A
You're listening to the Cyberwire Network, powered by N2K.
B
Welcome to Threat Vector, the Palo Alto Networks podcast, where we discuss pressing cybersecurity threats and resilience and uncover insights into the latest industry trends. I'm your host, David Moulton, Senior Director of Thought Leadership for Unit 42.
A
There is huge importance in looking at things across the board. The most visibility you can, shifting left with everything you can to reduce the risk for that, for that environment, but also being able to protect on the right and prevent from bad things from happening. That holistic view is crucial for proper security strategy for any company.
B
You know, the word proactive gets thrown around a lot in security, but what does it actually mean when you're dealing with cloud environments that change by the hour, AI that accelerates both innovation and attack speed, and teams stretched thinner than ever? In this episode, I had a chance to sit with Elad Karan, a security leader who spends every day bridging the gap between engineering realities and customer challenges. We talk about why reactive models can't keep up with modern complexity, how to unify peacetime and wartime security, and what it takes to shift left in a way that truly empowers developers. Elad brings a pragmatic view rooted in what's really happening inside organizations today. And we explore how proactive security isn't just about prevention, it's about acceleration. So if you've ever wondered how to get ahead of the next threat instead of chasing the last one, this conversation's for you. Welcome to Threat Vector. I've been looking forward to this conversation. We've struggled to get this one recorded as our schedules keep passing each other, but you made time today. Thanks for coming on the podcast.
A
Oh, thank you, David. I was really looking forward to this one and I was really making the time today because I think this is an important piece that all of our listeners should hear.
B
Elad, let's start with this question of urgency. Why is the current threat landscape making reactive security models increasingly less effective?
A
So there's an interesting paradigm that's been going around for a while: if you have your environment properly configured, posture and hygiene, you'll be good. But this is not true. And we are seeing that becoming more and more complex, right? The cloud is becoming more and more complex, with more services added almost on a daily basis by cloud service providers. It's their way of making money. It's just the way the world works, right? Capitalism. The problem is that it adds complexity. And as it adds complexity, I haven't found a single organization that was able to maintain this amazing posture, and even if they could achieve it, maintaining it for a while is impossible. And add to that the fact that there's someone on the other side constantly working to identify those gaps, those zero days, really any potential exploit, to be able to then leverage that to steal data, to create potential damage. And when you add those together, you identify that the threat that we have now is real. It's real and it's becoming more and more real. And more sensitive data is going to the cloud, because the cloud makes it much more available and easy and approachable, accessible. At the end, what you get is: risk is higher, availability of attack surface to attackers is higher, and your level of protection is getting lower. You need better protection. This is why we've been looking at everything that led us to this point in the cloud, and we essentially got to the conclusion that you cannot just rely on that posture piece. You cannot just rely on making sure that you have everything well configured in your environment, because you can be amazing in this, but the result would still be that your data is stolen because someone got in and you missed it. You didn't have the right protection tools. That is the key to why we've been thinking about it differently, right? And I think it's highly required.
B
I totally agree. And I want to ask, you know, you're in with customers, you're talking to our engineering teams who are studying the problems that our customers face. What are some of the warning signs that a security team is really stuck in reactive mode?
A
Oh, it's a good one. The security teams have been going after the security outcomes for a while now. Many of their practices fit the old legacy technologies. And as you start seeing more and more organizations go to a more modern architecture, DevOps, cloud based, hybrid, you see the security teams are lagging now. It could have been okay if they had all the right tools for cloud and other areas, but you see how those security teams keep on trying to chase the technology of their organization, and you have two trends, again, two trends that are kind of going against each other. The business of any organization wants to move as fast as possible. Cloud is making it possible, and they're trying to adopt more technologies to move faster. But the security teams are not serving the business directly. You're seeing situations where security teams need to fight for budget, for people, and they need to prove that they need more people or more technology to address all the risks that the business is not necessarily aware of. I think that is where what needs to be kicking in is the understanding that there needs to be a change. And when you look at turnover of security teams, when you look at the size of the security team compared to the business or the size of development teams, this is where you can really identify those gaps. And this calls for a few things. Either bigger teams, which I don't think any organization wants, or more efficient tools, consolidation of tools, making sure that you're looking at things in one single pane of glass, or being able to pull information from several sources and make better decisions, more informed and more efficient decisions, and ultimately efficacy of the team, being able to take the real threats and tie them back to the original point, right? Fix them at the source.
Having all of that would make a security team go from being super reactive to chasing things, having a flood of alerts, to actually turning the tables around and then having to go proactively and say, hey, this threat that I'm seeing, I've already seen how previously when I didn't fix, created an incident that I had to run and block potentially. Now I can actually see that I can prioritize it. I think that is the way things are. They should change. And we are seeing more and more organizations that understand that, understand that this is actually driving the business forward. Less risk, more abilities, more possibilities, and ultimately better outcomes.
B
Yeah, I'm going to keep saying this because it was said by Mira a couple months ago when she was on the pod, and I fell in love with her framing that security, at least here at PAN, allows her and the CIO organization to go faster. She feels confident that security is a strong brake when something needs to stop, but it allows her to take an aggressive approach to innovation, to development, to rolling out and trying something, knowing that we're never going to go off the road, off the trail, because security is there. And I think what you're saying is, if security can move from reacting to those moments when a strong brake is needed because of innovation to one that is proactively figuring out where the curves are, where the twists are, where that risk is going to show up, that then allows the team to have a much better outcome. And maybe adding more people, that's more communication overhead, that's more training, that's division of responsibilities. At a certain point, the added capacity doesn't necessarily add better outcomes. So it's an interesting shift in your strategy and your way of thinking about how to keep an organization moving fast while also keeping it safe. Elad, in the Unit 42 Global Incident Response Report we saw that attackers are using AI. They're using AI and automation together to launch more and faster attacks, more adaptive attacks. What's the risk if defenders don't match that kind of speed?
A
I think everything leads us to where we are today and heading, right? Just go back four years, right? Covid started and we were at the point where technology pushed us so far, digitization and everything. I think what we're seeing now is that on steroids, and any organization that hasn't built the right processes in place is risking one of two things. Either being stopped by the regulator that will tell them, listen, you messed up, you outgrew your capability to protect your end users and you need to go back to the starting point and just build it all together, or face the consequences of a breach. And I think neither is a desired outcome for any organization. So the reason why, here in Palo Alto Networks, and this is why you heard Mira say that, and I love it, I think it's so true, is because we did what many organizations are expected to do. We built security into our entire processes, and we did that because we have the right tools in place. So I'll take you back just a few years. One of the things that security has always, always pushed for is to be included as soon as possible in every process of building a product, right? Every business process that leads to revenue leads to growth and success. If you add the security as soon as possible, then you can rest assured that it will not come back at the end and tell you, hey listen, you know, all of this, it's great that you got this, but you know, you have users' information out there explicitly open to attackers to grab, or a potential monetary issue because of potential mishaps on configurations in certain areas. I think what we've built now and what we have at our disposal these days is a well constructed set of tools that are fully adaptable to the operational flow of the customer. That means that they can take it and they can blend it into everything. I'll give you an example.
We did research and we identified that it takes minutes, minutes, between having a secret available in a repo in GitHub before it's harvested. It wasn't publicly available. It was out there in one of the repos, and there was somebody skimming this and taking that and trying to use that. Minutes. It took minutes to get to that point. And I think having that as part of your CI/CD process, being able to block it, being able to say, hey, I'm sorry, you cannot push it into production because you're missing a key security practice, it's something even the most outcome driven developers can relate to. They can really understand why it would be a risk. It would be a risk on them, it would be a risk on the organization. So you start there, and when you start there, you can really get to a point where you get the trust, because that's what it's all about, gaining that trust with developers that what you're doing is not slowing them down, you're actually enabling them to move faster because they have the right guardrails. And I think I'll tie it back to the beginning. Having the right processes and guardrails is what keeps organizations today able to move faster, because they know something will stop them. You can drive on the road really fast because you know you have all the right security controls in your car. You have the right guardrails, you have the airbags, you have everything you could. It's proven. It's the same with software. And I think this is where we are at this very moment.
B
Yeah, I remember talking to Nathaniel Quest on our episode back in September of '24 about this, and he talked about the honeycloud and how they put that credential out on a GitHub repo and just waited to see how long it would take. And I think off mic we were debating, how long do you think it'll take? And we were giving some guesses. And I'll be honest, I was shocked to find out that it was mere minutes later that it was not only attacked, but people were using it and going after, you know, this honeycloud environment that was set up for research. It's wild to think that that is the case, because it wasn't public. But you know, people are able to move so much faster, and if you make that mistake, you don't have a lot of time to go through and fix that before you've been ultimately compromised, in this case. Elad, a lot of people hear the term proactive security, but it means different things to different people. I'd love to start by, you know, getting your definition. What do you mean when you say proactive security?
A
To me, proactive security is the whole set of security actions you can take to make sure that you're properly secured in the face of everything that you may encounter. It can be proactively hardening your entire environment, it can be proactively looking at things, whether or not they're properly configured and working to what you'd expect from either a cloud or an enterprise environment. I think traditionally many people looked at proactive security as the less appealing or interesting type of security because it's more of the hygiene and DevOps type of actions. But I think it's becoming more and more clear that it's a critical piece in having the right set of security practices in your organization. So I think proactive security is everything you do in peacetime, before an attack has happened. Everything, everything. By the way, it also includes having the right infrastructure to support the reactive security, right? This is part of the proactive security, in my opinion. Yeah.
B
When you talk about that hygiene, it reminds me of years ago, not necessarily following my dentist recommendations on brushing your teeth, flossing, all those sorts of things. And boy do I wish I had done that a couple of cavities later. So I think the same thing for an enterprise, but scaled up. When the cavity is found, it's painful.
A
I think when you look at the entire threat landscape, right? When an organization needs to assess their threat landscape, vulnerability management is a subset of this, right? Vulnerability management, and exposure management is an expansion of this. One is taking the known things that can go bad, right? So they have CVE numbers, they have some assigned MOs and the ATT&CK framework. Threat detection versus vulnerability management: what a threat is, is broader than just a vulnerability. Vulnerability management is a very specific set of things, right? I think traditionally many organizations created that separation because it was easy. The different categories, the different ways to look at things, the categories evolved over time. That is where attackers, adversaries, became more aware of the fact that, hey, somebody is tracking vulnerabilities here, somebody's tracking different threat areas there, and that threat detection was disconnected from the vulnerability management piece. And I think what we are seeing more and more is how these areas are becoming closer, entangled with each other. So you cannot really look at the threat detection piece without understanding the context of vulnerability management, exposure management that goes even beyond vulnerability management. For example, a workload, and you see the vulnerabilities that exist on this workload. These are not the only things that you analyze when you need to understand the threat detection piece. You analyze the behaviors of any observed users there or processes that are running. You analyze which environments they can access. You analyze the different connections and the different relationships you have there. And that is how you take two seemingly different areas and you combine them together to make sure that you can leverage one.
When looking at the other, that unified data plane that looks at everything, looking at threat detection in real time, in production, in the right context of vulnerability, misconfiguration, and all the things that lead to it from the posture perspective. If you're not tying those two together, then you're missing a critical piece in that investigation.
B
So you've spoken about unifying peacetime and wartime security. I gotta know, why is this concept so important right now?
A
The things that we've observed over and over again, with AI being so common. I think what we are seeing is that attackers are, and you mentioned it yourself, right, attackers are leveraging it more and more and more. It means that if you are not fixing the peacetime fast enough, it will come back to bite you really, really quick in the wartime. And being able to tie those two together and have that full visibility is a crucial piece in being able to then have better outcomes in both, not just one of them. Take a look not just at the security that we have today, take a look at the security in the past. I'll just take one example. About two decades ago, I was working for a different company in a different situation. Security was in a very, very different world back then. But when we were examining transactions over the wire, right, digital banking had just started, protecting digital banking was a key thing in making users trust digital banking more. And it was just the beginning. What we observed is that we can assess the risk of a transaction or anything that is done online. But if we combine it with the ability to understand if there's an actual threat on the machine of the user doing that, like malware or a Trojan horse, we can have much better outcomes, because you can connect those two together. So we've been seeing that in every category of security, happening over and over and over again. And this is the time where we need to look at it holistically for the organization, look at the peacetime and how that connects to the wartime, and having that context, because things are moving much faster. Things are happening so much faster that if you're not using all the information that you have at your disposal for automated or conscious decisions, then you're doing a partial job there. And I think we're getting to a point where we cannot afford that anymore.
B
So let's shift gears again and talk about data. I know that fragmentation is this huge barrier to proactive defense. What kind of data needs to be unified to enable this true proactive threat management that you're talking about?
A
Honestly, everything. I think if I look back at how data science has been done, now, you know, AI, machine learning driven sets of capabilities, it was widely known: garbage in, garbage out, right?
B
So.
A
When you really want to get to a better set of decisions, a better set of identification, detection, everything, even posture things, even that peacetime identification of areas that you need to focus on, it really requires all data on all assets that you have to be truly unified. Because if you don't, you're missing a big chunk of information. I'll give you an example, right? So you can look at all of your data, you can classify the data really, really well, you can make sure that you can spot that data asset that has sensitive data, but you're missing all the different information on the identities that can actually access it, or you're missing a piece on the workloads that you're using that can go over, or you're even missing that endpoint that the DevSecOps or the DevOps engineer has and then can go into your cloud accounts and set up those roles or those workloads. If you don't have all this data in one place and you're trying to create that integration in a very artificial way, I would say what you're risking is the ability to make informed decisions based on these data sets. So when we say that you truly need a unified data layer, you really, truly need a unified data layer that you can control and you can update and you can expand, because technology moves forward really fast. And that is the point where having that all in one place in an extensible manner, that's the key differentiator to also future proofing things. So I think at the end it all boils down to that.
B
So I'm going to take a swing at this. As you're describing it, I'm getting the sense that having a gap in the data is like not having the full context. And then when you're trying to figure out what the problem is, or where the threat's at, or if it's truly a threat or if it's a false positive, you're missing those key things. And I'm picturing getting a blood pressure reading that says it's very, very high blood pressure, but you're missing the context that you were just, you know, coming off of a 5K, you've been running for half an hour, and of course your blood pressure's up, right? You're just on a roller coaster. That context is huge; it's not really a problem. But if you don't have that key piece of information, the context, then the data could tell you the wrong thing and you're off to the races to go lower the blood pressure, or lower the risk for the business, and it wasn't an issue. And in other cases it could be an actual issue, but again, you couldn't test against it and go, what was this moment before? What was this context? And sometimes it's good enough to know blood pressure's high, that's a problem. But not always. And that's where all the information comes in. I think when you said that, I was a little like, wow, that's a lot. But if you can bring that in, then you can get to that full context. Anyway, that's my swing for the fence of kind of playing that back. But does that seem right as a way of telling this story?
A
Yes. And I think you're spot on. It's funny, when you just started talking, it was the exact same analogy that came to my mind, with maybe pulse and running, basically the same. Exactly the same. I think the key here, when you're looking at these things, when I say everything, it's not like, I mean, data can cost money, right? But truly, think about the different things that you can do that you're not even aware of with the data now. And being able to use anomaly detection, AI based capabilities in systems, because you collect the right set of data and it's all stitched together. I think this is, just like you said, informed, context based facts that you can derive on your environment. Just one more thing I'll say about this one. If you could take, for example, a potential incident that you're investigating now and you could understand not just what the user is doing or what the potential attacker is doing, but actually what it can also do across your entire estate, right? Moving laterally in your environment, being able to then take control. That level of assessment is only available if you truly have the data properly connected and properly collected in your data lake, right? Being able to also not just analyze what happens now, but what can potentially happen later, that is a huge thing.
B
So ultimately proactive security is about shifting left, getting ahead of the threats before they manifest. How do you guide CISOs and security leaders into making that shift in their organizations?
A
When we're coming from our own story, right, and we are sharing our own experience, I'm saying, listen, part of actually going through this is gaining the trust of the developers, right? We as security people need to gain the trust of the developers that what we're guiding them through is not just throwing them off, it's not slowing them down. And that comes with actually providing real evidence, real proof. So those security practitioners need to feel empowered to go and chase this one internally and make sure that their processes are actually adapted to that new level of mindset, where you can go as left as you can, or as left as you should. It does not come with just a statement that says, trust us, it'll work. No, it needs to come with data, it needs to come with evidence. It needs to come with, you need to fix this because this is the risk. Being able to highlight the potential risk if you're not doing that properly, or the actual result of not doing that previously, right? Even highlighting the secrets that were found or the vulnerabilities that weren't blocked in the CI/CD pipeline. These by themselves are great proof for those security practitioners to then go talk with the developers and tell them, listen, just take a look at that. This is the threat that we're adding, and they get it, right? They get it, because that's their day to day job.
B
Elad, once again, I get the advantage of being in the interview seat where I get to learn from somebody who's so deeply knowledgeable about this and I come away with it. I hope that this was a fun podcast, a good conversation for you and thanks for coming in, talking to us about this urgent need for proactive security and the need to really shift your strategy away from just react as fast as possible to giving yourself more time by shifting left.
A
No, thank you. Thanks for the opportunity and I enjoyed it very much. And thank you for making this happen.
B
That's it for today. If you like what you've heard, please subscribe wherever you listen and leave us a review on Apple Podcasts or Spotify. Your reviews and feedback really do help me understand what you want to hear about. I want to thank our executive producer, Michael Heller, our content and production teams, which include Kenny Miller, Joe Benecore and Virginia Tran. Mix and original music by Elliot Peltzman. We'll be back next week. Until then, stay secure, stay vigilant. Goodbye for now.
Episode: Why Proactive Security Can’t Wait
Date: November 20, 2025
Host: David Moulton (Senior Director of Thought Leadership, Unit 42)
Featured Guest: Elad Karan (Security Leader)
In this episode, David Moulton sits down with Elad Karan to explore why reactive security models are falling short in the face of today’s rapidly evolving threat landscape. Together, they break down the necessity for proactive security approaches, discuss integrating security early (“shifting left”) in the development cycle, examine the risks posed by attackers’ use of AI and automation, and share practical insights for security leaders aiming to unify both peacetime and wartime security strategies. The conversation is energetic, candid, and loaded with actionable advice for security professionals.
"I haven't found a single organization that was able to maintain this amazing posture and even if they could achieve it, maintaining it for a while, it's impossible." – Elad Karan [02:53]
"Security teams keep on trying to chase the technology of their organization... the business wants to move as fast as possible... security teams need to fight for budget for people..." – Elad Karan [05:26]
"Security... allows her and the CIO organization to go faster... she feels confident that security is a strong brake when something needs to stop, but it allows her to take an aggressive approach to innovation..." – David Moulton [08:31]
"It takes minutes, minutes between having a secret available in a repo in GitHub... before it's harvested." – Elad Karan [12:04]
"Proactive security is everything you do in peacetime before an attack has happened. Everything. It... includes also having the right infrastructure to support the reactive security." – Elad Karan [16:33]
"You cannot really look at the threat detection piece without understanding the context of vulnerability management, exposure management that goes even beyond vulnerability management." – Elad Karan [18:25]
"If you don't, you're missing a big chunk of information... being able to use anomaly detection, AI-based capabilities in systems because you collect the right set of data and it's all stitched together..." – Elad Karan [23:23, 26:57]
"It does not come with just a statement that says, trust us, it'll work. No, it needs to come with data, it needs to come with evidence... Being able to highlight the potential risk if you're not doing that properly..." – Elad Karan [28:41]
On the Acceleration of Cloud Risk:
"As more sensitive data is going to the cloud, risk is higher, availability of attack surface to attackers higher, and your level of protection getting lower. You need better protection." – Elad Karan [03:52]
On Shifting Security Left:
"If you add security as soon as possible, then you can rest assured that it will not come back at the end and tell you, hey listen... you have users information out there explicitly open to attackers..." – Elad Karan [11:41]
On Unified Threat and Vulnerability Management:
"If you're not tying those two together, then you're missing a critical piece in that investigation." – Elad Karan [19:51]
On the Value of Context in Security Data:
"That level of assessment is only available if you truly have the data properly connected and properly collected... not just analyze what happens now, but what can potentially happen later, that is a huge thing." – Elad Karan [27:35]
| Timestamp | Segment Description |
|-----------|---------------------|
| 02:37 | Why reactive security fails in today's cloud and hybrid environments |
| 05:04 | Warning signs of a stuck, reactive security team |
| 08:25 | Security as an innovation accelerator, not just a brake |
| 10:14 | Risks if defenders fail to match attackers using AI/automation |
| 12:04 | Example: Secret in GitHub repo exploited in minutes |
| 15:59 | Elad's definition of proactive security and "peacetime" actions |
| 17:42 | Integrating threat, vulnerability, and exposure management |
| 20:14 | The importance of unifying peacetime and wartime security strategies |
| 23:04 | Data fragmentation as a barrier to proactive defense |
| 26:40 | Analogy: Security context is like medical context, full data is essential |
| 28:16 | Shifting left: How security leaders can drive change and earn developer trust |
This episode underscores the urgent need to move away from legacy, reactive security practices and toward a unified, proactive, and context-driven defense posture. By building trust with development teams, integrating disparate data sources, and aligning vulnerability management with threat detection, organizations can better anticipate threats and respond with agility and clarity. The conversation is a must-listen for security professionals aiming to enable business acceleration without sacrificing safety.