Screaming in the Cloud - The Uptycs of Cybersecurity Requirements with Jack Roehrig
Episode Date: December 20, 2022
About Jack
Jack is Uptycs’ outspoken technology evangelist. Jack is a lifelong information security executive with over 25 years of professional experience. He started his career managing security and operations at the world's first Internet data privacy company. He has since led unified Security and DevOps organizations as Global CSO for large conglomerates. This role involved individually servicing dozens of industry-diverse, mid-market portfolio companies. Jack's breadth of experience has given him a unique insight into leadership and mentorship. Most importantly, it fostered professional creativity, which he believes is direly needed in the security industry. Jack focuses his extra time mentoring, advising, and investing. He is an active leader in the ISLF, a partner in the SVCI, and an outspoken privacy activist.
Links Referenced:
UptycsSecretMenu.com: https://www.uptycssecretmenu.com
Jack’s email: jroehrig@uptycs.com
Transcript
Hello, and welcome to Screaming in the Cloud, with your host, Chief Cloud Economist at the
Duckbill Group, Corey Quinn.
This weekly show features conversations with people doing interesting work in the world
of cloud, thoughtful commentary on the state of the technical world, and ridiculous titles
for which Corey refuses to apologize.
This is Screaming in the Cloud.
If you asked me to rank which cloud provider is the best developer experience,
I'd be hard-pressed to choose a platform that isn't Google Cloud.
Their developer experience is unparalleled in the early stages of building something great.
That translates directly into velocity.
Try it yourself with the Google for Startups cloud program over at cloud.google.com/startup.
It'll give you up to a hundred grand a year for each of the first two years in Google Cloud credits for companies that range from bootstraps all the way on up to series A. Go build something
and then tell me about it. My thanks to Google Cloud for sponsoring this ridiculous podcast.
your applications understand and act on what your users want without making them spell it out.
Make your search application find results by meaning instead of just keywords.
Your personalization system make picks based on relevance instead of just tags.
And your security applications match threats by resemblance instead of just regular expressions.
Pinecone provides the cloud infrastructure that makes this easy, fast, and scalable. Thanks to my friends at Pinecone for sponsoring this episode.
Visit pinecone.io to understand more.
Welcome to Screaming in the Cloud. I'm Corey Quinn.
This promoted guest episode is brought to us by our friends at Uptycs, and they have sent me
their technology evangelist, Jack Charles Roehrig. Jack,
thanks for joining me. Absolutely. I'm happy to spread the good news.
So I have to start. When you call yourself a technology evangelist, I feel just based upon
my own position in this ecosystem, the need to ask the, I guess, the obvious question of,
do you actually work there? Or have you done what I do with AWS and basically inflicted yourself upon a company?
Like, well, I speak for you now.
The running gag that becomes more true every year is that I'm AWS's chief marketing officer.
So that is a great question.
I take it seriously.
When I say technology evangelist, you're speaking to Jack Roehrig.
I'm a weird guy.
So I quit my job as CISO. I left the CISO
career for like 10 years. I was a CISO before that, 17 years doing stuff, started my own thing,
secondaries, investments, whatever. Elias Sherman, he hits me up and he says, hey,
do you want this job? It was an executive job. And I said, I am not working for anybody.
And he says, what about technology evangelists?
And I was like, that's weird.
Check out the software.
So I'm going to check out the software.
I went online, I looked at it.
I had been very passionate about the space
and I was like, how does this company exist in doing this?
So I called him right back up and I said, I think I am.
And he said, you think you are?
And I said, yeah, I think you're an evangelist.
Like, I think I have to do this. I mean, it really was like that.
Yeah, it's like, well, we have an interview process and the rest. You're like, yeah, I have a goldfish. Now that we're done talking about
stuff that doesn't matter, I'll start Monday.
Yeah, I like the approach.
Yeah, it was more like I found my calling. It was bizarre. I negotiated a contract with him that said, look, I can't just work for
Uptycs and be
your evangelist. That doesn't make any sense. So I advise companies. I'm part of the SVCI. I do
secondaries investment. I'm a mentor. I'm a steering committee member at the ISLF. We mentor
security leaders. And I said, I'm going to continue doing all of these things because you don't want
an evangelist who's just an Uptycs evangelist. I have to know the space. I have to have my ear to the ground. And I said, and here's the other thing, Elias, I will only be your
evangelist while I'm your evangelist. I can't be your evangelist when I lose passion. I don't think
I'm going to. The way I see it, authenticity matters in this space. You can sell out exactly
once. So make it count because you're never going to be trusted again to do it a second time.
It keeps people honest, at least the ones you actually want to be doing work with. So you've been in the space a long time, 20 years, give or take, and you've seen an awful lot. So I'm curious,
given that I tend to see about, you know, six or seven different companies in the RSA sponsor hall
every year selling things because, you know, sure, hundreds of booths,
bunch of different marketing logos and products, but it all distills down to the same five or six
things. What did you see about Uptycs that made you say this is different? Because to be very
direct, looking at the website, it's, oh, what do you sell? Acronyms. A whole bunch of acronyms
because I don't eat, sleep, and breathe security for a living. I don't know what most of them mean,
but I'm sure they're very impressive and important. What does it actually do for those of us who are practitioners,
but not swimming in the security vendor stream? So I've been obsessed with this space and I've
seen the acronyms change over and over and over again. I'm always the first one to say,
what does that mean? As the senior guy in the room all the time. So acronyms, what does Uptycs
do? What drew me into them? They did HIDS, Host Intrusion Detection System.
I don't know if you remember that. OSSEC was the one I always wound up using, the open
source version, OSSEC HIDS. It's like, oh, instead of paying a vendor, you can contribute
it yourself because your time is free, right? Free as in puppy, or these days
free as in tear when it comes to cloud. Oh, I like that.
So, yeah, I became obsessed with this HIDS stuff.
I think it was Evidentio that was doing it,
then it was ThreatStack.
And these companies are great companies.
I started this new job in an education technology company
and they needed a lot of work.
So I started to play around
with more sophisticated HIDS systems
and I fell in love with it.
I absolutely fell in love with it.
But there are all these limitations.
I couldn't find this company that would build it right. And Uptycs has this reputation
as being not very sexy. You know, people tell me, Uptycs, you're going to Uptycs, Jack? And I'm like,
yeah, they're doing really cool stuff. So Uptycs has this like brand name. And I had referred
Uptycs before without even knowing what it was. Here I am, like one of the biggest XDR,
I hope to say, activists in the industry, and I didn't know about Uptycs. I felt humiliated.
When I heard about what they were doing, I felt like I'd wasted my career.
Well, that's a strong statement. Let's begin with XDR. To my understanding, that's some form of
audio cable standard that I use that plugged into my microphone? Some would say XLR, I would say sounds like the same thing.
What is XDR?
What is it, right?
So there's a lot of ways to implement it.
But you install an agent, typically on a system, and that agent collects data on the system.
What processes are running, right?
Well, maybe it's system calls.
Maybe it's going as granular as system calls.
Some of them use the extended Berkeley packet filter daemon to get stuff.
But one of the problems is that when you're obtaining low-level data on an operating system,
it's got to be highly specific.
So you collect all this data, who's logging in, which passwords are changing, all the
stuff that a hacker would do as they're typing in on the computer.
Maybe you're monitoring vulnerabilities.
It's a ton of data that you're monitoring.
Well, one of the problems that these companies face is they try to monitor too much.
Then some came around and they tried to monitor too little, so they weren't as real-time.
It's like a little pig story here.
Yeah, exactly.
Another company came along with a fantastic team, but I think they came in a little late
into the game, and it looks like they're folding now.
They're a wonderful company, but one of the biggest problems I saw was the agent, the
compatibility. It was,
you know, it was difficult to deploy. I ran DevOps and security and my DevOps team uninstalled the
agent because I thought there was a problem with it. We proved there wasn't. And four months later,
they hadn't completely reinstalled it. So a CISO who manages the DevOps store couldn't get his own
DevOps guy to install this agent for good reason, right?
So this is kind of where I'm going with all of this XDR stuff. What is XDR? It's an agent on a machine that produces a ton of data. It's like omniscience. I started at Turnitin. I would ping
developers. I was like, why did you just run sudo on that machine, right? I mean, I knew everything
that was going on in the space. I had a good intro to all the assets. They technically run on the on-premise data center
and the quote-unquote cloud.
I like to just say the production estate,
but it's omniscient.
It's insights.
You can create rules.
It's one of the most powerful security tools that exists.
I think there's a definite gap as far as,
let's narrow this down to cloud for just a second
before we expand this into the joy that is data centers, where you can instrument a whole bunch of different security services in any cloud provider.
I'm going to pick on AWS because they're the 800-pound gorilla in the room, and frankly, they could use taking down a peg or two by and large.
And you wind up configuring all the different security services that in some cases seem totally unaware of each other, but that's the AWS product portfolio
for you. And you do the math out and realize that it theoretically would cost you to enable all
these things about three times as much as the actual data breach you're ideally trying to
prevent against. So on some level, it feels like a heads-I-win-tails-you-lose style scenario.
And the answer that people have started reaching out to is third-party vendors to wind up
tying all of this together into some form of cohesive narrative that a human being has a hope in hell of understanding.
But everything I've tried to this point still feels like it is relatively siloed, focused on the whole fear, uncertainty, and doubt that is so inherent to so much of the security world's marketing. And it's almost like cost control, where you can spend
almost limitless amount of time, energy, money, et cetera, trying to fix these things. But it
doesn't advance your company to the next milestone. It's like buying fire insurance on your building.
You can spend all the money on fire insurance. Great. It doesn't get you to the next milestone
that propels your company forward. It's all reactive instead of proactive. So it feels like it is never the exciting number one priority for companies
until right after it should have been higher on the list than it was.
So when I worked at Turnitin, we had saturated the market.
We worked in the education technology space globally.
Compliance everywhere.
So I did some work on the Australian Data Infrastructure Act of 2020.
I'm very familiar with the 27 data privacy regulations that are in scope for schools.
I'm a FERPA expert, right?
I know that there's only one P in HIPAA.
So all of these compliance regulations drove schools and universities, consortiums, government
agencies to say, you need to be secure.
So security at Turnitin was the number one, number one key performance indicator of the company for one and a half years.
And these cloud security initiatives didn't just make things more secure. They also allowed me to
implement a reasonable control framework to get various compliance certifications. So I'm directly
driving sales by deploying these security tools. And the reason why that worked out so great is by getting the certifications
and by building a sensible control framework layer,
I was taking these compliance requirements
and translating them into real mitigations of business risk.
So the customers are driving security as they should.
I'm implementing sane security controls
by acting as the chief security officer.
Company becomes more secure.
I save money by using the correct tool set.
And we increased our business by like 40% in a year.
This is a multi-billion dollar company.
That is definitely a story that resonates,
especially with organizations that are,
they should be, compliance forward
and having to care about the nature
of what it is that they're doing.
But I have a
somewhat storied history in working in FinTech and large-scale financial services. One of the
nice things about that job, which is sort of a weird thing to say there if you don't want to
get ejected from the room, has been, yeah, well, it's only money in the final analysis. Because,
yeah, no one dies if you wind up screwing that up. People's kids don't get exposed. It's just,
okay, people have to fill out a bunch of forms
and you get sued into oblivion and you're not there anymore
because the first role of a CISO is to be ablative
and get burned away whenever there's a problem.
But it still doesn't feel like it does more for a number of clients
than on some level checking a box that they feel needs to be checked.
Not that it shouldn't be necessarily,
but I have a hard time finding people that get passionately excited about security capabilities. Where are they hiding?
So one of the biggest problems that you're going to face is there are a lot of security people
that have moved up in the ranks through technology and not through compliance and technology.
These people will implement control frameworks based on audit requirements that are not bespoke
to their company. They're doing it wrong. So we're
not ticking boxes. I'm creating boxes that need to be ticked to secure the infrastructure. And
Turnitin was a company that people were forced to use to submit their works in school. So imagine
that you have to submit a sensitive essay, right? And that sensitive essay goes into this large
database. We have the Taiwanese government submitting confidential data there.
I had the chief scientist at NASA submitting pre-publication data that we've got corporate trade secrets that are popped in there.
We have all kinds of FDA pre-approval stuff. This is a plagiarism detection software being used by large companies, governments, and 12-year-old girls, right, who we don't want their data linked.
So if you look at it like this is an ethical thing that is required for us to do, our customers
drive that, but truly I think it's ethics that drive it. So when we implemented a control framework,
I didn't do the minimum. I didn't run an SS scan that nobody ran. I looked for tools that satisfy
many boxes. And one of the things about the telemetry at scale,
hey, it's XDR, whatever you want to call it, right?
But the agent-based systems that monitor for all of this run state data
is they can take a lot of your technical SOC controls.
Furthermore, you can use these tools
to improve your processes like incident response, right?
You can use them to log things.
You can eliminate your SIEM by using this for your DLP.
The problem with the companies in the past is they wouldn't deploy on the entire infrastructure.
So you'd get one company that would just be on-prem or one company that would just run on CentOS.
One of the reasons why I really like this Uptycs company is because they built it on osquery.
Now, if you mention osquery, a lot of people glaze over, myself included, before I worked at Uptycs.
But apparently what it is is it's this platform to collect a ton of data on the run state of a machine in real time,
pop it into a normalized SQL database, and it runs on a ton of stuff.
macOS, Windows, like tons of versions of Linux because it's open source.
So people are porting it to their infrastructure.
And that was one of these unique differentiators is what is the cloud? I mean, AWS is a place where you can rapidly prototype. There's tons of
automation. You can go in there, you can build something quickly, and then it scales. But I view
the cloud as just a simple abstraction to refer to all of my assets, be them POPs, on-premise
data machines, the corporate environment, the laptop, desktops,
the stuff that we buy in the public clouds, right? These things are all part of the greater cloud.
So when I think cloud security, I want something that does it all. That's very difficult because if you have one tool to run on your cloud, one tool to run on your corporate environment,
one tool to run for your production environment, those tools are difficult to manage. And the data
needs to be ETL'd, you know,
it needs to be normalized.
And that's very difficult to do.
There are companies doing,
Silk Security right now is a company
that's taking all these data signals
and they're normalizing them, right?
So that you can have one dashboard.
That's a big trend in security right now
because we're buying too many tools.
So I guess the answer there really is,
I don't see the cloud as just AWS.
I think AWS is not just,
AWS shouldn't call themselves the cloud.
They should call themselves the cloud with everything.
You can come in, you can rapidly prototype your software,
and you know what?
You want to run to the largest scale possible?
You can do that too.
It's just the governance problem they're running into.
Oh, yes.
The AWS product strategy is pretty clearly the word yes
written on a Post-it note somewhere. That's the easiest job in the world, is running their strategy.
The challenge, too, is that we don't live in a world where monocultures are a thing anymore,
because regardless, if you use AWS for the underlying infrastructure, great. That makes
a lot of sense. Use it for a lot of the higher up the stack, SaaS-y type things that you don't
want to have to build yourself by going to Home Depot and picking out components, you're doing something relatively foolish in most
cases. They're a plumbing company, not a porcelain company in many respects. And regardless of what
your intention is around multiple clouds, people wind up using different things. In most cases,
you're going to be storing your source code in GitHub, not in AWS CodeCommit, because CodeCommit doesn't
really have any customers for reasons that become blindingly apparent the first time you try to use
it for something. So you always wind up with these cross-cloud, cross-infrastructure stories.
For any company that had the temerity to be founded before 2010, they probably have an
on-premises data center as well, or six or more. And you're starting to try to wind
up having a whole bunch of different abstractions viewed through the same lenses in terms of either
observability or control plane or governance, or dare I say it, security. And it feels like
there are multiple approaches, all of which have their drawbacks, which of course means
it's complicated. What's your take on it? So I think it was two years ago, we started to see
tools to do signal consumption. They would aggregate those signals and they would try and
produce meaningful results that were actionable rather than having to go and look at all this
granular data. I think that's phenomenal. I think a lot of companies are going to start to do that
more and more. One of the other trends people did is they eliminated data and they went machine
learning and anomaly detection, and that didn't work.
It missed a lot of things, right?
Or it turned it on false positive.
I think that one of the next big technologies, and I know it's been done for two years, but
I think one of the next big things we're going to see is the axonius of the consumption of
events, the categorization into alerts based on data classification policies.
And we're going to look at the severity classifications
of those that are going to be actionable to priority queue.
And we're going to eliminate the need for people
that don't like their jobs and sit in a SOC all day
and analyze a SIEM.
I don't ever run a SIEM,
but I think that this diversity can be a good thing.
So sometimes it's turned out to be a bad thing, right?
We want a diversity.
We don't want all the data to be homogenous.
We don't need data standards because that limits things.
But we do want competition.
But I want to ask you this, Corey.
Why do you think AWS, I mean, you remember 2007, right?
I do.
Oh, I've been around at least that long.
Yeah, you remember when S3 came out?
Was that 2007?
I want to say 2004, 2005, and beta,
and then relaunched as the first general available service.
The first beta service was SQS,
so there's always some question around which one was first.
I don't get in the middle of those fights,
because all I'm going to do is upset people.
But S3 was awesome.
It still is awesome, right?
Oh, yes.
You know what I saw?
I worked for a very old company.
We had very strict governance.
You know, we had SOX compliance, which is a joke,
but we also had SOX compliance.
I did HIPAA compliance for them.
Tons of compliance initiatives.
I'm not a compliance officer, to my trade.
So I started seeing X cards, you know, these company personal cards,
and people would go out on any of this platform because if they worked with my teams internally,
if they wanted to get a small app deployed,
it was like a two, three month process. That process was long because of CFO overhead
approvals, vendor data security vetting, racking machines. It wasn't a problem that was inherent
to the technology. I actually built a self-service cloud at that company.
The problem was governance. It was financial approvals. It was product justification.
So I think AWS is really what made the internet inflect and scale and innovate amazingly.
But I think that one of the things it sacrificed was governance. So if you tie a lot of what we're saying back together by using some sort of tool that you can pop into a cloud environment and
they can access 100% of the infrastructure and look for risks.
What you're doing is you're kind of x-ray visioning
into all these nodes that were deployed rapidly
and kept around because they were crown jewels
and you're determining the risks that lie on them.
So let's say that 10 or 15% of your estate
is prototype things that grew out of scale
and we can't pull back into our governed infrastructure.
A lot of times people think that those 10, 15 machines are probably pretty locked down
and they're probably low risk. If you throw a company on there that does side scanning
or something like that, you'll see they are 90% of the risk,
80% of the risk. They're unpatched and they're old. So I remember at one
point in my career, right? I'm thinking Amazon's great. I'm non-stabbing on Amazon because
they've made the internet go, they've fluxed. I mean, they've scaled us up like crazy. Oh, the capability store
is phenomenal. No argument there. Yeah. The governance problem though, you know, the other
governments, there's a lot of hacks because of people using AWS poorly. And to be clear, that's
everyone. We all are. I take a look at some of the horrible technical decisions I made even a couple
of years ago, based upon what I know now,
it's difficult to back out
and wind up doing things the proper way.
I wrote an article a while back,
17 ways to run containers in AWS
and listed all the services.
And I think it was a little on the nose,
but then I wrote 17 more ways
to run containers in AWS
with different services.
And I'm about three quarters of the way
through the third in the sequel.
I just need a couple more releases
and we're good to go.
The more complexity you add, the more security risk exists.
And I've had horror stories. Dictionary.com lost
a lot of business once because a couple of former
contractors deleted some instances in AWS. Before that,
they had a secret machine they turned into a pixel logger
and had to take down their iPhone app. I've seen some stuff.
But one of the interesting things about deploying one of these tools
in AWS that can just look x-ray vision on into all
your compute, all your storage and say, you have PII stored here, you have
personal data stored here, you have this vulnerability, that vulnerability, this machine's already been
compromised, is you can take that to your CEO as a CISO
and say, look, we were wrong.
There's a lot of risk here.
And then what I've done in the past is I've used that to deploy HIDS, XDR, telemetry
at scale, whatever you want to call it.
But these agent-based solutions, I've used that to get justification for them.
Now, the problem with the solutions that use agentless is almost all of them are just in
the cloud.
So it's just a portion of the infrastructure.
So, I mean, if you're a hybrid environment, you have data centers, you're ignoring the data centers.
So it's interesting because I've seen these companies position themselves as competitors when really they're in complementary spaces.
And one of them justified the other for me.
So, I mean, what do you think about that awkward competition?
Why does this competition exist between these people if they do completely different things?
I'll take it a step further.
I'm a big believer that security for the cloud provider should not be a revenue generator in any meaningful sense.
Because at that point, they wind up with an inherent conflict of interest.
Where when they start charging, especially trying to do value-based pricing as they move up the stack,
what they're inherently saying is,
great, you can get our version of our services that is less secure,
but so what they're doing is they're making security
on their platform an inherent investment decision.
And I've never been a big believer in that approach.
The SSO tax.
Oh, yes.
And many others.
Yeah.
So I was one of the first SSO tax contributors.
That started it. You want data plane audit logging? Great, that'll cost you.
They finally gave in a couple years back and made the first management trail
for CloudTrail audit logging free for everyone. And people still
inadvertently build second ones and then wonder why they're paying through the nose. Like, oh, it's $40,000 a month.
It should be zero. Great. Send that to your SIEM and then have that pass it out
to where it needs to go. But so much of it is just these weird configuration taxes that people aren't
fully aware exist. It's the market, right? The market is... So look at Amazon's IAM. It is
amazing, right? It's totally robust. Who is using it correctly? And I know a lot of people are.
I've been the CISO for over a hundred companies. And IAM is one of those things that people don't know how to use.
And I think the reason is because people aren't paying for it.
So AWS can't continue to innovate on it.
So we find ourselves with this huge influx of IAM tools in the startup scene.
We all know Uptycs does some CIEM and some identity management stuff.
But that's a great example of what you're talking about, right?
These cloud companies are not making their things inherently secure, but they are giving some
optionality. The products don't grow because they're not being consumed. And AWS doesn't
tend to advertise them as much as the folks in the security industry. It's been a long complaint
of mine, right? And I absolutely agree with you. Most of the breaches are coming out of AWS. That's
not AWS's fault. AWS's infrastructure isn't getting breached.
It's the way that the customers are configuring the infrastructure. That's going to change a lot soon. We're starting to see a lot of change. But the fundamental issue here is that security needs
to be invested in for short-term initiatives, not just for long-term initiatives. Customers
need to care about security, not compliance. Customers need to see proof of security. A
customer should be demanding that they're using a secure company. If you've ever been on the
vendor approval side, you'll see it's very hard to push back on an insecure company going through
the vendor process. This episode is sponsored in part by our friends at Uptycs, because they
believe that many of you are looking to bolster your security posture with CNAPP and XDR solutions.
They offer both cloud and endpoint security in a single UI and data model. Listeners can get
Uptycs for up to a thousand assets through the end of 2023, that is next year, for one dollar.
But this offer is only available for a limited time on UptycsSecretMenu.com. That's U-P-T-Y-C-S SecretMenu.com.
Oh, yes.
I wound up given probably about 100 companies now
S3 bucket negligence awards
for being public about failing to secure their data
and put that out into the world.
I had one physical bucket made,
the S3 bucket responsibility award,
and presented it to their
then Director of Security over at the Pokemon Company. Because there was a Wall Street Journal
article talking about how their security review, given the fact that they are a gaming company that
has children as their primary customer, they take it very seriously. And they cited the reason
they're not to do business with one unnamed vendor was in part due to
their lackadaisical approach around
S3 bucket control. So
that was the one time I've seen
in public a reference where, yeah,
we were going to use a vendor and their security story was
terrible and we decided not to.
Why is that news? That should be a much more common
story. But these days it feels
like procurement is rubber stamping it like, okay,
great, fill out the form. And okay, you gave some wrong answers on the form. Try it again and tell
the story differently until it gets shoved through. It feels like it's a rubber stamp rather than a
meaningful control. It's not a rubber stamp for me when I worked at Turnitin. And I'm a big guy.
So they come to me, you know, like that's how being my career a lot. It's just being big and
intimidating because that's, I mean, security kind of is kind of is that way. But I've got a story for you. This one's a little
more bleak. I don't know if there's a company called Ask.fm. And I'll mention them by name.
Because I worked for a company that did a hostile takeover of this company.
And that's when I started working with Raskan Natsur.
I speak Russian and I learned it for work.
I'm not Russian, but I learned the language so that I could do my job.
And I was working for a company with a similar name.
And we were in board meetings and we were crying, literally shedding tears in the boardroom because this other company was being mistaken for us.
And the reason why we were shedding tears is because young women, 11 to 13, were committing suicide because of online bullying.
They had no health and safety department, no security department.
We were furious.
So the company was hosted in Latvia, and we went over there and we installed one.
I lived in Latvia for quite a bit, working as the CISO to install a security program
along with the health and safety person to install a moderation team.
This is what we need to do in the industry, especially when it comes to children, right?
Will regulation solve it?
I don't know.
But if you're talking about the Pokemon video game,
I remember that, right?
We can't have that kind of data being leaked.
These are children.
We need to protect them with information security.
And in education technology, I'll tell you,
it's just not a budget priority.
So the parents need to demand the security.
We need to demand these audit certifications and we need to demand that our audit firms
are audited better.
Our audit firms need to be explaining to security leaders that the control frameworks are something
that they're responsible for creating bespoke.
I did a presentation with Al Kingsley recently about security compliance, comparing FERPA
and COPPA to the GDPR.
And it's very interesting because FERPA has very little teeth. It's very long
code, and GDPR is relatively brilliant. GDPR made some
changes. FERPA was so ambiguous and vague, it made a lot of changes,
but they were kind of like in any direction ever because nobody knows what FERPA is.
So I don't know. What's the answer to that? What do we do?
Yeah.
The challenge is you can see a lot of companies in specific areas doing the right thing when
they're intentionally going out day one to, for example, service kids as a primary user
based demographic.
The challenge that you see with this is that that's great, but then you have things that
are not starting off with that point of view.
And they started running into population limits and realize, okay, we've got to start expanding
our user base somewhere. And then they wind up bolting on those things almost as an afterthought
where, oh, well, we've been basically misusing people's data for our entire existence. But now,
now we're suddenly magically going to do the right thing where kids are concerned.
I wish, but unfortunately,
that philosophy assumes a better take of humanity than is readily apparent.
I wonder why they do that, though, right? Something's going to, you know, news happen
or something. That's why they're doing it. That's not okay. But I have seen companies,
one of the founders of Scantron. Do you know what Scantron is?
Oh, yes. I'm much older than I look.
Yeah, I'm much older than I look, too. I like to think that, but for those that don't know,
a Scantron, you use number two pencil
and you filled in these little dots
and it was for taking tests.
So the guy who started Scantron
created a small two person company
and AWS did something magnificent.
They recognized that it was
an education technology company
and they gave them for free
security consultation services,
security implementation services. And when we bought this company, I'm heavily involved in M&A, right? I'm sitting down
with the two founders of the company and my jaw is on the desk. They were more secure than a lot
of the companies that I'd worked with that had robust security departments. And I said, how did
you do this? And they said, AWS provided us with this free service because we're education technology.
I teared up.
My heart was, you know, that's amazing.
So there are companies that are doing this right.
But then again, look at Grammarly.
I hate to pick on Grammarly.
Language Tool is an open source, I believe, privacy-centric Grammarly competitor.
But Grammarly, invest in your security a little more, man.
Y'all were breached.
They store a lot of data. They click a lot of the data.
Oh, and it scared the living hell out of companies realizing that they had business users
using Grammarly as an extension to work on internal documents and just sending proprietary
data to some third-party service that they clicked through the terms on. And I don't know that it was
ever shown that Grammarly was misusing any of that, but the potential for that is massive.
Do you know what they were doing with it?
Well, using AI to learn these things.
Yeah, but the supervision story always involves humans reading it.
They were building, and I think, nobody knows the rumor, but I worked in the industry pretty heavily.
They're doing something great for the world.
I believe they're building a database of works submitted to do various things
with them. One of those things is plagiarism detection. So in order to do that, they've got
to store all the data that they're processing. Well, if you have all the data that you've done
for your company that's sitting in this Grammarly database and they get hacked, luckily that's a lot
of data. Maybe you'll be overlooked, but I've got a Breach database sitting here on my desk. Do you know how many rows it's got?
Yes.
Breach database.
Oh, I wouldn't even begin to guess.
I know the data volumes that Troy Hunt's have-I-been-pwned site winds up dealing with,
and it is significant.
How many billions of rows do you think it is?
I'd say 20, as an argument.
34.
Okay.
Yeah, that's directionally right.
Fermi estimation saves us yet again.
The reason I built this breach database is because I thought COVID would slow down,
and I wanted to do executive protection.
Companies in the education space also suffer from active shooters and that sort of thing.
So that's another thing about security, too, is it transcends all these interesting areas, right?
Like here I'm doing executive risk protection by looking at open source data.
Protect the executives.
Show the executives that security is a concern.
These executives then realize security is real.
Then they pass that security down in the list of priorities.
And the next thing you know, the 50 million active students that are using Turnitin are getting better security.
Because an executive realized,
hey, wait a minute, this is a real thing.
So there's a lot of ways around this,
but I don't know, it's a big space.
There's a lot of competition.
There's a lot of companies that are coming in and flashing out in the pan.
A lot of companies are coming in and build snake oil.
How do people know how to determine
the right things to use?
How do people know what to implement?
How do people understand that when they deploy a program that only applies to their cloud environment, it doesn't
touch their on-prem where a lot of data might be at risk? And how do we work together? How do we
get teams like DevOps, IT, SecOps to not fight each other for installing an agent for doing this?
Now, when I looked at Uptycs, I said, well, it does the EDR for corp stuff. It does the
host intrusion detection, you know, the agent-based stuff, I think, really well
because it uses a buzzword I don't like to use, osquery.
It's got a bunch of cloud security configuration on it,
which is pretty commoditized.
It does agentless cloud scanning.
And it really, I spent a lot of my career
just struggling to find these tools.
I've written some myself.
And when I saw Uptycs, I felt stupid.
I couldn't believe that I hadn't used this tool. I think maybe they've increased substantially
in their capabilities. But it was kind of amazing to me that I had spent so much of my time and
energy and hadn't found them. Luckily, I decided to join. Actually, I didn't decide to join. It
kind of decided for me. And they started giving it away for free. But I found that Uptycs needs a, you know,
they need a brand refresh.
People need to come take a look and say,
hey, this isn't the old Uptycs.
Take a look at it.
Maybe I'm wrong,
but I'm here as a technology evangelist.
And I'll tell you right now,
the minute I no longer am an evangelist
for this technology,
the minute I'm no longer passionate about it,
I can't do my job.
I'm going to go do something else.
So I'm the one guy who will put it to your brass tacks. I want this thing to be the thing I've been passionate about
for a long time. I want people to use it, contact me directly, tell me what's wrong with it, tell me
I'm wrong, tell me I'm right. I really just want to wrap my head around this from an industry
perspective and say, hey, I think that these guys are willing to make the best thing ever,
and I'm the craziest person in security. Now, Corey, who's the craziest person in security?
That is a difficult question with many wrong answers.
No, I'm not talking about McAfee, all right? I'm not that level of crazy. But I'm talking about,
I was obsessed with this XDR, CDR, all the acronyms, you know, we call it his. I was
obsessed with it for years. I worked for all these companies. I quit doing a lot of very good entrepreneurial work to come work at this company.
So I really do think that they can fix a lot of this stuff.
I've got my fingers crossed.
But I'm still staying involved in a lot of other things to make these technologies better.
And the software security space is going all over the place.
Sometimes it's going in bad directions.
Sometimes it's going in good directions.
But I agree with you about Amazon producing tools. I think it's just all market-based. People aren't going to use the
complex tools on Amazon when there's all this other flashy stuff being advertised.
It all comes down to marketing budget, and AWS has always struggled with telling a story.
I really want to thank you for being so generous with your time. If people want to learn more,
where should they go? Oh, gosh. Everywhere. But
if you want to learn more about Uptycs, why don't you just email me? And we'll of course put your
email address into the show notes. Yeah, we'll do it. Don't offer if you're not serious. There's
also uptycssecretmenu.com, which is apparently not much of a secret given the large banner all
over Uptycs' website. Have you seen this? Let me just tell you about this. This is not a catch.
I was blown away by this. It's one of the reasons I joined. For a buck, if you have between 100 and 1,000 nodes,
you get our agentless system and our agent-based system. I think it's only in AWS, but that's like
$150,000, $180,000 value. You get it for a full year. You don't have to sign a contract to renew
or anything. You just get it for a buck.
Anybody who doesn't go on to the secret menu website
and pay $1 and check out this agentless solution
that deploys in two minutes, come on, man.
I challenge everybody, go on there, do that
and tell me what's wrong with it.
Go on there, do that and give me the feedback.
And I promise you, I'll do everything in my best efforts
to make it the best.
I saw the engineering team in this company.
They care.
Ganesh, the CEO, he is not your average CEO.
This guy tinkers.
He's hands on keyboard.
He responds to me in the middle of the night.
He's a geek just like me.
But we need users to give us feedback.
So you got this dollar menu.
You sign up before the 31st, right?
You get the product for a buck.
Deploy the thing in two minutes.
Then if you want to do the XDR, this agent-based system,
you can deploy that at your leisure
across whichever areas you want.
Maybe you want a corporate network on laptops and desktops,
your production infrastructure, your compute in the cloud.
Deploy it, take a look at it.
Tell me what's wrong with it.
Tell me what's right with it.
Let's go in there and look at it together. This is my job. I want this company to work,
not because they're Uptycs, but because I think that they can do it. And this is my personal
passion. So if people hit me up directly, let's chat. We can build a Slack, Uptycs Skunkworks.
Let's get this stuff perfect. And we're also going to try and get some advisory boards together,
like maybe a CISO advisory board and just get more feedback from folks.
Because I think the Uptycs brand has made a huge shift in a really positive
direction.
And if you look at the great thing here,
they're unifying this whole agentless and agent-based stuff.
And a lot of companies are saying that they're competing with that.
Those two things need to be run together,
right?
They need to be run together. So I think the next steps here: check out that dollar menu.
It's unbelievable. I can't believe that they're doing it. I think people think it's too good to
be true. You all got nothing to lose. It's a buck. If you sign up for it right now before the
31st, you can just wait and act on it any month later. So if you sign up for it, you're just
locked into the pricing.
And then you want to hit me up and talk about it? Is it three in the morning? You got me.
Is it eight in the morning? You got me. You're more generous than I am. That's why I work in AWS bills. It's strictly a business hours problem. This is not something that they pay me for.
This is just part of my personal passion. I have struggled to get this thing built correctly
because I truly believe not only is it really cool, and I'm not just talking about Uptycs.
I mean, all the companies that are out there.
But I think that this could be the most powerful tool in security that makes the world more secure, like in a way that keeps up with the security risk increasing.
We just need to get customers.
We need to get critics.
And if you're somebody who wants to come in and prove me wrong, I need help.
I need people to take a look at it for me.
So it's free.
And if you're in the San Francisco Bay Area and you give me some good feedback and all that, I'll take you out to dinner.
I'll introduce you to startup companies that I think you might want to advise.
I'll help out your career.
So it truly is a dollar menu then.
Well, I'm paying for the dinner.
That's my personal thing.
Exactly.
Well, again, you're also paying for the infrastructure required to provide the
service. So, you know, one way or another, it's just like cloud. There is no cloud.
It's just someone else's cost center. I like that. Well, yeah. We're
paying for a ton of data hosting. This is a huge loss leader. Uptycs
has a lot of money in the bank, I think. So they're able to do this. Uptycs
just needs to get a little more bold
in their marketing
because I think they've spent so much time
building an awesome product.
It's time that we get people to see it.
That's why I did this.
My career was going phenomenally.
I was traveling the world,
traveling the country, promoting things,
just getting deals left and right.
And then Elias, my buddy over at Orca,
Elias, one of the best marketing guys I've ever met.
I've never done marketing before.
I love this. It's not just marketing. It's like I get to take feedback from people and make the
product better. This is what I've been trying to do. So you're talking to a crazy person in
security. I will go well above and beyond. Sign up with that dollar menu. I'm telling you,
there's no commitment. Maybe you'll get some spam email or something like that. Email me directly.
I'll kill the spam email. You can do it any time before the end of 2023, but it's only for 2023, so you've got a full year of the services
for free, right? And one of them takes two minutes to deploy, so start with that one. Let me know what
you think. These guys ideate and they pivot very quickly. I would love to work on this. This is why
I came here. So I haven't had a lot of opportunity to work with the practitioners. I'm there for you. I'll create a Slack. We can all work together. I'll
invite you to my Slack if you want to get involved in secondaries, investing, and startup advisory.
I'm a mentor and a leader in this space. So for me to be able to stay active, this is like a quid
pro quo with me working for this company. Uptycs is the company that I've chosen now because I
think that they're the ones that are doing this. But I'm doing this because I think I found the opportunity to get it done right. And I think
it's going to be the one thing in security that when it is perfected has the biggest impact.
We'll see how it goes out over the coming year, I'm sure. Thank you so much for being so generous
with your time. I appreciate it. I like you. I like you, Corey. I like me too. Yeah. All right. Okay. I'm telling you,
I'll take it in or something. You, you, uh, I are very weird. Uh, it works out. Yeah.
Jack Charles Roehrig, technology evangelist at Uptycs. I'm cloud economist, Corey Quinn,
and this is Screaming in the Cloud. If you've enjoyed this podcast, please leave a five-star
review on your podcast platform of choice.
Whereas if you hated this podcast,
please leave a five-star review
on your podcast platform of choice,
along with an insulting comment
that we're going to be able to pull
the exact details of where you left it from
because your podcast platform of choice
clearly just treated security as a box check.
If your AWS bill keeps rising
and your blood pressure is doing the same,
then you need the Duckbill Group.
We help companies fix their AWS bill
by making it smaller and less horrifying.
The Duckbill Group works for you, not AWS.
We tailor recommendations to your business
and we get to the point.
Visit duckbillgroup.com to get started.
This has been a HumblePod production.
Stay humble.