Adopting Zero Trust

Adopting Zero Trust: Nonfederated Apps

Season two, episode 11: Cerby’s Chief Trust Officer, Matt Chiodi, discusses new research around nonfederated applications and shares his perspective on Zero Trust.

Catch this episode on YouTube, Apple, Spotify, Amazon, or Google. You can read the show notes here.

Last episode, we brought you a wild story of a victim who was SIM-swapped four times, and this week we’re back to basics with some fresh research and a closer look at a critical piece of Zero Trust: nonfederated applications.

Cerby’s Chief Trust Officer, Matt Chiodi, was kind enough to add a bit of color to a research report they released at RSA that helps validate what they’ve been building the past 3 years. Before we get to that, it’s worthwhile to define what nonfederated applications are, as, like many cybersecurity concepts, it’s going through an identity crisis.

Nonfederated applications are the outliers in how organizations should be inventorying, tracking, and granting access to applications (SaaS platforms are a good example): they cannot be connected to the identity provider. To align with Zero Trust, or really any modern cybersecurity strategy, SSO, SAML, and other solutions designed to scale are necessary so IT and security teams can properly manage access. However, there are always outliers the business still needs access to, such as admin access to a corporate social media profile.

This brings us back to Matt and the Ponemon Institute, who produced the recent research report: The Hidden Cybersecurity Threat in Organizations: Nonfederated Applications.

Key Takeaways

  • The majority of new SaaS apps don't support modern auth, but that's because the actual buyer of the technology is no longer requiring it.

  • Almost half of the respondents in the survey conducted by Cerby and the Ponemon Institute (44%) said that management underestimates the cybersecurity risk of nonfederated applications.

  • The cost and time of provisioning and deprovisioning access to applications quickly add up.

  • The total average annual cost to investigate and remediate cybersecurity incidents involving nonfederated applications is $292,500.

  • Fifty-two percent of respondents say their organizations have experienced a cybersecurity incident caused by the inability to secure nonfederated applications.

Editor's Note

Neal and I are slowly ramping back up to our regular cadence and schedule. In the next few weeks, we have a few of the biggest names in Zero Trust set to join a round table, a few practitioners who are on the cutting edge of their space, and I’m working on a new web show/podcast pilot. If you happen to be a Series A or earlier cybersecurity startup, reach out if you might be interested in participating in the short season.

PS, Matt also hosts his own podcast called Cloud Security Today, which we can highly recommend checking out.

Research Conducted by Cerby and the Ponemon Institute

A key takeaway from the research is that organizations don’t know what they don’t know when it comes to nonfederated applications. Less than half (49 percent) of organizations track the number of nonfederated applications they have that are not managed and accessed by their identity provider (IdP). Of those respondents who track nonfederated applications, 23 percent say they have between 101 and 250. The average number is 96. Despite efforts to have an accurate inventory, only 21 percent of these respondents are highly confident that they know all the nonfederated applications used throughout the enterprise.

Matt Chiodi discusses the research conducted by Cerby and the Ponemon Institute on nonfederated applications. He notes that the research was conducted to quantify the cybersecurity risks and cost impact of nonfederated applications. The survey sample frame consisted of approximately 16,000 people, and the survey respondents were practitioners who were familiar with or somewhat involved with their identity and access management strategy. The survey found that only 49% of organizations track the usage of nonfederated applications, and only 21% are confident in knowing all the applications that are used.

The episode provides insights on the risks associated with nonfederated applications and the importance of a Zero Trust architecture. The research conducted by Cerby and the Ponemon Institute highlights the lack of awareness among organizations about the usage of nonfederated applications and the cybersecurity risks associated with them.

Episode Transcript

This transcript was automatically created and is undoubtedly filled with typos. As usual, we blame the machines for any errors.

Elliot: Hello, and welcome to another episode of AZT, Adopting Zero Trust. I am your producer Elliot, alongside your co-host and, uh, the one who'll hopefully do most of the talking in this episode, Neal Dennis. And today we have a wonderful guest who will shortly detail a pretty extensive backlog of what they're working on at a company called Cerby.

But I also wanted to tee up, uh, where we're gonna go with this episode. So we're sort of back to our more standard format this week, um, where we have a technology vendor who has been absolutely integrated within our space for years upon years, and worked for some various large brands and absolutely knows some of the key players.

So we'll be able to kinda dig into that. But to kick things off, I do wanna highlight some things. So, this episode will probably air a little bit later down the road, but, uh, RSA had just occurred. You dropped some new research there. Um, um, and I, I'd love to just kind of dig into that kinda at the gate.

But before we do that, um, why don't we just kind of start with some basic intros. So Matt, I'd love to, uh, just learn about what you do over at Cerby and what a, um, not a CTO, but a chief trust officer is.

Matthew Chiodi: That's a great question. One that I get, um, quite frequently, cuz depending upon the company, Chief Trust Officers can do a lot of different things. But at Cerby my role is multifaceted. We are seed stage and as chief trust officer, I have oversight of cybersecurity, privacy, and also, uh, from a go-to-market perspective, how we talk about the product.

So product marketing, uh, thought leadership, and also research. So that's a lot of different things, but you will see that is somewhat common at seed stage companies when you're, you're still, uh, really working out, you know, how things are gonna work out in the market, how you're gonna speak about the product.

So it is a multifaceted role that, um, I've come to love being able to do, you know, some days I'm, I'm working on, you know, policy stuff. Another day I might be working on some intellectual property around patents. It's, it's fun.

Elliot: And correct me if I'm wrong on this, but you also run your own podcast too, is that correct?

Matthew Chiodi: I am, I am. Thank you for giving me the ability to plug it, CloudSecurityToday.com. If you go to CloudSecurityToday.com, I actually use the, uh, same platform you guys do. So, um, yes, it's a, I am quite busy. I don't know how often you guys do releases. I only do my podcast every month simply because I, I barely have time, uh, to get those monthly ones out.

People are always asking me, can you do 'em weekly? Can you do 'em every two weeks? And I'm just like, no, not right now.

Elliot: That is, that's spot on. So we do it like every two weeks, but we try to like record our episodes in batches. So that's why when we're recording this, just off the heels of RSA, it'll be like a month later. So, um, that's the only downside, but it, it's always hard to like fit everything in there. Plus Neal likes to travel a lot, so, uh, I gotta coordinate his calendar of course too, but, uh, yeah.

So folks, absolutely make sure you check out that podcast, we'll make sure we put that in the show notes so that people can link towards that. But let's kinda get to that, uh, subject at hand. So you recently dropped some new research and I think maybe we should, uh, give a little bit of context of background on what Cerby does.

So that kind of aligns, it makes sense for why that even makes sense. Um, so I'm gonna throw this out there and I'm gonna be wrong, but feel free to correct me as soon as I mess all this up. But if I get this right, so as part of Zero Trust, IdPs are pretty big components of that to, uh, help with access control, but they do not cover absolutely every piece of that puzzle.

So, um, I will get the word wrong, so I'm gonna skip over that and mess that up. But, um, you all come in and kind of fill that gap, is that correct? Where you're able to help, um, reduce the keys to the castle, going to people for platforms that otherwise IdPs can't handle.

Matthew Chiodi: That's right. That's right. And what we do, we call those applications, we call them nonfederated applications, and the, the challenge of this whole topic is that there is no industry accepted way to talk about applications that don't support standards like single sign-on, SAML, SCIM, all those different protocols.

Gartner calls them non-standard applications. Um, Okta calls them nonfederated. So we, we, we landed on nonfederated, or you know, the one that we created is unmanageable applications. That was a little more provocative cuz people say, well, what do, what do you mean they're unmanageable? And we like to say that, you know, if you've got these applications in your, your enterprise, um, they are unmanageable for you at scale because you can't leverage your IdP and you certainly, um, are going to struggle to bring them into a zero trust architecture.

Elliot: Yeah, that absolutely makes it to me. And I mean, from like a branding perspective, which Neal can, uh, battle me on this, that is very, uh, straightforward and it just kind of explains it, uh, out the gate. Whereas I know like Gartner and Okta, I'm sure they have spent hundreds of thousands and maybe millions of dollars to determine how they're going to define it.

But yeah, I, I totally get where your perspective is. And I think if you just see it on paper, you're like, oh, that makes sense. You don't really have to like go down 20 layers to understand exactly what this is saying.

Matthew Chiodi: Pay 20 consultants.

Elliot: Not yet. I mean, one day when you're big enough, you'll, you'll, you'll get there. That's how that all works.

Um, so that is all to say, uh, you all have recently, uh, dropped some new research and some data points. Um, maybe we can kind of highlight that a little bit. So, you said unfederated applications. Um, I see decentralized management as a recipe for disaster. We're seeing like 63% of your surveyed respondents are, um, admitting to their business units rather than using IdPs that, um, they're probably like manually doing it, if that's correct.

Um, but where are you seeing some of these challenges? Maybe you can also give a little bit of background of like the type of people that were part of that survey.

Matthew Chiodi: Absolutely. Absolutely. So this was, you know, the company Cerby, and that's C-E-R-B-Y, Cerby. Um, we founded it about three years ago, and as usual with any kind of company that's a startup, there's a thesis and the thesis is, is there's a problem, whatever that is. Right. Changes on the company and we wanna solve it.

For us, it was that our co-founders, um, actually were not from the cybersecurity industry. They had been doing a lot of other things in tech and they kept realizing that there were all these applications that didn't work with identity providers. And so they started to study just like, how large is this problem?

They did their own research and, uh, looked at it, and what we wanted to do with this research with the Ponemon Institute was really quantify two things. One is the cybersecurity risk around these nonfederated applications. Also cost, was there a cost impact? Because again, we know that when it comes to the SCIM protocol, which is the system for cross identity management, it's a standard basically, that allows you to automate onboarding and offboarding of access.

So just think of it this way, I, you know, two or three years ago, I had no idea what SCIM was either. I hadn't even heard of it. Um, but for those, those that are listening that aren't familiar with SCIM, what it does essentially is, is, you know, on Neal's first day on the job at a company, he gets entered into an HR system, whether it's a Workday or an SAP or something like that.

That is then typically tied to an identity provider, whether it's an Azure AD, Okta, Ping, one of those, and those two talk to each other, um, which basically says, Hey, Neal, Neal, employee. He's a member of these groups. What's supposed to then happen is those downstream applications, if they support the SCIM protocol, Neal will be automatically added to the right groups on all those downstream apps, whether it's one or a thousand different apps. The challenge is that roughly 85% of applications, they actually don't support the SCIM protocol, and so what ends up happening is there's a lot of manual work of having to add and remove users, update their access. So that's, you know, that's kind of a little bit of a diatribe on SCIM, but we wanted to understand cyber risks and also the cost impact specifically around SCIM.

So that's where we started. In terms of, uh, methodology, there was roughly, we started out with around 16,000, uh, folks that were in the sample frame, and if you've done anything with research, you know that, you know you've got this sample frame, you don't need to actually talk to all of them. Uh, we, we screened out making sure that hey, we wanna make sure we're talking to, uh, uh, people in the United States.

We wanna make sure that they are, uh, practitioners who are familiar or somewhat involved with their identity and access management strategy. End of the day, we ended up with just around 600 survey respondents and, you know, I'll, hopefully you guys will put a link to the, um, actual research in the, in the show notes.

But what you'll see is that it's a, a very broad survey in the sense that it's very representative of, uh, multiple different types of software and also multiple different industries. So that's, that's kind of the, the high level of, of, of where we wanted to dig in and the why. And then if, you know, if you guys wanna go through and kind of, we can talk through some of the points in there. It's, it is a lengthy report. I think it's like 27 pages. Um, I did a blog article on it that kind of summarizes it. Um, but um, yeah, I'm happy to, happy to chat about any of the big data points in there. But that's really, that's kinda why we wanted to do it, was to really validate, to validate the thesis. You know, we've, we've also, we already have from a company perspective, really good market traction. We've got, uh, a number of very, very good, uh, logos that are, that are using the Cerby platform. But this was more of a, you know, almost a sanity check for us as well, just to validate the thesis and to also really kind of educate.

Cause that was one of the findings as well, is that I think it was 44% of respondents said that their, their management under, underestimates the cybersecurity risk of nonfederated applications.

Elliot: Yeah, I, I think that makes a significant amount of sense to do that for any layer of business because if you're doing stuff manually today, um, I mean, you're just setting yourself up for a whole sort of a mess and disaster. Um, especially at a startup level. So, you know, an organization, they might be able to use an IdP, but if there's so many gaps, like really simple use case, and I saw it even on your website, front and center, um, like account management of like social media accounts today? Yeah, like an organization might use HubSpot and they have some things linked in there. So you don't really have the keys to the castle, but what happens if someone leaves and they had like an application on their phone cuz they were at an event or something like that.

Um, and it's just such a huge time suck to rotate all the passwords and update like 1Password, LastPass or whatever. Sorry, Bitwarden cuz we just interviewed them. Uh, whichever platform of your choosing. Um, you know, there's just not like a really efficient way to handle that. Plus you don't really want people to have access to those in general, um, like the actual password.

So, um, that makes a lot of sense in my mind where you're able to do that and scale it and make it just a little bit easier and not tracking spreadsheets either. Um, but that all to, to that extent I'd love to just hear from your perspective if there was any really standout things, uh, in that report that you just feel, um, obviously you were saying that it validates what the thesis was, but uh, was there anything outside of like time saving cost, anything in particular that just really drove home what you were building and you know, what you saw in the survey that reflects that?

Matthew Chiodi: Yeah, I mean, I, I think the, there was, there was a couple things that stood out to me. Um, but, you know, probably the largest is that, you know, we talked about, I used, I talked about that one statistic already, and one is that, you know, people by and large said that, you know, almost, almost half, 44% said that management is underestimating the risks around these nonfederated apps.

Um, part of the reason that they're likely underestimating the risk is that, uh, we found that only 49% of organizations actually track the usage of nonfederated applications in the enterprise. Right? So if you have half of, of organizations that are, that are tracking well, uh, you know, and only 21%. We asked, we, one of the questions we asked was, well, well, how confident? One was like a very kind of yes or no question was, you know, do you track, yes or no?

And that's the, um, 49% that said, um, only they, they track it, but only 21% were confident in actually knowing all the applications that are used. So it was kind of like, yeah, like half of us are, are kind of doing it, but we're, we're not really confident that we're doing it well. And so this is a classic case of, you know, I I, I posted on, on LinkedIn earlier this week, um, about the famous, you know, Donald Rumsfeld quote about the unknown unknowns.

Which was always a quote that kind of bothered me and I, but I finally read the full context of it, and it, it's kind of, it fits very well here where, uh, organizations, there's, there's thousands and thousands of risks that a CISO or security team is trying to manage. Nonfederated applications seem like one of those, um, that may fit into the kind of the unknown, unknown category because, and most of the time organizations just have written it off as either, uh, a risk that is not solvable or it's one that they think is just, or they're, they're not even, it's not even on their radar.

So, that, that's probably the biggest one that I, I took away from this. And you know, we can go through some of these other numbers here, but for me it was just that, when I talk to, um, security leaders around the country, and I do this quite a bit, both with, uh, my work at Cerby, and also the consulting and advisory work I do with IANS Research.

That's probably one of the largest questions CISOs have is like, what are the risks? What should I be worried about? There's a lot of things out there. You know, there's the kind of the known knowns, the phishing, the uh, the human errors, those types of things. But what are the things that are emerging?

Obviously, everybody's talking about AI right now. Uh, certainly that will exacerbate these types of things. So that, that was probably kind of my, my 10,000 foot after reading all this, doing a deep dive that was, uh, I think is significant.

Elliot: Very interesting. Um, actually, you know, before I steamroll past you any uh, perspective that you'd like to throw in there?

Neal: No, I, I think it's kind of, it, it's due time for this mentality with the whole yo-yo for cloud, right? So whatever we want to label cloud, this go round, cloud this, cloud that. But 30 years ago, everything was on-prem. 20 years ago, things were in self-hosted server space, somewhere else, right? Like in Rackspace or up and coming AWS, Google, Azure.

But now, you know, we're, we're back. We went through another on-prem iteration. Now we're back to cloud pre being a big push. So I think from an app security piece, one of the things you mentioned, being at RSA, one of the things I saw, I, I was expecting to see AI marketing this, AI marketing that crap everywhere.

But in reality, what I did see was more AppSec type thought flow, I think at a lot of tables and a lot of booths and, but it's not, it it, to be very blunt and candid about those promoting it, they were just some of the same companies that just slapped AppSec on top of things of what they were already doing.

So I don't think they were trying to actually outright solution around AppSec and, and cognizant of what that really is. I think they were just trying to get onto the buzzwords. Cause I think now is the time, right? The last couple years with the covid procurement cycle and being what everything is, everybody's got a million different things that they went out and bought and have no clue what it is or who the heck's doing what with it.

And so the, the time has come for the reckoning of, of AppSec in a more holistic approach. I think it's kind of fun to think about and hear about and how that plays into what we'll get down here in a minute with the zero trust mentality. Right. And, and, uh, migrating over to that more holistic approach between on-prem versus off-prem security product.

Matthew Chiodi: Yeah, I mean, I think it's funny you mentioned that about, you know, the, the covid induced, um, buying binge of tech and, and that's just absolutely true. I remember back when I was at, uh, Palo Alto Networks, we did research on that as well. Worked with some external agencies and there was absolutely, there was absolutely a huge buying impulse around that. When it comes to like, where do like these nonfederated applications come into play? Um, what, you know, there's other research that, this is not the research that we've done, but I, I think it might be Gartner that talked about the fact that today about half of technology spend occurs outside of IT and it's actually trending, they think, to closer to 90% by the end of the decade.

And what that talks about is that there's actually a, there's been a major shift in the buyer, in their, in the buying habits, who's buying. And what that does is that changes the actual threat model around, uh, the, the applications themselves, right? Because, you know, before when the procurement of, of technology was primarily coming through IT, they could act as, as somewhat as gatekeepers, right?

They could say, Hey, we're not gonna bring on any apps that don't support SAML 2.0 or don't support, you know, X or Y technology. When you have business units that are now doing a lot of the procurement, especi, especially when it comes to SaaS, it's not that, it's not that they're trying to purposely be insecure, they're just not concerned about those, those things, right?

Yes. They go through their security training, but they're trying to get something done, and that's why these nonfederated apps, it's not just legacy. Yes, you have legacy on-prem apps that don't support modern auth. That's one part of the nonfederated application challenge, but then you also have, um, by our research, the majority of new SaaS apps that also in some cases either, uh, maybe they do support SAML, but they're gonna charge a 10x or a hundred x upcharge, you know, the SSO tax.

You know, if your listeners, I think if you go to SSO Tax, I think that's the site that kind of has the wall of shame of vendors that charge, like a massive upcharge for, you know, single sign on technology. So, you know, but the reason that exists is because the actual buying habit, the buyer of the technology is no longer requiring that.

So that's part of why this, this problem continues to grow. And definitely COVID, uh, was a big part of that, that, that buying binge. Cuz people are just told, Hey, go home, be productive. And they did. They did. They bought a lot of software and they don't ask the same questions that, uh, security teams typically ask.

Neal: And I, I'll unpack real quick on earlier statements. I, I just think it's amazing how many techs new and old don't support some kind of federated access of any sort, period. It, it's mind boggling that that number is so high. I, I'll be very admitted to that, that I didn't think it would be that grandiose. I get startups, you know, getting there trying to figure out how to do things from the scratch point, but the fact that there are legacy as well as larger scale toolings, that it's just not part of that, that, yeah, it, it's weird.

It's, I think it's, uh, I don't know. It's a standard, right. It should be in the sense, and to your point earlier on, there's not really anything fixating on that in the security standards as a whole, it's, hey, best practices is to allow X, Y, Z. Um, but you know, 10 years ago, eight years ago, whatever it was, we decided passwords shouldn't be changed.

But people still mandate password changes and things as an example, right.

Matthew Chiodi: It's been a while, right, since NIST came out with that.

Neal: So, yeah, it's, it's mind boggling for me to see the scale of this and then on the plus side, you know, with a company like y'all's trending positive to be able to overcome these hurdles. So that's what I really wanna talk about is overcoming that hurdle and how y'all obviously are managing that problem and bringing a wrapper around that for the sake of people like me who did buy a lot of random stuff.

So,

Matthew Chiodi: Yeah, I mean, just, um, to, to your question there, right? The way Cerby helps with that problem, and Elliot mentioned this at the beginning, is Cerby, you know, we work with all the major identity providers, Azure AD, you know, we're a Microsoft, uh, for Startups portfolio company. Um, Okta Ventures is one of our, was one of our lead investors.

So a lot of the IdPs, big identity players, they have a vested interest in trying to, um, solve this problem of nonfederated applications. But the challenge is, is that they've got this massive network of, you know, thousands of applications that may potentially not support it. And so where Cerby comes in is we act as that bridge where, um, you know, there's a couple different ways that we do it.

If the application, for example, has APIs that we can leverage, we'll, we'll use those. Um, if there's not, what we do is we have a browser plugin that, uh, works in all major browsers and mobile. And what that will do is that will actually carry out automations on behalf of, uh, of the end user. And that's really how we do it.

So yes, we're vault, we are vaulting credentials, so we have a lot of the same functionality as an enterprise password manager would have. But instead of just managing the password, we go beyond that and we use, uh, take advantage of some, uh, patent pending robotic process automation to actually carry out automations itself.

So for example, if you look at how a traditional password manager works, it's just vaulting the password, right? Uh, in the case of like shared accounts, Elliot, you mentioned like corporate use of social media. That's probably one of the, the most common use cases where you see shared access, right? Because you know, if you're, you know, company X, you have a handful of social accounts and anybody that's on your marketing team or maybe third party agencies, you, you have to share that username and password, right?

You can't connect it to Okta, you can't, um, you know, use Azure AD. It just doesn't work. So for us, what we do in that scenario there is, is once somebody is, you know, authenticated, uh, via their IdP, uh, we have then the ability when it comes to those shared accounts to be able to, uh, securely share out access where no one actually has to know the password for those social accounts, or for that matter, any account. We see this a lot with, uh, organizations on their finance teams. A lot of times they have shared, uh, shared bank account access. And so we're able to individualize that access, add on two factor authentication on top of it, where all of that is, uh, being automated with our, uh, with our RPA system.

So that's kind of a high level of, of, of how, of how we work, but then also the, the SCIM component, uh, as well. So it's, uh,

Neal: Yeah,

Matthew Chiodi: A holistic solution around that.

Neal: So I think this is kind of neat. So if we go back to the example of the Covid buying, you know, one of the things that I, I've personally been promoting in some fashion or another here as well as at my nine to five and some other places is, you know, the necessity for automation outside of SOAR and automation outside of, you know, the IR process in general and how when it's done right, whether it's purpose-built like Cerby or whether it's something doing other translations and process, that automation becomes a bridge between disparate data stacks to do this, right?

So y'all saw the problems that y'all see what the issue is. And overcome it by being, like you just mentioned, the bridge between things that don't do what they're supposed to, to things that are doing what they're supposed to, and making sure that there's that confidence layer in between. So I think that's kind of neat.

This is a, a really fun take on, on what that, that machine to machine layer could look like and should look like to help solution a problem. And obviously to the point of this, make life a little more secure and more, more practical and more in tune with where things should be. Right. Um, realistically. So I think that's a pretty neat approach.

Matthew Chiodi: Yeah, we, we, we, we think that, you know, there's what we're doing today with the platform with RPA, and RPA is not new in and of itself, right? RPA has been around for a long time. You've got companies like UiPath, which is, uh, one of our investors as well, that has done a lot of amazing things with, with RPA.

But the challenge with, um, that traditionally has been around RPA with security is that if anything changes, I, with the kind of the login path or if anything changes with the UI, there's drift. A lot of times those automations will fail. Part of what we've built and part of what's patent pending with our platform is the ability to recognize those changes and then automatically correct from those or adjust from drift.

So I actually absolutely agree with you. There's, there's, I think that SOAR was the first generation of, you know, specifically SOC teams trying to automate, you know, level one playbooks, right? Something that a level one analyst might do. Trying to automate that, quite frankly, that grunt work of going out, gathering data, building a case log, and then, you know, handing it off essentially to a, either a higher level analyst, maybe a third party or somebody to process it.

And I think that's still good. I was just speaking with a, um, um, a deputy CISO of a large, a large healthcare company earlier this week, and they continue to invest in their, in their SOAR platform. But they're realizing, uh, they've realized that there is still a lot of limitations within SOAR platforms and it, it's not quite everything that vendors, you know, three years ago, uh, cracked it up to be.

It certainly solves challenges, but is not, is not the be-all, end-all. There's a lot of other places where I think automation can be and should be, and certainly authentication is, is one of those.

Neal: Yeah, agreed. Preaching to the choir on that part. A holistic approach to automation beyond just IR is, is literally what I like to go out there and yell about to people. I usually take it on from an intel perspective as an analyst, right? So, you know, there's a lot of things that I do that, uh, I don't wanna be a data scientist, but, um, automation in the right place allows me to act like I'm a data scientist sometimes.

So it's, it's kind of nice. It's a good force multiplier for a lot of different things. So when we think about, uh, you know, the aspects of this from a, a platform perspective and tie-ins and Zero Trust, you know, being able to get all these disparate apps tied together to some kind of larger scale process.

You know, I think it obviously fits nicely in with, with the general identity and access management picture that we've been talking about, but this is really, I think for us, this is really the first time we've really legitimately had someone talk specific to AppSec in that true sense. So, you know, we, everybody else comes in, you know, secure the people.

Secure the people. And technically by proxy, what you're doing, you obviously are securing the people, but more aptly, you're, you're obviously focused on the AppSec itself specifically versus just the person. So, I mean, I, and, uh, I had a question two seconds ago, and then I got distracted with the AppSec piece of this, so I apologize.

But what I was thinking about was, uh, you know, when we think about the two different approaches, uh, you know, where are y'all bridging the gap? I guess between, you know, you're obviously doing some password security pieces, but are y'all doing like, uh, anything from like an app discovery type perspective as well?

Or are y'all taking in constructs from other tools to help do that and then help build out policies or predefined roles and policies around that type of process flow?

Matthew Chiodi: One of the, one of the biggest questions that, uh, that we get when we kind of talk about what we do with security leaders is, um, when are you gonna help me be able to discover these applications? And so that's a challenge that we are working on solving right now. We've got some things that are in a, uh, private beta around discovery, uh, because that's one of the biggest things. It's, you know, if you guys remember probably seven to 10 years ago, cloud access security brokers, CASBs, right?

That was kind of like their initial way into the market: they introduced the term. You guys might remember Skyhigh Networks. They got acquired by, I think McAfee. I think it was McAfee, and they were the ones that introduced the term "shadow IT" into the lexicon, right? 10 years ago, people had no idea what shadow IT was.

And, um, CASBs essentially started out as being discovery mechanisms. Hey, we will, you know, drop us on your network, feed us your, your, um, secure web gateway logs, feed us your firewall logs. We will highlight for you all of the shadow IT usage, basically the SaaS usage. And that was kind of V1 of it, and they've kind of gone through some different iterations, but what a lot of security teams have realized around CASB investments was that that was, that was helpful when most of the network traffic was on network.

Of course Covid blew that all up, literally, right? Everybody went home and all of a sudden CASB investments went, um, the ROI on CASB investments dropped precipitously. So yes, to your question, right now in our GA product, we don't, we're not doing discovery. Uh, but we will, uh, shortly have the ability to discover and then also be able to, um, onboard those apps as they're discovered

into Cerby. So, uh, one of the things that, um, we're getting asked for is not only the ability to discover, but cuz you know, when I tell you there's a problem, that's great, you're aware now, but then you very immediately want to say, okay, now what can you help me do about it? Right. It was like, uh, it was like the old IDS systems, you know?

It's like, oh no, I've got all these things that are happening and you're not gonna actually help me do anything about it. Right? Then we moved to IPS and, you know, that was years ago, so I'm dating myself, but, but anyway, you, you get the point that, um, discovery is a critical component of it, and it's something that we're, we're, um, we're very focused on right now.

Neal: I think he's dating himself with IDS and IPS. Yeah, I mean, I'm the one here with the gray hairs. Um, I just use really good lighting to hide them. Uh, no,

Matthew Chiodi: Yeah, apparently I don't, because you can see all of mine.

Neal: No, it's, no, that, those are fair points though. You know, it's evolutions of technology, and if we step back into the orchestration piece and, and CASB combined, you know, Orchestration 101 is really what SIEM was supposed to be day one. You know, like you mentioned, tier one, L1 analyst support and, and automation of those roles.

We're kind of there-ish now, and then, you know, the, the whole Covid piece is, it, it's fundamentally intriguing for I think everybody in the security world, and how to overcome these issues. You know, I've seen companies enforce a, uh, policy exclusively: when the laptop turns on, the VPN turns on. So everything, no matter what's on that laptop, is going back through a corporate network, guaranteed.

I see other people who just literally ship a laptop with no monitoring installed on it whatsoever. Default factory, no service. Right? And here's your passwords. Um, so it runs the gamut, so it's kind of, kind of intriguing. So your take on, on some of this then, from a remote work perspective, you know, are y'all looking at this from like an agent driven thing where someone would install something on, on a laptop? Um, not necessarily obviously EDR/XDR type flow, but conceptually an app driven solution to help monitor and, and or control kind of stuff like that. I'm, I'm curious about that flow. To be fair.

Matthew Chiodi: Sure. Yeah. I mean, um, again, being seed stage, like today, our, our approach is, is focused on, uh, that, that plugin based approach. No one likes agents, so plugins are, I think, a little bit more, uh, lightweight, living right in the browser. And really our, our, what has worked really well for us to date is the fact that, is realizing that work happens everywhere now, and therefore, what's the thing that's everywhere?

It's the browser. If we can be in the browser, um, our goal is not to be, um, like another firewall or another, you know, WAF or anything like that. Right. Our, our goal is to be in there so that when a user is onboarding, let's say, a new SaaS app, let's say they're trying to create a new, uh, a new subscription for Slack or whatever it might be, is to be able to say like, Hey, did you know that you already have, you know, and here are all the different subscriptions that you already have in your organization, or, here's the one, just trying to catch that right at the time of it, rather than doing it after the fact where you already have the sprawl and then you have to go out and try to pull things back. That's really our, that's really the way we see things today. And I think, and quite frankly, that's what, you know, we're hearing a lot of. So one of the things that I, I love about being back at a, a seed stage startup is, you know, in order to be successful as a seed stage startup, you absolutely have to be in listening mode with your, you know, with your customers, with prospects.

And so we're, we're just, you know, that's part of the reason why I love coming to work every day is just being in that, just that heightened sense of, of listening and really trying to be perceptive and, and listening to what, where customers are struggling specifically around these non federated, uh, non federated applications.

Neal: So with that in mind, I mean, we kind of talked about some of those problems already a little bit, but what's your highlight reel for things that are kind of getting brought to bear? Obviously app discovery, I'm assuming, like we just talked about, um, management, but what's some, you know, maybe dive down a little bit more into specifics on some of those things.

I know once again, we've already talked about a few of 'em, but I'm just kinda curious, a little bit more insights on that.

Matthew Chiodi: Yeah, absolutely. Yeah. I think, I think from the research, the, the kind of the, the headline that came out around, um, specifically around cybersecurity risk, like what's the true risk? Cuz I, I'll be, you know, just being fully transparent. I've, I've spoken with a lot of, uh, CISOs over the last, uh, year who've said, okay, yeah, I understand it, but like, how much of a risk is it?

Well, we were able, we're able to quantify that now, and what we found is that, uh, 52% said that they have experienced a cybersecurity incident specifically from non federated applications. Of those, 63% reported that they've had a minimum of four or more than five incidents. So it, it's not, you know, it's not like, it's like, Hey, this is something that happens

uh, almost never. So there's, there are incidents that are happening from this. If you extrapolate and coordinate that data with like the Verizon DBIR from, uh, last year, 2022, we can estimate that breaches from non federated applications are likely somewhere in the neighborhood of nine to 14% of breaches overall.

So it's not a, you know, it's not like it's a, you know, a 1% number. It's a statistically significant number of breaches that we believe are coming from non federated applications. So there is a risk, uh, to businesses. And, um, there's also costs, right? We talked about this, but what we found is, again, we wanted to quantify the costs around it as well, specifically around the incidents. Um, it's costing organizations around $300K annually, uh, for, for dealing with incidents from non federated applications. So there are hard costs. Now, if you're a, uh, multinational with, you know, 50 billion in revenue, you know, that 300,000 a year in cost, you probably would say, Hey, that's like 3 cents.

So maybe that's not as big of a deal. Uh, but the fact that there are incidents coming from this, and this is a risk that we think is, uh, fairly easily managed, uh, I think, I think this is something that most people would, would want to do something about.

Neal: No, those are obviously very substantial stats, so that's kind of neat to think about. So I'm very curious to see how, you know, if y'all were to run this again later this year, end of this year, how ChatGPT and the other AI stuff obviously impacts that, cuz we've already seen in the news exposure and, and things like that from the, uh, from pick a flavor, whatever they're doing in ChatGPT, from PII and all this other stuff that went into there and companies now banning it, right?

So, quick curiosity question. Do you think that, uh, obviously like we talked about earlier, AppSec was a big thing that at least I saw. And maybe that's just cuz that's where my lens was at RSA. But do you think moving forward with the constructs of things like ChatGPT, which, you know, uh, is not a federated access tool, uh, do you see this becoming more worrisome as things like this come online?

Matthew Chiodi: Yes, I do. I mean, I think, you know, as a, as someone who's used, you know, generative AI for, you know, probably, you know, six to nine months at this point, I think what it's going to do is just change the game in terms of the, the speed at which attacks can be carried out. Right? Because before, um, if an attacker could script certain things, right, you could script certain things, but it wasn't, it wasn't able to deal with like a lot of the different variables.

Right. Especially when you're carrying out like a, a very, uh, far reaching campaign, right? It required a lot of resources, just like a, just like any other business, right? If you're, you know, if you're someone in the underworld and you're, you're part of one of these, you know, um, nation state acting groups, right?

They have, you know, hundreds of people that are involved in these things. AI, generative AI specifically. And I'm not talking about OpenAI, cuz that's probably not gonna be something that a nation state is gonna be using, but they're certainly gonna learn from it. These, these generative AIs are basically, are going to make these attacks, uh, faster.

And, uh, when it comes to phishing campaigns specifically, much more believable. Right? A lot of times, you know, phishing is, you know, it's gotten a lot better over the years, but, uh, AI, I think it was, um, um, I'm on faculty at IANS, and one of our, one of our faculty members put a, um, he, he basically had, here's a, here's a screenshot of a real company's policy. And then he didn't tell you which one was which. He said, here, here's one that is a, it was a real policy, and the other one is generated by AI. Can you tell the difference? And I got it wrong. And so did like 70% of the people in the audience. I thought the one that was written by AI was, was the correct policy.

So that's where I think it's gonna change. It's gonna change the speed. And, um, one of the takeaways I had from, from RSA, I spent a lot of time in the, the startup, the Innovation Sandbox area, just cause I wanted to see like, what is everybody talking about here? Um, everybody was talking about AI.

Everyone's talking about AI. I did notice that there were quite a few vendors that would, they probably wouldn't call themselves, you know, they probably wouldn't put themselves in the AppSec space, but a lot of people talking about, you know, software supply chain security, SBOMs, those types of things.

So yeah, I think that those are all, I think they're all critical areas, but all these things do seem to go in, uh, in cycles over the years. Right.

Neal: Yeah. No, that's, that's awesome. So, uh, I mean, we could spend a whole 10 hours talking about the wonderful ways to take ChatGPT and other things to make exploitations. I don't remember who it was, uh, but we had someone on, uh, as, you know, the ChatGPT stuff was coming up, and he's talking about how he easily generated ransomware by obviously not calling, Hey, generate ransomware, right?

You just gotta know the language to get the system to talk the way it's supposed to talk. And you know, fair play on that cuz I've also done similar, uh, so you know, you know how to word it, but you're right though. I mean, it expands the landscape drastically. You know, whether it's because you're putting something in the tool or whether it's because the tool is being leveraged to target you more explicitly.

Right? So I think it's kind of fun to think about, um, you know, from an additional stats piece. And we think about the significance of this. You know, I, I imagine, I think we both agree that this is, while it's an easy to solve problem, it is going to only increase annually until people take it a little more

seriously. And so one quick curiosity question then, you know, just in general, from your perspective, working, working to help secure these constructs, do y'all work from a, from the perspective of also trying to push more standardized concepts down onto some of these non federated toolings, especially if they're larger scale or more well known?

Have y'all like thumped people in the back of the head and asked the question a lot: why doesn't, why don't y'all have this type of, uh, security endpoint in play?

Matthew Chiodi: Yeah, I mean, I think it's a great, a great question, and it's interesting. I won't say the actual company's name, but we reached out to, uh, one of these, one of these, uh, very well known SaaS providers and basically asked them like, Hey, why, you know, why don't you support, uh, SAML? You know, it's, it's not like it's a new standard, right?

SAML 2.0 has been out for a number of years, and they said, Hey, it's, it's on our roadmap. Um, but quite frankly, our, our main user base is not asking for it. And if you guys, you know, know anything about product companies, they, they're not going to build what their users aren't asking for, or they shouldn't. I mean, maybe in this case they should, but most of the time you, you know, you're prioritizing your roadmap around, um, what users are asking for.

And as I mentioned in the beginning, that stat around like, who's buying technology these days? And 90% of it's outside of IT. That's why, that's why. So it is, um, that, that's usually the conversation that we, we hear more often than not when we ask that question. And again, we know, part of what we found in the research that we did with the Ponemon Institute was that, uh, 63% of, of access management around these non federated applications is done by the business units.

It's not done by, it's not done by IT, it's not done by the identity and access management team. Um, it is at 63%. So the majority of the access management is being done by individuals who likely don't understand security best practices. That, that's why I think the breaches are being generated. Um, a lot of times the, the way organizations attempt to deal with this is they might bring in like an enterprise password manager and try to use that to solve the problem.

And it's certainly better than, than nothing. But the thing is, if you look at all the major enterprise password managers, none of them have, uh, automation support, right? So they'll vault your password. In some cases they might help you, uh, with, uh, some level of shared access management, allowing most people to, to access a, you know, a single password.

But they really start, they really struggle. You know, guys, remember what happened with the LastPass breach, uh, very recently, where it was like, Hey, you need to go out and rotate all your, you should really go out and rotate all your passwords. Well, we work with a number of large enterprises that, um, were LastPass customers, and, you know, trying to go out and manually rotate tens of thousands of passwords is something that will take weeks, weeks, and weeks. And so what's, that's something we've aimed, we've largely solved with our platform is, if someone wants to do mass rotations, uh, they can do that, uh, literally with a quick click of a button. What would've taken weeks will probably take, you know, one to two hours.

So I think, again, this is where, you know, the technology, RPA in and of itself, is not new, but there are challenges. There are some SaaS apps that have bot detection, uh, specifically like the social media apps like TikTok. They are amazing with their bot detection. So, uh, that was definitely a challenge for us to, to work around some of their bot detection.

But, uh, some of the other platforms we, we've been able to do this with, um, platforms that maybe are not as sophisticated around that. So if you think of like electronic health record systems, EHRs, uh, they, they have zero bot detection, so it's actually fairly straightforward to be able to build these automations and, um, be able to solve these problems around that.

Neal: So what I'm hearing is Cerby has a secondary business market to help me plus up my Instagram. No,

Matthew Chiodi: Absolutely, absolutely.

Elliot: I was gonna say, do you have a consumer version? Because I might have been on a platform you just mentioned, and I switched to something else, and I still have to rotate like half of them.

Matthew Chiodi: There you go. Now, we do not have a consumer version. We are B2B today. Um, perhaps in the future we'll, uh, we'll maybe offer a B2C type, uh, model, but today we're a hundred percent focused on the, the B2B side.

Elliot: That seems like the, the right way to go.

Neal: And once you get that first set of millions in, tens of millions, then they can, they can focus on us plebeians.

Elliot: There you go.

Neal: Now I'll, I'll throw it back over to Elliot for a few. I mean, I know we still got a good 10 minutes here, but I, I know, I think there was a few more things he wanted to poke and prod a little bit.

Elliot: Yeah, absolutely. So, uh, I think it's been a hot minute since we've asked this, so I'm gonna ask the tried and true question, but, um, obviously you pal around with some folks who are really well acquainted with the world of Zero Trust. Um, but I would just love a really simple, uh, one here, which is, you know, what is your take on Zero Trust?

How do you define it? Um, and then I think we can expand upon that a little bit further, but, You know, is that even a term that you throw around with people? Does it find, is there value in it or do you just cut to that layer underneath it? Which, you know, most organizations I think that we've chatted with tend to do

Matthew Chiodi: You know, I'll, I'll start out with, where, uh, one of the comments I made at the beginning of the podcast, which was around Donald Rumsfeld's famous quote around unknown unknowns. The only way that you can truly deal in the world of, of tech and cybersecurity with unknown unknowns is with a Zero Trust, uh, architecture, a Zero Trust strategy. That is the only way you can do it.

Right? And, uh, that is what I love about Zero Trust. And I learned a lot about it from my friend John Kindervag, who's of course the, uh, the granddaddy creator of Zero Trust back at his time at, uh, Forrester. And, um, I spent a lot of time with John when I was, we were both at Palo Alto Networks together. And at first, I have to admit, I actually, let me tell you a quick, funny story about the first time I met John. So I had read about Zero Trust, uh, not from John. I had read about it from, uh, Google's project. You might remember it. Do you guys, do you remember that they did it? It's probably been, it's probably been seven or eight years.

It's been a number of years ago that, that Google did their, um, BeyondCorp. You can, you think if you Google BeyondCorp, I think B-E-Y-O-N-D-C-O-R-P, all one word, you can probably find the white papers. But Google was the first one to actually, I think, to really do this at scale, to actually deploy Zero Trust across like everything.

Anyway, so that was my, that's where I, I thought Google invented Zero Trust, and so I got on this call with John Kindervag to introduce myself. And, uh, I informed him that Google was the creator of Zero Trust, to which he politely informed me that no, he was the creator of Zero Trust. Needless to say, that was a, uh, that was a little bit of a humbling event.

But, but yeah, so just, uh, a funny, funny story, which I remind John of often. But, um, but no, I do think that, I think that for most, I think that for many organizations today, Zero Trust is still something that, um, they are likely still a couple years away from. And, you know, I've talked to John about this a lot too.

You know, he's worked with hundreds of organizations globally who are, you know, very serious about doing it, you know, defense contractors, and they're, it doesn't have to take years, that's the point. It doesn't have to, but unless you're like totally bought into it. And, you know, a lot of, a lot of organizations assume like, Hey, if I go out and buy technology X,

then I automatically get Zero Trust. But Zero Trust does not work that way. You cannot go out and buy, you know, whatever the best next generation firewalls are. You're not gonna get Zero Trust, because there's just, there's so many other things that are involved in it, and certainly technology and cybersecurity tools are a part of it. They're, they're actually a smaller part of it, and it's one of the things I try to, I usually try to tell people when I give 'em, I have a talk that I do on Zero Trust, and that's one of the things that I, I try to drive home with people is, yes, you know, Cerby's a cybersecurity vendor, but even if you buy my product and you buy seven figures worth of it, which I would love, by the way, so any listeners wanna buy seven figures of Cerby, please reach out.

Be more than happy to broker that. But even if you did, you're still not going to get zero trust. There's a lot of other things you have to do with it.

Neal: I, I think we need to get some kind of recording app with an air horn. Uh,

Elliot: Oh, hold on now. All right. I told you I bought some new toys. It's just not set up yet, but I literally have a button with, uh, a lovely air horn. I will edit that in. We'll pretend I'm pressing this button a bunch of times for you, but yeah.

Neal: Uh, no, I think that that's the really fun thematic here, is that, um, those who are paying attention to the concept know it's, it's, it's a concept. It's not a single purchase, and I think that's the iteration that people need to be mindful of. Whether they're listening to episode one here or listening to episode 50 when we get there, or reading a book somewhere else, they need to always be mindful of the fact it isn't a go out and buy a product from pick a vendor, it's, it's a cohesive strategy to bring things together. And sometimes it doesn't require buying a net new product, at least from, you know, an IAM perspective in particular. Sometimes it's just being able to more aptly tune what you already have, or maybe plug in one additional little thing, whether it's from AppSec or other pieces, right,

that you were missing. Uh, I think that that's the key piece for everybody to make sure they're aware of. Don't just go out and buy the first thing that says Zero Trust and think it's done.

Matthew Chiodi: Yeah, there's a lot. There's a lot of those. There's a lot of that out there. So I think, you know, certainly I saw a lot of Zero Trust marketing at, um, at RSA, but I think AI was probably the more dominant conversation that I saw, uh, this year. Maybe by next year it'll be back to, you know, IDS again. I don't know.

So something, we will, we'll be back to something, but the last thing I'll say on the, on kind of the, where there's a relationship between Zero Trust and the non federated applications is, a big part of building a Zero Trust strategy, John talks about, you know, the five steps of, you know, building a Zero Trust architecture, or the five steps of Zero Trust.

One of those steps is building that layer seven policy where you define who, what, when, where. That's where that identity and access management component comes in. So if you're one of these organizations that has, you know, what we found is the median in terms of the number of non federated apps that organizations have, it's 176.

That's the median of the number of these non federated applications that, that organizations have. So let's say you're, you're that company. You've got 176 of these apps. If you have a Zero Trust strategy, you are not going to be able to bring these 176 apps into it, because they're not working.

It's not, they're not connected to your IdP, and you can't make them, you therefore cannot connect them as part of that layer seven policy. So this is what we call, and when I give this talk, I call it, it's the hole in your Zero Trust strategy, it's these non federated applications. And that's one of the reasons that John Kindervag, uh, we actually brought him on as one of our advisors at Cerby, is because we really wanted to make sure that we were covering that angle.

So organizations who are going down the Zero Trust path are able to do it in a holistic way, not leaving out large chunks of their application estate.

Elliot: Very interesting. Um, I will say the one thing that I think we forgot to ask any actual vendor, and we've only chatted with a few, usually our, uh, guests have been on the practitioner side, is, um, and I know we all love like the eat your own dog food comment, but, um, do you all yourselves kind of build around like that Zero Trust, um, philosophy?

Because obviously you're, you know, you had mentioned you're working on policies and all that. Obviously you're well plugged in, but, you know, as an internal structure, is that something that you align with or, you know, uh, maybe like aspire to work towards, if not already? Cause you're a younger organization.

Matthew Chiodi: Yeah, I mean, I would say that we're not, you know, there's different levels of, uh, different levels of maturity, and that's one of the things that I think NIST recently came out with in their, their recent, uh, Zero Trust framework, which maybe the name of is escaping me at the moment, but they came out with that maturity model.

And so that's definitely something that we are, we are working towards, uh, today, is really, um, defining what that path looks like. Assessing, like where, where are we on that maturity model and, um, and, and building toward it. But certainly that is, that is part of our, part of our strategy. And, and from a, you know, drink your own champagne, eat your own dog food,

yes. We use, we use Cerby for our own. Cuz we, we see this all the time, even as a small company. I mean, we probably have, we probably have 40 or 50 SaaS based apps that we use, uh, that, that don't support either SAML or don't support SCIM. And, you know, it's, it's, I find ourselves, especially when I'm working with the marketing folks, um, they'll say, oh, hey, can, uh, I've had someone say, Hey, can you share the password for that?

And I'm like, no. Remember Cerby, we, that's what we do. And they're like, oh yeah, that's right. So, um, so yeah. It, it's just, it's so embedded. It's just so embedded from being this way for, you know, 10, 20 years.

Elliot: I, I will say, um, for, I, I also work with fresh off the boat, non-industry experienced marketing folks that, um, the ones that love our space, they will, they'll get well integrated, they'll finally pick up on it. But that level of exposure, it, it's just, you know, you can't get that kind of training anywhere else.

So, um, hopefully they stick with it. Uh, our space definitely could use some more, uh, industry specific specialization. But yeah, spot on. Uh, should not be asking for any passwords if they're working in our space. Hopefully, at least, at minimum, other organizations have password managers and stuff like that.

So it's, uh, shared, uh, in that approach.

Neal: At least not live on a call.

Elliot: Oh my God.

Neal: That's what Slack is for. We all know that.

Elliot: My gosh. I'm pretty sure there's, uh, applications that, uh, spot when you do that stuff too. I've never actually seen those in use, but, uh, yeah. Um, that, that's definitely happened in some other companies I've been at that are cybersecurity companies. Don't worry, Neal, I'm not talking about the one you're at.

Neal: Uh, it doesn't bother me. I mean, I, we still live in a world where people will ask you if they can, you know, send you a message on Signal or WhatsApp for a freaking password, and like, Hey, which, I mean, at least that's a step, but it's still a signal. We know people are monitoring that stuff, so I'd rather you

Elliot: you know what,

Neal: in Gmail.

Elliot: I think I sent, uh, the password to our recording platform over Signal.

Neal: I know.

Elliot: Whoops. All right. We're gonna pretend that didn't happen. Edit.

Matthew Chiodi: Gonna edit that outta the podcast.

Elliot: No, we're definitely leaving that in. We're gonna put all the flaws out there. That's how that works.

Neal: No, I mean, you know, the, the, the final point of that, at least, you know, we have secured, quote unquote, we have some secured things that we believe are secured. And regardless of if they are or aren't, you know, the average user's not gonna get targeted on Signal or WhatsApp. Right. You know, uh, regardless of my background, I've been out of it long enough now where I know I should not be getting targeted anymore,

Purposely and intentionally I should, I would be a waste of space for that, at least for my, my guilty knowledge, maybe. Maybe somebody wants to get into the adoptingzerotrust.com domain or something. I don't know. But that, that's a different thing, right? Um, but yeah, you know, it's kind of neat that that's a whole nother segment I think, talking about how to not make yourself a target or when do you think you are a target?

And that's a whole nother fund, Intel drab and back to Zero Trust being a great way to mitigate when you have those concerns. Along with, you know, AppSec, password security, all the other fun stuff that goes into it. So that's fun stuff too. So I appreciate it, Matt. Um, you know, I'm, I'm hoping we can get you back on and

maybe with another one or two individuals and, and have some fun panel based type stuff.

Uh, maybe we get a little, little froggy later on and we do a, a legit live plan session on like LinkedIn or something, and we get some Q&A going on in there too at some point in time. Who knows?

Matthew Chiodi: That'd be fun. That'd be fun. Yeah, I'm actually doing a LinkedIn live on, on Monday, uh, doing a kind of a threat briefing of kind of running down what we found in the report, some of the takeaways. Um, yeah, I always love those. Those are always fun, getting the community involved. Love it.

Neal: Yeah, we'll have to go harass you and, and maybe

Matthew Chiodi: Oh yeah, join

us. I think. I

Neal: and some others, and get

Matthew Chiodi: yeah. Well, speaking of, uh, Dr. Uh, Dr. Zero Trust, I gave a, a similar talk at, uh, CSA September event. Last guess what? September. And, um, he was sitting in the front row and it wasn't like a, this wasn't a huge room, so when I say he was sitting in the front row from where I was standing, he was about four feet from me.

And I was like, ah, great. I'm gonna be giving a talk on zero trust. With Dr. Zero Trust sitting in the front row. But he was really, it was good, he was really interactive and, um, he validated a lot of, a lot of what I

Neal: Do you have to push him back down into his seat? Like, no, this is my presentation. You got your

Matthew Chiodi: No, no. He was an absolute, Chase was an absolute gentleman. So it was, it was, uh, it was actually pretty awesome in the end.

Neal: Oh.

Elliot: If we'd expect nothing less. Um, so we are at the top of the hour, so, uh, we will, we'll, we'll not take too much more of your time, um, but I do want to make sure we, uh, give you one last shout out, uh, not just for your podcast, but where can people learn more about Cerby and the report? And of course we will link in the show notes where they can access all that.

Matthew Chiodi: cerby.com. C-E-R-B-Y. We actually got a really great domain name. Cerby is, uh, to give you guys a mnemonic, so Cerberus was the, uh, three-headed dog in Greek mythology that prevented the gates of hell from, you know, everything from breaking those. So that's where we came up with the name Cerby. So if you go to cerby.com, C-E-R-B-Y, um, there should be a banner at the top where you can, uh, click and, uh, get the latest, uh, copy of that report.

And we'll probably do that on a, probably on an annual basis, uh, see how things trend and, and change. But we generally do some type of research generally about every six months. So, and as far as connecting with me, just go on LinkedIn, look for, look for me, and I usually try to post a couple times a week and, uh, try to keep things interesting.

So thanks for having me on. It's been great.

Elliot: Love it. Thank you so much, Matt. We really appreciate it and your perspective and your time. Um, this has just been a really fluid conversation, so, uh, again, we just, uh, appreciate you kinda coming in here and carving out some time with us.

Matthew Chiodi: It was fun. Thank you.

Neal: Thank y'all.
