July 11, 2022

Mike DeCesare: Cyber, AI, Founders & CEOs | Turn the Lens #14

Identity becomes the new perimeter.
The concept of knowing what is logging into your environment, regardless of where that device or that application or that user comes from.
That is the next challenge for CISOs.

- Mike DeCesare

Episode Description

The never-ending cybersecurity battles have only increased as attackers and defenders have both integrated more advanced techniques, including the increasing use of artificial intelligence (AI). Mike DeCesare has been in the proverbial trenches, most recently at Forescout. Mike recently joined Exabeam as President and CEO to take the company to the next level with the assistance of a recent round of funding. In this far-ranging conversation, Mike and I discuss the evolving security landscape, Zero Trust, and the fundamentally different security posture required in today's world. Thanks again, Mike, always enjoy getting the latest from you.

Chapters
00:00 Intro
00:12 Introducing Mike DeCesare
00:46 Cyber systems historically have been built around an in app single data repository for security events
01:11 New storage architectures are changing the cost and access dynamics in security applications
02:05 What the new architectures have done is make storage a lot less expensive and a lot more accessible
03:00 Cyber security is an industry where a startup can go from hardly being heard of to something big in such a short period of time.
03:34 It was difficult to define defensible perimeters before Covid, it has only accelerated post Covid
03:57 Identity becomes the new perimeter
04:01 The concept of knowing what's on your network, regardless of where it comes from
04:12 It's not good enough to say when you're in the building, you get higher access privileges, that doesn't exist anymore
04:21 The CISO priority and focus has shifted to data, understanding intelligence
04:29 Companies are inundated with security products
04:41 It puts a lot of pressure on security teams to know what to prioritize, where to hunt, what's the most daunting thing that's come into the environment today
05:00 Having the data and intelligence to make priority decisions is the next big challenge for CISOs
05:44 Zero Trust was a strong concept before its time
05:59 No one figured out what to do once the adversaries got inside the defenses
06:07 We have to expect that everyone's credentials have been compromised at this point
07:00 The system should be smart enough to recognize a bad log in, even with the proper credentials
08:19 Increasing technical sophistication of bad actors
09:16 The most profitable attack vectors are the ones that bring a business to its knees
10:42 Security Budgeting
11:01 Companies are getting smarter at retiring products
12:47 Impact of Artificial Intelligence (AI) on security
13:46 AI lets us give the customer confidence that the bad actor has been exfiltrated from their environment
14:01 Dirty little secret, it's not obvious that the bad actor is ever out of the system
14:24 The bad actors are using AI too
14:45 Start thinking about the game of cat and mouse with AI, it gets pretty concerning
16:25 Mike on working with technical founders
16:27 At a young age, I was exposed to one of the greatest technical founders ever in Larry Ellison at Oracle
18:08 Mike's objectives for Exabeam

Transcript

>> Jeff: All right. Cool. So I'll just count us down, make sure I got it on your record. It's going okay.

Hey, welcome back everybody. Jeff Frick here coming to you from the home office. It's Turn the Lens and I'm really excited to have a guest who's been in this space that we all need to be paying more attention to, the security space, for a very long time. He's got a new role that we're excited to learn more about, and we'll welcome him through the magic of Zoom and the internet. He's Mike DeCesare. He is now the president and CEO of Exabeam. Mike. Great to see you.

>> Mike: Yep. Good to see you as well. Thanks for having me.

>> Jeff: Yeah. So tell us about this new opportunity. The press release has come out. You've got a new CEO role. Obviously we spent a lot of time together when you were at ForeScout over the last couple of years at a couple RSA shows, but tell us about Exabeam what's the opportunity? What brought you there?

>> Mike: I think if you look in the cybersecurity space for the last ten or even twenty years, kind of, one of the main areas of cyber has been this concept that there needs to be a single data lake that holds all your cyber events. You know, the SIEM market, security event management market. And it is fundamentally based off an architecture where the vendors that sell to customers, store all that data in their own repositories. There is a major transformation going on across the IT industry these days. Whereas a lot of those same customers are now looking to take advantage of some of the lower cost storage capabilities of things like Snowflake and AWS and Azure and Google. And it's really changing the dynamic of how data is stored for cybersecurity purposes. And Exabeam was just in such an amazing position in that we built this analytics engine that sits on top of that data regardless of where it sits in the environment and helps companies make sense. So I felt this company was just really well positioned to be successful.

>> Jeff: Now it's interesting you say that because our ForeScout was all about if I recall, the devices, right? And all this stuff kind of hanging on the network. Now you're talking really about all the data that's flowing through. I mean, is a single data repository, is that realistic? And how do kind of some of these new architectures like Snowflake really change the dynamic from a security perspective?

>> Mike: What these new architectures have done, is they've made storage a lot less expensive and a lot more accessible. So kind of the new architecture now is not to require that data to sit in a single repository, but to be able to play a meaningful role across that data, regardless of where it sits.

>> Jeff: Right. Right. So you've been in security a long time. We've talked about it at RSA. You know, I feel so sorry for the, the CISOs trying to figure out what to buy within this humongous portfolio of applications and options at the same time, you know, we continue to see data breaches and it seems like ransomware is the hot new topic today. So kind of stepping back from kind of a, an executive in security for a long time, as you continue to see this arms race, you know, kind of where are we now? How do the good guys keep getting advantages to stay a step ahead of the bad guys?

>> Mike: Well, I think that's why you see cybersecurity as a place where a startup can go from hardly being heard of to something big in such a short period of time. There's no concept in cybersecurity of a big company getting big and just having that installed base, you know, customers have shown time and time again, Palo Alto, the most recent to show how a very big older market called Firewall can be disrupted by newer technologies. So you were constantly seeing that leapfrog of you know vendors in different areas. I think when you back up over the last 18 months and consider what we just went through as a planet from a work from home perspective, just have to acknowledge the fact that it was getting difficult for companies to define the perimeter before COVID right? Things like cloud applications. All of those things were starting to make the concept for a company, drawing a circle around their company from a network perspective less realistic. That has only accelerated now post-COVID,

>> Jeff: Right.

>> Mike: where we have some people back in the office. We have many that are still working from home. And really, if you think about it, kind of identity becomes the new perimeter. The concept of knowing what is logging into your environment, regardless of where that device or that application or that user comes from. That is the next challenge for, you know, for CISOs out there. It's not good enough to say, well, when you come into my building and plug into my network, then you get a higher degree of privilege, that doesn't exist anymore and they've really got to deal with that dynamic. So what it's really done is it's just shifted the priority for CISOs towards data, towards understanding intelligence. You know, you get, I don't know, 30, 50, 100, depending on what company you ask, they'll tell you, they have at least that many different cybersecurity products. Each of those has their own dashboard. Each of them is blinking red or green for different reasons.

And it puts a lot of pressure on the security operations center, the part of the cyber team that handles all those inbound issues to try to make sense of kind of where to hunt, where do they go first? What is the biggest, most daunting thing that's coming to my environment today, versus something that I can just, you know, wait a little bit longer on. So just having that data and that intelligence to be able to make those decisions is I think the next big challenge, your CISOs really have to grapple with.

>> Jeff: Right. You know, Chase Cunningham from Forrester has got a great concept, he talks about all the time, which is zero trust, which is, you know, we've seen lots of data that, you know, once people infiltrate you, it takes, you know, days and days and days and months to find them. So this kind of concept of presume that they're in and it's really more about, you know, what do you do once you know that they're in and how do you, you know, kind of minimize the damage once people get in? What's your kind of take on zero trust and kind of the evolution of the position of the security professional as these borders, as you say, become less defined, a little bit more porous and not so cleanly, easily defended if you will?

>> Mike: It means zero trust was really a strong concept before its time. And it was, at the time that it was invented, there was this concept that companies believed, it was like the old war, you know pictures where you'd see all the cannons facing outward, nobody ever comprehended what happened once the adversary got inside the ring of cannons that were facing on the outside. And that's why zero trust was invented. As a world, we have to expect that everybody's credentials have been compromised at this point, right, between all the breaches, the fact that we all use very similar passwords over and over again, it's not very hard to imagine a world where the adversary has the log in credentials of all of the things that they are trying to break into. And that's why Exabeam is so well positioned in this marketplace is it's a little bit more like a jewel thief concept in that, the way that the bad actors have worked for years is they just keep pounding away at the door.

Different passwords, different tries, different tries, different tries, until eventually one of those breaks in. Now we're getting to a world where the adversary gets one shot, and if Exabeam's installed, as soon as that device or that user tries to come on, if Jeff is logging in from a certain place in the world every single day, and all of a sudden your credentials, valid credentials are coming in from Eastern Europe, that is, you know, a system should be smart enough to understand that's not an authentic Jeff log-in and be able to respond to that. And that's what this advanced analytics use case is all about is taking all the input from your firewall and your end points and your CrowdStrikes and all the different products that companies have in their environments. Being able to pull all that together and create this holistic picture of what is it that is on my network at any given time. And, you know, if again, if somebody that isn't typically in Eastern Europe is all of a sudden logging in, that company needs to be in a position to respond to that, and try to block that before that bad actor is able to sit online and eventually steal something very meaningful.

>> Jeff: Right. Right.

>> Mike: Just think it changes that dynamic of how the companies have to defend against the bad actors.

>> Jeff: Right. I want to talk, 'cause you talked a lot about analysis and taking a look at things, and that's really the essence of SEM, right? Is, incidents and keeping an eye on activities. As you, take a look at the changing scope of the threat actors, right? Where now it's nation states and you know, it's a little bit more sophisticated than necessarily people trying to change your grades or hacking in from the basement and maybe move some money around. How has that changed your guys' posture, you know, from the good guy's perspective as the sophistication of the threat actors has gotten higher?

>> Mike: Well, I don't think that, you should not draw correlation to say that the sophistication equals state sponsored. There are lots of private, you know, bad actors out there that are very technically sophisticated and have some of the same exact skills and tools that major companies have. I mean, kind of the way I always look at this is, cyber talent is needed by the cyber companies themselves, by the governments, to be able to defend against cyber attacks and then by all the private companies that are out there that want to build these big practices as well. So that same talent population is accessible for the folks that go to the, you know, to the dark side as well. I think something that has really changed over the course of the last couple of years is, we're starting to see the threat vectors becoming more daunting. Like it's one thing to see ransomware. It's another thing to see ransomware in an environment where somebody's supply chain is taken down and held compromise until that company responds.

And I think that's what you've seen with WannaCry. Now, the kind of most recent breaches over the last couple of months is that the bad actors are figuring out that the more profitable attack vectors are the ones that bring a business to its knees. You know, if you're a credit card company, the way you process credit cards, if you're a distribution company like FedEx, can you ship products from all those use cases become much, much more concerning. And I think that, you know, to that end, what you're starting to see now, is you're starting to see the CISO, the chief information security officer, A get elevated, it's quite often now to see those report directly into the executive staff and not through the CIO anymore, but B you're seeing those same individuals starting to take responsibility for the business part of their companies. They own the OT use case they might have, or they own the, you know, online commerce applications, because those companies are just so concerned about reputational damage and those breaches can be so high profile.

>> Jeff: Right. I'm just curious from a business point of view, in terms of budgets and again, we may have had this conversation, I bring it up with most people I talk to in security, 'cause to me it's kind of like insurance, and, you know, ultimately, you know, a ship at harbor is the safest it's ever been, but that's not what ships are made to do, right. You're supposed to go out and sail. So you can't spend every single dollar to absolutely lock everything down and you can't do business, but how should people think about, you know, budgeting for security, because to your point, if somebody comes in and just takes your business offline, which we're seeing more and more, at least the threat of that, how should people think about the budget of security within the holistic approach of their whole business? Because it's not a tack-on anymore that's for sure.

>> Mike: I think that companies should think about their budgets on the cyber perspective the same way you do in jump basketball at the start of a game. Like every game, it's a different thing. This is not an area where a company can come in and get a hundred thousand dollars from a company and just get that hundred thousand dollars in subscription every single year. You know, as a cyber company, your product is being scored every single day by the customers that you, that you sell to. I think what you're starting to see is more larger companies getting smart and retiring products. That is like the number one thing that I heard, kind of pre-COVID going in was, well, what do you retire? If I buy your product, what is it that you take out of my environment? And there's not enough budget for it just to be additive. And it's the reason, again, I think, that you're seeing companies that are going from virtually nothing to a billion dollars in revenue.

You've seen several of those over the last five or ten years in cyber is because there's been a high willingness from customers to swap things out when there's a better, faster, cheaper approach towards solving a problem. But there's definitely not enough cyber budget to be out there for companies to buy everything each year and then never retire those products. It's constantly iterative.

>> Jeff: Right. Right. I want to shift gears a little bit and talk about artificial intelligence and machine learning. I mean, many, many people, John Chambers, Sundar, a lot of people are talking about, you know, AI is the next biggest thing since the internet itself. You're in kind of the business where you can leverage AI and really start to use advanced analytics and data processing to start to pull patterns and find things. I wonder if you can talk a little bit about, you know, kind of AI, both generically, you know, as you take this role and really more specifically, because I think, you know, people talk about AI generically, nobody cares, it's applied AI's for specific applications and specific business problems where we're going to see this tremendous value. So as you sit now and see the potential now to use this new tool in AI and machine learning as the compute and the, almost infinite cloud compute that you can use to apply, how is that going to change the game from your point of view?

>> Mike: So, first of all, Exabeam's core product set, which we started as an analytics vendor is an AI and machine learning built product. So we've been at the core of this since the company was founded, it's the way our product works. The ability for us to take all the feeds from the SEMs, from different log systems, from your active directory, from your firewall, from your CrowdStrike, from whatever it is you have in your environment, to be able to ingest all of that and translate in that, to what we call timelines, the ability for a customer to kind of almost hit the rewind button. When a breach happens, they can look backwards and say, oh, that device that came in that was, had WannaCry on it, well, if you look back an hour ago, it logged into something different. And then that system logged into a hundred different things. And I think when you think about artificial intelligence in the cyber world, there's no stronger use case than the ability to make sense of all of these volumes of data.

And try to translate that into recommendations to a company about what moves you specifically should make, you know, kind of our whole pride. And the reason AI is so critical is, it lets us go into organizations and give them confidence that at the end of a breach, the bad actor has been completely exfiltrated from their environment, which is always a very big challenge for companies, like when they get breached it's the, kind of the dark secret behind these breaches is, it's not obvious that the bad actor is ever out of that company's environment. That's not an easy thing for companies to be able to ensure. And I think when you look at it on a broader scale across the cyber industry, there's a good and a bad side to this. I mean the same way that companies like Exabeam and others can use AI to try to make sense for companies, the bad actors can use AI to try to get into environments more stealthily.

And, you know, in a way that allows them to exfiltrate data. I remember seeing and reading about one breach here in the last couple of years where the bad actor broke in, they stole data, they encrypted it while they were still inside, and then they left so that the company could not tell what data had been stolen. So you start thinking about that game of cat and mouse with AI, it gets pretty concerning, you know, it's one thing to have 500 people in some part of the world that, you know, is very cyber-centric, pounding away at a company. It's a totally different game when it could be 5,000 artificial machines going after that same company and be able to work in, you know, in real time speed. And when you throw the Cloud on top of that and recognize that companies like Snowflake and all the other Cloud providers are, are making storage and compute capacity more accessible, cheaper, easier to come by. That combination together, is a concerning one we have to pay a lot of attention to, for sure.

>> Jeff: Job security for you I guess for a while.

>> Jeff: (laughs)

>> Mike: Cyber industry is going to be around for a while, for sure.

>> Jeff: Yeah. Yeah. I want to, I want to shift gears a little bit. So you, and talk about technical founders and technical CEOs and founding CEOs and hired CEOs. You worked for the ultimate technical CEO back in the day in Larry Ellison, early on in your career. And I'm a pretty strong proponent that if you can keep a technical founder around, there's a lot of value that they can add, whether they can be the CEO or not is a different question. Some of the qualifications is a different skillset. You've come in to work with other founding members of the team, and then you come in as a CEO. I wonder if you can share your thoughts about, you know, how that works best, what does it take for a founder to kind of give up a little bit of an ego. To kind of hand over the reins to their baby? We've seen it successfully done a number of times, but I still think there's probably a little bit of a magic and a secret sauce to really get the most out of that relationship.

>> Mike: I think first is, I was exposed at a very young age to one of the strongest CEO founders on the planet named Larry Ellison and Larry wasn't just one of the most technically advanced CEOs. He also was an operator. He knew how to scale. He knew how to run businesses. And he's been obviously in a very active role with Oracle since the very beginning, but that's not common. It is much more common, I think, to find the technical founders that get to a certain size and just the day-to-day running the business bores them. It's not what they want to be spending their time on. They want to be innovative and in the product and very close to that. So I was very fortunate coming into Exabeam that Nir, our CEO and founder still plans to stay with the business. He's going to be a very active member of the team. He's going to help me double down in the area that I did not grow up in. I'm not a technical founder. I came in through the sales and marketing side through my entire career. So Nir is going to help us really double down on making sure that the product stays best in class, that we understand what opportunities there are for other markets we can move into, but that's on me as the new inbound CEO to make it a comfortable environment for everybody to be there. And I think that's what a CEO has to do is figure out how to cater to the sales teams and the marketing teams and the R and D teams and G and A and just keep the machine kind of optimized and running efficiently.

>> Jeff: Right. So let's wrap on that in terms of what your plans are. So you're pretty new in the role. You just got some new, fresh powder with the latest round of financing, congratulations, I think it's 200 million, if I'm getting my press release right with a $2.4 billion evaluation, so a little pressure to perform, but you got some ammunition to work with. So what's kind of, you know, kind of your, I don't want to say next a hundred days, you didn't run for president, but what is kind of your objectives in the short term to kind of put the Mike DeCesare stamp on Exabeam going forward?

>> Mike: Yeah. So first is I'm thrilled about the round we just raised, you know, we had new investors that joined. We had a couple of our insiders that had been part of this since the very beginning. It's always good to see the kind of original investors continuing to believe and want to invest in companies. So, we do have a lot of capital at this point to build the business. I think we built an incredible product. I think we've got some of the biggest logos in the world. You know, we solve a major problem that every company in the world is dealing with, which is having context. It's the thing we don't talk about in a lot of these breaches is, let's just assume for a second, that the bad actor just had the login, and didn't have to break into the environment, was able to the same way you come onto a website and log into it, they were able to just log into the environment, a huge percentage of the attacks that go down these days. It's just not that hard for the bad actor, because they had the compromised credentials to get in to begin with.

And that's what Exabeam solves. We help companies. We give companies the ability to connect the dots, to take all the outputs that's coming from these various cyber products that they've purchased and pull them together and make sense of those with a very specific purpose, which is to stop the bad things that are going down in the environment as we speak. So for us, there's still a lot of work we have to do in the product. We have a very ambitious agenda for ourselves. You know, we invented the UEBA category, which is kind of given way over the years to what's called TDIR, threat detection and investigation response. Inside of that is both XDR, that's where our analytics product sits and with the SEM industry, which, you know, the SEM players quite well. So we think we're really well positioned to be a strong TDIR player, but we also see this even larger category, called security operations, that then begins to bring in compliance, and a lot of the other areas that companies need to be able to deal with as ultimately TAM, that we can be a big player in.

So a lot of work across R and D to get the products, continuing to perform, a great sales and marketing team that has been active on building pipeline and hiring reps and all that. But it's a strong company. I'm very privileged to be able to come in here. This is not something that needs to be kind of redone. This is a company that just needs to figure out how to continue to scale as we move above those thresholds, closer up towards a billion dollars in revenue.

>> Jeff: Yeah. Well, that's great Mike. I mean it, congratulations for them for bringing you on, you know, you've been doing this now for a while. You've had a couple stops along the way. So, you know, you're a proven commodity and good for Exabeam for making the move and always great to catch up. I was looking, we last caught up at RSA, a couple RSAs ago, before the pandemic. It's ironic, RSA 2020 was the last big show we did before

>> Mike: It's amazing isn't it?

>> Jeff: it got shut down, right at the edge, crazy. But always good to catch up and thanks for spending a few minutes with me this morning.

>> Mike: Yeah. I appreciate the time. Thanks for having me.

>> Jeff: All right. Thanks. See you. Next time we get together, you got to, I want to see you play some of those guitars.

>> Mike: Next time, for sure.

>> Jeff: All right. He's Mike, I'm Jeff. Thanks for watching, Turn the Lens with Jeff Frick, we'll catch you next time. Thanks for watching. All right. That's a wrap.

>> Mike: All right.

Links and References

Live Interview - Mike DeCesare - Turn the Lens Episode 14, Jeff Frick, YouTube, August 2021

Podcast - #14 Mike DeCesare - Are You Really You? Identity-as-Perimeter in a World of Compromised Credentials, Turn the Lens with Jeff Frick, Episode 14 on Spotify, Apple Podcasts, Google Podcasts, SoundCloud, Libsyn


_________________________________________________________

Disclosure and Disclaimer

This is an unsponsored editorial
