
A
And welcome to this soapbox edition of the Risky Business podcast. My name's Patrick Gray. For those of you who don't know, these soapbox editions of the show are wholly sponsored. And that means everyone you hear in one of them paid to be here. But that's okay because we have excellent taste in sponsors and wind up having really interesting conversations in these sessions. And today we're going to be chatting with two of the founders from Airlock Digital. Again, regular listeners would know that I'm a huge fan of Airlock Digital. It is an allow listing platform. Right. So it allows you to do, you know, deny by default execution control and host hardening across Windows, Linux and Mac. They have customers with like 200,000 endpoints doing this stuff. Right. It works amazingly well. Just there's a sea of happy customers out there. It's fantastic. And they're an Australian business too, although doing a big push in the US right now. And I guess that's a place to start, Dave. I should say so. Daniel is the CTO still. Dave, you've actually stepped back from the CEO role so that you can have an American go and build American operations and push the company over there. I mean, I guess I want to say congratulations because I've known a lot of founders and I know being the chief executive of a rapidly growing software startup is not actually a whole heap of fun. So what's your new gig?
B
Yeah, so I'm a Chief Product Officer now and still retain the co-founder title of course. And it's, I'm so excited to be able to concentrate on product. Well, you know, what I have done in this business from the start and you know, it continues to be the forefront of everything we do. So continuing to build the best thing, deliver, leaning forward for our customers and make a product that does what it says on the tin is the, the, you know, the primary goal there. And I can't wait to continue that and have focus on that.
A
Real quick, who's the new CEO?
B
Oh, Kevin Dunn, based in New York and really excited to have him as part of the team. And you know, he's such a great operator, really understands the business, what we do. And I can't wait to enhance everything that we do under Kevin's leadership.
A
Okay, so the first thing I want to talk about today is last time we spoke, we had a discussion slash argument about AI because you've built this incredible sort of instrumentation tool which can control execution on an endpoint, right? And that's all controlled from a central console. So like my position last time we spoke was, well, you could just use AI, couldn't you, to manage the allow list from this central console. And you're like, well, but at that point you've kind of lost insight, you've lost control, like you've lost understanding of your own context at that point, which is kind of what allow listing is good at in the first place. We had that conversation a few months ago. You've gone away and actually wound up building something that can assist with managing those allow lists, but it's not actually contemporary AI.
B
Well, it was very interesting and a lot of reflections off the back of that conversation and I'm somewhat conflicted between the two camps, which is you do need AI, but you also don't at the same time. And since that time we've actually built an AutoTrust feature into the product which we haven't released yet, but we're going to soon, which basically provides rule recommendations and also can, if you choose to do so, you know, make some automated decisions on your behalf. And we haven't actually used AI in order to do that this time. And there's a number of reasons why we did that. Even though AI provides fantastic context externally that it can bring in to enhance
A
decisions, but it's non deterministic, which is like when you're putting it in charge of an allow list. Is that why you allow, like did not want to go there?
B
Exactly, because we can't, you know, context is king, but because we are powered by data that is inside the customer environment, that's quite a specific static set of information that you've always got coming in, which is already scoped to what you need to pay attention to. So really we can use, you know, we, we can get most of the way by looking at things like prevalence in terms of execution frequency and also in terms of the data that we bring in externally from for example, a great partner of ours in VirusTotal, you know, to be able to come to quite a sensible decision without necessarily saying, well, this binary.
A
Hello, Computer God. Yes, exactly, Computer God. Tell me. Yeah, what's really funny, what's really funny about this is I remember like we had this conversation quite literally, not on the podcast, but quite literally years ago about. Well, if you wanted to, you could plumb this through to like VT and set sort of whatever threshold is right for that organization, which is if any engine via VirusTotal thinks that this thing looks bad, just don't run it right, or you could throw it in a sandbox and whatever. And what was interesting about that discussion as a thought experiment back then was you're actually removing the decision logic about whether or not something executes on a host from the host and you're abstracting that out elsewhere. So basically you've got this really lightweight client on, you know, allow listing client which just says, yes, no, this thing can run or not, but it actually offloads the decision elsewhere. Which is an interesting change to the way that we've done anti malware. Right. So, yeah, I mean, who's, who's embracing this? Like what sort of customers are turning that on? Well, I guess it's not out yet. Right. So you don't know.
B
Yeah, it's not out yet. However, I think the thing is, what we've done, well as a product, we've built a great framework to make decisions. We've brought in, here's all your data. You sort of choose your path. But I think the power is in saying, hey, based on this environmental information and bringing it together and stack ranking those recommendations, whether it's automatic or not, is really providing the customer with a guided path of saying that. Here's how you get to a point of enforcement. You know, the worst outcome for us is if a customer doesn't actually get to a point where they're locking a system in enforcement mode and they're getting the proactive protection of deny by default. So for us, in order to get that setup phase going really, really quickly by providing that sort of prioritized recommendation work list is where that power is, you know, And I think, to be honest, the majority of customers are going to end up using that system for recommendations at the very least, if not auto trust in the early stages. And then, you know, the critical thing for us is also providing visibility into what decisions are being made and why. So there is a little bit of natural language going on about why the system has chosen to make that recommendation, but not using natural language or LLMs to make that decision in the first place, if that makes sense.
C
Yeah, I'd say based on what we're building at the moment, if you looked at, you'd think it was LLM driven based on the content that's coming, the plain language that's coming back to you. But it's really a lot of decision trees and a lot of intelligence from what we've learned internally ourselves, what mistakes people make building allow lists, like making sure that you take into account LOL bins or hey, you don't want to trust PowerShell. It's a trusted process. Pretty good idea. Because it can do bad things and just layering all the stuff out of our own heads. What we know and you know, all of our customers now, what they're seeing and sort of rolling that up into sort of recommendation rules. It's all contextual, you know, and I think the big flip here as well is that, you know, we built this framework product where you can see, hey, here's all the executions. You've seen your environment now make some decisions on it, sort of. That's great. If you've got a pretty good context about, yeah, I trust these publishers and these files, it makes sense to sort of do this reconciliation. But flipping this, this flips it a little bit on its head, either in automatic or in a recommendation mode where it says based on what we've seen in your environment, these are the suggestions of what you should be adding. So it's all guides users and I think it lowers the bar a little bit for operators as well.
A
Yeah, yeah. I mean, but was there a reason that you didn't try. I guess what you're saying like both of you is like the reason you didn't use, you know, contemporary AI here is you just didn't need to. Didn't make sense.
B
I think it's, I think it's excessive because you're, look, not to say that there can't be added contextual value. And I think the contextual value from LLMs externally is what is this software? I've never seen it before, you know, like, is there data floating out there somewhere that can bring some, you know, some, some clarity?
A
Well, I know when I see a funny process somewhere, Dave, like the first thing I do is I go hit Google, you know, and like LLMs can kind of do that for you, right? Like they can go and find out other things.
B
Exactly. So I think that's the benefit there. However, because we're running on essentially closed system because we're flipping the problem, we're not trying to make trust decisions on behalf of customers. There are some other allow listing companies that are trying to do that, but that's an infinite scale problem, right, where you're making broader and broader decisions for everyone and therefore you kind of have to have that context. Whereas with a customer environment, the customer knows their own operating environment, so they automatically have a much higher threshold of I kind of know what I expect to be here or not, even if it's just an IT operator and we can making sure that we've got those suppression lists for LOL bins and other information and bringing in some static context from what we see in our environments, we can get 90, you know, 95, 97% of the way there just by taking this approach.
C
Yeah, and I think this is a building block that we'll get here, we'll feed that out there and then we'll take the learnings back as well. And you know, it's just a step on the way.
A
I'm sorry, that is corpo speak. That is forbidden on Risky Business. You are not allowed to say learnings, Daniel. The word I believe you're looking for is lessons. You learned some lessons. You didn't learn some learnings because that's not a word. But anyway.
B
And I think also we're in a period of time and this does play into our thinking a little bit where there is a lot of skepticism about AI from, you know, not, not all businesses, but just, you know, oh, there's a wide range of opinions that are out there as well. And if we can pre-process using AI models to get to some sort of static classification set and get nearly all the efficacy there without putting another "Hey, how can I help you today"
A
without putting people's allow lists in the hands of a non deterministic model, that might do something crazy.
B
Exactly.
A
Yeah, yeah, no, I get you, I get you. I feel you.
B
It's a, it's about look. But this landscape is changing very quickly and of course we're always looking for ways that we can make sure that we're giving people the greatest outcomes and you know, using the best tools for the, for the right problem, which is, I think, how we need to think about AI generally, which is like, what problem are you solving? Is this tool the best way to solve that problem? And, and you know, one day that may be. Yes.
A
Now look, another thing, you know, I've been reflecting on you guys. Like, I think you've been a sponsor of Risky Biz something like eight years. I think companies existed something like 12. One thing that's interesting is that Airlock Digital basically hasn't changed in that time. Right. So this is when, you know, you've hit an enduring control. Something that's durable is fundamentally the product hasn't changed. But where that gets interesting is that frees you up to do a lot of really fundamental engineering. So I think when you, when you look at a lot of endpoint security software, they have to chase the latest red balloon floating across the room because, you know, they've got these big sort of threat research teams and they have to look at tradecraft and build detections and whatever. Default deny, allow listing, not really like that, you don't have to play that game. And you could just look at core engineering. Now, one of the things that you've built is this assembly reflection feature which we did speak about on a previous show. But these are these deep sort of features that when the tradecraft evolves enough, they actually wind up being extremely handy. Daniel, did you preempt the attacker behavior by building, like, what prompted you to do the work, the engineering work on that feature in the first place?
C
Yeah, I think what we really, at that time, I guess at the end of the day what we're trying to do is stop code execution. So if there's a way that attackers can execute code that is sort of out of scope for us, it really becomes a giant hole in the solution. So at that time, I guess when your PowerShell reflection was sort of a new technique or was sort of in the news and customers were asking about it and ourselves internally were trying and we're like, oh, we got a bit of a gap here. So we put in a lot of work to build this feature. But as long as we cover again all these hook points for execution, then it will be effective regardless of for any tradecraft that uses that type of execution. So what we're seeing here is another example, good one would be browser session control. You know that we're now seeing that as a form of execution. So we want to make sure we add visibility into that space. And what's been really, I guess what I've been learning the last couple of years or even the last couple of months is although we built this great security framework which does things like blocks ClickOnce, it blocks VSTO add-ins and all these other things over time where we go, oh, Airlock already blocks this. That's a great surprise. Now we need to really sort of start communicating to our customers and the market. Like, hey, it turns out that all these things you're seeing, we can actually control that. And rather than making it maybe like an advanced block listing rule or an advanced allow listing capability, so build some UIs that go, hey, here's the ClickOnce UI builder and where you can make rules based on the different sort of capabilities, but the fact that we've got that ground floor in place and it's so sturdy and can just see everything, it just, you know, we're not scrambling after attacks.
A
Yeah, I mean, this is what came up last, last time we spoke, right. When you were talking about these ClickOnce. These are these, you know, I think Adam and I spoke about, I don't know if that was on the show or not, but I was just like, I remember talking to Adam about, I'm just like, my God, these ClickOnce things like, you know, Microsoft brainwave of like these packaged applications anyway. But basically Microsoft has a way for you to package up these applications which will sideload stuff. You would do all sorts of weird crap which just doesn't make any sense. And obviously attackers have figured that out. And yeah, this was a problem, wasn't it? Yeah, you actually had a customer reach out to you and go, can you build something to take care of this? You were like, well we already have something that takes care of that. So I mean, how do you go about like what, what, what's the thinking about how you can begin to communicate that to your customers? Because you know you can't put it front and center in the console because that's just going to get annoying. Like you put it in an email, people are going to ignore it. Like what's, what's the approach there?
C
Yeah, I think it's maybe not front and center on the console, but I think it sort of moves into like, you know, attack surface hardening or something. Attack surface reduction. So like where you can build a simple way to build the rules. I guess I don't want our users to have to go make this logic tree of detection and prevention to make this custom crafted block list because they're only going to be able to do that once they know the knowledge about that exact thing. So I'd like to sort of like maybe front end it a little bit, but it just sort of moves into that sort of hardening space. Or if this keyword comes up where someone's like what are we doing about ClickOnce or that's what trade. Then you go, oh, we know Airlock covers that. At least educating that there's something we can do about it. And that Airlock, you know, they can link that together that they might have an existing control in place.
A
Have you had to resist the temptation to build detections into the product to say, well there's been some execution events here that we think are bad and you should probably have some rules around them, Dave, like you've got face, like
C
you have opinions there.
B
No, I don't think so. I think what we've been pulled in is ways that we can cut to the foundations of, of what made the attack work. So the more interesting thing when we look at attack trees on a particular piece of security research is not about the end of the tree, about what it results in, in catching that. It's about what interesting techniques are actually used along the way that we can actually prevent or take out. So you know, using, you know, catching assembly reflection, which is what we're talking about, you know, MSBuild, taking that off the table so attackers can't compile, you know, .NET projects on the fly and get an executable directly in memory, you know, and making that sort of point and click available. So we're getting rid of classes of attacks rather than just focusing on the, the code or the outcome or how they got there. So it's just taking tooling off the table and as Daniel said, in hardening, so it's focusing on those pieces, how we break the chain rather than catch it at the end.
C
Yeah, and what's been interesting, and I'm sure we've said this before in the past, is like when you look at modern attacker tradecraft, it's very complex. Like they'll drop a W VB script that makes a batch file that drops a DLL which calls an exe and does this downloader, there's so many components and they're trying to get around these static behavioral detections, trying to find a way through the machine that won't trigger like an EDR detection, when for us it's just 20 more cases of code execution that gives more opportunity to stop it along the path.
A
Now look, I'm privy I guess a little to how well things are going for Airlock and they are going extremely well. I guess the question is you still don't seem to have much competition in the market. There's one that I can think about that's quite obvious, but the reason I'm not naming them is because I don't think their technology is actually very good. I think that they've made some very weird decisions actually in the way that their product works. So I don't want to just be seen trashing, trash talking them. But apart from them, and you know who I mean, them, there's not really, it doesn't seem to be anybody else out there. Like why is that, Dave? Like why is it that still 12 years later, you know, and you guys are like making terrific headway in the market. Why is no one else out there doing this?
B
The majority of the security industry sells a product, whereas we sell a product that allows you to implement a strategy inside your business. And all too often I think the security industry comes up with a solution and says, hey, just install this, you'll be fine. Whereas for us, it's not just about installation, it's about management, it's about life cycle. And that's what we are focused on solving. And I think that at first glance it's not the easiest path as compared to installing an antivirus or installing an EDR. That's the, the tooling is there. However, I think that as the threat
A
lands, I don't know, man, like, I think installing and correctly configuring an EDR versus installing and correctly configuring Airlock, I mean, your stuff might be easier.
B
In fact, well, it cuts off a whole class of other surrounding challenges that you may have in terms of, well, you know, if you're preventing, then you don't really have much to respond to on the other end. So we're cutting out a lot of, of sort of adjacent work. But you know, I think that also there's. Everyone's heard of deny by default, everyone's heard of allow listing, but there's still a level of skepticism there as to the operational, not the efficacy, but the ability to operationalize it within a business. And I think one thing that's been working great for us is just rather than saying, hey, we make this easy is demonstrating that through, you know, great, you know, actual customer deployments and references as still our greatest source of business. But you know, I think that the market is now ready to start looking at this approach and that is, you know, the last 12 months has been extremely busy as a result.
A
So I mean, what I heard there is our approach is too nerdy.
B
Yeah, because, and look, to be honest, I think that's something that we've struggled with a little bit, which is C suite messaging. It's how do you turn up with a board? Because we're not just selling security, we're selling an endpoint strategy, which is often a subset of endpoint. So it's sort of like how about we do this particular subsection of this sub industry on our endpoints. It's extremely effective. And that's something that we're really starting to make sure that we're resonating as we continue to grow the business. But we've got a way to go on it.
A
I guess I just do wonder why it is that you get the whole thing to yourself. I mean, hey, it's great. Good to be you. It's great to be you.
C
Yeah. I think at the end of the day it's the fact we have agents across Windows from XP onwards, old versions of Linux across Mac, maintaining these, you know, caring about all the different code executions. Like, we've been like, like I said, like, we've been building this for a very long time. It's actually pretty hard. You can't just vibe code this up, you know, that you're doing. And there's a huge part also on performance and architecture as well, where how much memory do you use, how much load? It's unacceptable to put this much IOPS on a VDI host. And these are all journeys or challenges that we've sort of gone through maybe six, seven years ago on this one particular customer. But that's all been building on building and lessons learned that we got to that point where now we're like again, this sort of solid, lightweight found framework that we've built all this on. But I think just for someone else to build that framework, it's very hard. And there are new, smaller competitors coming to market, but they're really focused just on one operating system or they're focused on just block listing, even though they're saying they're doing app control. You know, there's a lot of mixed messaging from PAM vendors and you know, just the market in general as well about who does what.
A
That's always been something that's driven you spare is the PAM people saying, yes, we can do allow listing as well? It's like, no, you do PAM.
B
Well, I think that's, that's the point to your. This is a nerdy problem, which is you can block an executable and you can say, look, we stopped the app, but if you look at how attack
A
is run, but you can block an executable properly.
B
Yeah, well, yeah, and plus any associated libraries, the reflection techniques, you know, anything.
A
You could block execution properly.
B
Execution, yes, that's a better way to look at it.
A
But yeah, well, now. And now too. Like, I think the other thing that's happening with you guys at the moment is you guys are working very much on like integrating with all of the other stuff around the enterprise that you might find, for example, in a society. Right. Like this is. This is a big area of work for you right now.
B
Yeah, we, we talk a lot about how, you know, we're. The primary thing that we solve is a process problem when it comes to allow listing, which is how do you get the right, you know, the right trust the right people at the right time without impacting the productivity of the business. But in order to do that and being generally focused on really a point solution space in the market, we need to make sure that we're playing nicely and integrating well with all of the tools that are around us. So you know, if you want to approve something, well, we've got to bring those decisions into your workflow, be that Microsoft Teams or Slack or ServiceNow, you know, if you need to issue an exception for someone, we need to bring that to you. Because I'm, you know, totally understand why people don't need to go, I need to approve that. I need to go over to the console and you know, this is about driving a process through an organization and weaving it in amongst the business tooling. So there's a massive focus for us, you know, over the next three months and has been in order to integrate with all of these other productivity platforms. And I think that's what's been interesting. It's not other security tools, it's business productivity and workflow tools which is the biggest enabler.
A
I mean everyone starts off building their security startup to tackle Chinese APTs and make the Ministry of State Security cry and it always ends with like we're writing a ServiceNow integration. This is how it goes.
B
I mean it's true, but it's where we're at now and it's orchestrating business workflows and it's an exciting time. And I think that the more accessible, the easier that we make allow listing, the more adoption. I really think every release we're just getting started.
A
How much has it changed though? When you pitch Airlock now, when you pitch allow listing, like is that a lighter lift than it used to be?
C
For me it definitely is. It used to be converting the haters or it was just like that's impossible or you can only do it on ATMs and static kiosks. That was sort of the legacy we inherited and I guess why we exist as a company as well. And I think now and thanks a lot to compliance standards, people haven't had a choice and they've had to implement these things in certain places.
A
Great way to get a sale
C
and because of that now. But at the end of the day it worked and I think that's helped a lot. And now a lot of it is when we sort of come or when I come across someone who's like, well that will never work. I'll ask them, well, when's the last time you tried? What did you try with? And can you explain how we've got customers with 200,000 endpoints under management and full enforcement in end user computing dynamic environments and then just talk about our successes. That's the best way I think often to convince people that maybe I should have a look at this or something. Something different going on.
B
One of the best conversations that I've had was actually someone that came to our booth and I was sort of geeing this up a bit, but he's like, I got AppLocker to work. And then we went into all the different mechanisms about how he actually made that possible. Because there's only been a few other people that I've actually run into, which is surprising, that have really gone to the nth degree to try and process drive, you know, that technology. So, you know, he was definitely a believer in that. But, you know, eventually came back around with some interest as well a few years later being like, yeah, I remember that. So it's, you know, I think that there's better awareness than there's ever been out there about deny by default in general. And, you know, it's also great to have a competitor, I should say, that is helping prove out, you know, this is a market. You never want to be the only one that's in space. So, you know, and I think it drives me crazy how the nomenclature of zero trust has morphed over the many years. But, you know, I think it's a pretty common term that people resonate with and the concept is simple and I think, you know, better at explaining it as well.
A
All right, we're going to wrap it up there. Dave Cottingham, Daniel Schell, thank you so much for joining me to discuss, I guess, what's been up with Airlock Digital lately. Great to see you both.
B
Thanks so much, Patrick.
C
Thanks, Patrick.
Date: March 12, 2026
Host: Patrick Gray
Guests: Dave Cottingham (Chief Product Officer & Co-founder, Airlock Digital), Daniel Schell (CTO & Co-founder, Airlock Digital)
Theme: The modern resurgence and evolution of application allowlisting, Airlock Digital’s engineering and strategy, and why allowlisting is finally being widely adopted in enterprise security.
In this sponsored “Soap Box” edition of Risky Business, Patrick Gray is joined by Dave Cottingham and Daniel Schell, co-founders of Airlock Digital, to dive deep into the renaissance of allowlisting as a core security control. The conversation ranges from debates about the role of AI in allowlisting, to the company’s product philosophy, to why truly effective allowlisting remains difficult—and rare. The episode highlights how Airlock Digital’s engineering-first approach is responding to evolving attacker techniques and what has changed (and what hasn’t) in how organizations talk about and implement deny-by-default strategies.
AI Not Always the Right Fit
Why Not AI?
Guided Recommendations vs. Full Automation
Notable Exchange: Tone & Humor
Unchanging, Enduring Controls
Deep Engineering Features
Communication Challenge
Lack of Serious Competition
Technical Difficulty
Market Education Hurdles
Integration into Business Workflows
Pitch Has Gotten Easier
Product Focus and Leadership Change (01:32)
On Non-Deterministic AI (03:56 - 04:44)
On Lowering the Bar for Operations (07:09)
On “Learnings” vs. “Lessons” (10:11)
Engineering for Durability (12:47)
True Market Differentiation (18:40)
Technical Challenge (21:09)
Allowlisting’s Boring but Critical Role (24:11)
This episode is a candid, technically rich exploration of application allowlisting’s long road to mainstream enterprise acceptance. The Airlock founders share hard-won engineering insights, clarify industry misconceptions, and demonstrate why “deny by default” is enjoying a renaissance—offering a rare look at how enduring, effective security controls evolve over time. The conversation is as much about product philosophy and operational challenges as it is about technical accomplishment, making it a valuable listen (or read!) for security practitioners and strategists alike.