Devin Ertel (12:32)

Foreign.

Dave Bittner (12:38)

Let'S be real. Navigating security compliance can feel like assembling IKEA furniture without the instructions. You know you need it, but it takes forever and you're never quite sure if you've done it right. That's where Vanta comes in. Vanta is a trust management platform that automates up to 90% of the work for frameworks like SoC2, ISO 27001 and HIPAA, getting you audit ready in weeks, not months. Whether you're a founder, an engineer or managing IT and security for the first time, Vanta helps you prove your security posture without taking over your Life. More than 10,000 companies, including names like Atlassian and Quora, Trust Vanta to monitor compliance, streamline risk and speed up security reviews by up to five times and the roi. A recent IDC report found Vanta saves businesses over half a million dollars a year and pays for itself in just three months. For a limited time you can get $1,000 off vanta@vanta.com cyber. That's v a n t a dot com.

Interviewer (14:02)

It is my pleasure to be joined here at RSAC conference by Devin Ertel, who is the Chief Information Security Officer at Menlo Security. Devin, welcome.

Devin Ertel (14:11)

Thank you. Thank you for having me.

Interviewer (14:13)

My pleasure. So before we dig into our topics today, it's a busy rsa. Anything in particular you're you're looking forward to as you walk the show floor?

Devin Ertel (14:24)

You know I check out vendors just you know like everyone else here doing that I like hearing strategies. Usually you will find topics that are going to be they're up and coming and what people are thinking about and you have like a mind share here and I'LL be interested to see how many times people say agentic while I'm here.

Interviewer (14:44)

Yes, yes. It's funny. We were joking about how like we're sort of on the trailing edge of the hype cycle for AI, but now we've added the word agentic, so we're back up again.

Devin Ertel (14:54)

I feel like I heard it like two months ago now. I've heard it a thousand times already. Absolutely.

Interviewer (14:59)

Well, let's talk about enterprise security. I mean, for folks who are not familiar with the types of things you and your colleagues at Menlo do, can you give us just a brief overview?

Devin Ertel (15:08)

Yeah. So Menlo started over 10 years ago in the remote browser isolation space. So securing the web. So when users are going out and browsing stuff, if there's a compromised website or something's going on, we actually have our own cloud browser that actually everything executes there. We re render to make everything safe for the user. Since then we have added many more features and you can almost say it's what we're calling now Workspace Security. But yeah, so they've been in the browser. There's a lot of browser experts that know way more about the browser than I do there. But it's kind of crazy to think about, like 10 years ago, I don't think we thought we were not using the browser as much as we do now. Like I'm literally in a browser that's basically.

Interviewer (15:55)

Yeah, I mean, I think it's central to most people's computing experience. Certainly on the desktop.

Devin Ertel (16:00)

Yes.

Interviewer (16:01)

Yeah.

Devin Ertel (16:01)

You know, before we had thick clients and you know, all this stuff. But now, yeah, it's kind of crazy how that's changed so much.

Interviewer (16:08)

So help me understand, for folks who aren't familiar with it, this kind of browser, how does it differ from the day to day browser that I'm using that comes with my computer?

Devin Ertel (16:19)

Well, the beauty about Menlo is that no one would even know you use your browser and we add the protections so your user wouldn't even know that all these protections there might be some things like, hey, you're downloading malware, we stopped it. Right. So they might see things like that. But the day to day use, you wouldn't even know that it's even happening. Which as a security practitioner, as myself, the beautiful solutions, your end user should never know. Right. You do not want to be a hindrance, you want to be able to let the business run. So that's, that's a good thing, right? Yeah, yeah, yeah. So we tech, we integrate with Chrome, you can put Us as a proxy and get those. And we can put it. And you can put us in front of applications that we're kind of transparent and to the user, this, this word.

Interviewer (17:03)

I've heard of, I think to pre detonate things.

Devin Ertel (17:06)

So yeah, so think sandbox when you know. Yeah, absolutely.

Interviewer (17:12)

Well, what are some of the obstacles that you find some of your customers are facing here when they're, when they're coming to you and saying, hey, we think this might be a good fit for us. What problems are they trying to solve?

Devin Ertel (17:23)

So yeah, so of all the feature sets with the beginning one, I think everyone was trying to solve like users going and downloading malware. Right. Like that's like a very common thing. And that's what the remote browser isolation. What's happening now is we kind of flip it down its head and we put the isolation in front of applications. I like to call it like a WAF on steroids. So we protect the application itself and then we protect end user. What if you have a contractor? Normally 6 month contractor comes in, you give them a whole laptop and then you gotta go get the laptop back. Sending the laptop and getting the laptop is hard enough in itself. With this new solution, you basically can put all these controls in. Oh, you don't wanna let them download anything. You can't download anything when you go to this app. Oh, you don't wanna upload anything. You can't do that. You can watermark it to make sure they can't screenshot things. You can essentially lock in this application and ensure that nothing reaches the endpoint because you can't really trust that endpoint being that you don't have it.

Interviewer (18:24)

And is this outside or inside of the browser?

Devin Ertel (18:28)

All in the browser.

Interviewer (18:29)

It's all in the browser, yes.

Devin Ertel (18:31)

You can put all these protections in place without having to procure a whole laptop with EDR on it with all these security controls. And it's zero trust. Right. And you can manipulate, you can even manipulate the page. I don't want them to see the comments section of this. So I, you know, it's just, it's very, very tuning.

Interviewer (18:52)

You can actually go into the pages they're visiting and restrict.

Devin Ertel (18:57)

Yes.

Interviewer (18:57)

Yeah. Oh, that's fascinating.

Devin Ertel (18:58)

And since it's in the cloud, they have no, they can't change it if it was on the endpoint. The user can fiddle if they're technical enough.

Interviewer (19:04)

And I suppose, I mean for like you, you mentioned a contractor. If someone wants to be in like a BYOD position, you don't. The, the person doesn't have to. The, the, the security professional doesn't have to be in charge of the device.

Devin Ertel (19:19)

Yes.

Interviewer (19:20)

Because they have control of the browser.

Devin Ertel (19:22)

Yes. And it can be a pain. Shipping a laptop. Sure. Building it and getting it back, I.

Interviewer (19:27)

Think is the part that, you know.

Devin Ertel (19:30)

Right. It is getting it back. You're absolutely right.

Interviewer (19:33)

We really need it back. Yeah, absolutely.

Dave Bittner (19:37)

Yeah.

Interviewer (19:37)

Well, let's touch on the hot topic, which is AI, of course. How does that play into any of the things that you all are doing?

Devin Ertel (19:45)

So, yeah, so that's what we're using. We have a couple of things that we're using like computer vision, AI and that would be protecting like credential compromise. So phishing email comes in, they mimic your okta page or whatever, your Microsoft O365 page, steal your credentials. Right. This would detect that, basically using computer vision, knowing, hey, this, this is not O365 website, but it has your logo. It has this on there. This seems a little thing. It would just immediately. I think we call it zero hour detection. Like it would immediately detect it. Even if categorization, you know, it wasn't labeled bad yet. And a lot of times what the actors do is they just bring up a site for a little bit and then, you know, and. Right. Or put it up, let it be under the radar, get a good categorization and then. So then you can fish people onto it. That's one way. The other way, which we're really looking into it is with data. And that's where workspace security comes into play. I always say, like back in the day, you know, I don't want to age myself here, but we had mainframes and databases.

Interviewer (20:49)

Sure.

Devin Ertel (20:49)

We could put our arms around it. All right.

Interviewer (20:51)

That's right. I want to hug my server.

Devin Ertel (20:53)

Yes. And we put all we did, I think as a security industry, we did a great job with all the firewalls with the detonation before things come in. But now I really feel like the COVID era kind of kicked that up. Like the digital transformation and all that. There's so many SaaS tools, there's so many, like messaging apps. And data is just all over the place now. Right. So we're looking at AI to automatically detect data whether or not you labeled it correctly. Like a lot of people, they try to go around and put the labels on. You know, someone can forget that label. There's a lot of things that can go wrong with that where AI can come in, see, oh, there's a whole bunch of Social Security is on this document, are you sure you want to email it to this person and detect it real time redact and let it go through?

Interviewer (21:40)

Right. So I mean, you have the opportunity to kind of save the users from themselves. The errors.

Devin Ertel (21:46)

Yes.

Interviewer (21:46)

Unintentional sharing of things.

Devin Ertel (21:48)

And if they actually wanted a document back, they can, you know, if like this. So that's what we're looking at now. And that's what we're calling workspace security. It's like the modern thing where the browser is and there's all these like backend API calls. Like data is spread out a lot and a lot of people do not know where it is. It's. It's a hard thing to do. It's a challenge right now.

Interviewer (22:07)

Yeah. Well, I think for a lot of people, ignorance is bliss. You know, how do you sleep at night?

Dave Bittner (22:11)

I don't know what's going on behind the scenes.

Devin Ertel (22:13)

Yeah.

Interviewer (22:13)

I trust people like you to know what's going on behind the scenes.

Devin Ertel (22:16)

So.

Interviewer (22:17)

Well, let's touch on zero trust. Cause that's an important part of the equation as well. What do you all have? What's your relationship with zero trust?

Devin Ertel (22:25)

Yeah. So with a couple of our products, I always like to say with the browser, when people are browsing the web in general, you're not even trusting the web. Right. So that's not. It's a different take on zero Trust. But I do like to say that the other one, when I said it, we flipped it on the other side is so when you give that contractor that app, back in the day, we used to have to use VPNs. Right, right. And you are essentially tunneling them into your corporate underbelly, I call it, because the controls get weaker as you go in, usually on these big organizations. In fact, I used to be a pen tester for many years. And when I compromised something and I could go through a vpn, I was like, game is over now.

Interviewer (23:03)

Because the assumption is there's enough protection with the VPN that if you've made it past the vpn now, you got.

Devin Ertel (23:09)

To tunnel into it.

Interviewer (23:10)

We trust you. Yeah.

Devin Ertel (23:11)

We got to tunnel into the network. And then you just pivot on the other things.

Interviewer (23:13)

Sure.

Devin Ertel (23:14)

Where this, you're giving access to a single app, you're not going anywhere but that app. So and then like I said, you can put a ton of other protections around there to protect that app itself so they can't go elsewhere. So that, that is like the zero trust in my mind. I mean, I've been in organizations where we are always trying to like micro segment everything. And I know there's a lot of solutions for that, but that's really challenging of understanding where every server is talking to what and trying to zero trusted that way. This is always taking an approach of zero trust at the door where you can't even get in anywhere. And then you basically are just zero trusting that user to that app. You know, provide the security controls, provide the visibility of what they're doing, provide the ability to quickly cut it off if needed. So that is our play, which we call SAA Secure Application Access essentially is what that is.

Interviewer (24:07)

The folks who are experiencing success with this sort of, with this approach.

Devin Ertel (24:12)

Yeah, right.

Interviewer (24:13)

The thing that you are saying, we think this is the way to go at it. What does that look like for them? What are the things they're enjoying by embracing this approach?

Devin Ertel (24:23)

Well, one like the use case I used earlier, you know, being a contractor, that or bring your own device, you brought that up. Like even your phones, you can do that. You can literally say, okay, so you're allowing people to have their own phone, but maybe you shouldn't access the code base or maybe you shouldn't access the cloud infrastructure, but I will allow you to access, I don't know, the lunch menu.

Interviewer (24:48)

Right, right, okay, sure.

Devin Ertel (24:49)

So you have that ability. You can really get granular with this stuff. And so with bring your own device and that. And I can tell you the one thing that a lot of people I think is overlooked is the actual security. It's putting on the application itself as a forward pen tester. Attacking the app, you get access and then you attack the app, you get access to the host, the end user, then you attack the app. It's a waf, a web application security firewall is really hard to manage. It's a lot of rules, a lot of false positives. This is a plug and play. Like they cannot see or do or alter any of the requests that come into the application. So doing the SQL injection is next to impossible because you unless you somehow figure a way to do it in the form and individually. So you're really protecting the app what also you're doing. So what attackers are doing now is so everyone's going on the FIDO two factor authentication because the attackers figured out how to push bomb on phones, they figured out the one time how to fish the one time codes. So now what they're doing as people are using Fido, which is a much more secure two factor, they're just taking the cookie. So think when you authenticate via fido, Right. It's like, okay, well I'll take this cookie now and then I'll go and access it with this solution. The cookie actually never also touches the endpoint. So if that endpoint was compromised, they're not going to be able to get that authentication cookie and bring it somewhere else and then gain access. So you really are zero trusting that device where it can. I mean you're locking it down quite a bit without having a whole bunch of agents and ADR and all that. You don't need all that stuff saying you don't need adr. I believe that's a foundational thing. But.

Interviewer (26:32)

Yes, well, but when you all are designing and deploying this product, how do you balance for your users ease of use with powerful options?

Devin Ertel (26:47)

Right, Absolutely. Well, internally, you know, I say we're customer zero and we literally everything that we build, we put out in our company. So sometimes I have made users unhappy. So. Okay. Which Jen gives feedback and we change things like that. So there are things you can do. So you could say you want Okta to be that factor and then there's a cloud browser login that happens after the fact that you can loosen those controls because you have the door in front of that. That is the Okta and the Fido and your, your password rotation and whatever you're doing. I see authentication security wise. And then that allows you into the gate to actually app access the cloud browser.

Dave Bittner (27:30)

Okay.

Devin Ertel (27:31)

So. So you can leave. You can, you know, depending on your use case and you know, if you're in a big government and very sensitive, you might not want to. It all all depends on the your company and it's risk appetite on that one of how you want to turn and crank those levers.

Interviewer (27:47)

Yeah. Where do you suppose this is all heading? I mean we were talking about how the browser is central to most people's desktop computing experience is this the future is not having, you know, that soft underbelly on your machine available. Do you think?

Devin Ertel (28:06)

I would love for that. As a security professional, I would love everyone to have a Chromebook.

Interviewer (28:10)

Yeah. Right.

Devin Ertel (28:11)

But it's a cultural shift that in fact I was just talking to another practitioner. There's a joke where it's like to pay a bill, you know the old school, we have to open up the laptop, we don't bring out the phone. And I'm still that way. Right. So that's right.

Dave Bittner (28:25)

That's right.

Devin Ertel (28:25)

So there's always a cultural shift. But does do many people besides an engineer that is like coding that's going to take a bigger cultural shift. So like a salesperson or a marketing person, I think a Chromebook will be fine. The amount of stuff you can do in a web browser, which they already do, you know, if you see their laptops, it's just a Chrome page with a thousand tabs open.

Interviewer (28:47)

I'm with you. You know, I'm sure our listeners have heard me talk about when I was time to outfit my elderly father with a computer and he'd been a Mac user for many, many years. But there was a time when Chromebook, for my sake.

Devin Ertel (29:02)

Yeah, it was like troubleshooting.

Interviewer (29:04)

Yeah, yeah. It was just, you know, it's kind of. Kind of bulletproof for the simplicity, fit the user case, you know, in that particular case.

Devin Ertel (29:11)

Yeah, I think, I think that's where it's going. Which. The interesting thing is Chrome Safari, you name the browser. Yeah, they're a user. They're not like a corporate application. Right. And we haven't put the protections in place. And that's where Menlo has come in and said, okay, use your browser. Let us put a little more security on.

Dave Bittner (29:29)

And.

Devin Ertel (29:29)

And Chrome is doing stuff where they're continually adding, but you have a little more control over it rather than just being some cuz we. It's basically an operating system now.

Interviewer (29:38)

Yeah, absolutely. All right. Well, Devin, thank you so much for.

Devin Ertel (29:42)

Today to get with you. Absolutely, absolutely.

Dave Bittner (29:52)

Foreign what's the common denominator in security incidents? Escalations and lateral movement. When a privileged account is compromised, attackers can seize control of critical assets with bad directory hygiene and years of technical debt. Identity attack paths are easy targets for threat actors to exploit, but hard for defenders to detect. This poses risk in active directory, entra ID and hybrid configurations. Identity leaders are reducing such risks with attack path management. You can learn how attack path management is connecting identity and security teams while reducing risk with Bloodhound Enterprise powered by Spectrops. Head to Spectrops IO today to learn more. Spectrops see your attack paths the way adversaries do. And finally, layoffs are hitting the cybersecurity sector hard this summer, with major players like Microsoft and Crowdstrike slimming down. Despite healthy profits, Microsoft recently let go of 6,000 employees, many in tech roles. As it shifts more investment into AI. CrowdStrike trimmed 500 positions while announcing record earnings. The message seems automation is in and human jobs are negotiable. But behind the financials are real people. Skilled professionals who've spent years building defenses now finding themselves out of work. And the ripple effects aren't just personal. Experts warn that sudden layoffs, especially in cyberteams, can carry serious security risks. Departing employees may, intentionally or not, walk out with sensitive data and stretched thin, security teams may miss emerging threats. As SANS Institute's Rob T. Lee puts it, you're not just losing people, you're losing the people who know how to stop attacks. Companies might see cost savings now, but the long term bill could come in the form of a breach headline. And nobody wants that. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing@thecyberwire.com we'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire2k.com N2K's senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes. We're mixed by Trey Hester with original music and sound design by Elliot Peltzman. Our executive producer is Jennifer Ibin. Peter Kilby is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Worried about cyber Attacks? Cyber Care from Storm Guidance is a comprehensive cyber incident response and resilience service that helps you stay prepared and protected. A unique onboarding process integrates your team with industry leading experts so if an incident occurs, your response is optimal. Get priority access to deeply experienced responders, digital investigators, legal and crisis PR experts, ransom negotiators, trauma counselors and much more. The best part? 100% of unused response time can be repurposed for a range of proactive resilience activities. Find out more at Cyber Care Cyberwire.