Bridging the Gap Between Technical Expertise and Business Acumen with Shauli Rozen

Released Monday, 8th April 2024

Episode Transcript

Transcripts are displayed as originally observed. Some content, including advertisements may have changed.

0:53

How's it going, Shauli? It's great

0:55

to get you on the podcast . You know , I think

0:57

, that we've been planning this for quite a while , but

0:59

I'm really excited for our conversation today .

1:02

Thank you , it's great to be here .

1:04

Yeah , absolutely . So . You

1:06

know I start everyone off with

1:09

telling their background . You know how you got

1:11

into IT , what made you want

1:13

to get into cybersecurity overall,

1:15

and

1:21

the reason why I do that is because there's people that are listening or watching

1:23

on YouTube . Of course , at this point you

1:26

know that might be trying to make that transition

1:29

for themselves , and I feel like hearing

1:32

someone's story and maybe

1:34

it lines up . They can say , oh well , if he

1:36

did it , I might be able to do this

1:38

thing too . You know , I

1:41

look back on my life earlier on Right

1:43

and all I ever needed was

1:46

to see someone else do it

1:48

. It's like , oh well , if he could do it , maybe

1:50

I can do this too . So so where

1:53

does that story start for you ?

1:55

Well , I think I've been in and

1:57

out of IT or engineering

1:59

or technology , you know

2:02

, in different worlds . But

2:04

, to be honest , like going to engineering for

2:06

me was kind of like

2:08

the natural thing to do . The

2:10

fact that I'm today more

2:13

of like a business and management type

2:15

person , you know , running a company is

2:18

actually , you know , for me the surprising

2:20

part , like I would be , you

2:22

know , if I needed to guess when

2:25

I was 16 , where I'll be , you

2:27

know , at 45 , I would probably say I'm going

2:29

to be like an architect

2:31

, like a , like a , you know , technology

2:33

architect , software architect or engineer or something

2:36

like that . I was

2:38

super good , like you know , in math and physics

2:40

when I was younger . So , like natural

2:42

, kind of like , um , I

2:45

would say , path for

2:47

people you know, like me, especially

2:49

in Israel, where you know software engineering

2:51

is so popular , was hey

2:53

, you know , you finish your army service , you

2:55

go to learn engineering, software engineering,

2:58

that's just what you do, you know,

3:00

pretty much. So I went

3:02

into that and , you know

3:04

, then I started working for , you

3:06

know , my first company After

3:09

school . I was an algorithms engineer . I

3:11

like I really like solving problems

3:13

. You know , for me , being

3:15

a software engineer and algorithms engineer was

3:17

just almost like continuing the

3:19

studies and solving more riddles

3:21

. It was like a new algorithm is like a

3:23

riddle for me and now you can make it most

3:26

effective . I wrote

3:28

a few patents under my name Back in

3:30

the days I wasn't in security , I was more in

3:32

algorithms for video compression

3:35

and multimedia , and

3:37

then I worked as an engineer for a few years

3:40

and then I moved to a security startup and

3:42

, kind of like got the hang of security

3:44

and did some security software development

3:46

. And then actually

3:48

, you know , my path went sideways

3:51

a little bit when I actually

3:53

went to do my MBA

3:56

in the University of Pennsylvania

3:58

in the States and that took me to

4:00

like another path of you

4:02

know . I went into management , consulting and advisory

4:05

and stuff like that and actually what brought

4:07

me back into technology was

4:09

, you know , being back in the startup

4:11

scene . You know , opening

4:14

a startup , first joining a startup and then opening

4:16

a startup together with my co-founders

4:18

.

4:21

What made you want to go down the

4:23

MBA route ?

4:26

It was a bit opportunistic

4:28

, to be honest . I

4:31

was like back in the days I was a team

4:33

leader in a software company in Israel

4:36

and a very good friend of mine

4:38

we are still good friends until

4:40

today . Unlike

4:47

me , he was like we were together in like , doing like our engineering degree together

4:50

, and he knew he was going to go down the business route . So

4:52

he was planning to go to do an MBA , you

4:54

know , right after school and he was

4:57

planning his entire . You know he's much more

4:59

planned than I like his life , much

5:01

more planned than I . I mean , he knew he was

5:03

going to go to do an MBA in one of the Ivy

5:05

Leagues and I didn't even know what Ivy League

5:07

means back in the days . And

5:11

then the reason I went there

5:13

is that he was there . He was

5:15

accepted to a

5:17

school called Wharton, which then I joined him

5:19

, and he

5:23

called me one day . You know we were in touch as a racial

5:25

. You know you , you got to apply . You

5:27

know you got to apply . I know you . You

5:30

know you love studying , you love diversity

5:32

. You would love you know what's going on

5:34

, what's going on . You would love the

5:37

level of education that

5:39

these guys bring to the table . I

5:42

really , really encourage you to do that . That's

5:44

how I kind of like started . I said , okay , I will apply

5:46

. I wasn't really serious about

5:48

it , to be honest . I said , you know I'll apply and see what

5:50

happens . And then , when

5:53

you start to apply to these programs

5:55

, you fall in love with them

5:57

. As you apply to them , you know , you kind

5:59

of like start to

6:01

investigate them more and understand what's going

6:04

on and see how global and

6:06

what type of education they're going to give you . So

6:08

that's how I kind of like fell in love with it and then became

6:11

more and more invested and finally I went

6:13

ahead and you know

6:15

, and studied there .

6:19

Yeah , I've contemplated myself

6:21

about getting an MBA , but I'm

6:26

not sure what I would do with

6:28

it . You know , and for me like to put in

6:30

that kind of time and effort , you

6:32

know , into it , right , I want to see results

6:34

, I want to see ROI on

6:36

it and I'm not sure what

6:39

I would do with that . To , you

6:41

know, create that ROI. But

6:43

you know , I I totally relate

6:45

when you say , you know , someone

6:48

else kind of told you to get into it and you

6:50

know it would , you

6:53

know , expand you in different ways and whatnot

6:55

. Um , because I kind of went down that

6:57

path with the PhD , where

7:00

I've been exploring it for

7:03

years , really

7:05

thinking about it Every year

7:07

. It seemed I would reassess

7:10

the ROI that I would get from it

7:12

and things like that . If there was topics

7:14

that I wanted to look into or anything

7:16

like that.

7:22

And finally, you know, this past year I finally pulled the trigger

7:24

and got into it right

7:26

. So and I

7:29

mean it's , it's amazing that I , I

7:32

guess I finally decided to get into it right

7:34

. But now it's like , okay , I gotta , I

7:36

got to do the work and

7:45

that's the part that's like really hard, I think, to estimate ahead of

7:47

time , because you don't . You don't know what you don't know . And getting

7:49

a PhD is completely different . You know

7:51

, you're not in a classroom every single day

7:53

. You're not having someone telling you hey

7:56

, you need to turn in this paper

7:58

, you need to turn in this assignment or whatever

8:00

it is . It's literally like

8:02

no , there's a body of work that you need to turn

8:05

in . However long it takes you is

8:07

how long it takes you . You know

8:09

it's like there's no

8:11

path . You know also , like

8:13

you're figuring out how to do it along the

8:15

way .

8:16

Exactly, you know

8:18

, I , you know , to be honest , I contemplated about a

8:20

PhD myself so many

8:23

times in , you know , even before I did the

8:25

MBA and after I did the MBA , just

8:27

because I love studying so much . But

8:36

the PhD is like you know , it's you need like extreme self-motivation , you know , in order to make

8:38

it happen and to do it well , because

8:40

life happens to you as you do it

8:42

. You know , before we started recording , we

8:44

talked a little bit about kids and family

8:46

, and then you have your work . So

8:48

, finding the time and

8:50

the balance to actually do it , I

8:53

really respect the fact that you're

8:55

up to it and

8:57

, yeah , it really , really , really requires a

8:59

strong self-motivation .

9:02

Yeah , you know , I approached

9:05

it from two different

9:07

angles , right ? So

9:10

you know , I'm someone that comes from

9:12

very little right ? Like my family wasn't

9:14

well off or anything like that . I

9:16

was the first in my family to go to college , um

9:19

, you know all all that sort of thing , right

9:22

? So when I look at my daughter and

9:24

I say to myself , well , I want to set

9:27

a good example for her of what's

9:29

possible , of , you know , setting

9:31

that bar as high as possible

9:33

, I would say , set it as high as possible

9:36

, and if they aim for the bar right

9:38

, they'll land . Even if they don't , you

9:40

know , meet it right , they'll land somewhere

9:43

. That is a good place , you

9:45

know , yeah , um , and just showing

9:47

you know , her and my future kids

9:50

. You know what that looks like , what's what's

9:52

possible , right ? Um

9:54

, and same thing

9:56

for my wife . Like , my wife is finishing up

9:58

her second master's degree , so

10:01

it's , it's , it's definitely

10:04

like a part of us and

10:06

who we are and everything . But then

10:08

I also took it another step

10:10

Right , because I'm always looking for trends

10:12

in cybersecurity . You know what's coming five

10:14

or 10 years down the road that

10:17

maybe I should prepare for right now . And

10:20

I did that with cloud security . You know , obviously

10:23

I didn't see the very beginning of cloud security

10:25

because I was , I was getting my bachelor's at

10:27

the time , it wasn't paying attention to it or anything

10:29

like that , but it wasn't . It

10:31

was nowhere near as big as what

10:33

it is today , you know . But I

10:36

figured that there was a lot of potential to

10:38

go that route , because VMware was

10:40

so big at the time and this basically replaced

10:43

it , and so I started going

10:45

down the cloud security path and here I am

10:47

now , in a larger

10:49

security area . And

10:51

so when I was looking at my PhD , I

10:53

took that same approach and started to dive

10:55

into satellite security . You

10:58

know how to actually secure satellites in

11:00

space ? How to , you know , protect

11:02

them against incoming attacks

11:04

? How do you relay you

11:07

know communications to them ? How

11:09

would they be able to interact with communication

11:11

systems , all that sort of thing , uh

11:22

, and so now you know , I'm really pushing myself to to , I mean , I , I , I have a hard time saying be

11:24

an expert, but I guess the PhD kind of gives you that

11:26

without you know anything else , but

11:28

to really dive into this thing and learn

11:30

it , because there's so much that I don't

11:32

know .

11:32

yeah you know , just investing the

11:35

time yeah , you

11:37

know to , to learn a topic , and

11:39

you know , eventually you

11:41

just know more about it than other people because

11:43

you just spent more time with it . Right

11:45

, it's

11:48

just , you know the mathematics of

11:50

time .

12:00

Are there , you know , looking back now that you're , you know , in charge of this

12:02

company , right ? Were there any key skills , maybe two or three key

12:05

skills that you got from the MBA that

12:07

really influence how you

12:09

operate today ?

12:12

Wow , I think

12:14

. So

12:17

. You know I was a very , very , you

12:22

know , analytical person . You

12:24

know I was an engineer math , you know

12:26

everything for me was like . You know I

12:30

don't want to exaggerate by saying everything for me was

12:32

black and white , but you know what I mean . I was a numbers

12:34

type person

12:36

and

12:39

the , the soft skills that you learn

12:41

in in

12:49

an MBA and and the variety of people that you meet , I think are the key , you know

12:51

, benefit that I got from it . Um , also , you know , specifically for myself

12:53

, it's not just about the MBA , it's about

12:55

also, you know, moving to

12:58

another country with your family

13:00

. So , just , you know , just the mere

13:02

experience of

13:04

you know , moving to the United States , experiencing

13:06

the culture , experiencing , you know

13:09

, the values and

13:11

the work ethics and how

13:13

you know processes are done

13:15

in a different country , you know , gives

13:18

me , gives you a lot of perspective and a lot

13:20

of , you know , new skills

13:22

that you acquire . And

13:24

then , and then , quite frankly , frankly , you

13:27

know , my first job , you

13:29

know , after the MBA , was in the Boston

13:31

Consulting Group , which for me

13:33

was really an extension of the MBA . You

13:35

continue learning and you know

13:37

that companies you know I

13:39

don't want to promote them or anything , but they are so

13:41

good at building your capabilities

13:44

. You know giving you frameworks to analyze

13:46

situations and

13:48

you know structure your presentations

13:51

and and communicate your

13:53

thoughts and understand complex situations

13:56

, which I think you know gave

13:58

gave me a lot of value into what

14:00

I'm doing today .

14:03

Yeah , it must be very beneficial to

14:06

come from that

14:08

engineering background , that engineering

14:11

mindset , and go into a

14:13

business , because you can break apart

14:15

problems and issues in different

14:17

ways than what

14:20

you would be able to without it . Know

14:22

, at least in my opinion , um

14:24

, because I'm just

14:26

thinking you know my day job , right

14:28

? I'm principal cloud security

14:30

engineer , right ? So I'm breaking apart problems all

14:32

day long , um , and

14:35

finding , you know , inconsistencies

14:37

and , you know , directing people

14:39

towards the , the a new

14:41

or a better solution , right

14:46

? That sounds a

14:48

lot like what running

14:50

a company is . You're encountering

14:52

with problems constantly and you have to filter

14:55

out the ones that you

14:57

want to pay attention to , the ones that will

14:59

make or break your company . Right

15:01

, those are the ones that get your time . But

15:04

then you also have this back burner

15:06

in your brain of like , oh yeah , I also

15:08

need to adjust these other 10 or 15

15:10

things . Being

15:13

able to do that and manage that

15:15

is , I mean , obviously

15:17

it's extremely important for a company , but

15:19

it's always interesting to hear how

15:21

people get that experience , because everyone

15:24

gets it differently, I feel.

15:29

Yeah, I think you know, problem solving is probably one of the key

15:31

skills that any manager and leader

15:34

needs to have . And

15:36

as long as you're not , you know

15:38

, as long as you have some soft

15:41

skills to go along with it because there are

15:43

some great problem solvers that are

15:45

that have zero you

15:47

know soft skills or you know emotional intelligence

15:50

, and that's a big problem . But

15:52

once you have that combination , I think

15:54

that's where you know , you get to be

15:56

very successful . And you

15:58

know , even in my life , you know , as I

16:00

said , you know , for example , when I was in

16:02

a consulting company,

16:07

right, you see that the

16:10

engineers that come into that company , they

16:15

become the best consultants because they have that mindset and the recruiting

16:17

process basically filters out the fact that

16:19

they will have , you know , some emotional

16:21

intelligence and capabilities , so

16:23

it makes them really , really good

16:26

consultants . I have to say that another

16:28

type of persona there

16:30

aren't many of those because

16:33

they usually stay . They

16:35

become doctors , but we had some people

16:38

who came from medicine school and

16:40

that's also , you know , a very good indicator

16:42

and if you think about it

16:44

like doctors are really engineers of the body right

16:47

, like they need to evaluate situations and

16:49

see signals and come

16:51

up with solutions . So they also

16:53

are very good , you

16:56

know , in problem solving in general .

17:01

Yeah , that is really

17:03

fascinating . You know , when people ask

17:05

me how

17:08

to get promoted , you're

17:11

already an engineer . You're

17:13

already a really smart , intelligent

17:15

area . How do you get promoted to

17:18

management or architecture ? I

17:21

always start with the soft skills , because the

17:23

soft skills is really what

17:25

separates you from everyone else , right

17:28

, because everyone is used to that

17:30

engineer . That tech guy that's

17:33

, you know , a little socially awkward

17:35

, isn't really used to talking to other people

17:37

. Everyone is used to that , right ? So

17:39

if you break that mold , you're immediately

17:42

going to stand out . Even if you're breaking

17:44

the mold in a controversial way or maybe a poor way right in the beginning, you're

17:50

still going to stand out and hopefully you're standing

17:52

out to the right people in the right

17:54

frame of view or

17:56

frame of mind , right ? But

18:00

soft skills are extremely

18:03

important , especially today where

18:06

you know so many of us are remote

18:08

. You know the soft skills really

18:10

pay dividends when

18:12

you know you're on a video call and

18:15

you have to get across a point

18:17

and make sure that people are understanding

18:19

and break it down into a

18:21

way that suits your audience

18:23

. That's probably

18:26

actually the biggest thing that

18:28

I see a lot of people mess

18:30

up on is not adjusting

18:32

what you're saying to the audience . That

18:35

is in the call . You

18:37

have to be able to maybe

18:40

go just

18:42

an inch below the surface , right Like , hey

18:45

, here's all this stuff . None of it makes sense

18:47

to you . That's okay , because this is what

18:49

it's really doing . Give

18:52

them that good overview

18:54

so that they could take that slide and

18:56

put their own words on it and present

18:59

it to their management , right ? You have to think

19:01

about it like that , and making

19:03

that switch over in your mind is typically

19:05

a really difficult thing to do . I

19:07

have found , at least .

19:09

Yeah , I completely agree . You know

19:11

the ability to simplify , you

19:13

know technology

19:16

. Simplify solutions , even simplify problems

19:18

, is something which is super critical

19:20

. One of the biggest mistake

19:22

we are doing everyone is doing

19:25

, I do it as well, right,

19:27

in communications is

19:29

that we assume that the

19:31

other side is the same as us . It's

19:34

just easier to assume that you assume they have

19:36

your knowledge , they assume they have your

19:38

kind of like history , and

19:48

it's really really hard to put yourself in the other side and in the shoe of the

19:50

other person , as they say , and then we assume different things

19:52

and the communication breaks and

19:54

the value is not communicated , and

19:58

I think that's the biggest

20:00

mistake . Marketers do that mistake all the time

20:02

. One of the first thing

20:04

you need to understand as a marketer is that

20:06

you don't market yourself . Need to understand

20:09

, you know the other side . Um

20:11

, yeah , I think that's . It

20:14

is so natural

20:16

, uh , to assume that and and

20:19

and . It's so easy to forget that

20:21

. You need to really think about who

20:23

am I going to speak with you . You know what's

20:25

their objectives . You know what's their

20:27

background, what do they want,

20:29

what they want to get out of the conversation

20:32

. You know what they need to do . Yeah

20:34

, it is just very hard to do . It's

20:37

not hard to do , it's easy to do if you think

20:40

about it , but it's very hard to focus on it

20:42

and really , you know , actually do it . Everybody

20:44

will say , do it right , but

20:46

to actually do it in

20:48

real time in a conversation , it's

20:51

not easy .

20:53

Right , so let's

20:55

dive into

20:58

a little bit about your company . So

21:00

what is the company that

21:02

you're in charge of right now and what's

21:04

the problem that you're trying to solve with

21:07

this company , with your solution

21:09

?

21:10

Yeah , so my company

21:12

, the company name is Armo and

21:15

we are a dedicated Kubernetes

21:17

security company Kubernetes

21:20

has grown to be pretty much , you

21:22

know , the de facto standard for , you

21:25

know infrastructure for cloud workloads

21:27

. And if

21:30

we think about application

21:32

protection platforms , you know

21:34

, if you think about what

21:37

Gartner calls ASPM today application

21:39

security posture management or if you

21:41

think about CNAP cloud network

21:43

application protection platform , there

21:46

are a lot of you know initials and a lot of

21:48

different kind of like words

21:50

to say one key thing , which

21:52

is you need to protect an application running

21:55

in the cloud and you need to protect

21:57

the cloud from the application running in the

21:59

cloud . And those applications

22:02

will 90% be

22:04

running on Kubernetes . And

22:07

that's why we believe that getting

22:09

intimate with Kubernetes , with

22:12

the configurations of Kubernetes , the configurations

22:14

of the workloads in Kubernetes , getting all of the

22:16

context of what's happening in runtime

22:19

, is crucial to

22:21

securing workloads running in Kubernetes

22:24

. And the main reason is that when you start

22:26

to secure , you know cloud and Kubernetes

22:28

native environments , there

22:30

is a you know I

22:32

remember I talked about it about a year

22:35

ago Kubernetes as itself

22:37

. Yes , it is super complicated and

22:40

you know enormous

22:42

and exponential

22:44

number of you know misconfigurations that can

22:46

happen . But

22:49

the main

22:51

reason for the complexity of

22:53

things running in Kubernetes is

22:55

not Kubernetes itself , it's the architecture

22:59

that it is enabling . So

23:01

once microservice-based

23:04

architecture is possible, just

23:12

the number of software artifacts that are running in your cluster or in your cloud is growing

23:14

so exponentially , so vulnerabilities

23:16

are growing exponentially , the attack surface

23:18

is growing exponentially , the number

23:21

of alerts is growing exponentially . So

23:23

you have so much mess going

23:25

on that you need a more adaptable

23:28

security solution . And what

23:30

we are trying to do in Armo is

23:32

using that Kubernetes context , that

23:34

workload context , that runtime context , to

23:37

adjust the security

23:39

based on what's happening in your environment

23:42

. So we will apply stronger hardening

23:45

capabilities in places where the risk is higher

23:47

and we will

23:49

apply more

23:51

detailed you know runtime security

23:54

. We will tighten the security in

23:56

places where we find the risk based

23:58

on the context of Kubernetes being

24:00

higher . And I think just

24:03

the fact that you know we secure all the same and

24:05

all workloads are born equally

24:07

. It's no longer the case . You

24:09

need to prioritize , because if

24:11

you don't , you just spread the thing

24:13

.

24:13

Yeah , that is

24:16

a really good point . What you said is that Kubernetes

24:19

is basically everywhere now . When

24:22

I started to get into the cloud , it

24:25

was kind of a niche area . Not very many people dove

24:27

into it, not very many people understood it

24:33

, but it's becoming almost

24:35

like its own domain

24:38

within cloud security . I

24:41

was at a company where they

24:44

were actively mig , you know , migrating

24:46

their infrastructure in AWS to

24:48

Kubernetes instances

24:51

, and you

24:54

know it was really challenging because

24:56

our I mean , I

24:58

call it legacy but they're still top of the line

25:01

our legacy EDR . Yeah

25:03

, you know , of course they offer a

25:05

solution to protect your containers

25:07

and whatnot , but when you put

25:09

that agent on there , it's so heavyweight

25:11

and it's not coded

25:14

properly . You know to be running on such

25:16

a lightweight infrastructure that

25:18

you end up spending two to three times

25:20

more than what you actually

25:22

would have been spending. And that's a huge thing because Kubernetes

25:27

is so , I guess , nimble , so

25:30

easy to deploy . You could

25:32

spin up , you know , like

25:34

if the cloud is easy

25:37

to spin up resources . Kubernetes is

25:39

like a factor of 10 , right of

25:53

how quickly you can actually spin up resources and start eating up a budget , and so if you extrapolate

25:55

on it , you know you're spending a significant amount of money eating up resources that you really probably

25:57

shouldn't be . So I always

26:00

found that interesting , you

26:02

know . Can we talk a little bit about the challenges

26:05

of building

26:07

a security platform on

26:09

Kubernetes or for containers

26:12

?

26:13

Yeah , well , I think you mentioned

26:15

one of the most critical

26:17

aspects of it , which

26:19

is scale and resource

26:21

consumption . You

26:23

know when , when

26:25

you take like legacy , I'll call it

26:27

legacy even though , as you said , it's top notch . But if you

26:30

take legacy type , you know

26:32

solutions and agents and

26:34

deploy them , you know , in Kubernetes . And

26:37

then you know new pods spin up

26:39

, new nodes may spin up , you know , and

26:41

you grow . You know , horizontally , vertically

26:44

, you know , in many different

26:46

ways . First

26:50

of all , the resource consumption and the cost for the customer is getting

26:53

super , super high and that's why I think the first

26:55

challenge that we have faced in

26:57

building a Kubernetes solution is okay

27:00

, let's build it from the ground up . For

27:02

Kubernetes , let's make sure

27:04

when , for example

27:06

, a pod is duplicating

27:08

itself , you don't duplicate your memory footprint

27:11

or your CPU and you're staying

27:13

relatively lean . Let's use

27:16

Kubernetes native capabilities

27:19

in order to do security . If

27:22

Kubernetes provides network policy

27:24

, you don't need another agent to

27:27

now run all of the network policy

27:29

. You don't need another sidecar

27:32

and another sidecar . You know sidecars

27:34

. I've seen companies that have , like I

27:36

don't know , six or 10 different sidecars

27:38

on every pod . You know you spin up a pod , 10

27:41

other pods come up together

27:43

. So

27:45

being very mindful that

27:48

you're running like it's . You

27:52

know , on one hand , it's a limiting

27:54

factor the fact that you're running on Kubernetes . You

27:57

need to be as native as possible

27:59

. On the other side , it gives

28:01

you a lot of capabilities and a lot of native capabilities

28:03

that , if you know to use them correctly , makes

28:06

you much more efficient . Right

28:08

.

28:28

Hmm , yeah , how is that

28:30

? You know , how is that learning gap with

28:32

Kubernetes , how time and money and resources

28:34

in Kubernetes ? You know

28:36

they're probably not going to know it as well

28:38

as you or some of the experts at your company

28:40

what

28:47

it should

28:49

actually be . You know doing

28:52

how it should actually be designed , things

28:54

like that , because you know that's

28:56

probably an important part of

28:58

what you do . I would think , right

29:00

, because

29:16

you're you don't want to them . Why you know this is valuable over something else , why

29:18

it works this way . Right , why you wouldn't

29:20

go with that top of the line EDR

29:23

solution that everyone has in their infrastructure

29:25

, why you wouldn't go with that module

29:27

and why you would be going with something

29:29

you knowbuilt . Have

29:33

you run into situations like

29:35

that where you guys are the

29:37

experts , so to speak , in the room

29:39

and you kind of have to educate

29:43

your customers ?

29:45

Yes , and I have to say , over

29:47

the last two years , what

29:51

we need to teach or

29:53

work with our customers on have

29:55

changed , you know , dramatically . And

29:59

you know you're always or at least you should be

30:01

always ahead of your customers in terms of your

30:03

knowledge and what you're seeing , because you

30:05

just see more in the market in

30:09

that specific field . So if you

30:11

think about , you know , three years ago , or even four

30:13

years ago , when we speak with customers

30:16

about Kubernetes , I

30:19

always one of the biggest things

30:21

that we always

30:23

deal with is the fact that Kubernetes

30:26

has a joint ownership . Kubernetes security

30:28

has a joint ownership between a security

30:31

team and a DevOps team or platform team

30:33

or SRE team . You know the

30:35

term itself is always changing

30:37

, but

30:39

if you think about three or four years ago , we

30:42

would speak with the security teams about

30:44

Kubernetes security and honestly

30:46

, they would be clueless , right ? They would say

30:48

we don't know . You know

30:51

we know we have Kubernetes , the

30:53

DevOps team is running it , we

30:55

give them some guidance and

30:57

we scan images , but they

31:00

don't really know what's going on in

31:02

there . So

31:04

that was the place back then . It's just

31:06

getting ownership . Today

31:09

we are in a place where our

31:12

thought leadership is much more around . How

31:14

do security and DevOps teams work

31:16

together to secure Kubernetes ? We

31:19

see more and more DevSecOps roles in

31:21

the company . We see security engineers

31:23

who know Kubernetes , but they will

31:25

never know it as well as the DevOps

31:28

. So one of the key things

31:30

we need to help our customers

31:32

is to mitigate

31:35

between a security

31:37

requirement , which is a very security-oriented

31:39

thing , and then the remediation

31:41

of that within Kubernetes , which is a very DevOps

31:43

thing , and

31:55

we actually invest a lot of time into creating features that will , you know , cater

31:57

to that specific gap feeling . So , for example , you know just

31:59

a nuance . You know if our system gives an

32:02

alert to the security team about

32:04

a misconfiguration that might

32:07

be problematic in the environment security-wise

32:10

, we also issue the remediation

32:12

advice to the DevOps team to apply

32:14

, and we built it based off

32:16

the Kubernetes context and the runtime context

32:19

in a way that it will not break

32:21

the application . So you know we

32:23

are always you know . I would

32:25

say the main thing our platform

32:27

needs to do is to continuously

32:30

shrink the attack surface , but

32:32

in a way that the DevOps feel

32:34

confident to use , right , that

32:36

doesn't break applications , and I think that's

32:39

the first of all . I

32:41

believe it's one of our key differentiators , but it's also

32:43

, I think , one of the biggest bridges

32:45

that you need to build between security

32:47

and DevOps .

32:51

Yeah , that relationship is

32:53

so critical . It's

32:56

becoming more and more important to

32:59

really build that relationship between security

33:02

and the developers and operations

33:05

, because these

33:07

organizations , these environments , are getting so

33:10

large that it's no longer under you

33:12

know , one team or one manager , right

33:14

, like there's several different pieces

33:16

at play , and that kind of ties

33:19

into what we were talking about before being

33:21

that engineer being able to , you

33:23

know , break things down , have the soft skills

33:25

to be able to talk to , you know

33:27

anyone in the room and ensure

33:29

that they understand . You

33:31

know , one of the I

33:34

guess maybe one of the biggest challenges that

33:37

I have faced , even in

33:39

recent years , is being

33:41

that security expert . When

33:44

we're talking about Kubernetes , right

33:46

, without really knowing

33:48

Kubernetes and trying

33:50

to get across you know security standards

33:52

to developers and saying

33:54

, how do we achieve it ? Because

33:57

, from an engineering

33:59

perspective , I put on my engineering

34:01

hat it's like , okay , well , let's learn

34:03

Kubernetes . How hard could it possibly be

34:05

? How long could it possibly take me ? Maybe

34:08

a month or two . And then you

34:10

start getting into it and

34:13

two months in , you feel like you know nothing and

34:15

it's like , okay , I seem to be starting

34:17

completely over in this area

34:20

. So I need to lean more on the

34:22

knowledge of other people that have been working

34:24

with it every single day . Yeah

34:26

, and try to make these

34:28

security I guess requirements

34:30

you know make sense to them

34:32

, and try and reword it so that it

34:35

makes sense to them , so that they could translate

34:37

it into Kubernetes and

34:39

say , oh , there's this whole , this

34:41

whole other you know management plane

34:44

, right , that we haven't thought about before

34:46

. But that does the thing that

34:48

you're thinking of right , it's

34:50

a , it's a balance . It's interesting

34:53

how that conversation just tied together

34:55

with what we were talking about before

34:57

with soft skills yeah , completely

35:00

, and it's , you know

35:02

it's always .

35:03

It's almost like um , um

35:06

, you know there's this movie , you know men's

35:08

out , men are from somewhere and then women are

35:10

from marcelina . So it it's simple . Security and

35:12

DevOps and if I need to kind of like

35:14

pinpoint it , you know security many times

35:17

. You know they speak a language

35:19

of risk . Right , they speak

35:21

a language of you

35:24

know posture , which

35:26

is a language that the

35:28

engineers , the DevOps , they don't

35:30

speak that language . They don't talk in

35:32

terms of risk . They talk in

35:34

terms of you know configurations . They

35:36

talk in terms of you

35:39

know engineering

35:42

, right , they talk about configuration

35:45

. They talk about you

35:47

know software packages . They talk

35:49

about network IPs . That's

35:52

their language .

35:54

And what we see today is that

35:56

security , they

36:01

need to know Kubernetes well enough to kind of like translate

36:03

some of the risk requirement and the

36:05

risk terminology into

36:07

technical terms . But

36:10

also the developers on their side , they

36:12

need to learn the risk implications of

36:15

different things and they need to start thinking about risk as

36:17

well . I think that's what

36:19

every platform that gives security for

36:21

Kubernetes will

36:24

need to manage . Basically .

36:29

Yeah , and even recently , the past

36:31

couple of roles that I've had , it's been

36:33

acting as that security

36:36

bridge to the rest of to translate

36:38

, you know , these

36:54

security components into something that

36:56

they understand so that we can , you

36:58

know , make progress . It has

37:00

been , I mean , it's interesting , it's

37:02

probably the evolution of an engineer , so

37:04

to speak . Right Is , you know , you go from

37:07

being hands-on keyboard I'm going to write this

37:09

code and fix this problem and

37:11

you know , we're going to go through it like that , to being

37:13

, you know , the subject matter

37:15

expert in an area and

37:18

then translating it to other

37:20

, to other departments , right For

37:22

them to actually do that work . And it's

37:25

, uh , that that transition , I guess , has

37:27

been slightly difficult for me

37:30

to to , I guess , stomach

37:32

, right , because I I still , I

37:35

still want to get in there and I'm still kind of paranoid

37:37

because I'm not in the weeds

37:39

like I used to be , so to speak .

37:41

It's not like man , is someone gonna like think

37:43

I'm , you know , useless and lay

37:45

me off because I'm not in the weeds

37:47

like you know what I mean , like it's that yeah

37:50

it's that mental shift , you know yeah

37:53

, you know , um , you know , I

37:55

have to say you know , another time

37:57

in my life at least , that I've gone

37:59

through you know , uh , this type

38:01

of like dissonance that you're mentioning is

38:04

, for example , just when you , you know , when you

38:06

move from being a developer to

38:08

a team leader right , yes

38:11

, you , you know you just

38:13

lose the capability or the capacity

38:16

to know every function that every developer

38:18

writes and you need to feel comfortable with

38:20

giving guidance and being

38:23

more

38:25

of the architectural oversight . You're

38:27

the security architectural oversight , right

38:29

, and I completely

38:32

get it . We're all in some ways

38:34

maybe not all of us , but maybe you and I are

38:36

control freaks , right , we want to know

38:39

that exactly what's going on , and

38:41

it's hard , but it goes

38:44

again . It goes to what we

38:46

talked about before and I think you said it right

38:48

. It goes to the soft skills into collaboration

38:50

and working together , communicating

38:53

well , in order to feel comfortable

38:55

with this new situation .

39:00

Yeah , absolutely so

39:02

you know , if

39:05

you look , you know five , ten years

39:07

out , right In technology . That's extremely

39:10

difficult to do to look ten years out . It's

39:12

probably really difficult to look five years out

39:14

. Where

39:17

do you think cloud infrastructure

39:19

as a whole is going

39:21

? Because we have Kubernetes

39:23

, but I wonder what

39:25

that next iteration of Kubernetes

39:28

is . Is it serverless , do you think

39:30

?

39:33

Well , there

39:36

are already some . You know , there's

39:38

Fargate or the I don't

39:41

know Autopilot

39:44

from Google which are kind of like they're running containers , but they are

39:46

serverless . I think that's . The

39:49

problem today is that it is very

39:51

, very costly to go . But

39:53

also , you know , Kubernetes makes

39:55

it so much easier to manage the

39:58

server themselves . Then it

40:00

makes me think about okay , so

40:02

if servers are so easy to manage

40:05

, why go serverless ? You

40:09

know I try not to make

40:11

predictions because

40:13

everybody that ever made

40:15

predictions probably was wrong . But

40:18

one of the things that I'm

40:20

seeing is that I

40:23

think the cloud as a cloud service

40:25

is going to proliferate . So we have Amazon

40:27

, then we have Google , now we have Azure , we have

40:29

IBM . I see companies

40:32

starting to do their own cloud . So what I

40:34

suspect might happen is

40:36

that the cloud technologies will

40:39

just be . You know , in so

40:41

many many places where you

40:43

could utilize cloud type technologies

40:46

, companies are already doing that . You know Kubernetes

40:48

is running on premise and companies

40:50

are doing like cloud native , but it's on bare

40:53

metal in their own environments . It

40:55

costs them less than going to Amazon if they're

40:57

big enough . So I

40:59

actually think , you know , I

41:05

don't think the big change going

41:07

forward will be in you

41:09

know what servers we are using

41:11

, or the architecture of the server , or

41:13

Kubernetes . I think it's going to

41:15

be about the type of services that

41:18

you can get from the cloud provider

41:20

. I think cloud providers will win and lose based

41:23

on the ease of their AI

41:26

models that they provide via APIs and

41:28

the database

41:31

services and how quick those are

41:33

. I think that's where the next

41:35

battlefield is in .

41:39

That's really fascinating , you

41:41

know what you're describing really eliminates

41:44

a lot of the security misconfiguration

41:47

that goes on in

41:49

the cloud . In

41:57

the cloud , you know , recently , right , I ran a report in the environment and saw a bunch

41:59

of public S3 buckets and

42:01

you know I'm sitting here like

42:03

this is , you know , literally

42:06

you know , third or fourth time

42:08

that I've had to go over this with . You

42:10

know all of my developer teams probably about 150

42:13

different people and

42:15

you know I'm trying to figure out

42:17

how to like finally solve

42:19

this problem so that you know we wouldn't

42:22

still encounter it , because my

42:24

environment is a little bit unique . We have limitations

42:26

around what we can

42:29

implement from a security perspective

42:31

, which makes which

42:34

makes these findings a little bit more difficult . But

42:38

that that's really interesting

42:40

because you know what you're talking about is

42:42

kind of a overarching control

42:45

plane that is running

42:47

on the cloud and you just tell that

42:49

service , you know what you want to be

42:51

using , what

42:53

you want to do , what you want to accomplish , and they figure

42:55

out the most efficient way to get

42:57

it done for you and

43:00

really leverage their own internal

43:02

skill sets to do that within

43:04

whatever cloud provider makes the most sense

43:06

. It's

43:08

really interesting . I haven't thought

43:10

about it like that before . Are you seeing

43:13

that anywhere in the market right now ?

43:16

No , to be honest , like what we see

43:18

, we do see . You know multi-cloud environments

43:20

and then everybody

43:22

is using multi-cloud . They started to think about

43:24

, you know , for example , security

43:26

wise . You know , do we have like cross ? You

43:29

know cross-cloud communication and what's going

43:31

on there and

43:34

can one attacker move from one environment

43:36

to another ? So we see a lot of

43:38

that . Also , you know I'm

43:40

very much in the security domain , so

43:43

I'm mostly seeing , you know , the concerns

43:45

of security in these domains and less about

43:47

the control plane , the applicative control

43:49

plane . So it's hard to me

43:51

, but I can say that we see more and more

43:53

. You

43:57

know every big company is now having a multi-cloud

43:59

environment and an on-premise environment

44:01

as well , and all of that needs to be managed

44:03

.

44:06

Yeah , it's a really good point . It'll be

44:08

interesting to see where the space goes

44:10

, you know , in the near future

44:12

, and I wonder if satellites will play

44:15

a role in it . But you

44:18

know , Shauli , I really appreciate

44:20

you coming on the podcast . I really

44:23

enjoyed our conversation .

44:25

Me too . I really enjoyed it . Thank you for having

44:27

me . It was a pleasure .

44:29

Yeah , absolutely . Well , you know , before I

44:31

let you go , how about you tell my audience where

44:33

they could find you if they wanted to reach out

44:35

, where they could find your company if they want

44:37

to learn more ?

44:39

Yeah , so me , you know . Just Google

44:41

Shauli Rozen S-H-A-U-L-I R-O-Z-E-N

44:45

. On LinkedIn I

44:48

think I'm the only one , or at least I'm

44:50

one of the ones that will surely

44:52

pop up . My company , ARMO ,

44:54

armosec.io , and

44:57

also as important as my

44:59

company is our open source project , which

45:01

we almost didn't get a chance

45:03

to talk about at all , which is called Kubescape

45:06

, which is today one of the most prominent

45:08

open source projects for Kubernetes

45:11

security out there . It's an official Linux Foundation

45:13

CNCF project . Hundreds of

45:15

thousands of users , super successful

45:18

and anyone who

45:20

will contribute or use that . It's

45:22

also a win for me and I really

45:24

, really encourage you to try

45:26

it out .

45:28

Yeah , absolutely . We'll have

45:30

to have you back on to talk more

45:32

about that project .

45:34

Yeah , we can do like 60 minutes on the

45:36

open source itself and

45:38

we talked about how did they get into security

45:41

and how did they get to funding the company , how

45:44

did they get into open source , and the open

45:46

source journey as a whole is a

45:48

fascinating journey on its own .

45:52

Yeah , absolutely , we'll

45:54

figure that out and make that happen .

45:56

Yeah .

45:57

So thanks everyone . I hope you enjoyed

45:59

this episode .
