would talk about, we talk about the challenge of, uh, of, uh, finding enough security professionals, right?
Ashish Rajan: Yeah, that's right. That's what we were talking about. Yeah.
Gil Geron: And, uh, we would talk about how challenging it is to find right talent, talents. Right. And, [00:07:00] and it's not that it's not a challenge now, and obviously when you add AI and complexity to it, you actually have a bigger challenge, but you also have an opportunity.
Yeah. Yeah. You can make a junior security engineer a very fast and effective professional.
Ashish Rajan: Yeah.
Gil Geron: By leveraging ai.
Ashish Rajan: Yeah.
Gil Geron: I just had a, a call yesterday with, uh, CISO.
Ashish Rajan: Yeah.
Gil Geron: A very large company and, um, and, uh, we've enabled for them a new feature and said, I love it because you can ask them questions and no one, no one's there to judge you.
You don't need to ask it in a call of enablement. You don't need to ask it. From customer success and now like they can gain confidence and they can gain knowledge. With this assistant? Yeah, yeah, yeah. Without without the need for it to take years or even time for them to gain confidence.
Interesting.
Ashish Rajan: 'cause I think to add to what you were saying before as well, the initial battle was people didn't understand cloud, so the threat was unknown. You couldn't even [00:08:00] ask a, there was no AI to kinda ask the question for, Hey, what's a cloud threat that I should be worried about? Whereas AI, to your point, is
doing that job where it's lowering the bar for people to understand their environment, being able to know what, what should they focus on, what should they not focus on as well? Do you find that, a lot of conversation in the industry is also talking about sort of shifts that's happening in cloud security.
And one of the shifts they are focusing on is, Hey, my cloud security alerts and logs are being sent over to SecOps. And cloud security is kind of moving on to bit bigger, better things. In terms of, in organizations, where do you see a stand on that and where do you see the companies? Are they really moving to SecOps in at least the conversations you're having?
Gil Geron: When we talk about the realization that, uh, securing your data center is more than a workflow, more workflows than just an, an a result or, or a task, then then it means also that SecOps are involved, right?
Yeah. But it's also ridiculous to [00:09:00] think that that only SecOps can secure your cloud because SecOps are operations. SecOps are reactive.
Ashish Rajan: They're not actively solving it. Yeah.
Gil Geron: And you, and, uh, there's only so much you can do reactively in terms of, of manpower, in terms of. Uh, the amount of issues you can resolve and so on.
You need to shift things to the left as much as possible because you need the SecOps team to deal really with the important critical runtime or realtime, uh, issues that occur.
Ashish Rajan: Yeah,
Gil Geron: ideally. These issues will never occur. Yeah.
Ashish Rajan: Yes.
Gil Geron: So this is why No.
Ashish Rajan: Yeah, yeah. But
Gil Geron: why Yes is because if it's a process and we, we, like, I have more gray hair than you, but I, I assume you've seen it, uh, many times before.
Before we, we love to find silver bullets, but we never found a silver bullet to, to security. And I don't think we should look for one, we should look for. Ability to, uh, be as effective as we can. [00:10:00]
Ashish Rajan: Yeah.
Gil Geron: And and then if you agree with that notion, then yes, it means that also we won't be able to solve everything in the development stage.
We won't be able to prevent everything.
Ashish Rajan: Yeah.
Gil Geron: And that's why we need SecOps.
Ashish Rajan: And I think, I love what you said as well, because if people just look at cloud security from a end to end workflow perspective, rather. Hey, I'm gonna get a lot of bun. I'm go, I will get a lot of detection, I will get a lot of alerts.
I need someone to just triage and find out which to, what you said is a very reactive approach, rather than how do I prevent a leak from happening? Moving forward instead of trying to be, Hey if I'm just throw this across the wall to the security operation people, they look after this. And I think a lot of gaps that at least I've been trying to focus on.
And I don't know if you've seen this as well, the SecOps people were great at data centers. They've always been good at that. They can go into a malware figure out the inside, out of it. But cloud security, where we started, it was in a, it was a silo in a particular part where people had some context [00:11:00] around it.
Security operation people would not have the context for what is an S3 bucket versus a blob storage. They have no idea. Are you finding is that kind of where some of the battle is coming from as well? That the silver bullet that you're talking about, where people might throw that, Hey, if I just throw it across, it'll be fine.
Is that where some of the gaps are coming as well?
Gil Geron: I think that that the notion of, uh, eh, that. The last line of defense should be my only line of defense as has, has failed too many times. The. You need the last line of defense is not a debate.
Ashish Rajan: Yeah.
Gil Geron: But the fact that uh, that should be the only one is definitely not the answer.
And the way we actually picture the securing your cloud, we use the infinity sign but a little bit different than other vendors. Oh. Where, uh, on the left you have the code development and then you have, in the curve, you have the deployment, [00:12:00] the registries. Yeah. The product, the pipeline, all of that where we want to secure that.
And then you have production, and then you have runtime.
Ashish Rajan: Yeah.
Gil Geron: But people tend to forget what's all the way to the right. You can say, Hey, this is runtime realtime. Okay, great. But you know, there's, there's a next step. Next step is to change the policy so that won't happen again. The
Ashish Rajan: feedback loop. Yeah,
Gil Geron: the feedback loop.
The ability to prevent issues from reoccurring, the ability to or to reduce the risk. More than 95% of the malware that are found in the cloud, were not from, uh, penetration to the cloud. Really? Yes. It was brought to the cloud, it was introduced. Think about it like you cannot browse and get infected in the cloud.
Yeah. You don't have to connect link. You cannot bring a USB and infect a computer from a USB or something like that. It's machine operated. So, and then if you have ample controls and protection and a good vulnerability program, so [00:13:00] exploitation is, uh, not necessarily easy. Yeah. Uh, but you know what's easy, bringing an open source with a malware, that's easy.
Ashish Rajan: Yeah. And to your point, it's uh. Maybe this was traditionally hidden in a data center environment because this was not accessible on the internet. But by nature of building in the cloud, you're exposing a lot of it to the internet by default. And, uh, I love the example of the USB plugin as well was traditionally, we have always spoken about that, hey, Ashish is clicking on a phishing link and losing his, uh, losing the identity control or whatever.
Or someone has plugged in a malware using a USB. None of that scenario actually does exist in the cloud context. And which is kind of related to the identity piece you kind of touched on as well. How do you find the identity in the cloud security world is top of mind? And you mentioned Gartner earlier, as well as kind of spoken about this as well.
What are you seeing the impact of how identity has changed in cloud security and in terms of, we obviously spoke about the shift [00:14:00] that. Some people may be walking towards SecOps as a way there are other people who are focusing on identity. What's that? What's that looking like in terms of the role identity plays in cloud security today?
Gil Geron: Identity is basically the new networking. Like when you think about challenges you used to have around access, around permissions, around segmentation, all of that today. Needs and should be solved by identity.
Yes. Machine identity or personnel identity. But, um, this is like the only way to really effectively manage it and control it, especially in the cloud.
Ashish Rajan: Yeah.
Gil Geron: The and, and of course under the assumption of zero trust and, and, and doing that, and you see organizations are really, really have already adopted the, the position of zero, zero trust and all of that. But what we are seeing, especially with the adoption of, of ai, that um, it becomes like [00:15:00] identity and access management on steroids.
Because you suddenly have a lot more applications or processes. We can call them agentic AI, but yeah. Yeah. That communicate, that have interface, that have access to data, that can produce actions. And then it becomes on steroid because you need a much more, um, reduction of risk and permission and access to every basically portion of the process.
So it becomes from identity of a service to an identity of a microservice or identity of a micro or an agent.
Ashish Rajan: Yeah. Yeah.
Gil Geron: In your environment now there's around it. I think another little known fact, but I issues with identity are well known for, for quite some time. And if you recall the Capital One incident?
Ashish Rajan: Yeah.
Gil Geron: I had a conversation with someone who had knowledge with the incident and, and oh, and asked him like, what [00:16:00] did you do after that? And he said like, we went engineer, engineer, and we made, made sure that he doesn't have over too much access to the services. And I like, come on man. And he said, yeah, no, that's really what we did.
We were really, uh, uh, and say, okay, understand, but every engineer told you that he has to have this permissions and that it's gonna happen again. It's essential. And, uh, he can't, uh, he can't uh, uh, do his job without this permission. Said, yeah, obviously. And then the understanding and I can also share like also neither known fact is that in real world, uh, teams are challenged in reducing permissions.
Yeah. Even when you look on lack of usage.
Ashish Rajan: Yeah.
Gil Geron: Uh, that's why one of the things we've, we've added to our customers is, is we've added, uh, just in time access. So they can, can go to the engineers and say, you know what, okay, let's not argue now here. Access for a few hours. If you need [00:17:00] again, ask again.
Ashish Rajan: I love your perspective on the, just in time provisioning as well, because I guess a having long lived credentials, definitely a bad notion to court on the path of, but I also love what you said about the least privilege is one of those things which has not been solved, and I don't think it can ever be solved.
I think you and I and others can sit about security in a, in a, in a near a bonfire and talk about how identity should be least privileged. But the reality is, it's not us who's managing the identity as an engineer. Developer can walk in tomorrow and ask for, Hey, I, I need more privilege 'cause I need to have this AI agent in production by tomorrow, and these are privileges I need.
I don't know how much, but I need all of it. So, and you're like, you're not gonna say no to that. So, yeah, I, I love the perspective. I think, um, when we were talking about this early, you kind of mentioned, um. I think someone you're talking to you who had about 60,000 plus internet facing VMs, and what was that scenario that I think I would love to kind of, if you can share some of that example as well in terms of the kind of threats you're seeing and, uh, where I guess what, what's your lay of the [00:18:00] land for the, the current way of how expose the current cloud security landscape is?
Gil Geron: So I think that. The industry matured from, you know, from the basics. Of, uh, like, uh, public facing, uh, bucket or stuff like that. Like we are seeing less of like basic configuration issues. I think also the cloud providers provided more tools to avoid, like, uh, we call it thumb mistakes. Yeah. Of, uh, accidentally like, uh, pressing the wrong button.
Yeah. Yeah. Um, uh, what we are seeing a lot more of, we are seeing a lot more, uh, we are still seeing a, quite a bit of cases of neglected assets.
Ashish Rajan: Okay.
Gil Geron: Where assets are being either forgotten or not updated or, uh, left exposed. In, in ways that produce risk for the, for your environment. We are seeing quite a bit still in identity and access.
While there is an improvement, but it's a hard task. Yeah. And [00:19:00] I think it's also related to the fact that you you know, and I know it's, it's no longer a technical challenge. No. That's why I think the security industry needs to mature from reporting the news to acting on the news.
Because it's okay, there's a problem. We need to fix it, but how do we fix it and how can we make it easy to fix it and let's fix it.
Ashish Rajan: Yeah.
Gil Geron: Um, and I, and we're seeing, um, more and more cases where the challenges of companies and organization become more complex and relate to that workflow, meaning that finding and attributing an issue.
Ashish Rajan: Yeah.
Gil Geron: Being able to focus on the on the core reasoning of the problem.
Ashish Rajan: Okay.
Gil Geron: And also offering a solution that that is, um, that you can actually implement because and I'll give you an example. Let's, let's say you have a VM with a vulnerability or a container with a vulnerability. Update it. [00:20:00]
What's the problem? But there's dependencies or I can't, or you know what? I didn't update. It's a production server. I can't update it. I need the downtime to upgrade it. Now, during this time of waiting, should we just every week in our weekly style with engineering, talk about the same issue and understand there's a plan in six months, or should we now.
Try to mitigate it or focus on other problems that are easier to solve and will reduce the overall risk in my company.
Ashish Rajan: And where are people today? Are they, are they somewhere between that,
Gil Geron: the position of, of what we, so, uh, uh, there's a maturity curve.
Ashish Rajan: Yeah.
Gil Geron: And you see that companies that are just, uh, that have not adapted to new or have a significant presence on-prem or still.
Trying to focus on criticality of issues. And then you see companies that have already assimilated into the cloud and the [00:21:00] workflow and the application development and leveraging more, uh, workflow tools. Mm-hmm. Then suddenly you see like amazing stuff. Amazing. Really? You see how they're looking at the architecture and they're changing it in a way that not only solves the problem, but allows them to solve future problems.
Ashish Rajan: I love that perspective, but how can, and I guess to your point, it's easier said than done. I'm sure there's quite a few challenges in involved with this. How can CISOs and security leaders who are trying to modernize a workflow to, as you called out as well, the entire workflow is now different. While not exposing themselves to more risk, what are you seeing people do that actually is helping, to your point?
Waiting is definitely not helping. 'cause the vulnerability is still there. And the AI agent, as we, as we are talking about it, is a lot more understanding that, hey, maybe today AI is not attacking or reasoning. But tomorrow it can, it may, it may not be far. So how are you fi seeing that, uh, what are, what are, what are CISOs and [00:22:00] security leaders doing about modernizing their workflow?
Gil Geron: So, I would say first of all, that I'm seeing that CISOs today are really smart. A lot of them are really focused on actually trying to collaborate with the engineering and to enable the engineering. And how, how does that contribute to security? Because uh, like if you go back like 20 years, right?
The recommendation of the CISO was to cut a cord. And if we can't do that, then at least let, let's make sure no one's using our software.
Ashish Rajan: Yeah.
Gil Geron: Uh, uh, and I'm, of course I'm exaggerating. I'm not trying to, of course. Yeah. But. Uh, but there was this notion of, you know, prioritization of security versus usability.
Security versus the business.
Ashish Rajan: Yeah. Yeah.
Gil Geron: And, um, most today, or actually their main fight
Ashish Rajan: Yeah.
Gil Geron: Is to ensure that their engineering team is modernized. Think about that. Like if your engineering team is using CI/CD. Yeah. And is [00:23:00] deploying every day, vulnerabilities is a much smaller problem than it used to because you can update tomorrow.
Yeah. Yeah. If you are still using infrastructure that gets updated with a image once every four years, then. It's we are stuck in just patching instead of focusing on, on the real stuff. So, what, what happens is that the more you are pushing your engineering team to modernize the workflow, you are actually increasing their security position.
Ashish Rajan: And do you find it would, does it impact the response time pattern as well? Like are people able to, 'cause obviously a lot of people talk about, like cloud security has been notorious for being that wall of red that people talk about that, hey, start something, then you land on 10,000 alerts. It leads to fatigue from people.
What are you seeing in terms of people are finding that they've learned from the historic patterns to reduce the quote unquote SOC fatigue as people may call it.
Gil Geron: So of course there's [00:24:00] there's prioritization that's possible in the cloud and was not possible in the on-prem world, like understanding context, for example.
Yeah. Understanding, uh, what's the impact on my environment, which are the core critical path that I should fix. Understanding what has access to PII the code usage, the reachability of the vulnerability, the exploitability of the vulnerability, all of this. Today, Orca has the tech to actually, uh, be able to reduce the amount of issues between a hundred to a thousand x
Ashish Rajan: mm-hmm.
Gil Geron: Versus a traditional solution like I've literally. We, uh, like a few months back, we've released a new technology around vulnerability reachability that does it in an agentless manner. One of the companies we've, we've enabled it, they reduced the vulnerabilities from 230 million vulnerabilities to 1,500 they actually need to fix, and then they grouped it [00:25:00] by image and they had to fix six images.
Oh, wow. Yeah.
Ashish Rajan: So that's the value of context in this particular context, right? Rather than having millions of alerts to look at, you're able to reduce the one where, where you should pinpoint and focus on
Gil Geron: six images. That's it. Six images. It's like vulnerability management solve next task. Yeah. Think about it like you've 234 million.
Nothing to do. 1,500. Okay. It'll take us some time. We need to, uh, now start a project of reducing, solving them and so on. Six images. Let's open the Jira task and do something else.
Ashish Rajan: We spoke about remediation as well. Remediation is one of those ones where it came for a hot second. I feel like to what you were talking about in the gen, in the different generations that CSPM and everything went through, there was a, Hey, I care about my compliance care, about my workload.
Then there was, for a hot minute, there was a whole conversation about [00:26:00] remediation. I should be able to automatically remediate a Lambda function or whatever. Do you find people are more open to that now? Now that AI is in the picture?
Gil Geron: It's not about ai. It's not about, it's not about the technical challenge.
Like today, for example, you can deploy a VM or a container or that is automatically updating itself.
You have between one to two weeks till you'll get fired because you are gonna cause a downtime in production. For sure. Not maybe for sure. Um, um, and so the challenge, the challenge is not technical.
And there is, uh, automatic remediation capabilities. And these are excellent ways to cause the downtime. Uh, I had a customer, uh, discussion last week. One of their, uh, runtime solution caused the downtime of two weeks, oh my god, of, of a new service, uh, because it blocked access to a bucket.
That [00:27:00] bucket had essential data and images that they needed for the service to operate and to try to figure out who's the owner of that policy. Why is that policy, to get exceptions on the policy just cause the downtime of two weeks at the end and the challenge there so we can talk about, hey, that service didn't have the context, it was needed.
It was okay that the configuration was that way. It leads to a position where if you understand that remediation needs to be, uh, uh, something that requires governance and suddenly you understand remediation is actually more of an orchestration challenge than a technical challenge. Who needs to be no notified, which service should be updated?
Should we change it by a pull request? Because maybe the position should be is not in production. We should change it in the code.
Ashish Rajan: Yeah.
Gil Geron: If you're deploying your cloud by infrastructure as code, why should you change production and [00:28:00] configuration? You should change it in the code.
Ashish Rajan: To your point, because the original remediation was more around, if I have a function or serverless function or whatever, repositories open to the internet or S3 bucket, open the internet, it automatically makes it private.
What's the modern remediation workflow that you are pitching for?
Gil Geron: Uh, so the modern remediation talks about these different, about solving the problem at the core, the origin,
Ashish Rajan: yeah.
Gil Geron: There are companies and organization that are looking for that automatic remediation prevention capabilities. And, and it's definitely needed, but it is more of, think about it as the last line again. Same as what you expect from a runtime sensor, same as what you expect from firewall.
You, you expect it to be the last resort. Of a very, very, very strict and uh, and a clear policy of, okay, everything has failed. We should, uh, stop it while it's running.
Ashish Rajan: Yeah.
Gil Geron: And [00:29:00] because if you think about the friction on the organization, if you cause that two weeks downtime. You cause a lot of friction.
Ashish Rajan: Yeah.
Gil Geron: Think about the DevOp. He just deployed something and it's not working.
Ashish Rajan: Frustration would
Gil Geron: be the, uh, why, like I deployed it, the code is there, why is it blocked? And then he starts, and then the security team blocked me. Now the security team needs the DevOp to actually deliver security fixes.
And now you've lost credit.
Ashish Rajan: Yeah.
Gil Geron: And credibility with that engineer. So security teams also. Have to today they are, they are trying to reduce the amount of false positive. They're, because they understand that they will be on the hot seat if they prevent and cause a business downtime.
Ashish Rajan: Yeah.
Gil Geron: They're afraid of it more than anyone.
Modern ways of doing it does not say we don't do it or you shouldn't do it, but it means the last line. And you should have a really strict guidelines on where you should trigger that last line of defense.
Ashish Rajan: Yeah, and I guess to your point, use the [00:30:00] context. You have to know the kind of remediation you need to trigger instead of changing.
Production and cause downtime. If it's a pull request to what you said, you just go down the pull request part because that's a low friction and people can take their time and they, no, you're not really bringing in down, bringing down any service at that point in time. I,
Gil Geron: I've seen companies, yeah. With malware in production, with the decision of not to do anything really.
Yes. They, uh, figured that it'll cost them millions of dollars of, uh, downtime. If they will deal with this malware and after analyzing the malware, understanding that it was introduced in a certain way that does not actually pose a risk.
Ashish Rajan: Yeah.
Gil Geron: And that they should do it in a different way than they should resolve it.
So they did different mitigations. They had a planned downtime versus an immediate, I would think of the position of, of the fact that, let's say you would now [00:31:00] cause a downtime of that server, millions of dollars, what would you say? But we found the malware. Okay. But then literally five minutes later, you understand that this is not a running malware.
It's a malicious code. Yeah, not exactly. Cause an a risk. This code is not running. Yeah. You know what, it was a accidentally someone. Brought it for whatever reason as part of a malware lab to a production server, and it was a Windows malware on a Linux machine. So it's not even that it's capable of running.
Ashish Rajan: Oh, right. Yeah. Yeah.
Gil Geron: And, and so obviously for. Uh, so, so, so those, they definitely made the right call for their business.
Ashish Rajan: Yeah.
Gil Geron: But you need a really clear guidelines and understanding on how you are pressing that red button of potentially causing a downtime in production versus fixing it correctly.
Ashish Rajan: Yeah. I, I think, I love what you said because I find that because today, day and age, in today's day [00:32:00] and age cloud is not just one cloud as well. Most enterprise have multi-cloud. They're all building AI agents as well. So what would something like this, what would a modern workflow look like in, in that scenario where you have multiple moving parts as well where just multi-cloud agents and serverless in multiple, multiple cloud environments.
So what is the new modern workflow for this, I guess in terms of how much of the context is required for you to even make that kind of assessment where, hey, this malware is okay because there is no. Actual risk of the business,
Gil Geron: you need a lot of context. You the opportunities to do it in a multiple stage.
Meaning that you can actually try stuff and then decide on a different strategy. So if you think about, for example, traditional orchestration, remediation, you would basically build a workflow.
Ashish Rajan: Yeah.
Gil Geron: And that workflow should operate the same way all the time. Yeah, but the modern one should be reactive and dynamic. [00:33:00]
If I can't do that, I try this workflow, it doesn't work for this case. Here's a different strategy. And today, with the context, you can actually produce and, uh, recommend on a different strategy. Let's say for example, there's a vulnerable machine. You can't patch it or, and you can understand why. Mm-hmm. Uh, we see no logins to this machine in the last two years.
Uh, you usually don't update this machine. We recommend to update it, but you usually don't. And this is a critical issue. You should resolve it now. Maybe, uh, the right move is to change to,
Ashish Rajan: yeah. Yeah.
Gil Geron: And so what we reco, what an agent could recommend or a, or an engineer could recommend, let's change the WAF rule and open a Jira ticket to update this issue.
And once this issue is resolved, once it's updated, let's remove the WAF rule. Mm-hmm. Because I don't need it from [00:34:00] performance impact, it doesn't really provide more protection. So, being dynamic and trying to look at multiple data points. And it leads also to a responsibility of security solutions to collect insightful data that allows you better decision making.
Yeah. Which OS. Uh, where does it reside? Is it a production service or not? Yeah. Does it have access to PII? Mm-hmm. Uh, what is the overall risk on organization? What is the overall impact? So think about it like all of that can be collected. Yeah. And it's a good. Data point, like you as an security engineer, you would ask these questions.
Ashish Rajan: Yeah.
Yeah.
Gil Geron: And your best security engineers are ones who are making intelligent decisions and saying, you know what? This is, this is not a really critical service or this is a critical service. And, and we should act right now, or we should have a discussion.
Ashish Rajan: Yeah.
Gil Geron: These data points help agen, help [00:35:00] modern orchestration tools to make better decisions with you.
Ashish Rajan: I think, um, it reminds me of what you mentioned earlier, which is shifting left. Mm-hmm. So what is shifting left? Because a lot of people think about shifting left more from an AppSec perspective. They don't think about shifting left from a cloud SEC perspective. So, you kind of, what you're describing sounds like a shifting left strategy as well in terms of how do you see cloud security shift left in terms of the new modern remediation workflow that you're recommending.
Gil Geron: The opportunity today is to like what is the challenge, the biggest challenge with AppSec? Mm-hmm. Uh, today there's excellent solutions and there's excellent vendors in AppSec. And I think the promise of AppSec, again, we all looked for the silver bullet. We won't have any issues in productions because we are solving them in the pipeline.
Mm-hmm. We've, uh, shifted our security challenges from production to development, and now we are all safe. And where it, it failed. It failed in the context, [00:36:00] like the opportunity to understand the context from the code
Ashish Rajan: Yeah.
Gil Geron: Is really hard. Because you you see the architecture, you see the theory and not practice.
Ashish Rajan: Yeah.
Gil Geron: And in practice it's connected to a bucket with PII or connected to a database or connected to the snowflake that has certain types of data. And someone did some of the changes. We are, we live in an imperfect world. So someone did the changes manually.
Ashish Rajan: Yeah. Yeah.
Gil Geron: Now what if you can actually go to an, uh, to an engineer and tell, you know, the code that you're writing opens an API, it's going to be internet facing.
You know that 95% of what people are 90%, what people are deploying to the cloud is not new. It's an update. It's not a new service, it's an update of a service.
Ashish Rajan: Yeah.
Gil Geron: So you have the context. Yeah. You know where it's gonna land. So what we are seeing, and this is all something that we are building, but also collaborating with excellent vendors like, uh, Snyk and others.
Yeah. [00:37:00] That we both try to enrich. Each other's knowledges in order to give you context, in order to be able to make the decision faster, in order to prevent these issues and actually achieve that that promise of preventing as much as possible in the, uh, development and pipeline and and ensure that I have issues in production.
But, uh, I have fewer and, and farther apart. Interesting.
Ashish Rajan: How do you recommend CISOs and security leaders making a call today for cloud security? At least a market which, what should they go for? Because a, a lot of people already have a cloud security, either a vendor or whatever they're using at the moment.
And they may consider that, Hey, maybe I have enough of it. But I guess maybe after they have the con, after they hear this conversation, like, actually Gil has a point, I need to have all the other things as well. How do you separate the signal from the noise in this market, especially when. Cloud security has been there for a decade.
People are probably in some stage of [00:38:00] the, one of the versions we spoke about, which was the previous versions. How do people kind of today are able to, at least CISOs and security leaders who have to make the decision for, Hey, what am I looking now that I'm at BlackHat looking forward and I'm planning my roadmap, how do I separate with the signal from the noise for the cloud security, uh, choices that I have to make?
Gil Geron: I think that the first thing you need to do is, find the ones that give that that give you hope. And stay away from the ones who are trying to uh, to sell you by fear. The I can tell you, uh, nightmare stories about potential exotic attacks, uh, all day long.
Ashish Rajan: Yeah.
Gil Geron: And new risks you haven't thought about and how devastating there will be on your organization, but it'll take you nowhere.
Ashish Rajan: Yeah.
Gil Geron: And and I find it really. That the approach of all of us [00:39:00] security vendors and security comp com community alike, we need to understand that A, this is a community.
B security is a calling.
Ashish Rajan: Yeah.
Gil Geron: Security is, is a commitment. Security is something that is around, uh, working for the good versus working for the bad.
Ashish Rajan: Yeah.
Gil Geron: And, and as you are building the strategy of how to secure your cloud and how to secure data centers and how to adopt new technologies and how to be an enabler of your company and organization or to adopt new technologies look for vendors.
Ashish Rajan: Yeah.
Gil Geron: That aim to help you on that journey. And that's where we.
I am trying to do the best I can, and we do pay for it sometimes from a business perspective because it's by the, it's, it's way easier to sell fear by the way. Really easy. Yeah. Yeah, yeah. Um, um, but, uh, what I find is that um, if we are able to prioritize better, if we provide more [00:40:00] context. If we're able to remediate better, if we are innovating mm-hmm.
In ways that contribute to the fact that you will have less alert fatigue that your team is more effective, that there are more professional, that they can ask the dumb questions and get answers that can educate them and elevate them.
Ashish Rajan: Yeah.
Gil Geron: Then. This is who you want on your side.
Ashish Rajan: Yeah.
Gil Geron: If you work for the good and you are because you're in security.
Yeah. Then you want someone who's uh, who's on your side. And I think that's the type of solutions you should look for. And I think there is many, many areas where it's still unclear. What is the right or the best or the solution that you should have? And, and while there is progress, like if you think about, uh, uh, some of the stuff around identity and AI and agentic AI and, and securing prompts and stuff like that.
So all of these are still a lot of questions of what's the right solution and how it should work. [00:41:00] And and, and this should still be top of mind. Generally speaking, like if you'll be able to resolve more issues, more of the basics, more of the non basics,
Ashish Rajan: yeah.
Gil Geron: You'll probably be, in a way, way better.
And this is what I saw, I saw companies, you know, focusing on, on good hygiene.
Ashish Rajan: Yeah.
Gil Geron: And then when, you know what, when the, if they're getting breached or when a breach happens, suddenly they don't panic. Damage doesn't happen. They're able, uh, you know, I've seen huge environments move from risk and uncertainty to safety.
It's amazing to see that.
Ashish Rajan: I love that. And I love the fact that 'cause FUD is very much to what you said the industry is driven by. And we are in a lot of ways. We are, we are trained to love FUD as well because we do the same strategy to the board, the same, the same strategy to the CTOs, CIOs as well. Hey, if we don't do this, the hell all hell would, uh, break loose or whatever [00:42:00] as well.
I, I love that. Uh, I mean, those are most technical questions. I've got, got three fun questions for you as well. First one being, what do you spend your what do you spend most time on when you're not trying to solve the cloud security problems of the world? What do you do? Uh,
Gil Geron: I must admit that, uh, my work is also my hobby fair.
Uh, but behind that, uh, like in terms of like, I love. Hiking and, and skiing and scuba diving. So nice. Uh, I, I tend to see that high activity uh, ac stuff that I'm doing are actually creating clarity when I'm thinking about, uh, these challenges and, and, and where I should focus.
So, uh, people ask me like, how do we relax? And I say like, the way that most people relax is actually creating, uh, for me a lot of frustration and, uh, uh, I feel like anxious to do something. So that's, I think one of the ways of
Ashish Rajan: fair I actually, I'm, I'm also someone who has not had a beach holiday.
I don't think I can have a beach holiday as well. I'm kinda like you. [00:43:00] The whole idea of just sitting on a bum and not doing anything. I'd rather go for a snowboarding holiday, kinda like what he said, uh, at least as an activity. The second question that I have for you is what is something that you're proud of that is not on your social media?
Gil Geron: Something I'm proud of. Yeah. Uh, I think what I'm proud of the most is, is like my team um, the our market has so many changes in tomos and competition is fierce. And sometimes you do have to fight FUD and. And the fact that the team is so much focused on the mission
and is, you know, it's inspiring to see people do that.
So I'm extremely, uh, I'm extremely proud of the team and the way they operate. One of my, one of my, uh, customers had a, had a breach and. And he said, he told us, like, Gil, you guys were amongst the only vendors that the, they did only one thing. They [00:44:00] came, what do you need? How can we help?
Here's the research team. Whatever you need nothing around. And even after the event was done, no one came in, Hey, do you want to buy? No. No one, uh, was there to sell you more or you, you, you were just there. And then when you see that the team operated
Ashish Rajan: Yeah.
Gil Geron: Then you feel very proud because you know that the team is focused on the mission.
Ashish Rajan: Yeah.
Gil Geron: Understand the calling of what we do.
Ashish Rajan: Yeah.
Gil Geron: So I couldn't be more proud of the team.
Ashish Rajan: That's awesome, man. Uh, final question. What, uh, what's your favorite cuisine or restaurant that you can share with us?
Gil Geron: Uh, my favorite cuisine is. It is actually fusion. Oh, right, okay. Obviously I love, uh, mediterranean cuisine and, and Asian cuisine.
Yeah. Like, uh, I love Indian food. I love Thai food and but I am a person who doesn't like, like walking the line. Yeah. Fair. And, and, and so [00:45:00] I think, I love things that are. Mix.
Ashish Rajan: Awesome. And, uh, so what's your comfort food then? I guess, what's your favorite dish? Um, is there like a com comfort food that comes to mind when after a ski hard day, ski french fries, like hands down.
Gil Geron: Oh, nice. Like good french fries. In, in a nice, noisy place is, is always the best.
Ashish Rajan: I can, I can see that. Yeah. Uh, warm fry, warm french fries in a cold place. Oh my God idea, man. Thank you so much for sharing all that information. Where can people find and know more about what Orca security's up to and how can they connect with you to know more about this as well?
Gil Geron: So, uh, we are here at, uh, BlackHat, but also like go to orca.security. To learn more. Uh, we are a very. Approachable and accessible people. So feel free to reach out to me or anyone from my team as you go through your cloud journey. We also have a lot of customers that are, have been partners to the journey.
Yeah. Ask. [00:46:00] And and you know what? I'll tell you, we are, we're, we're not perfect as we, as, as much as we wanted to be. Mm-hmm. Or want to be. Mm-hmm. But we are inspiring to be. And, and I think that reach out to us, reach out to our customers, you'll find an easy route to, uh, learn more about Orca and we promise to be there for you.
Ashish Rajan: That's awesome, man. Thank you for sharing that. And I'll put the links in the shownotes as well. But thank you so much for coming on the show. Thank you so much for having me. Thank you. Thanks everyone for tuning in as well. Thank you so much for listening and watching this episode of Cloud Security Podcast.
If you've been enjoying content like this, you can find more episodes like these on www.cloudsecuritypodcast.tv. We are also publishing these episodes on social media as well, so you can definitely find these episodes there. Oh, by the way, just in case there was an interest in learning about AI Cybersecurity
We also have a sister podcast called AI Cybersecurity Podcast, which may be of interest as well. I'll leave the links in description for you to check them out, and also for our weekly newsletter where we do an in-depth analysis of different topics within cloud security, ranging from identity endpoint all the way up to what is the CNAPP or whatever, a [00:47:00] new acronym that comes out tomorrow.
Thank you so much for supporting, listening and watching. I'll see you next.