
A
You're listening to the Cyberwire Network, powered by N2K.
B
Welcome to Threat Vector, the Palo Alto Networks podcast, where we discuss pressing cybersecurity threats and resilience and uncover insights into the latest industry trends. I'm your host, David Moulton, Senior Director of Thought Leadership for Unit 42.
A
The challenge here is one angle is again, one can question that why is it any different than shadow IT? We have not solved that problem. Then we came to shadow AI. We have not solved that problem. But with shadow IT, at least there is one angle is there is at least a human involved where that person was either using unapproved apps or downloading something that you have a way to manage or hold that person accountable. But when you go into agent report like somebody now has gone and enabled, let's say, multiple agents on a platform like Salesforce, that person leaves the company, who owns them? And how do we know that this agent is making the right decision?
B
Today I'm speaking with Jafun Sapati, SVP, Chief Information Security Officer of Medallia. Jafun leads Medallia's global security strategy, driving transformation across product, infrastructure and corporate environments. With over two decades of experience in product security, risk management and engineering led innovation, today we're going to talk about secure browsers, workforce security, and how organizations can protect data while enabling productivity in a cloud first hybrid work world.
Jafun, under your leadership, Medallia has helped global organizations navigate a really complex intersection of cloud, AI, application modernization and cybersecurity. I'm wondering how do you balance those areas and then your clients are your customers business priorities?
A
Yeah, I think the way we prioritize is by basically going back to some ground rules or first principles that we say, right, so what's the main objective of a security team or a cyber security team? Why do we exist? The first thing is empowering or enabling businesses to run their business smoothly, securely, safely. Right. So how do, how does that work? So that's one of the key objectives that I set with my team. So one of the things that we have done is after I joined here, is identifying or determining what are some of the key priorities that we are going to focus. So how do you determine those priorities? So we take two major items into consideration. One is business objectives. What is business wanting to do, what products they are shipping for our external customers, what products or services like SaaS, apps that our enterprise is adopting to increase productivity. That's like business drivers internally or externally. Second thing is risk. What are some of the major risks that are out there in our environment? And which one we should prioritize and why in general, you want to prioritize based on the most critical ones that you can address. So those two drive our prioritization. So for example, if we are now building AI apps and services for our external customers, we want to make sure that this is going through the right scrutiny, this is meeting the right security guidelines or the certification needs. So for that, what do we need to do, what kind of tooling we need to bring in, what kind of processes or how do we need to evolve the existing processes that can adopt these new use cases? Same thing internally. Like for example, IT wants to roll out Google Gemini or ChatGPT or GitHub Copilot. These are all brand new use cases. So how do you drive that? So those are primarily how I see defining some of the themes which has helped us define our priorities.
B
So I was reading in the State of Workforce Security report that I think it was 42% of employees are expected to remain remote. And I'm curious how Medallia adapts its security model in that reality.
A
Yeah, so Medallia has been a remote first company for a very long time and we are still a hybrid work environment. So we fully support people working remotely and we are a company of about 2,000 people and we are spread across multiple countries.
Again, going back to the same principle of ensuring that Medallians get the right tools, products and services that they need so that they can do their job right. So instead of forcing them to come to an office, what we do is we identify what are some of the key use cases, key challenges they face. So for example, we want to make sure they're using Medallia laptops. Right. Medallia-provided endpoints. So how do we protect that endpoint so that whether they work remotely or in office, we have the right visibility, right protection on that. There are certain use cases. For example, some of our employees interact with customer data directly. So just having an endpoint would not solve that problem because we need additional controls so that we can earn customer trust. So what kind of tools can we introduce there? So this is where the innovation angle comes. For example, Prisma Access browser is helping us there. Right. So again, working backward from our employees' needs, their location, their current situation on whether they are working remotely or in office, whether they are full time or contingent workers, what are their roles and responsibilities? High privilege users versus regular users. Using that angle. Again, business need and security risks will drive our current posture. So again, we can go into specifics, but this is the primary driver which determines how do we support them while supporting this hybrid work environment.
B
Well, earlier you talked about some of the LLMs that are out there and then mentioned a number of different tools that different employees need. And I really like how you start with the end user, the employee, and then work backwards into what the experience is going to need to stay secure and earn that customer trust, depending on the role.
And just today a cohort of mine was talking about are we going to use something, is it blocked? How do we go about having the productivity we want? The report was very clear that blocking access to some of the bring your own devices has a detrimental effect on productivity.
A
Yeah.
B
And you mentioned, you know, you want to issue a device and make sure that you've got an endpoint control on it. But how do you go about ensuring strong security for those employees that want to bring their own device without absolutely frustrating users or you know, turning them into folks that are clever in their way of getting around the security that you provide. And what you're really trying to do is protect them. You know, what does it look like to get them to adopt what you're doing?
A
Yeah. So I think first of all what we have done is identifying what are our critical infrastructure, critical systems and defining policies around it. For example, bring your own device and access GitHub, is that necessary? Probably not.
Accessing production environment from your device? Probably not. You would not do that. So if you look at it so instead of going and setting a policy or principle saying all your or bring your devices are not allowed, that would be a major hindrance to productivity because if you really look at it, depending on the org, a good solid 70 to 80% of the time they spend on their time on mostly SaaS or browser specific apps and services. Right. So how do we make sure we secure that when they are accessing those services from their devices? So what we have done is maybe segment some of our critical assets from not so critical assets like production from corporate enforcing VPN when you're accessing those strong or extremely critical systems and that you have to use Medallia provided laptop to do that. But if you're accessing Slack, email, documentation or some of these SaaS apps, you can access that from your devices because we are providing some additional controls on your endpoints like either a browser or deeper monitoring on some of these SaaS services. So that has helped us meet user experience needs that our employees have while also having the right controls in place.
B
So it's that flexibility and then as you're looking at something that's going to have a critical impact if there's a problem that's more locked down. Some of these other spaces that allow you to have communication, we'll pick on Slack for a second. That may end up being a space where monitoring is enough. But I can bring my own phone or I could bring a device that makes sense for me to be able to flex where and when I work. So really similar to what I see here at Palo Alto Networks with how there are certain things only going to work on a device that's shipped from our IT team and then other things. As long as we're willing to bring in a little bit of responsibility and control, we can get that flexibility we need. That works out really well to have that balance.
Let's shift to talking about GenAI. I know you'll be shocked and maybe some of those SaaS apps and the browser based workflows. This is a conversation that has come up over and over and I'm more and more surprised about how often work gets done in the browser as opposed to in the application. Can you talk to me about the best practices that you'll have for maintaining visibility and control over browser based activity?
A
Yeah, I think the I would say the top of that list is adopting an enterprise browser in the first place. So I've done that here. I've done that in the previous company Snowflake as well where we use enterprise browser. It is not fully enrolled, sorry enforced here at Medallia just yet. But we are in that journey right? So first thing is have an enterprise browser or basically the first big strategic goal that I would say to enterprises to take is manage your browsers. The way you want to manage your browsers is first go use an enterprise browser which would help you manage all critical apps going through, let's say some sort of single sign on or IDP enforced through that browser so you don't have to deal with patching or updates for those browsers. You can set policies. So managed browsers or enterprise browser is one top of the list. Second one is I have been with companies where we don't prevent people from not bringing their own device or not using company provided devices for reasonable personal usage. So we have not enforced a rule saying enterprise browser is the only thing that you can use. But we also don't want to say you can use 20 other different types of browsers. So manage the non enterprise or non secure browsers in this case two or three. That is the second one. How do you manage unmanaged or somewhat consumer browsers like Chrome or Safari or Firefox have a plan for that. Manage extensions. Do you know that how many extensions are being used by employees within your company? If it is an enterprise or secure browser you can absolutely manage that effectively because that's coming from IT. But if it is a consumer grade browser, you have to have mechanisms to manage that. So that is the third thing that we have done enforcing single sign on something that we have done. So if you want to procure any service and you want to access, you have to go through that single sign on and then we enforce enterprise browser on top of it. So you can do that.
The other best practices, if you're using some sort of endpoint protection solution, then having the visibility and setting policies right, like for example what URLs can you visit, what systems you can access. Somewhat like a zero trust architecture in place where you want to validate the user location, user behavior purpose before granting access to some of those critical resources. So those are few things that I would recommend.
B
So let's, let's shift to the GenAI tools because this is one that over and over when I get feedback for the show I'm hearing about a lot of times you have really limited oversight into how employees are interacting with the GenAI tools. And I'm curious, what risk do you see emerging from this lack of visibility?
A
Yeah, I think one of the biggest challenges that we are facing with this GenAI tools first of all the risk posture is constantly shifting because the capabilities or use cases that are coming is constantly evolving. Right. You know, every month we see a new scenario, new use case with this GenAI or AI tools, right. So the first thing the challenges that we see is in general GenAI tools or agentic AI is now have the capability, even if human in the loop to reason and also make decisions to call different tools. Right. The tool calling that it can do. So the biggest risk that I see is some of the biggest risks that I see is again customer data or employee data being used by tools that it was not meant to be used. For example, if let's say we are using Google Workspace and we suddenly roll out Gemini. There are so many capabilities that come in Gemini every day or every week, every month. It's very difficult to stay on top of it. We might have only vetted the use case where somebody just you know a Google Workspace and ask for summarization or email summarization. But what happens if there is a new GenAI capability which generates video based on your campaigning email and there you go. So these are all the new use cases. So one of the biggest challenges is that the unknown or the new use cases that we are seeing and security teams are still playing catch up in regards to what should be the policy, what should be allowed, what should not be allowed, how do we get the visibility of their activity? So we have implemented certain mechanisms and Palo Alto Networks Prisma Access browser is SASE solution is helping. So at least getting a visibility of what sort of those GenAI apps or AI apps that our employees are using. But what are some of the high level activities that they are doing? But we are still early in that journey.
B
How do you see the convergence between a secure browsing environment and SASE helping organizations close some of those gaps that you're talking about?
A
Yeah, I see these are very complementary.
Browser or secure browser is more like the. More like the endpoint or the interface between a user and browser based apps and services. SASE I feel like is the more like the backend engine or the data layer security data lake layer, which can comprehend data from multiple sources about an enterprise, especially about user activities, the systems, the access policies, the separation between, let's say production and enterprise. Crown jewel, non crown jewel. So you can use that data to set policies for users when they are operating in the browser. So for example, if suddenly we get to see certain risks or breaches from certain environment or certain geos that SASE should be able to inform and we can set certain policies, access policies within the browser. So maybe users using that browser from a certain location are prevented from downloading files versus copying files. Now let's say we're also using not just full time employees, but contingent workers. And we want separate policies for contingent workers because we don't provide them a laptop that they work on. Right? Like for example, if an endpoint detects malware or vulnerabilities on an endpoint, then we can set certain policies that hey, this endpoint device where the browser is running doesn't meet the security posture that we expect from our endpoint. So the policy changes, right. So you can enforce the employees to either patch, update, upgrade your browser, things like that. So I see these are extremely complementary in regards to implementing a controlled environment while not disrupting user experience.
B
So let's talk about some of the persistent threats that are out there with Unit 42. We're always reporting on things like phishing and malware, BEC, credential theft in our research and in our threat articles, and I'm sure you're seeing some of the same problems. How do you protect your users from phishing, from credential theft, from malware that target the browser layer?
A
Yeah, I think you talked those three are the top three reasons for any breaches. I mean we talk about GenAI specific risks or all the modern threat vectors that we are seeing. But many times if you look at the breaches or recent major issues like just talk about npm, that happened two days ago, Right. If you look at it, the root cause of that is actually an account compromise through a phishing attack, right? Yes, somebody got into that account and that resulted in introducing malware. But not necessarily there was any bug in npm. Right. So we are still dealing with those basic issues in regards to having a strong phishing resistant system, managing credentials and fixing vulnerabilities. So specifically in the context of browser, what we have done is first of all enforcing strong MFA and strong authentication. Right. So you definitely want to have MFA in place, but not just any MFA. Want to have some sort of FIDO2 based strong MFA in place which reduces your man in the middle or phishing attack vector quite a bit. That is one. So we want to make sure that that's happening through the browser first thing that we do. Secondly, managing browsers, as I said, whether it is enterprise browser or non enterprise browser, you need to manage that. And we know for a fact that we somehow take managing endpoint is more important than managing browsers. But 85% of your employees' time is spent on the browser. So we need to treat that browser as a completely separate endpoint and manage it effectively. What does that mean? It is patched, it is updated, extensions are fully controlled. You don't want people willy nilly add any number of extensions that you want. Extensions are another major source of introducing malware into the system. Right. And lastly credential manage your credentials have the right credential or so, no? Yeah, credential detection tools in place which would help detect them in the first place. So these are some of the preventive controls that we have in place in addition to obviously threat intel or detection capabilities to you know, see what's out there in the dark web. In regards to for example credentials and things like that. That is just controls.
In addition to that, we run campaigns internally to detect how prepared our workforce is, for example against phishing or any sort of attack. And lastly training, I would say continuous training is something that we have done.
B
Let's talk about how to balance security and user experience. At the beginning of our conversation I ask you if looking back you're realizing the solutions you built were maybe a headache for the folks in security. And that's a bit of a confession, right? Because I look back and think about the times that I leaned into building software or experiences that would delight someone. And a lot of times it was removing friction at any cost and not necessarily thinking through like, well, it might delight you the first time, but when it's immediately hacked or it's a, it's a type of experience that makes it easy to get into your bank account for anyone. That's not a great experience in the totality of things. So I want to get into this area. I'm personally interested in it. And I'm curious what your criteria is when you're evaluating tools that aim to secure work but not degrade productivity or that overall user experience.
A
Yeah, that's extremely important. In fact, I would say security teams need to start there and believe it or not, in general that's the case. But we fail to highlight that point. We only talk about the security language. We means the. I'm talking about in general, security teams and cybersecurity teams like to sell with the angle of risk and how their proposal or how the solutions or the tools can solve that risk, which in general is not very exciting for everybody in the company. Right. So I think we need to absolutely highlight the user experience benefits that we will get. And anytime I am talking to a tool or a vendor, a tool owner or a vendor, that is one of the key element, like how does it enhance. I'm not even saying it should not degrade. My ask is it should enhance user experience. Secondly, operational overhead or the productivity hit that it's going to have both on the team who is going to own it, manage it, and both on the teams or the users who are going to use it. Let me give you an example. Like, you know, we talk about strong authentication or strong MFA. So one of the things I've done in the past is enforcing some sort of FIDO2 based or biometrics based multifactor authentication. Right. So in general companies do have MFA in place, but that's more like a push based notification. Right. So you need your phone, you get something like an Okta Verify or something, then you go do that, but you completely replace that with something which is biometrics based. These days all the laptops, Macs or Windows they do come up with come with hardware already installed in it. So why not leverage that? So when you go and tell that story to the user base saying, hey, we are introducing a new way to do MFA where you would not need that second device, all you need is the same device and you don't need to change your password 90 days or 6 months. Rather we will let you rotate it every year or maybe never because we are going passwordless.
And in return you ask for them to go through that activation one more time. I don't think they will push back. They said, okay, this is really helping. But you are presenting to them where you are saying not, they don't need to know why you are introducing from the security side. I'm introducing that because I want to reduce the man in the middle likelihood attack vector or the phishing or I want to build phishing resistance system. They don't need to know that. Right. They are basically more interested in how their UX is getting better so they will support that. Same thing. On when you are talking about enterprise browser, I think I have done that now a couple of times so I know some of the challenges that you're going to face. Forget about just rolling it out. When you enforce, you tell the world that, hey, you must use this new enterprise browser for all your work related activities. Immediate question comes why do we need to do that? Because there are already consumer browsers like Chrome and others which are used by billions of users. So how do you convince them to move from that to something which is completely new? Right. So you highlight what are some of the challenges and you reduce the burden on them. Like today, if somebody is using a Chrome browser or a Firefox or Safari, unless IT is managing that effectively, we rely on users to update that, patch that and things like that. Right. You take that completely away from them. As in you don't have to do anything about it and your experience with browser doesn't change because this is built on the same Chrome engine or something like that. So you are basically highlighting user experience. So user experience is extremely important. You will not succeed. And user experience or developer experience similarly, if you're introducing new tools in development too. Right. So user experience, developer experience is extremely important if you want to succeed in changing process, mechanism, behavior, practices by introducing new tools.
B
Let's look to the future a little bit. What's the biggest cybersecurity challenge in securing the modern workforce that you see over, say the next year or two?
A
Yeah, I think some of the basics unfortunately continue to stay the same. So I'll not go through that. Like credentials continue to get leaked, vulnerabilities continue to remain in our environment, phishing continues to be one of the top reasons for breaches. So we're all evolving there. That's a journey Depending on company's maturity depends on their ability to defend against those threat vectors. But I think the biggest one that I see right now is basically the adoption of agents or AI agents or workflows, both in corporate and sorry, enterprise as well as products that we are building. The challenge here is one angle is again one can question that why is it any different than shadow IT? We have not solved that problem. Then we came to shadow AI. We have not solved that problem. But with shadow IT, at least there is one angle is there is at least a human involved where that person was either using unapproved apps or downloading something that you have a way to manage or hold that person accountable. But when you go into agent equal, like somebody now has gone and enabled, let's say multiple agents on a platform like Salesforce, that person leaves the company. How do I know those agents are. Who owns them after that person?
B
Great question, right?
A
Yeah. Who owns them and how do we know that this agent is making the right decision? I know many frameworks are coming up, many tools are coming up to.
B
But.
A
I feel like the use cases or the innovation that is happening in that space or what these agents can do is far outpacing than what tools we're building to defend against those threat vectors. So that's to me is going to get worse as I see, at least in the short term before we figure out how to contain it.
B
If you could speak directly to your counterparts in roles like yours, what's the one shift in thinking that security needs to make in preparing for what's next?
A
Yeah, I think we need to take a step back at times and question some of the existing processes that we have built. Is this scaling to new world of AI or adoption of it is what I would say. Look at your current vendor risk assessment process. So is it scaling? Is it moving fast enough? Are we looking at the right things? We probably need to drop or stop doing certain things. Like you know, when we talk about, let's say application development, we say we want to put the right SSDLC in place, but the processes are extremely slow in comparison to what teams are building. Right. If your 60% of your code is getting generated by GitHub Copilot and you are doing a threat modeling exercise, it's just too slow. There is no way you can do that. Right. So the way I would say is we need to take a step back and see the existing processes. How do we either not do it or do it completely differently? And I would heavily lean on the new innovation, especially in the AI space that is happening, the tools that are coming to tackle that challenge. So that's the shift that all of us need to do is what I would call.
B
I think that's really well put. We're not looking at a marginal or percent change as we look at this, especially the agent space. It's going to be significantly different. And to think that we can just move faster and follow the same policies, follow the same thinking and not innovate alongside some of the innovation that's going on in the AI space is wild thinking to me. So great advice. Jafun, thanks for the conversation today. I really appreciate you sharing some of your insights on secure browsers and then digging into what it looks like to have a great user experience from those that you spend your time protecting and thinking about. You know, how do you keep us from clicking on the wrong thing, opening up the wrong thing, putting the business or their customers at risk? You know, it's really important work to secure the modern workforce.
A
Yeah, absolutely. Thank you, David for this conversation. It was fun.
B
That's it for today. If you like what you've heard, please subscribe wherever you listen and leave us a review on Apple Podcasts or Spotify. If you want to reach out to me about the show, email me at threatvector@paloaltonetworks.com. I want to thank our executive producer, Michael Heller, our content and production teams, which include Kenny Miller, Joe Bacore and Virginia Tran. Original music and mix by Elliot Peltzman. We'll be back next week. Until then, stay secure, stay vigilant. Goodbye for now.
Podcast: Threat Vector by Palo Alto Networks
Host: David Moulton (B)
Guest: Jafun Sapati (A), SVP & CISO, Medallia
Release Date: December 4, 2025
This episode dives into modern workforce cybersecurity, focusing on strategies to secure hybrid and remote workers, best practices around browser-based workflows, the challenges and risks of generative AI (GenAI) adoption, and how to balance security with user experience. Medallia’s CISO, Jafun Sapati, shares actionable lessons from the frontlines of defending a global, cloud-first workforce, including insights on secure browsers, SASE, and organizational approaches to persistent threats like phishing and credential theft.
| Segment | Timestamp |
| --- | --- |
| Medallia’s security priorities | 02:27–04:35 |
| Adapting security model for remote/hybrid workforce | 04:53–06:48 |
| Pragmatic BYOD security approach | 07:35–09:47 |
| Managing browsers and browser-based workflows | 10:45–14:42 |
| Risks in GenAI/agent use and lack of visibility | 14:42–17:12 |
| SASE and secure browser integration | 17:12–19:29 |
| Defending against phishing, credential theft, malware | 19:29–22:46 |
| Balancing security and user experience | 22:46–27:46 |
| Anticipated future challenges with agent-based tools | 27:46–30:02 |
| Advice for security leaders on adapting processes | 30:02–31:36 |
This episode provides a comprehensive look at how security leaders like Medallia’s CISO are rebuilding their playbooks for the realities of remote/hybrid work, SaaS-first workflows, and a GenAI-enabled world. Key themes include managing and securing browsers as primary endpoints, enabling flexibility without losing control, adapting to perpetual change in AI, and putting user experience front and center in all security initiatives. The conversation closes with an urgent call for security teams to ruthlessly rethink legacy processes to keep pace with the scale and speed of change.