Adopting Zero Trust
Adopting Zero Trust
The Unstoppable Phish: A Discussion with Vivek Ramachandran

The Unstoppable Phish: A Discussion with Vivek Ramachandran

Season 3, Episode 10: Elliot chat’s with Vivek Ramachandran of SquareX about his approach to tackling the impossible: Social engineering.

Catch this episode on YouTubeAppleSpotifyAmazon, or GoogleYou can read the show notes here.

For nearly three decades, social engineering, particularly phishing, has been one of the most impactful and financially draining cyber threats. Between security awareness training, email security gateways, generative AI, enterprise browsers, and a slew of other tech like EDRs and XDRs, social engineering has yet to be thoroughly thwarted. The reason for that is straightforward enough: social engineering is a psychological threat, not just a technological one.

In our last round of interviews from RSA, we chatted with Vivek Ramachandran, the founder of SquareX, who is attempting to tackle the challenge. Vivek also walks us through a more realistic perspective of how threat actors use generative AI today, which goes beyond the more unique what-if scenarios we’ve seen in headlines in the past two years.

Key Takeaways

  • Social engineering and phishing attacks remain a significant threat, and everyone can be a target. The sophistication of these attacks has increased due to advances in AI.

  • AI can craft messages that sound remarkably like someone the recipient knows, enabling rapid scalability.

  • Social media platforms are becoming common channels for launching phishing attacks. Attackers exploit the trust that users place in these platforms and their contacts.

  • Vivek Ramachandran's company, SquareX, deploys a browser extension that can attribute attacks and detect and block them in real-time, providing valuable information to the enterprise.

  • Traditional technologies like Secure Web Gateways (SWG) have matured, and attackers can easily bypass them.

  • Enterprise browsers solve the problem for a small niche group of websites but have adoption friction due to the inconvenience of having a dedicated browser.

Editor’s Note

It’s July, which means everyone will start disappearing for summer activities. Even if you have a road trip on the books, chances are you won't want to listen to cybersecurity-related chats (I know your family won’t), so we’re taking the month off. In the meantime, we’ll get some episodes booked and recorded and should be back in action in August.

Also, I kept a clear line in the sand between where I worked and our show, but I have since switched to a new role. To that end, I absolutely can’t discuss anything that happens over at the new spot, but I am working on a pilot series with a former colleague, Troy Fine, to discuss GRC and regulations since that was off-limits until now. Let us know if you have any suggestions for topics, but TJ will offer his unfiltered perspective as an auditor.

The Persistence of Social Engineering

Despite advances in cybersecurity, social engineering remains a significant threat. Today, everyone is considered a potential target, and the sophistication of phishing attacks has grown with technological advancement. As Vivek Ramachandran states:

"Phishing attacks have been there for a while. In recent times, I think they have gone ahead and become a lot more potent, primarily because of all the AI everything which is coming out."

Key points:

  • Social engineering and phishing attacks persist due to the growing digital nature of our world.

  • The sophistication of these attacks has increased due to advances in AI.

The Role of AI in Phishing Attacks

AI has revolutionized many aspects of our lives, including the nature of phishing attacks. AI can now create messages that sound exactly like someone you know (including a member of my family targeted by a clone of my voice), making it far more challenging to identify phishing attempts. Vivek Ramachandran believes:

While we have seen an increase of headlines that indicate threat actors are using gen AI to create malware, the most common scenario is a more direct spear phishing lure. A bit of web scraping, some copy/pasting, and a few prompts, and you have a series of lures that are highly personalized. Map that with other open source information about a company, who you work with and for, and abusing social account takeover, and you have a recipe for disaster. These platforms also make it remarkably easy to scale their attacks through automation.

Key points:

  • AI has made phishing attacks more potent.

  • AI can craft messages that sound remarkably like someone the recipient knows, increasing the chances of success.

The Infiltration of Social Media

Attackers are increasingly using social media platforms to launch their attacks. Whether through messages or links posted on Slack or WhatsApp, attackers are exploiting the trust users place in these platforms. Vivek Ramachandran comments:

"Attackers are not just using emails, They're actually they're trying to fool gullible employees to posting links on slack, WhatsApp, web, telegram, and whatnot."

Key points:

  • Social media platforms are becoming common channels for launching phishing attacks.

  • Attackers exploit the trust that users place in these platforms and their contacts.

The Role of SquareX

Vivek Ramachandran's company, SquareX, aims to tackle these issues by deploying a browser extension that can attribute attacks. This extension can detect attacks in real-time, block them, and provide an attack graph to the enterprise portal. According to Ramachandran:

"The moment we detect that an attack has happened, maybe, a ransomware was downloaded or a spear phishing campaign is in progress, we automatically block, rewind and then take that entire attack graph or how the employee ended up, ending in that location and sending it back to the enterprise portal where we can even do automatic remediation across the entire enterprise."

Show Transcript

This transcript was automatically created and is undoubtedly filled with typos. As usual, we blame the machines for any errors.

Elliot: Welcome to Adopting Zero Trust. Not so live from RSA Conference 2024. Today, we are going to be discussing there's actually a lot to discuss, but it is going to be a pretty simple topic with so many complexities and the challenges that has yet to ever be solved which of course is social engineering and phishing.

There's a little bit more that goes into it, but before I get into it let me maybe we can introduce yourself so I do not butcher your name as I am known to do. Vivek can you tell us a little bit about yourself where you were, obviously, that led you into these current shoes, and we'll go from there.

Vivek Ramachandran: Thank you so much, it is super exciting to be, on your show, especially live here at RSA. I'm Vivek Ramachandran, I've been in cyber security for the past 20 years. The last 10 years I've founded multiple companies which have exited. Thank you And really my speciality, right from the time that I started cyber security was really breaking security.

So I've done a bunch of research, discovered a couple of first in the world attacks, was a speaker at DEF CON, Black Hat, and all of these places. One thing led to the other, and that is really where I started Pentester Academy, a wireless monitoring company. And then all of those learnings, eventually led to SquareX today.

Elliot: So you could say you're probably a little passionate about our space. That is

Vivek Ramachandran: exactly what I sleep, dream, think, can't say eat, maybe one of the days they're going to have a pie, with security on it.

Elliot: Amazing. So you have obviously been in this space much longer than I have. So you have seen it grown, the threats, changes, TTPs, all that shifting landscapes.

Why today has social engineering not gone away? If anything, has it become worse? Why is it such a significant problem that organizations are unable to fight against?

Vivek Ramachandran: Yeah, that's a good question. Today, if you think about it, the whole world is digital, which is, no matter whether you're a mom or pop, grandpa, grandma, whoever, you're forced now to, transact digitally.

And that is really where compared to 10 to 15 years back, almost everyone is a tech product user. Unfortunately, technology has been growing in leaps and bounds when it comes to complexity, right? And, it's, most people are also very gullible, because they feel There is a sense of trust with whoever they communicate with.

Now, phishing attacks have been there for a while. In recent times, I think they have gone ahead and become a lot more potent, primarily because of all the AI everything which is coming out. So if you recall, back in the day, you used to receive, a very grammatically wrong email. But now, of course, with ChatGPT and whatnot, that sounds exactly like your boss, exactly like your friend.

But And this has led to, phishing and spear phishing attacks and all of that start to become a major concern for organizations because attackers have realized that the absolute weakest link in an organization is end users.

Elliot: I am so glad that you put it this way because I know it can be a little bit of a taboo subject to blame the users but that's how it works.

Social engineering is effective because it's not a technological issue. It is a, cultural phenomenon where people just want to believe and trust in what they have, which obviously loops back into that lovely world of zero trust where we trust and verify again. So building upon that maybe we can jump a little bit further.

And I think one of the main things that you called out, which I appreciate Is that you focused on the simple components of generative AI and how it can be abused. It's not necessarily people are creating ransomware and malicious code, which they can. Neil on our podcast has done that himself and he's done that in a legal sense for the record.

But Yeah, I would love to know. Maybe we need to get a little bit further. What have you seen? What is your organization seen? And then maybe we can talk about how you're helping resolve some of those threats, which are again what we call the unstoppable fish. It's just difficult to go through. So yeah, what kind of threats have you seen in the in that regard?

Vivek Ramachandran: Yeah, so I think you know, lately what has happened is attackers are targeting enterprise users across multiple channels online, right? And I'll give you examples, right? Imagine that, someone is targeting multiple folks on your sales team by sending them a DM on LinkedIn saying, you know what, we are super interested in buying your product.

Of course, and by the way, we've attached a small document containing details of, the order and you know how we want to move forward. Now, of course, every salesperson is going to be super excited to see this download open. Unfortunately, get infected.

Elliot: Yeah.

Vivek Ramachandran: So attackers are not just using emails,

Elliot: right?

Vivek Ramachandran: They're actually using, LinkedIn, they're trying to, fool gullible employees to posting links on slack, WhatsApp, web, telegram, and whatnot. And this is compounded by the fact that now we live in a hybrid work world, where on the same office laptop, people have their personal Gmail, signal, telegram, every single thing open.

So attackers have realized that, look, why do we have to go ahead, send you that phishing email on your enterprise email, which probably is protected by email security tools like material security and whatnot. Instead, I should actually be targeting your personal email or your LinkedIn account. So I think this has intensified the way spear phishing attacks are now happening.

Also with LLMs. It is super easy. Imagine today that I could train an LLM on your entire organization chart so that it fully understands contextually, who you report to, who your coworkers are, your latest LinkedIn post, and then it can actually craft a very interesting message, almost a just in time phishing campaign about something that you were super interested and you just posted about.

Elliot: Interesting. So you're saying that this really just Scales, urgency, which is one of those significant factors that make people fall for it.

Vivek Ramachandran: Absolutely. Absolutely. And I think this is going to compound simply because attackers, and we know that, every company is absolutely running right now to adopt LLMs.

You know what attackers are doing the same, in the hacker underground. There are actually, GPT's like bad GPT where malicious code can be generated, malicious campaigns can be generated, and where you can actually do all of this spear phishing a lot more, accurately when targeting a person.

Elliot: Interesting. So one type of social engineering tech that I've seen is tied to account takeover. Especially as you were referencing social, is that organizations, they have. I'm curious if you have any particular thoughts on that approach, and how, how much worse it's going to be now that maybe a model can basically crawl, see who the entire org chart is and know exactly who they should attack on a trusted site where you already have those connections?

Vivek Ramachandran: Absolutely. And, you brought up a very good point. And that is really where what attackers have started doing is, almost everyone has social media accounts, whether it is on LinkedIn, Twitter, it's almost become mandatory to be present in many of these channels, and people literally say, Hey, you know what, if you aren't out there, like you aren't even considered serious when it comes to, your corporate career now, to your point, What has happened is many of these social media channels have also become ways to message between users and to interact, right?

And unfortunately, this is really where once, let's say, an attacker can seize your LinkedIn

Elliot: account

Vivek Ramachandran: or probably a Twitter account, which you haven't given too much of serious thought about how to protect. He could immediately start connecting to your co workers, to your customers, who probably happily respond because they are hoping that it is just you.

The best examples I can give you is a lot of influencers have actually been targeted, on YouTube and where not

Elliot: interesting,

Vivek Ramachandran: where, if I remember, even, this very big channel Linux tech tips, if I remember, right? Oh,

Elliot: yeah,

Vivek Ramachandran: His entire account was taken over completely.

He was locked out. And had he not been an influencer with close to 100 million followers, I'm guessing he would probably never have gotten that account back. So this is intensifying where attackers are figuring out that well, you know what your identity is spread across both your personal and your enterprise channels

Elliot: that I appreciate that you called that particular piece out because we wrote an article probably last year, there was a massive wave of linkedin accounts that were having account takeover issues, but it wasn't a linkedin issue.

Users are in multiple different breaches. And of course, those passwords are reused. And it's just like this horrible chain and cycle, where if you're hit somewhere else, then there, there's all these different components. And it's hard for an organization to be able to protect against a scenario where your user, again, ends up being the weak link.

Vivek Ramachandran: Exactly, and you brought up a very good point, right? Organizations are very used to protecting resources that they own, right? So your corporate email is something, you know what the organization owns, they can do whatever you want, whatever they want. Now your personal email, your personal LinkedIn account.

If an organization reached out and said, you know what? We want to protect this. You would view that as an intrusion, into your privacy. And unfortunately that's really where they really can't do much, but most employees would end up opening the same account on their corporate laptop. exposing, that device.

Elliot: Yeah. And obviously organizations can block social networks and all that. But in today's world, being on LinkedIn and all these other sites, it's kind of part of the territory, even as cybersecurity practitioners, that's one of the sort of safer zones. No one's going to be on like meta properties, for example, but yeah.

So let's pivot over to your world. You have ways to help resolve some of these things, which again, are considered unsolvable. Maybe we just start right there. What have you built? How are you protecting organizations? How are you trying to reduce some of that blast radius, right?

Vivek Ramachandran: So I'll start off with the problem that organizations face and how Square Enix is solving it So I'll give you an example where you know, an attacker is approaching organization, employees across multiple channels like LinkedIn Twitter email and whatnot and Sending them a link or a ransomware which finally gets downloaded, right?

And once it downloads onto your employees computer God hope that your endpoint security picks it up. But for a second, let's give endpoint security some credit and say, you know what? It does something. Now, at that point, your IT security team is looking at it and saying, Okay, all endpoint security is telling me is the Chrome browser ended up downloading a malicious file.

So he goes to the user and says, Rob, what did you do? And Rob is he either doesn't remember or doesn't want to admit. And this same pattern ends up, going across the whole enterprise. So what Square X is really doing is we deploy our product as a simple browser extension, which can run on any browser.

And really, we sit down over there and we can attribute that attack. So the way we do it is as an employee opens a tab and kind of goes through, different websites. The moment we detect that an attack has happened, maybe, a ransomware was downloaded or a spear phishing campaign is in progress, we automatically block, rewind and then take that entire attack graph or how the employee ended up, ending in that location and sending it back to the enterprise portal where we can even do automatic remediation across the entire enterprise.

Interesting. So the very first time that Rob faces this. Immediately, everybody in the enterprise is automatically secure. Now, what this helps the enterprise admin with, is of course you know that an ongoing attack is happening. Endpoint security had no visibility into the browser, and now you have visibility into that.

Most importantly, you can even figure out your most insecure users, who unfortunately are, the target of most of these attacks.

Elliot: Interesting. Obviously higher value targets like financial Departments and whatnot. I'm sure there's probably other ways to keep an extra eye on those folks.

Vivek Ramachandran: Absolutely. I think, your finance department, customer support is a very big target. Especially

Elliot: recently.

Vivek Ramachandran: Exactly. And human resources, because they are used to getting things like resumes from unknown people. And they're expected to open it up and view it.

Elliot: That is a really good point.

So I'm curious, there are obviously other I'm sure you don't like to talk about competing solutions and what have you, but there's enterprise browsers today Which might be downstairs and ranking and I don't know maybe a billion dollars somewhere. They're pulling a lot of money There are other technologies which are legacy and is not tied to the browser like email security gateways So I'd love to know in your perspective how you're are you trying to cover all of that?

Multiple use cases and resolve some of these other things, or are you trying to attack a specific use case and niche? Yeah. How are you? How are you approaching this?

Vivek Ramachandran: So that's a great question. So I'll begin with the more traditional technologies like, SASE, SSE, secure web gateways. And really, these were cloud proxies.

And the whole idea was your organization's web traffic, as your employees are on the browser, goes through these SSL intercepting, SWG proxies. And in the cloud, they're supposed to look at web traffic and that's really just network traffic of HTML and in for application layer attacks.

So you already see how difficult that jump is going to be. SWGs were invented almost a decade back, and to be honest, they have come of age. It is fairly easy for attackers to evade secure web gateways, do bypasses using last mile reassembly attacks and whatnot. Yeah. And hence, hopefully, most organizations realize that apart from, some very basic URL filtering and whatnot, they aren't very good.

Interesting. Now, coming to enterprise browsers, I think the whole genesis of that field happened primarily because I think, enterprises felt that at least for their internal applications and SaaS applications, they wanted to make sure that they very tightly control, that access control part.

So enterprise browsers are complete browsers that you have to download and install, most of them off Chromium. And once you do that, your employees can only access your internal portals and SaaS, websites like Salesforce and whatnot through those browsers. So the problem that they solve is just for that small niche group of websites.

Downside of this is, unfortunately, we all use a cocktail of browsers, right? We use Chromium for something, people have their social media open on Firefox, brave when you want to visit those news websites, which are, completely full of ads and whatnot. So the biggest friction, within organizations is to force users to use their browser which is the enterprise one.

The second thing, of course, is, being based off Chromium. A lot of times when vulnerabilities are detected in Chromium, there is this huge timeline between that detection and these browsers syncing, those patches and fixing it. Interesting. Lastly, from what I've heard, the kind of adoption has had a lot of friction simply because of the inconvenience of having a dedicated browser.

Right now, we don't specifically look at access control. What we look at is. The wild west, malicious websites, files, networks, scripts, and whatnot. And because we deploy as a browser extension, which can work on any browser hey, organizations can adopt it in a matter of minutes. Interesting.


Elliot: I'm curious on back in the day, for an org that had an email security gateway, they would have crawlers that would go across the web to basically find anything that looks a little iffy. Especially if they're using popular brand names and they're on domains that don't belong. What is the technology behind the scenes that allows you to attack that?

Is it like, you're reliant on someone to report something, which is obviously how most of that email side work. But yeah, how does that technologically work to help reduce some of the stuff that even like the standard Chrome browser doesn't, avoid a phishing lure?

Vivek Ramachandran: Yeah, no, that's a great question.

I think. Email security gateways, good example. Now, unfortunately, when you crawl the web or any target link from your cloud servers to check whether it is good or bad. Yeah. It is fairly trivial for attackers to detect that this is actually coming from a data center. And serve you a nice, sweet, innocent looking page.

Now, this is really where it is very important to assess the threat from the perspective of the user while he's surfing the web. Yeah. And by sitting in the web browser. We have that vantage point where we can look at everything on the web, but from the user's perspective. What we do is, we deploy as a browser extension, and that monitors every tab, every page.

We look at DOM changes, we look at browser events, we look at network events. And then we correlate all of that, and we run ML models right there in the browser using WebAssembly. So the best part is, we are where. The security metrics and the availability of, raw data is at its maximum, which is in the browser itself.

Now, had you to sync all of that data in real time with a cloud service to go about detecting attacks, you can imagine the sheer amount of megabits that you would have to go ahead and sync, making it absolutely impractical. So we feel that if you have to detect attacks happening against your employees on the Internet.

The best place is actually to sit in the browser itself. That's super interesting.

Elliot: I'm trying to think of a way to like properly position this. Back in the day when I worked with an organization that focused on the, capturing lures and CT sites, trying to take those down. A lot of what you were saying is the defensive mechanisms.

And at any time there is a new popular way to track or try to I don't know, identify these issues, they would change their techniques again, to the point where if you're not on the right device, maybe not IP address, but they have so many defensive measures to make sure the right target is seeing it.

So you're basically saying that is how you're resolving it sits on the browser. So it looks exactly like the user in the exact experience.

Vivek Ramachandran: Exactly. So almost imagine us as a security co pilot. Like a little parrot, like sitting on your shoulder almost looking down and seeing exactly how you view the internet and, God forbid you are on an attacker's website, then how the attacker is going ahead and serving that website to you and that gives us a full idea about detecting the attacks and all of that because, hey, we have access to every single thing right there in the browser.

Elliot: Very cool. Okay. I love that you're basically trying to attack their defensive measures because I know there are solutions out there, but you're able to do that. And eventually as you gain, I'm sure in popularity, they will try to identify that there's a little writer on there or something to that extent, but that just comes with the territory.

That is why it is impossible to fully squash out cybersecurity challenges.

Vivek Ramachandran: Yeah, absolutely. I think, and that's a good problem to have because, that validates our thesis. And really, I think, from that perspective, it's going to be very difficult for attackers simply because, they'll always be guessing and they probably have to figure out if something like Square X is really sitting and watching their every movement, but you're absolutely right.

And to be fair to attackers, they learn, they evolve, right? So I'm guessing at some point of time, there is going to be, that little arms race. Yeah. And hey, that's going to be a great problem to have. And the team and I are excited for business

Elliot: to get there.

Very cool. I want to totally derail this conversation only because I am intrigued. You're not just a technical co founder and not just launching things that, companies have sold and been acquired, but you have a very creative background to your colleague over there shared I guess what would be a comic book of sorts.

But you. For a young organization, and I say that trepidatiously a little bit only because you've done this before, but you get branding and it's weird because cybersecurity brands are terrible. They're ugly, but you've got like mascots, you've got character in there. So I've got to know like where does that come from?

Because that is complete opposite side of the brain.

Vivek Ramachandran: Yeah. So I can tell you something. It was around a very interesting incident. So once I sold Pentester Academy, my previous company, which I exited. I had a little bit of time and one of the days my elder son came to me and he said, Dad, what do you do?

And, he's old enough. So I told him, Why don't you go Google dad's name?

Elliot: Yeah.

Vivek Ramachandran: And I was very curious. You know what the internet would tell him about me. And what he read was, hey, Vivek Ramachandran is, one of the top hackers. And then he googled the word hacker. And what came out was, hey, bad folks who, you know, yeah, who end up, going ahead and, fooling people and doing this and doing that.

So that to me was a very big shock and surprise because I figured that unfortunately the mainstream, like media narrative of hackers is akin to bad people rather than folks who are curious around systems and how to break them and all of that. And even if you remember the very first hacker manifesto, that line is very beautiful.

Curiosity is my crime. So I felt, that I wanted to do something where we could try to change the at least for young folks. And that is really where I said, what better way than a hacker comic, right? Yeah, all of us as we grow up we go through this phase where we read comics.

We love superheroes I don't know if it's a phase some of us don't go out of it Yeah, I mean I have not you know I still buy all the superhero comics and you know can't wait for some of the marvel movies And that is really where I said, why not we go ahead and create a hacker vigilante comic book series Yeah, but with the key difference that this is a very realistic portrayal Of the attack Yeah, rather than a matrix style or swordfish style, right?

You know where you know, Neo just waves his hand and you know All the systems give way. Yeah. So what I did was I hired a creative team I can't draw to save my life But I went ahead, you know wrote everything out and that's when we launched the comic and I think it's been received Very well, people come to us and give us great compliments.

Elliot: Very cool I will applaud you there that and I say that carefully because I Neil and I are very careful about being vendor neutral, but having that kind of elevation is super important because if this is new technology and a new approach, being able to communicate how it works and like the role is important because as you can see, walking around RSA, it is it's not so much zero justice here.

There's a little bit AI, but it is just buzzwords and word vomit, and there's no value in information. But if you can tell a story in a way that's engaging and interesting and exciting. Entertaining. It makes sense. I will applaud you there obviously outside of the technology and all that.

I will leave that for someone else to evaluate. But, yeah, that is very cool. I appreciate that approach.

Vivek Ramachandran: Yeah, thank you so much. We appreciate it as well and, especially coming from you. I think you're absolutely right. What we, in my previous companies as well, what I figured out is, if you can help educate users, If you can impart knowledge which they can take away from your booth and go out and basically say, you know what, I learned something new, they will come back to you because then they start to view you as a thought leader, as somebody who's elevating their own understanding about a space.

And I think that's what we've always done. I think people are intelligent enough that if you give them the right information, they can make their own decisions. And all the marketing jargon never really helps and everyone tries to run away from that.

Elliot: Yeah, I and I love that you call that out because that is one of the reasons we created this podcast is Again, not this year, but every booth for years had zero trust on it.

And it was just different flavors different definitions and it's really simple. There's Sisa. There's NIST John Kindervog, Chase Cunningham. They have You proper vendor neutral approach. Maybe not Chase, but I only like to terrorize him because he is the reason why all those stickers were on the booth.

But yeah, that, that's exactly right. I think cybersecurity practitioners, they don't want to get sold into. Maybe startups and less mature organizations, that's fine because they don't know what they don't know, but if they've been in your shoes for as long, they know how to find whatever they need to find.

They'll do a quick Google search or, what not, and they'll find it.

Vivek Ramachandran: Absolutely. 100 percent agree with you. Today we are in a knowledge age where people like to do independent research and not just rely on what you've just heard, and I think that is for the better for the whole industry, right?

Yeah, because that way we know that, people are starting to build their own knowledge and understanding and which is going to make it more difficult for attackers in the long run.

Elliot: Excellent. We're close to time here, but I want to give you an opportunity to maybe Tell people where they can learn more about what you've built and how they can get their hands on it.

Vivek Ramachandran: So I think the best place would be sqrx. com, which is our website. And what we've really done is, and hopefully just people have found this content engaging, we write blog posts literally every week talking about different aspects of browser security, different attacks, case studies much of it in a product agnostic way.

So at the very least, when you come to our website and blogs, you will go out learning a lot about, state of the art attacks, defenses, browser security and whatnot. And of course, if you like what hey, then you can also try out our product, go ahead, sign up and we can sign you up for a free trial.

Elliot: I love that approach. It's definitely aligned with how I do things, which is why sometimes they pissed off people with my day job, but hey, that's how this works. So thank you so much, Vivek, for being here. I really appreciate your time and your expertise. We will definitely be bringing you back on for more conversations because we have not fully jumped into the island of enterprise browsers to the extent that we can.

And obviously you're dabbling between that and SASE and some other zero trust solutions. So thank you so much. Really appreciate you being on with us.

Vivek Ramachandran: Thank you so much as well. This was an amazingly interesting talk and looking forward to having similar conversations with You know, in other conferences and even online.

Thank you so much. Excellent. I

Elliot: know you're just being a little bit extra nice there, but I'll take it and we're going to print it. All right. Thank you.

Adopting Zero Trust
Adopting Zero Trust
Today, Zero Trust is a fuzzy term with more than a dozen different definitions. Any initial search for Zero Trust leads people to stumble upon technology associated with the concept, but this gives people the wrong impression and sets them off on the wrong foot in their adoption journey. Zero Trust is a concept and framework, not technology.
We are on a mission to give a stronger voice to practitioners and others who have been in these shoes, have begun adopting or implementing a Zero Trust strategy, and to share their experience and insight with peers while not influenced by vendor hype.