Introduction to Blue Sapphire
00:00:00
Speaker
Hi, I am Kiran Vangavati, founder and CEO of Blue Sapphire.
00:00:16
Speaker
The fight between the good guys and the bad guys is an eternal one. And in a way, you can say that it is what forces us to constantly innovate and build better technology. Thanks to the pervasive use of digital technology, today a threat actor could single-handedly take down the electricity grid of an entire country. In this episode of the Founder Thesis podcast, your host, Akshay Dutt, talks to Kiran Wangaveti, the founder of Blue Sapphire Technologies, about the evolution of cybersecurity products.
00:00:45
Speaker
Kiran has had a ringside view of this sector, which allowed him to anticipate the broad trends in the space and start Blucifier, a full-stack threat detection and response platform for enterprises. Stay tuned to learn about the cutting-edge technologies in cybersecurity, and please subscribe to the Founder Thesis podcast on YouTube or any audio streaming platform.
Career and Challenges in Cybersecurity
00:01:14
Speaker
Give me an elevator pitch of Blue Sapphire. It's hard to give an elevator pitch of Blue Sapphire without telling you a little bit about myself. So I started my career, and I have been in the IT industry for 25 years. The last 19 years have been specifically in cybersecurity. I worked for Fortune 10 and Fortune 100 companies, leading large cybersecurity teams across multiple global locations.
00:01:40
Speaker
in over 180,000 to 150,000 kind of use of this. In respect to where I was, my last gig was with Tudor Investments, an $18 billion hedge fund, as the chief information security officer. In respect to where I was, there was a problem statement that I constantly encountered. And the problem statement was not associated with the budgets or the people. It was essentially about the capability of what I needed to do.
Security Operations Centers Limitations
00:02:09
Speaker
Essentially, in the Security Operations Center, it took us a lot of time to actually look at the incidents and triage them, and if we wanted to respond, we were very limited by the capabilities that other tools provided, and we were very reliant on them. We couldn't design our own responses.
00:02:26
Speaker
There has to be a better way. Give me an example. Like you're saying that this capability was not there with you to look at an incident, triage, respond. Can you help our listeners understand this through an example? And what do you mean by triage? And what are the kind of responses that happen? What are the kind of incidents that happen?
00:02:51
Speaker
Sure. So when I was at one of these Fortune 10 companies, one of the world's largest employers, we were constantly under attack by nation-state attackers. And we would see those artifacts, which in itself was pretty interesting for us. We would see those artifacts that actually were part of the attack. What's an artifact? Like my understanding of artifact comes from Indiana Jones.
00:03:18
Speaker
It's actually similar to that. So when you say artifact, it's an indicator of compromise. And what is an indicator of compromise? It could be a registry entry, it could be a file entry, it could be a privilege escalation log that we are seeing or a specific usage of a specific command.
00:03:36
Speaker
which is traditionally not done, or a new file in the entire ecosystem which we never actually introduced, probably a malicious file or something. It could be a file registry entry, memory artifact, shortcut, browser artifact, which means that there was some activity on the browser, and we need to figure out what that activity was. And it is stored in browser forensics. And browser forensics is the only way to bring that data back. So there are many of these, and it could be as simple as a login.
00:04:05
Speaker
And also something that all of us are used to is an antivirus alert going off. Even that could actually be an artifact. So irrespective of where we were, once we identified an artifact, for us to verify if that artifact was present anywhere else on the network, what happened before that artifact was generated, what happened after that artifact was generated, we were very limited in our capabilities to do that.
00:04:30
Speaker
And we have to jump from tool to tool to tool to actually get the data we need because once I see something happening and I'm say for example, I see a PowerShell downloading a script.
00:04:41
Speaker
from an external party. And I'm like, okay, did that even try to, did that actually succeed? Did that connection succeed?
PowerShell's Dual Role
00:04:50
Speaker
I had to go back to the firewall logs to look at the data, and I had to parse that information. Proxy logs, because most of the time the data would actually get routed out through the proxy. Or if it was an odd port, I need to know if the firewall allowed it or did not allow it. And how do we actually make that determination? What's a PowerShell?
00:05:08
Speaker
PowerShell is a scripting language in Windows, a very popular scripting language in Windows. Usually used for system administration, but it can be used for malicious purposes. It is equivalent to what, back in the UNIX world, we would call shell scripting.
00:05:24
Speaker
Shell scripting was very popular, and Unix admins loved it, and they geeked out about how Windows is for idiots and Unix is for the intellectually superior human beings. Then Windows decided to finally address that problem and start doing something about it, and PowerShell was their answer.
00:05:43
Speaker
In fact, actually today, PowerShell is used extensively by Microsoft also. So all the Windows interfaces that are built for administrators are actually built on the backend of PowerShell. So everything runs on PowerShell in a Windows environment today.
00:05:57
Speaker
Okay, got it. So PowerShell is like an environment in which you can access more things, and you can write some code to get higher-level access than the typical Windows UI gives you. You can automate a lot of things without actually having to navigate through the UI. Think of it like a batch job. Back in the day, most of us who have learned MS-DOS and others, we know what batch scripting is. Think of it like batch scripting on steroids.
00:06:25
Speaker
You can do a whole lot of the activity in a more automated way, faster than what you could do in a traditional way. This is supposed to help the administrators, system administrators and system engineers, so they can actually do faster deployments across their environments and work with user requirements and so forth in an automated fashion.
00:06:45
Speaker
rather than just point and click. We're just dumb, right? I mean, it would really take a long time for you to do something by point and click to create 100 users or 200 users. And in large enterprises, it's very often that you have to create some 300, 400 accounts overnight.
00:07:00
Speaker
That's a nightmare. You would actually use your own scripting to do that. That would make your job and life a lot easier. Things of that sort. You can actually script pretty much anything in Windows today. It became very, very powerful, the most powerful entity that Windows has created. It became so powerful that the attackers have taken notice.
00:07:24
Speaker
And they use that to attack because it is present in every system. It's automated. Not everybody knows how to use it. Not everybody has a decent logging mechanism on it enabled by default. So attackers use it very often. Okay. So you said you had to use like a number of tools. There's no single tool, but there were a number of tools that you had to use to triage. Now, what do you mean by triage first? And what are the tools? Give me some examples of tools.
00:07:52
Speaker
Basically, triage is actually understanding the data and understanding what happened behind an incident. And once an alert has been triggered, is that alert an incident or not? That determination has to be made. That is made through a process called triaging. Triaging is actually getting all the sources of truth sitting together and understanding if this actually is an incident or it's actually a false positive. It's basically analysis.
00:08:18
Speaker
Okay, so like determining the severity and whether this is a concern or not a concern. Yes, yes. Okay. So that kind of triage would take a lot of time because we have to jump from tool to tool to tool. And a very simple example again, let's go back to the antivirus, because a lot of people can relate to an antivirus alert on their systems. What happened before that antivirus alert triggered?
00:08:40
Speaker
It's great that the antivirus actually caught what was happening, and it actually quarantined it. In most cases, it actually does succeed in quarantining the system, and actually gives an alert saying that I have quarantined A, B, and C, and you should be fine now. And that alert is actually received by the Security Operations Center in an enterprise, and an analyst takes a look at it, verifies that the quarantine was successful, and then closes the ticket. But that's not the full story.
00:09:09
Speaker
How did that file actually get there to get quarantined? What happened after that point? What happened before that point? These are all important aspects to understand if this was actually an incident, or it's an isolated incident, or what it is. Was it a part of an attack? And only one part of the attack got caught, and we missed the entire rest of the attack because it went under the radar. What happened?
00:09:34
Speaker
That determination was very, very important. And sometimes it's also important that you may find an attack. And I'm asking myself the question, did it happen only on that system? Or I have 20,000 systems across my enterprise. Where else did this happen that we did not catch it? How do I get an authoritative answer on, I see this attacker here, is he hiding somewhere else on my network?
00:09:59
Speaker
There's no easy way to do this or get that data together. So performing the triage, and then analysis, and then figuring out a way to respond to that problem was becoming a nightmare. And we used to start writing our own scripts, and many a day, many times these scripts would take days to run. An attacker could actually finish his job in a matter of hours, and we would be searching for days and weeks across our enterprise.
00:10:24
Speaker
There's no easy way to do it. I mean, there were antivirus tools or EDRs and so on and so forth, but we had to rely on what they told us rather than what we wanted out of that tool, which means that we had to rely on the alerts that these tools were throwing. And if we saw something suspicious that we wanted it to catch, we had to upload the sample to the vendor and ask him to build signatures for that, or build detections for that, and then help us detect it.
00:10:51
Speaker
It was great. We were a Fortune 10 company. So the vendor would bend over backwards and try to accommodate us in a matter of three weeks, which is still too long. But what about others?
00:11:01
Speaker
So that's when I got out and said there's a better way to do this. The problem is that we have evolved as multiple tools over the period of the last 15-20 years. But now there is actually technology currently available for you to build a single platform that can operate across the entire stack and give you visibility and build an automated storyline
Agentless Security Model
00:11:23
Speaker
based on the data it already has. So when an analyst looks at an alert, the entire storyline is laid out for him. So in a matter of seconds, he can make a determination whether this is an incident or not. And how does he respond without relying on an agent? The problem in many enterprises is that your agents are not up to date. Sometimes they're not even installed. And nine out of 10 times the attacker is more successful at finding that particular system than anything else on your network.
00:11:53
Speaker
So it ends up that you have to defend something on which your agent does not exist. So we've moved to a complete agentless model to actually be able to respond to situations like that. That became very critical for us based on the experiences I had both in large financial sectors, the pharmaceutical sector, and so on and so forth. What's an agent?
00:12:21
Speaker
An agent is, it's an antivirus, it can be called an agent. Your EDR is an agent. What's EDR? Endpoint detection and response. So it's part of an evolution of how cybersecurity evolved. Back in the day, we used to call it antivirus. Then somebody said, hey, you know what, antivirus only depends on your signature. It's too old. It needs to be more modern. And we can detect this using machine learning models. So you don't have to depend on updates.
00:12:52
Speaker
And then the machine learning model of antivirus became popular. They called them the next-generation antivirus, and all of a sudden the attackers. And antivirus essentially is constantly scanning your hard disk, comparing if there is any script or file which matches a database of threats or threatening files and scripts. That is correct.
00:13:14
Speaker
But it's really easy to change the, what it is comparing against is hashes of a database, hashes of a file. A hash is a unique fingerprint of a file, and no matter how many times you run it, the same file will generate the same hash, and it's like a fingerprint of that file. It's like your identity. Your identity is not you, but it is just a fingerprint of you.
00:13:37
Speaker
Okay, so an antivirus will only work if the hash is an exact match, whereas if a virus is capable of evolving and changing its hash, then it will not work.
00:13:47
Speaker
Yes, we call them polymorphic viruses. So they can actually change shape, change themselves constantly with every landing that they do. So very soon these antiviruses were becoming irrelevant. So somebody said, hey, you know what, we have machine learning models that can actually look at the patterns and then tell you whether this is a virus or not, rather than solely depending on definitions.
00:14:13
Speaker
We used to call them anti-virus definitions back then. Those are actually a database of patches. And machine learning models became popular. And then we went into a model called next-generation anti-virus. It used to be called next-gen anti-virus. Then attackers wised up. They said, OK, fine. You want to detect us that way? What we will do is we will use existing tools that are already present on your operating system. And we usually won't download anything malicious.
00:14:42
Speaker
So there is a challenge. Even machine learning models depended on detecting existing patterns of activity, not unknown patterns of activity. So if it's an unknown unknown, is what we call it. If it's an unknown unknown, it becomes a challenge. We have never known about it. There was no pattern for your machine learning model to run. And then you cannot detect it.
00:15:03
Speaker
That was a challenge with the machine learning models. But then attackers are also wising up. They are like, okay, fine. You're using machine learning models. You're using a combination of signature-based detection. You're using a combination of those. So what we will do is let's walk away from downloading anything malicious. Let's start using something that's already present in your operating system. It is like, I will not bring a knife into the airport. I will use something from one of the airport kitchens.
00:15:34
Speaker
Okay. You don't have to pass those scanners. I will use something that's already available for me. Okay. So they're using something that's already present inside your environment, because you're scanning everything that actually is coming from outside, and you have pretty decent systems. So they said, okay, fine. What does your Windows system have? What does your Linux system have? It has many capabilities to actually destroy itself, just like anything else. So we use the, we call them L-O-L,
00:16:05
Speaker
living off the land binaries. So what that means is your operating system has a lot of functionality. You're probably just scraping the surface of it. Ninety-five percent of us probably use it for email, video and YouTube.
00:16:22
Speaker
That probably covers the maximum extent, and browsing, shopping, so on and so forth. So basically the browser, the email system and probably YouTube video streaming, that's probably the extent of our operations in most cases. But your operating system is built to support a lot more than that.
00:16:39
Speaker
There are constantly updates happening across environments; your system administrators or administrators are controlling your operating system behavior to fine-tune it to your organization's requirements. A lot of capability to self-monitor and self-maintain exists. And an attacker can use those existing binaries, which usually are never touched; you and me would never touch them.
00:17:02
Speaker
And there are probably hundreds of them. And he would use one of those to actually go exploit your own system. For example, if I want to upload data from your network to an external party. Previously, what an attacker would do is download his own toolset and upload that information, which essentially caused problems because now he's getting detected.
00:17:24
Speaker
But if I use something called BITS, Background Intelligent Transfer Service, that is built into most Windows environments, and in Linux there are other methods to do it. But let's focus more on Windows because a lot of us can relate to Windows environments. It is used by Windows natively to download Microsoft patches.
00:17:44
Speaker
It's a very intelligent system. It can actually stop the transfer in between and start exactly where it left off. It can do all kinds of broken downloading. It can download 10 kilobytes from this source, 20 kilobytes from that source, more like BitTorrent. It can do a bunch of interesting things. Attackers just use that to download the data, which went completely under the radar.
00:18:07
Speaker
So many of these activities can be done using the native binaries. Well, there's a very popular command called whoami. It tells you who the current logged-on user is, is it part of a domain, is it a domain administrator? And what are the other users that are logged onto this system? Everything is part of your own operating system. So attackers started using that, and they don't get detected anymore. Then came the world of EDR,
00:18:33
Speaker
endpoint detection and response. They said, okay, your antivirus is looking for malicious stuff. The attacker is not using malicious stuff. He's only using what is already present. So essentially, I need to look at all executions and determine what is malicious based on certain rules. And these rules should be dynamic.
00:18:54
Speaker
So we went from detecting hashes, fingerprints of files, to machine learning models, to also extending it to a rule-based model. Then organizations became tired of managing the EDR systems and the antivirus systems separately. There are too many agents that are coming onto the system. So they said, okay, fine. The market responded. They merged both the endpoint and EDR, and it became EPP, endpoint protection platform.
00:19:25
Speaker
Just give me examples of brand names also, like what's an EDR brand name I might have? Antivirus: McAfee, Norton. Many of us, McAfee, Norton, all of us remember. And when machine learning models and next-gen antivirus came in, it was purely a Cylance world, the world of Cylance.
00:19:43
Speaker
CrowdStrike is still present, but Cylance died in the hands of BlackBerry. But CrowdStrike was also a very strong contender at that point, and actually they were playing second fiddle to Cylance, but CrowdStrike pivoted into EDR,
00:20:00
Speaker
which Cylance did not. And then CrowdStrike also became a next-generation antivirus and EDR put together, an EPP. They're pretty much the leaders in the space. So CrowdStrike and SentinelOne will be your typical EPPs today. There are many more; Trend has caught up, Sophos has caught up, a bunch of others have caught up, but everybody's playing second fiddle to what these guys are doing. CrowdStrike undoubtedly is the leader in that space.
00:20:26
Speaker
Okay, got it. So EPP is essentially... But all of these, even within these advanced kinds of models, you still can't tell it what you want it to do. It works based on what it was told to do. And if you want it to do something, you have to go back to CrowdStrike and say, I want to build this.
00:20:43
Speaker
They're not extensible. Their data sets are not extensible.
Unified Security Platform Vision
00:20:47
Speaker
You don't have direct access to that data if you want to correlate that information with something else. It only gives you alerts. It doesn't tell you what all it is looking for. It only gives you the alerts. So you're completely dependent on the alerts you're receiving. You have no intelligence, no saying what it is going to give you.
00:21:05
Speaker
These are all very rigid systems, and we thought there was a better way to do this, and that's how Blue Sapphire was born in 2017. We got an honorary mention in 2018 by Gartner saying that we were thinking very differently from what the market space was thinking at that point in time. Lo and behold, five years later today XDR is a very popular terminology, Extended Detection and Response.
00:21:27
Speaker
So in between, MDR became a thing, managed detection and response, which is an MSSP service for EDR. What is MSSP?
00:21:36
Speaker
Managed security service provider. So that became very popular. So that would mean there would be like a call center in India, or like a BPO in India, where there's a human being who's looking at alerts in conjunction with this operation. There's a security operations center run by these guys because EDR was very complex. It is actually still very complex for a common person to understand.
00:22:01
Speaker
So it is usually run by a team of technology experts in a security operations center. That became managed detection and response. Then today the world is talking about XDR, Extended Detection and Response. What that actually means is they finally realized that just looking at the endpoint is not valuable, because you don't know what your point of entry was versus what the attacker's point of entry was.
00:22:27
Speaker
But the single source of truth happens to be that a communication needs to happen, whether encrypted or not. And that fingerprint is available on the network. So if you're listening to your network, looking at the proxy data, looking at all the other logs, and combine that with the data on the endpoint, then you have a better footprint of what is happening. And you understand the storyline better.
00:22:51
Speaker
A lot of these companies were pushing the agenda of, you know, the endpoint is the, EDR is the only grail of all detection, because all action is happening there. But whether we like it or not, we believed strongly back in 2017 itself. We said, no, that data is not enough. Unless you're trying to become a rocket scientist within that space, you're looking at a very narrow set of data and trying to make a determination whether something is an attack, which is a problem, because
00:23:20
Speaker
the more data you have, the better chances you have of detecting something. The narrower you get, the more specialized you have to become for no reason. Absolutely no reason. You have access to all of this other data, and you could have easily picked it up. But instead, you actually decide to focus down on that narrow lane and then figure out how to become an expert. And that is completely not valuable to the end consumer. Okay.
00:23:50
Speaker
A lot of jargon, I know. I'm going to recap it just so that I'm also clear on it, and you can correct me if I'm wrong. An EDR is essentially looking at activity within the device of the end user, like say an employee of a company, the laptop that he uses.
00:24:07
Speaker
So it is looking at activity there. It is not looking at the interaction between that device and the network. That is what is currently missing. And that is what Blue Sapphire is doing. So you're doing both. You're looking at the device and the communication between the device and the network, or you're only looking at the communication?
00:24:30
Speaker
So we're looking at everything, right? Blue Sapphire was born with the thought process that, hey, in this age of big data, back in 2017, I'm talking today, we all know big data. Back in 2017, I said, in this day of big data and large-scale indices available, it's a shame that we have to jump tool to tool to tool to make this determination. And it's also a shame that we have to depend on such a narrow set of data, which the consumer who has paid for the product does not have access to.
00:24:59
Speaker
So we started with what we call an open data platform. We built this large scale open data platform that's scalable to petabytes of data. And we built it on open schemas. So any of our customers can look into the data and understand the data as is without having to come back to us. So they can build whatever models they want on top of it. That's number one.
00:25:20
Speaker
Number two, we built it on the premise that you have to look at the entire operations in its entirety. Your organization is not working in silos. What I mean by that is your technology division is not running in silos. Your technology is not running only on the endpoint.
00:25:35
Speaker
You have your proxy systems, you have your firewalls, you have your switches, routers, data centers, your Kubernetes platforms, your cloud centers, your hybrid mesh. All of this is working together and you're trying to make a determination of whether something is malicious activity based on activity on only one of those components. That really doesn't make sense. Well, it does make sense, but that's not enough.
00:26:01
Speaker
So we need to look at all of these data points in unison and bring all of them onto a common schema. So I can actually build a storyline and immediately tell you that activity that happened on that endpoint, this was the prequel to it and this is the sequel to it. Now you can make a stronger determination of what this is. Was it general system administration activity, or was it actually attacker activity?
00:26:23
Speaker
While we were busy doing that, MITRE came up with what we call the MITRE framework of all possible attack techniques an attacker can use against an enterprise to succeed, and did a good job of understanding and providing information on all the different kinds of techniques.
00:26:44
Speaker
So today we map against them, but that was the fundamental premise with which we got in, and we look at the largest set of data so we can tie all of these data points together. What is MITRE? MITRE. So they are actually a nonprofit, I think based out of Europe. What they have started to do is looked at all these attacks going on and said, okay, we have no consistent way of mapping
00:27:08
Speaker
what the attacker is doing. I'm calling it a specific name. Another vendor is calling it something. Another group of analysts are calling it something else. I may be calling it process hollowing. Somebody else is probably calling it process emptying. Somebody else is calling it something else. Now with that kind of understanding, we don't have a common way of understanding an attack together. So the same attacker activity, I'm defining it differently versus somebody else.
00:27:36
Speaker
So in order to be able to define attack activity consistently across the globe, you need to understand the activity in a standardized form. So they started mapping all the different ways in which an attack can happen. So let's take the example of a bank. You want to go rob a bank. And let's talk about a physical bank. We were talking about the physical world, a physical bank. Back in the day, we used to hear a lot about these bank robberies.
00:28:03
Speaker
What they did in essence was mapped out every single technique that a bank robber can use to attack the bank, and said these are the only known ways to do it. Each of these techniques can be used in multiple ways, and they said, okay, usually they come in wearing masks. Now it could be a muffler, it could be a brown bag, it could be a Rajnikanth face mask, whatever it is.
00:28:31
Speaker
So, that can be accomplished multiple ways, but the technique is hiding identity. Second one, there could be a car running outside which is not shut down, which is parked in a place very close to the bank, ready for a getaway. Once the money is there, there's a driver waiting in there for the folks to come back, and the engine is running. Now that car could be anything. It could be a small buggy all the way to a container truck.
00:28:57
Speaker
But that is a technique. And they need access. They're going to spray paint your cameras so they don't get detected. They're going to come with bags. They're going to try to hide their identity, wear gloves, those kinds of things. And in the cyber world, they've defined those kinds of techniques. And so when an attacker drops into a network, what are the things he does? So because he does not know your network, it is like a blind man dropping into a dark room. He needs to feel and touch around and understand what's around him.
00:29:26
Speaker
In our world, we call it recon, reconnaissance, which essentially means he needs to understand where did he land first? What is it? Is it a Windows system? Is it a Linux system? Is it a Mac? Which user is this? Is this directly the admin desktop that I got? Or is it some Pune receptionist desktop that I got into? Or is it actually the CEO's desktop?
00:29:48
Speaker
He needs to make the determination. And then he needs to start fingerprinting your entire network. So he gets a better understanding of what is available for him to exploit. Then he launches his attack. But before he launches his attack, he will start building persistence. Now persistence is just a fancy way of saying he will open up as many backdoors as possible. In case you detect this activity, he can come back through some other door.
00:30:14
Speaker
So that is what we call persistence. Then he decides what to attack.
00:30:20
Speaker
Once he decides what to attack, then he knows what resources to go after, what domain administrator tokens to go after, who has access to what database, what service account, where is it written. Some people write it in text files. Some configuration files actually have passwords, API keys to the cloud. Some code usually has API keys that are hard-coded into the code itself. They go looking for all of that that they can get access to.
00:30:45
Speaker
Once they have that, they steal data, which means they'll package the data, they'll steal it out from right under your nose without creating big noise. Because if I start transferring terabytes of data outside your network, you will know, because your bandwidth will get choked. So it needs to be a very slow process. They'll bleed it out. Once they bleed it out, then comes defense evasion, which essentially means I will try to cover my tracks. I will delete the logs as soon as they're created.
00:31:11
Speaker
I will delete every file that I have used. I will delete my working folders. I will delete everywhere that I package my data. So I will erase my footprints.
00:31:22
Speaker
And then I'm gone. Usually it is called impact. What that means is either you walked away with the data and started selling it on the black market, or you walked away with the data and you're holding them to ransom. You have ransomware-encrypted their systems. Usually ransomware encryption is the only time an external file comes into the network, and then it encrypts the entire network. So it's usually the last stage of the attack. They've decided, they've come together, a group of very sharp engineers have come together and said, okay, these are all the different ways in which an attack can happen.
00:31:52
Speaker
Each of these can be exhibited in multiple ways. But essentially, the baseline remains the same. So if you are able to reliably detect these techniques, then you know where the attacker is. They did not make a distinction of this is only on the endpoint, this is only on the network, this is only on the proxy server, this is only on the switch, this is only on the search. They did not make that distinction. They looked at it as holistically as possible. When all the industry started mapping themselves against the MITRE matrix,
00:32:22
Speaker
they realized their shortfalls, because you're not looking at it holistically. Then the industry coined the term XDR, Extended Detection and Response, which is nothing but what retail started doing back in 2018, which is what Gartner recognized us for, saying, okay, no, you need to look at it holistically.
00:32:42
Speaker
But they didn't call it that. They came up with a much stronger marketing term than "unified cyber defense platform," which is what we said. They came up with XDR, Extended Detection and Response. Spent millions of dollars on that marketing. Today, the end customer is confused. What is going on?
00:33:00
Speaker
Then came the Open XDR initiative, which essentially is trying to explain what XDR is to customers who do not understand what XDR is and help them understand. Essentially, this has been there for ages. We always looked at this data in unison. We were looking at it in silos. We just needed to look at it in unison. There was no need for more and more acronyms, but that's how the world works.
00:33:27
Speaker
Okay, interesting. Who else? Is CrowdStrike also there now in XDR?
Cybersecurity Trends and Predictions in India
00:33:34
Speaker
CrowdStrike is the pioneer of using that term XDR. So they call it, they practically coined the term and made Gartner cough it out.
00:33:44
Speaker
Okay. So they practically coined the term. So CrowdStrike, SentinelOne, now Sophos. Sophos is still talking MDR. They're not talking XDR. Trend is talking MDR. They're still not talking XDR. But essentially, the bane of the cybersecurity industry is that all vendors speak exactly the same language on their website.
00:34:07
Speaker
It will become very hard for you to know whether he's actually a DLP vendor or a threat management company or a threat intelligence company or a cybersecurity endpoint company or a network detection company unless you get to page two, page three. Front page, everybody says the same thing. Using AI, using ML, single pane of glass, right? Stop threats.
00:34:31
Speaker
and stop attackers. There are five things everybody says. Unfortunately... What is single pane of glass? It's a very abused term in this specific industry. When I say single pane of glass, I mean I'm looking at everything in one screen and I'm able to make a determination without having to jump from one tool to the other to the other to the other. Everything is integrated so I can see a story end to end.
00:34:58
Speaker
None of them have it, honestly. I mean, even CrowdStrike has bought Humio just for that purpose, and they still don't have it. FireEye has bought one company. Cisco has unbelievably bought too many companies. Everything is a different tool. Nothing maps to each other. The only link there is a hyperlink pointing you to the other tool. That's the best they have gotten to. And it is very real, right? Some of us who are listening on the show, if you're architects, you know that when you actually start integrating different
00:35:26
Speaker
tools that have been architected differently, it becomes a nightmare to actually make them integrate. Your best bet is to just get them to talk just enough. But you can't come up with a single schema. You can't come up with a single platform to hold all of that information and build something valuable. It is very hard work. I mean, we've seen billion dollar companies fail. So we know it is hard work.
00:35:48
Speaker
Unlike that, Blue Sapphire was built from the ground up to be a single platform. So it's not a bolt-on solution. You see most of the bikes on the street making too much noise, or too flashy, or with a very big handlebar that was put on. It was not designed for that bike.
00:36:07
Speaker
Like that. I mean, these integrations never really work very well, unlike when a bike is actually built from the ground up to support those kinds of things. So that kind of an analogy I can give you. So when you build something from the ground up, you have designed it to be accommodative. From the ground up you have designed it to be a single pane of glass. From the ground up you've designed it to be a single data platform that is actually open in nature. It's a very different discussion versus tying different pieces together.
00:36:36
Speaker
Okay, you mentioned DLP. You said that on the website it is not clear whether this is endpoint or MDR or DLP. What is DLP? Data leakage prevention. Okay. So essentially it is like, you know, there are regulators who do not want you to publish or lose customer data into your text.
00:37:00
Speaker
Essentially that says that it should not be transmitted. For example, PCI is a great example because it's used across the world. It says your credit card information should never be transmitted in plain text. And if it is, it should always be encrypted. Now, how do I know that data is going out?
00:37:19
Speaker
I need to monitor the wire and sense the wire and see all the data transmissions going across and then try to detect it from there. So these systems are trying to detect if some data is getting leaked. And now this could be a malicious attack on leaking data out also.
00:37:34
Speaker
But trust me, when a malicious attacker tries to leak data out, you'll never find it. At least not by using these systems, because it's very easy to build your own encryption these days. You really don't have to use existing algorithms, or you can actually do something very fancy yourself in a matter of minutes, and these systems will fall flat on their face. Okay. So DLP is just able to check if data is going out unencrypted.
00:37:58
Speaker
Yes. There are proxy companies, proxy software companies. There are companies that are actually doing identity management. All of these, if you look at the front page, everybody claims the same thing. These five points. Single pane of glass, stop threats, stop attacks, and AI, ML.
00:38:24
Speaker
To the extent that I have a close friend who calls it Malai. It's ML and AI, you have to have Malai. Okay. So what are the...
00:38:42
Speaker
See, I'm assuming that a company which has, let's say, 52. So for example, I run a recruitment business in addition to podcasting. So I have about, let's say, 35, 40 recruiters on my payroll. And we use a couple of cloud technology tools, like a couple of SaaS tools. So someone like us would never need XDR, right? You may be surprised.
00:39:11
Speaker
At this point, you don't have any visibility. So you are actually living with the happiness that you don't know what you don't know. But everything I'm using has its own. So for example, let's say we're using Salesforce for ERP. So Salesforce has its own security. Using Gmail for communication, Gmail has its own, and the whole Google Suite, like spreadsheets, presentations, everything is on the Google Suite.
00:39:36
Speaker
And then we are, let's say, using LinkedIn for sourcing. So I mean, all of these tools are coming with their own security, right? So why would a company like us, which is using a bunch of SaaS tools to run their business, need XDR?
00:39:54
Speaker
And so let me put it this way. So you're thinking about it wrong. You're thinking about that each of these SaaS tools have their own security. So we don't use anything else other than this. So we don't have a large database in our system for some attacker to steal or so on and so forth. Let's think about it from the thought process of what if an attacker gets into your system and is able to impersonate you. What happens then?
00:40:19
Speaker
For a moment, let's forget about professional life. Let's just think about what kind of havoc it would lead to in your personal life. If an attacker is able to impersonate you, point your friends in the wrong direction, mislead your friends, family, what kind of havoc can they cause? And if they're constantly recording what's going on on your system, how many bank accounts will they get access to? A lot of us have Macs.
00:40:45
Speaker
I mean, as secure as they are, they are still vulnerable to threats. And the reason I picked the case of Mac, which is now also available on Windows with Android, is that your text messages come into your Mac also.
00:41:00
Speaker
And the same feature is now available with a lot of good branded expensive Android phones on Windows. You can have that sidecar facility where all your texts are also displayed on your laptop so you can respond to them immediately. Do you think I really need your two-factor authentication anymore? Text-based authentication, do I need it anymore if I get access to your system?
00:41:25
Speaker
I'm not going to touch LinkedIn. I'm just going to reach out on LinkedIn out of the thousands of outreaches you do. I'm going to make few more outreaches on LinkedIn to your long-term connects and ask them for money or ask them for professional private information or ask them and lure them into clicking on links that they will trust because the trust factor is with you not with the attacker.
00:41:50
Speaker
So when Akshay sends a link and says, hey, this is absolutely funny in my entire 20 years of recruitment, I've never seen something like this, 90% of them will click on it.
00:42:02
Speaker
Right. And then now I have baited others and say, for example, I send out an email to all your employees from LinkedIn because all of you guys are active on LinkedIn and say, Hey, you know what? We need to, this is a strong initiative. Us, we need to start bolstering. This year we're going to double our revenues. These are the updated policies. This is the market strategy. More information click here. Done.
00:42:30
Speaker
I honestly don't necessarily need to know your data, know your logins, know anything. Most of this can be done. A lot of these scenarios start to crop up. Your two-factor is defeated. Now I can start destroying your clients' reputations. I can get into most of your clients because all of your clients trust you, because you probably have had those relationships for many years. And I can start getting into all of your clients. This is called supply chain attacks.
00:42:58
Speaker
Essentially, you pick the lowest hanging fruit and then go after that and start going after the big guy and your clients are actually working for larger clients. They are working for some other larger clients. That is how I gain my entry into a large enterprise, not by directly focusing on the large enterprise. That's not how I'm going to do it.
00:43:17
Speaker
At this point, you will be that lowest hanging fruit. Security at every level is important. Awareness at every level is very, very important. As part of our onboarding process and as part of our regular policy reviews,
00:43:32
Speaker
Security awareness training is a very mandatory piece that we very strongly look at. I think we do it almost semi-annually and onboarding it's mandatory. We sit with them, we help them understand. It's not a video that gets played out. Yes, it is a video that gets played out, but it is played out along with us.
00:43:51
Speaker
explaining the impact of what a single compromise from your end could mean, because that is your weakest link. As I say, the human firewall is the weakest link at this point, because all of these attackers now know that that is where they have a higher chance of success. The rest, everything else, yes, we have technologies. If it's not Blue Sapphire, it's CrowdStrike; if it's not CrowdStrike, it's Cisco; if it's not Cisco, it is FireEye, somebody else. We'll get detected at some point. All of us know how to detect it.
00:44:17
Speaker
But some user getting impersonated doing it willingly, it's a very hard problem to solve because a lot of it is a psychology issue, not necessarily a technology issue. And this is called social engineering, like trying to defeat the human firewall. 100%. Got it.
00:44:41
Speaker
Okay, so while you can technically justify why a small company like what I run would need XDR, I'm sure if you created an ideal customer profile, I would not fall into that, right? So who is your ideal customer profile? Well, our company's mission is to build enterprise-class security for medium enterprises.
00:45:06
Speaker
And that has been the mission of the organization. Now we are extending it towards micro enterprises like yours. Yes, you wouldn't need the kind of large infrastructure needed to run security as other companies, but you would need some lightweight protection yourself, right? And how does an organization like that protect itself? Now we'll pass that for a little bit because I want to focus on our core focus. Our mission was to bring that enterprise class security possible for medium enterprises.
00:45:34
Speaker
Because we believe that the threats are the same, the challenges are the same, but they don't have the right resources to manage it.
00:45:42
Speaker
Right. And with that mission, we started building products and tools aimed at the medium enterprises. And when we say medium enterprises, we're talking anywhere between 50, 100 million in revenue, all the way up to 2 billion in revenue. Now, we do have customers in the 6 to 8 billion range, and some of them are in the 12 to 14 billion range. But our ideal market size that we are focusing on is the medium enterprises.
00:46:08
Speaker
And largely our customer base, 90% of our customer base today is in North America. We honestly want to change that. Trust me, as an Indian company, we honestly want to change that and be in a position to say, hey, you know what, more than 80% of our customer base is in India.
00:46:25
Speaker
But from a maturity cycle, it is going to take some time. We are far ahead in some areas and quite a distance to go in some areas. So we're looking forward to it. We personally believe 2025 is the year of cybersecurity in India.
00:46:39
Speaker
And that's what I'm betting on. And that's what I'm telling my folks that this turnaround will happen. Revenue-wise, it may be different. But from a customer account perspective, I think the regulations will start flowing in, a couple of hits, a couple of fines, regulatory interventions will start driving that in India. And I think we'll have to wait till early 2025, mid 2025.
00:47:03
Speaker
for that to actually start taking off. It started to take off. Now, don't get me wrong. A lot of local companies are actually interested in securing themselves thanks to the ransomware attackers. No thanks to any of us. Thanks to the ransomware attackers who have made this possible. But it's still not a board level issue in India. That is actually some concern, but it's changing.
00:47:25
Speaker
Essentially, you would look at companies which have the position of a CISO. What you also used to be, like a chief information security officer? A virtual CISO or somebody like that. In some cases, up until 150-200 million, most companies have a CIO who is doubling up as a CISO. Or they have hired a virtual CISO.
00:47:49
Speaker
A CIO and a CTO, is that the same thing? I mean, in India, typically most startups have a CTO rather than a CIO. What is the difference?
00:47:58
Speaker
I think CTO is more technology focused. It's focused very heavily on the technology stack. CIO function is more comprehensive than just technology stack. It's both people, process and technology function for the CIO. But for the CTO, it's more about the architecture design of the corporate technologies and how they play in. It's more of an architect role for the CTO.
00:48:19
Speaker
I guess probably companies which are building SaaS products will have a CTO. Yes, more technology focused. Not necessarily. There are companies like banks and others who actually use CTOs and CIO roles. It's a more comprehensive role than what is CTO. CTO of more technology, CIO, more business function, and board focused. OK, got it.
Extending Security to Micro Enterprises
00:48:49
Speaker
You're saying that you want to also extend your product further to micro enterprises. So you would create like a lightweight version of the product for them? Yes. So we are looking at a lightweight version of the product for the micro enterprises. The idea is to do a self-serviceable model for the micro enterprises that does not need any deployment cycle or any
00:49:14
Speaker
heavy lifting from the micro enterprises themselves. It's going to be very, very light touch for the micro enterprises. It's as simple as how you guys didn't need a huge kind of effort to sign up for LinkedIn or sign up for your own antivirus that you have on your systems or any other SaaS products. We want to keep it at that level of light touch, where we handle most of the policies on the backend for you.
00:49:39
Speaker
And you can customize those to your wish if you want to, or we will provide the support on that on the back end. This is something that we've been playing with for the last one and a half years. Now we are very confident that we built a very scalable platform for that. And now the biggest challenge is obviously getting the word out there.
00:49:59
Speaker
Okay, interesting. Can you help me understand what is your product at its core? You are capturing data which is being generated at the endpoint which is the device of the consumer and the data which is the communication between device and network and all of that is getting put into a database and there is some sort of a
00:50:25
Speaker
way to parse the data to figure out if there is some unusual behavior? Is that what it is? At a very, very nascent level, yes, that is correct. I mean, the data interactions are not just between your device. There are so many security tools, security layers in between. We're looking at data from every single layer. We're looking at the flow data. We're looking at the endpoint data. We're looking at user activity from a domain,
00:50:51
Speaker
from any other identity management tool. We're looking at vulnerability management data. We're looking at network traffic analytics. We're looking at file behavior, user behavior, entity behavior, and bringing all of these data points together from multiple data sets and bringing them onto a common schema to stitch them together and use machine learning algorithms and some artificial intelligence models to figure out
00:51:18
Speaker
where there is actually a critical alert and where the alert has a real attack that is behind it, which needs to be solved right now. And what are the things that you can solve in the next five days? Essentially, that's what we're trying to do. And this takes a lot of time and effort in security operations centers.
00:51:37
Speaker
Today's security operation centers are largely overwhelmed with the number of alerts, right? A typical security operation analyst's life is very boring. They usually look at the alerts, verify that it's done, close the ticket, so on and so forth, and they're being measured for the wrong things. How quickly can they look at the ticket? How quickly can they own the ticket?
00:51:57
Speaker
is what they're being measured on, which is actually a wrong measurement. It is OK for an IT system, but it's not OK for a security system. A security system is how efficiently am I able to manage that information and how efficiently am I able to make a determination whether something is a false positive or is actually an incident. That becomes really important, for which triage is very important. So the level one analyst, level two analyst, level three analyst, and the skill scarcity is actually real in cybersecurity.
00:52:26
Speaker
I'm sure skill scarcity must exist in other areas of infrastructure, information technology, but in cybersecurity, it is a very real problem. And when I said this the other day, someone on one of the podcasts was mentioning, hey, I see people applying for all kinds of jobs, and we open up one role and I receive 100 resumes. And I'm like, that does not mean you have this skill. That only means you have a number of people interested.
00:52:54
Speaker
My problem, and the problem of many clients that I talk to, is not that they cannot find people; it's that they cannot find people with the right skill. And that is the problem, right? And that skill scarcity is real. And if you look at it, right? I mean, we've had information technology for what, the last 40, 50 years. And there have been professional education training institutes offering this kind of, when I say graduate level, postgraduate level courses for the last 30, 35 years. Cybersecurity is brand new.
00:53:24
Speaker
So that skill gap does exist. I'll still rely on that and say that if I can get people to operate at one level above them, if I can allow an analyst to punch above their weight, then I call it a success. If I can make it very easy for the analyst to understand this is an attack without him having to put in too much effort.
00:53:44
Speaker
Then I think it's a strong value proposition, and that's what we are here to do. Before the analyst even looks at the alert, the triage is already done. The storyboard is laid out. The response and remedial actions are also laid out. If you want us to take automated action, we have our own SOAR, security orchestration, automation, and response, tools that we can use to do this. Or you can point and click and get it done. It's really up to you.
00:54:10
Speaker
And bringing all of that together is what we really do at scale. And that's what we really excel at. Case in point, having built ground up, we are very efficient in our operations. So we're able to do this at a cost that is totally unheard of. I mean, this podcast may be a good place to announce it also, right? So we're able to offer to our customers $1.25 per gigabit on a consumption-based model.
00:54:39
Speaker
which essentially is what the cloud is, right? Today, you don't pay for AWS by the number of instances. You pay by how much CPU you're utilizing, how much data transfer you're doing, how much storage you're doing, how much memory, so on and so forth. It's a pure consumption-based model. And we believe that being a SaaS company, we should also be a very consumption-based model, not necessarily a per-user license, per-endpoint license, per-EPS license, which actually is very confusing to the end customers.
00:55:08
Speaker
So we're going with that, and especially when our customers, our specific customers, our direct customers, are turning out to be service providers, not necessarily the end client himself, because most clients are getting rid of their internal teams and outsourcing it to a service provider for efficiency and to address the skill problem at large, and saying, hey, my job is to, you know, do research and build tablets and syrups and other things. Why am I spending so much time in cybersecurity?
00:55:37
Speaker
Or my job is to build widgets and moisturizing cream, or build cups, widgets, whatever I do, my widgets. Why am I spending so much time in cybersecurity? Let me hand it to a subject matter expert, which is a service provider, and let him handle it, and I'll only be responsible for the outcomes. He will be responsible for the execution, management and ownership.
00:56:00
Speaker
Service providers could be, like, say, an Infosys, Wipro, or like who are these? Those are what we call a solution integrator. The areas are a little grey in India, but largely diverse in more advanced countries. Take it with a pinch of salt, especially if you look at the evolution of cybersecurity: the West has always been a little ahead of India. Take a look at technology evolution: India has always been ahead of the West.
00:56:26
Speaker
So in Europe, affluent Europe, and in the US, service providers handle a lot of this. Managed security service providers are very different from solution integrators. Any big name that I would have heard of? You know, Dell SecureWorks. SecureWorks is one name. Verizon, Verizon Business, is one of those names. AT&T Business is one of those names. A lot of these people do managed security services at a tier-one level.
00:56:56
Speaker
And these are some of the biggest players out there. I don't know, I have never looked at something as an Indian name or an American name, pardon me, because you only know, see, the Tech Mahindras, the Infosyses, the TCSs, the Wipros, all of these exist in the US market as managed service providers also. In India, SIs are also doing the MSSP work.
00:57:22
Speaker
It's very uncommon. The Cognizants of the world are also doing MSSP work. That happens to be one of the business lines. But when you look at the markets, those are more at a large enterprise level. The medium enterprises that we are focused on work a lot with security service providers who are MSSPs, managed security service providers, not SIs or anybody else.
00:57:45
Speaker
So that turns out to be our core market, because the whole market is moving towards a pay-as-you-go model, if you will. Everything we are doing today is a pay-as-you-go model. In most apartment buildings today, even your electricity is a pay-as-you-go model. So I think it makes more sense for us to actually start that revolution and say, hey, you know what? Don't worry about owning anything. Just pay as you go. Pay for only what you use. Pay for only what you consume. That's it.
00:58:14
Speaker
What is the difference between MSSP and MDR? So your MSSP is responsible for the care and feeding of the appliances also. Your MDR is responsible for the outcomes and proactive detection of threats. MSSP is more reactive. MDR is more proactive. At least that's the expectation of the market.
00:58:40
Speaker
Okay. Got it. So what you're saying is that your customers end up largely being MSSPs and you're trying to... MSSPs and MDR providers. And MDR providers. Okay. And you charge them $1.25 per GB. What is a GB here? A GB of data that... It's a gigabit of data that we have ingested from the customer to process the logs, raw logs, whatever, and make sense out of it, right?
00:59:05
Speaker
That's what we're talking about. So this GB is also getting stored in your data center, or is some part of this GB stored in your data center? Actually, all of it is stored within our data centers, within our cloud environments. Now, we stand very unique in this space today, where we offer the capability to use our SaaS platform but still store the data within your environment.
00:59:30
Speaker
That is something that no other provider in this ecosystem does. We are the pioneers of that. We allow people to keep the data within their own environment and only use our interfaces for that. That's something that's very, very unique to us. Okay. For an MSSP, this makes a lot more sense, because they would see that as more proprietary, the data; they would want to not really share it out further.
00:59:58
Speaker
Yes. So MSSPs actually don't want to keep that data. They don't want to manage the infrastructure. They don't want to manage the software. They only want to manage the outcomes for their clients.
Managed Security Service Providers' Advantage
01:00:09
Speaker
So they're more than happy to let us keep that. But there are some banks, financial institutions, clients that want to keep the data themselves, but still want these capabilities.
01:00:21
Speaker
Those kinds of customers we are able to address. There is no other vendor in the market today, including Exabeam, CrowdStrike, Humio, whoever you pick. All the data has to be given to them. We don't have that requirement.
01:00:33
Speaker
We stand pretty unique in that space. So essentially your product has two broad capabilities. One is ingesting data and second is parsing the data, or creating intelligence based on the data. On streaming. So we do that not at rest. We do that while the data is streaming itself.
01:00:57
Speaker
Okay, real-time intelligence on that data. Between these two, ingesting data and intelligence, which one was harder to build? Is it easy to ingest all the data? Are there well-established pipes through which you can ingest that data, through APIs and all that? No. See,
01:01:21
Speaker
I honestly would say the detection engineering is the harder piece, mapping them to a common schema is the harder piece. But I don't think pipelines are that hard. Pipelines are relatively easy to manage and control. But pipelines take more care and feed than detection engineering, if you will.
01:01:40
Speaker
detection engineering, yes, it's hard, but I would say it's relatively easy and it's not monotonous. Building pipelines and working with these large data sets, and you know, when you work with most customers, they have some legacy systems for which you have to build parsers. That's a little monotonous; that can get a little monotonous.
01:02:03
Speaker
So being able to provide that visibility to our customers that they did not have for the last 10 years, that's eye-opening. And when the customer comes back and gives you that feedback, that is well worth the effort.
01:02:17
Speaker
How did you build intelligence? You have this whole bunch of data which you're ingesting through pipelines coming into your data center. How did you build intelligence that this is something which needs to be flagged and this is how you find out that what happened before, what happened after. This is how you give a recommendation. This is the recommendation for this kind of a red flag and so on.
01:02:42
Speaker
So, I mean, I have close to 20 years of experience in the cybersecurity industry and put together within my core team, we have close to a century of experience in the cybersecurity industry. A lot of that intelligence is coming from us and a lot of research work that happens in this space. We have our own threat research team that is constantly vetting what we are doing versus what the industry is doing and where we are landing up, how good our detections are.
01:03:07
Speaker
and what the attackers are doing and where we need to go, what is the future state, so on and so forth. So we rely very heavily on our research team. But at the same time, we also rely on a lot of signal intelligence data we get from our own sensors spread across 30 countries. What is the signal intelligence data? We have our own sensors that we spread across
01:03:29
Speaker
over 30 countries across the globe and we listen for what kind of attacks are happening, what kind of attacks are being conducted like this, what kinds of applications, what is the most popular attack vector, who is doing what. And we also ingest data from sources like Verizon threat reports and AT&T threat reports, so on and so forth.
01:03:52
Speaker
So a lot of this data actually goes into as part of our research into building new detection models, faster detection, faster response, faster remediation. That's really cyber resilience delivered for you. That's what we've focused on. What do you mean by sensors? I didn't get that. When we say sensors, these are just small lightweight systems that we host in multiple areas, multiple data centers to look for malicious traffic and analyze it.
01:04:21
Speaker
So like, say there is this data center, I think Adani has a data center in Mumbai. So you would have a machine there and that machine would be listening to what is happening in that data center and trying to identify if there is. Who is trying to attack that data center? What kind of attacks are coming in? What kind of attacks are going out and all of that data we try to use?
01:04:44
Speaker
And this is with consent of the provider, the person running the data center? Yes, yes. OK. We can't get any data without the consent of the actual provider himself. OK, interesting.
01:05:00
Speaker
And why do they give you this? But that's why there are threat intelligence companies that work like the Verizons and AT&Ts of the world. See, Verizon, after it bought MCI WorldCom, it owns over, I think, close to 60, 64% of the world's traffic.
01:05:16
Speaker
goes through their pipeline. Okay. In some shape or form, when they bought MCI WorldCom. If I remember, that was like 16, 18 years ago. Yeah. So they became the owners of close to that level of traffic and their intelligence is usually the best.
01:05:32
Speaker
because they see the most traffic and they sell the most of it. But the good news is a lot of these companies come together and share that intelligence with the rest of the world because there is no one winner, one loser when it comes to cybersecurity. We're all going to lose, we're all going to win.
01:05:50
Speaker
So if you're attacked, your clients can't say, hey, I don't really care if Akshay gets attacked. No. If Akshay gets attacked, it also becomes your problem. And if your client gets attacked, his clients have a problem on their hands. So it is not an I-win-you-lose kind of a situation. We all have to win together. We all have to lose together.
01:06:15
Speaker
Okay. So right now how your intelligence happens is through like a directory approach. You are creating a directory of all possible threats through a research team and through like gathering information through the sensors and so on. So that's how the intelligence happens. Yes.
01:06:33
Speaker
Then there are many threat intelligence companies that actually specialize only on threat intelligence, which is like telling you a particular attacker is coming from this address and he's trying to deploy these kinds of files and so on and so forth. We consume that data also. Commercial threat feeds that customers subscribe to, we can actually take a feed from any of those sources also. So it's not that only our generated data will be given.
01:06:57
Speaker
you have freedom to choose what you
Cybersecurity as a Big Data Problem
01:06:59
Speaker
want. As I said, I started this company because I did not have the freedom to do what I want. So would you say right now XDR is what version one of antivirus was, like a directory approach?
01:07:13
Speaker
No. What was needed has always been an XDR, and essentially this is going to become a data problem. We've been saying it for over a decade that security is a big data problem. Security is not
01:07:30
Speaker
specific detection, specific ML or anything like that. All of this collectively comes together and becomes a big data problem. And that's what we are also solving here, while most of our competitors say 30 days hot, 40 days hot, 60 days hot. We are saying- What is hot? Hot is the amount of data you can have online, and the rest of the data goes and sits in an archive. Okay.
01:07:58
Speaker
It's very interesting when we come out and say, with our new release, we are today able to provide unlimited hot storage without charging anything extra. So all of your data is available for you in a split second for you to analyze whenever you need to. So today the problem is, if I have 30 days hot, that means that at any given point the last 30 days' worth of data is actually available for me. If I need to look at data from January,
01:08:27
Speaker
for example, today we are sitting at October 2023. If I want to go back to January and look for the data, because my auditor is asking, or because I saw a threat, or I got intelligence that there was an attack that happened on my network or from my network and a third-party company has reported to the regulator and the regulator wants me to verify, I cannot load that data. I have to pay extra, that data has to get loaded, analyzed, and only then I'll be able to
01:08:53
Speaker
work with it. And that may be January, that may be one month, that may be 30 days, that may be 300 days. You really don't know. And it's humongous work for these companies to actually go look for that kind of work. In the world of Blue Sapphire, if you are a Blue Sapphire customer, you just switch the date to January and you're there.
01:09:13
Speaker
There's really no dependence on anything else. Data is always online. So we're doing this with a very large provider in the US. They don't want to be named, but they are one of the world's largest trading platform providers.
01:09:29
Speaker
a finance company, and they use a particular SIEM which is our competitor and they send all the data archives to S3 buckets. We know today they are actually moving towards giving all that data to us, because today they have it on S3 but they don't have any capability to work with that data after it hits the S3 bucket. What is the S3 bucket? It's a storage blob.
01:09:58
Speaker
For an S3 bucket, essentially, we all know storage as being attached to a compute unit. If you have a hard disk, your laptop is actually the one that is actually attached to that hard drive in your system, and that's how you have access to it. You connect a USB drive or something, and then you have a backup drive, and that's how you have access to that storage. Otherwise, our storage is not online.
01:10:25
Speaker
To bring that storage online, you have something called NAS systems, network attached storage systems, that vendors are willing to sell you, which you can actually attach into your network, and from anywhere within your network you can reach it. Now, extrapolate that to a global scale, and anywhere from the internet you are able to reach it. That becomes your S3, in short.
01:10:50
Speaker
Okay. So you're saying that it's like one big USB, and the value of that is that a CISO or a security team can read data which is even a year old. Is this data readable by humans? I mean, what do you mean? Through our interfaces, we provide a very fast analytical user interface that they can actually use to read the data,
01:11:12
Speaker
query the data, perform analytics on it, all in near real time, irrespective of how old that data was. Give me an example. You'll tell them this was network traffic or this was an amount of GBs. For example, let's just take an example of a banker, some banker X in India. CERT-In came back and said, hey,
01:11:41
Speaker
They are a computer emergency response team, and they are usually responsible for all cyber intelligence about nation-state attacks that affect the organizations that are too big to fail for the nation. They share that intelligence with the organization. So it is like a government thingy.
01:12:00
Speaker
government-driven entity that does not have direct influence, but that is responsible for sharing and acting on all nation-state attacks on assets that the nation deems critical, the banking sector being one of them. It could be oil and gas, it could be anything, right? Just taking bank X, a lot of these customers today, they do process logs, they do look for threat intelligence matches and all of that, and then they archive that data
01:12:30
Speaker
as regulated by the regulatory provider. Maybe he's asking them to store data worth two years, quite possible. Then six months down the line, CERT-In comes in and says, hey, we saw a Russian attacker targeting you. I'm just taking names randomly. And we see that going back.
01:12:49
Speaker
We came across some data which was six months old, and that got published just now, and that information is six months old and that information belongs to you. Can you go back and tell us how this happened? And confirm that that attacker is no longer in your network. How are you going to do that? If you don't have the data,
01:13:14
Speaker
you will have to bring that data back from archives, load it back to your indexing systems, whatever they are, and then start going at it on a piecemeal basis. If you're a customer of Blue Sapphire, you just launch the Blue Sapphire tool, change the dates to the relevant dates, and start looking for the data right away. There's no time gap, there's no compute, additional storage, additional infrastructure that you have to stand up just to process this data. None of that exists. What are you looking for when you load that date?
01:13:44
Speaker
It could be anything. It could be network footprint. It could be network traffic. It could be data exfiltration. It could be a log activity that some data was lost. Or it could be user credentials that were compromised. Or there were login details from an external third party, which were supposed to be maybe in Mumbai. And you saw a login from somewhere outside the country. Any of that could be an identifier. And any of that could be an artifact for that matter. And you're looking for all of that information.
01:14:10
Speaker
For you to load all of that data, build all that infrastructure on demand, and then load all of that data, process that information, and dedicate infrastructure for that, all of that is a huge headache. With Blue Sapphire, all you need is a browser. Got it. Change the relevant dates and look for the data you want. It's already there, pre-tagged in most cases.
01:14:32
Speaker
How do you sell? How do you get your foot in the door? How do you convert from an initial lead into a sales? Do you have some best practices around it, which you have discovered that this is what works best for us? And because you're selling in North America, so it's a very competitive market.
01:14:57
Speaker
competing with, let's say, CrowdStrike, which is like a well-known brand, and so on. So how do you manage to sell? And you bring up a very important question, right, and especially this is a problem for a lot of Indian startups. Indian startups are not known for their product prowess.
01:15:17
Speaker
They are very well known for their service capabilities across the globe, but not for product prowess, and especially not for cybersecurity prowess. Israel is the go-to country for most of these companies, and they believe in that prowess coming from Israel, not necessarily from India.
01:15:38
Speaker
Well, this is a change of perception we have to fight. That goes without saying, and you know, it's a process. But more importantly so, right? Cybersecurity is a big issue, primarily because of where we operate. We operate at the core of cybersecurity and the security operations center, and we offer an entire platform. And it would be foolish of us to expect that somebody will actually totally replace everything they're using and use us.
01:16:01
Speaker
that doesn't happen. In some cases it does but most cases it doesn't. Most cases customers look at what is the difference between what they are using today and what we can offer and just buy that difference.
01:16:15
Speaker
and start with that. Maybe it's agent-less threat hunting. Maybe it is network behavior analytics. Maybe it is UEBA, whatever the case might be. Those are the things usually customers start with. And as they start seeing the value of the platform and the efficiency, they start spreading and retiring their existing technology debt and taking more and more of Blue Sapphire modules into their ecosystem.
01:16:40
Speaker
That is typically how we sell. A large portion of our sales has moved into service providers. That's the practical truth. I think it's global truth everywhere because everything in security has turned into a service and we don't want to be a service company. So we typically work with service companies. And security is a hard sell for multiple reasons, right?
01:17:04
Speaker
It's very easy for customers or some folks to compare them and say, hey, you know what, we're able to sell so fast and effectively, but that may be an ancillary piece that a customer needs and may be able to survive without in case of a catastrophe in that area. And that could be anywhere from, you know, sales don't stop because Salesforce is not online.
01:17:32
Speaker
So a ticketing system is offline, doesn't stop infrastructure from being managed. But when security malfunctions, it hits at the core of the organization. So it is like replacing your engine and asking you to buy an inferior quality engine for your car.
01:17:52
Speaker
that nobody will do. And it takes time to build brand presence in that area, as opposed to any other area. I'm not saying other areas are not difficult. But you- I'm just trying to set the perspective that this is actually a very difficult area to break through because you said, you know, there are big brands in the US and it's a very difficult area to break through because customers look for that trust value. And trust is not earned overnight, especially with something that they hold as close to their chest.
01:18:20
Speaker
So you don't actually need to convince the end customers as much. If you're selling to MSSPs, then your sales pitch is not about security is important, but rather about how my product is better for you. No, that is the sad part, right? The customer is also interested in what is being used for the MSSP to secure his environment. And he wants to have a big say in that area.
01:18:47
Speaker
So a lot of what the customer does and feels is very important. The very few customers in the space, maybe micro enterprises say, hey, I don't care, this is what I need. But a lot of them just want to know what is being used in respect of whether they want to have a say in it or not.
01:19:03
Speaker
So evangelization with the end customer becomes very important for us. There's almost no deal where we have not spoken to the end customer, showcased our prowess and our capabilities to them, and not gone into a POC battle. That doesn't happen. Almost every customer we meet, irrespective of whether it is through a service provider or it is a lead that has come directly to us.
01:19:25
Speaker
Okay, got it. What kind of revenues do you do currently? This year? We're hitting close to 3 million right now. And we're looking north of 6 million by March. We'll see how that goes. I think we're trying to be very aggressive in a down market. But I think we have what it takes. Okay. And you've done a fund raise also, right? I think around 9 million.
01:19:50
Speaker
Yes, we raised about 9.2 million series A and had some global investors participate and we raised it in India.
01:20:00
Speaker
Oh, you raise it in India, okay. Why did you choose to raise it in
Entrepreneurial Journey to India
01:20:03
Speaker
India? Your company is incorporated in India? Yeah, company is incorporated in India. And we have an extended arm that is 100% subsidiary owned in the US that operates independently in the US. Except for financial reporting, it doesn't actually tie into the company. But yes, it's 100% owned and operated as an Indian entity. Why did you choose that, like to incorporate in India?
01:20:24
Speaker
Because you spent a lot of time in the US, you could have just started off in the US. That's what you would think. But the fun thing is, for my entire time I spent in the US, I've never thought of starting a company.
01:20:40
Speaker
I've always remained a geek, technologist, I still am a technologist at heart and I love technology discussions, participating in technology conversation that has been my core strength, architecture, cyber security, defense, attack, all of these areas. I've built my career ground up in those areas and that still remains my primary passion.
01:21:04
Speaker
With that being my primary passion, I didn't interact with the community that much. I was very close into my own shell. But that's also not why we did not raise in the US. We primarily raised in India because that's where the product was actually built. The entire product was built out of India. I came, I moved to India just to build the product and we thought it was actually appropriate for us to do it that way.
01:21:30
Speaker
Honestly, India is a lot harder to work with. India is a lot harder country to do business in than in the US. I'll give you that. India is much harder to raise capital and work with capital with respect to regulatory compliances and other stuff as opposed to the United States. But I think we did what we did and we are very happy how we did it.
01:21:53
Speaker
How did the fundraise happen? Was it a journey of lots and lots of no's before you heard a yes or did you have credibility already and so it was not that difficult?
01:22:07
Speaker
We are going to be on air. I'm not going to say we heard no's at all. I have to market myself. Put me in a hard position. But yes, it is going to be a journey of no, it's going to be a journey of yes, and it's going to be journeys of maybes. It's going to be a journey of yeses that actually don't materialize. My advice is that, you know, just understand that, you know, a lot of this investment happens when
01:22:31
Speaker
you and your investor are in the same place at the same time with respect to your thought processes and what he is thinking also. A lot of it, when you hear a no, a lot of it is not because of you or your product.
01:22:47
Speaker
Well, some of it maybe, and you'll need to be able to make the distinction yourself. But a lot of it has to do with what the investor profile is and what he's committed to investing in. And it may not match with what you're trying to do. And that's usually why you hear a no.
01:23:03
Speaker
And the investment community is very professional for that matter, actually. I've heard, I've had really, really good conversations where people were more than willing to offer help in making connections, when asked, share information that they have, that they're privy to in the market, so on and so forth. So, my experience in US is also similar.
01:23:28
Speaker
When I speak to investors from US, the experience is similar. So as an investor community, they are committed to investing. It's just that you and your investor have to be at the same place, both psychologically, financially and economically for this to work. So that's something that you have to understand. Okay, got it.
Regulatory Changes and Cybersecurity Awareness
01:23:52
Speaker
You said that there are regulatory changes you anticipate in India, which will make 2025 as the year of cybersecurity in India. Give me a broad overview of what's happening on the regulatory front with respect to some of the data privacy regulations that are coming on board and they need to find their teeth while they come on board.
01:24:11
Speaker
You know, the SEBI does a good job of maintaining control. RBI does a good job of doing this, but bringing something into law is a very different aspect from bringing something into a regulatory compliance mode. Law is a law.
01:24:28
Speaker
Right? And it is punishable by jail time. It is punishable by some real hard facts that will hit you. Compliance usually is a slap on the wrist. If you don't comply, you get to pay some fine and move on and so on and so forth.
01:24:44
Speaker
The law needs to get time to gain teeth, grow, and become as widespread as it needs to. It will take a couple of years. And I think that's where I see 2025. Is there a specific law, like one flagship law, which you think will be a game changer? No, in India, it is DPDP.
01:25:06
Speaker
which is the data privacy law that just got launched. And I think data localization laws in India will also grow. We already started asking most of the multinational companies to store Indian citizens' data within Indian boundaries. So these kinds of things will actually start expanding globally, and data privacy will become big. The challenge always has been, why security is a little slow to pick up in India, is that people don't care about their privacy that much.
01:25:35
Speaker
We've always been in such tight-knit communities that privacy was something that was never given much thought. I mean, everybody is nosy and everybody is into everybody's business. But I think that's changing slowly, because they understand it's not about being nosy or people knowing about you. It's what they can do as they impersonate you.
01:25:58
Speaker
A larger portion of that is not necessarily because the government is doing a great job of vocalizing that information or the community itself is doing a great job of vocalizing that information. They are, but not really. It's more the financial loss that individuals are facing across that is allowing them to learn those lessons very, very fast.
01:26:20
Speaker
the phishing attacks, the phone phishing attacks, the banking frauds that most individuals are getting impacted by, that is where reality is biting. I was surprised by this little story I want to share with you. I had a driver that I booked for Delhi when I was in Delhi last year, not even last year, two years ago, to take me around, because I was tired of getting through Ubers and waiting for them and so on. At the end of the day, I would pay the same amount, so I just booked the driver for the entire day.
01:26:49
Speaker
He was sharing with me how his mobile gets information and he was being phished for the PIN on his card. And he's like, they were so convincing when they called me. They were actually talking about my bank account. They were talking about the loans I had. They knew pretty much where I live. They knew what I do for a living. They pretty much sounded so genuine. So I gave them the PIN and I lost 5,000 rupees.
01:27:19
Speaker
It may not be much, but it is still a lot for somebody who works on a daily labor basis. And the lesson he learned out of it was more interesting. He still does use his phone a lot and does financial banking, everything through his phone, but he knows immediately how to identify fraud calls now.
01:27:41
Speaker
So I think that is doing a much better job than what others can. It's all about security awareness. We do this at enterprises, like in our organization, as I said, it's part of our onboarding, but we also ensure that they take those lessons back home, because it's not just our employee, it is our employee's family as well that needs to be cyber secure, for Blue Sapphire to remain cyber secure.
01:28:03
Speaker
The supply chain attack. Yes. Interesting. Cool.
Insights for Late-life Founders
01:28:11
Speaker
Any last words of advice for people who are looking to become founders? You became a founder fairly late in your life. For someone who's like you, thinking of should they become a founder or not, any advice? Largely a personal choice, but it opened up my world.
01:28:32
Speaker
I never realized I was living in a cocoon. There's a very popular saying, Kupa Mandukam, you know, frog in a well. I never knew what was happening outside my comfort zone. This really opened up.
01:28:49
Speaker
If you are getting into this to say, I want to be a master of my own domain. I don't want to report to anybody. I want to be the king and all that. You're in for a big surprise. Because now you report to everybody in your organization. Not just your friends.
01:29:09
Speaker
Not just your investors, not just anybody. You report to every employee in your organization and you're answerable to every employee in your organization. So be very careful. But it is a fun journey. And I think the future is all about micro enterprises. That's where the future is. The long term jobs and all of that is gone. If there's something that you want to explore, now is the time. It is really the golden era of entrepreneurship.
Future Strategies and Audience Engagement
01:29:38
Speaker
Do you see Blue Sapphire becoming a unicorn one day? I don't believe in unicorns and popcorns. What I want to become is a billion dollar company. And I have charted out my journey with that aspiration in mind. We'll get there. I don't want to do it overnight. I'm not a big believer that things happen overnight. What's the path to... You're saying billion dollar in revenues?
01:30:09
Speaker
A billion dollar value, and I think we'll get there fairly quickly. Which would mean like about 100 to 200 million revenue. About 100 to 200 million in revenue, yeah. So what's the path? I think we'll get there fairly quickly. With just this one product, or the micro enterprise second product that you have in mind also, or like?
01:30:31
Speaker
All together. Because I think we have actually democratized security operations, and this is what will take us to the next billion, including our micro enterprise model. And we have the potential to be that next billion dollar company. We'll take our time. We're slow. We're patient.
01:30:53
Speaker
And that brings us to the end of this conversation. I want to ask you for a favor now. Did you like listening to the show? I'd love to hear your feedback about it. Do you have your own startup ideas? I'd love to hear them. Do you have questions for any of the guests that you heard about in the show? I'd love to get your questions and pass them on to the guests. Write to me at ad@thepodium.in. That's ad@thepodium.in.