WEBVTT - A Conversation With Slava Konstantinov From ThreatLocker 0:00:00.800 --> 0:00:04.939 Unsupervised Learning is a podcast about trends and ideas in cybersecurity, 0:00:04.970 --> 0:00:10.010 national security, AI, technology and society, and how best to 0:00:10.039 --> 0:00:17.810 upgrade ourselves to be ready for what's coming. All right, 0:00:17.810 --> 0:00:20.690 welcome to Unsupervised Learning. This is Daniel Miessler, and we 0:00:20.690 --> 0:00:25.520 have with us today Slava Konstantinov from Threatlocker. 0:00:25.550 --> 0:00:26.540 Thanks for having me. 0:00:26.900 --> 0:00:31.190 Yeah, yeah, yeah. Great to have you here. So, um, 0:00:31.700 --> 0:00:34.370 wanted to just jump right into it. Um, can you 0:00:34.370 --> 0:00:38.750 start off by telling us what's going on with Threatlocker overall? 0:00:38.780 --> 0:00:42.080 Like what? What does it address? What is the, um, 0:00:42.080 --> 0:00:44.390 the main the main product and what it does? 0:00:44.780 --> 0:00:50.510 Yeah. So Threatlocker were a cybersecurity company and we're protecting endpoints. 0:00:50.870 --> 0:00:56.300 And our main approach is a zero trust. Zero trust 0:00:56.300 --> 0:01:02.010 means that that we don't trust anyone Except what we trust. 0:01:02.040 --> 0:01:04.050 I mean, we have a lot of policies. We can 0:01:04.050 --> 0:01:06.990 talk about this like deep dive a little bit later. 0:01:06.990 --> 0:01:11.639 But yeah, in general we're working on a zero trust 0:01:11.760 --> 0:01:13.890 with zero trust approach. 0:01:14.760 --> 0:01:19.650 Yeah. So and that means by default nothing is allowed 0:01:19.650 --> 0:01:22.560 in general. Right. And then you poke poke little holes 0:01:22.560 --> 0:01:23.610 for what's allowed. 0:01:23.640 --> 0:01:28.140 Yes we we have multiple different products in thread locker. 0:01:28.140 --> 0:01:33.149 So basically we have one big thread locker machine as 0:01:33.150 --> 0:01:36.089 if I can say that. And also we have like 0:01:36.120 --> 0:01:39.690 different products. First of all like we have an application control. 0:01:39.690 --> 0:01:43.740 It's this basically is allow listing. Allow listing that we 0:01:43.740 --> 0:01:50.370 only allow to run specific software that it's basically in 0:01:50.370 --> 0:01:55.260 our list. Everything else, everything else gets denied. So what 0:01:55.260 --> 0:01:59.660 does it mean for for the enterprise it means that 0:02:00.200 --> 0:02:04.280 every company they have set of software they use. Everything 0:02:04.280 --> 0:02:07.910 else should not be allowed. And there is a lot 0:02:07.940 --> 0:02:12.410 of examples out there on the internet and in real life. Basically, 0:02:12.410 --> 0:02:16.190 when people are losing their jobs or company got hacked 0:02:16.190 --> 0:02:20.389 because someone installed something that was not supposed to be there. 0:02:21.080 --> 0:02:25.070 Yeah, yeah, that makes sense. And so how was the 0:02:25.070 --> 0:02:27.740 what's the process look like for. And I believe we 0:02:27.740 --> 0:02:29.840 talked to someone else from your company as well. So 0:02:29.870 --> 0:02:34.130 I heard about this before, and I remember being impressed 0:02:34.130 --> 0:02:36.080 with the way that you handled it. But how do 0:02:36.080 --> 0:02:37.700 you handle that allow list. 0:02:38.180 --> 0:02:41.720 So we have a set of rules. And rule can 0:02:41.720 --> 0:02:45.800 be like you can put like a path to the rule. 0:02:45.800 --> 0:02:50.030 You can. But mostly we use hashes. So basically we 0:02:50.030 --> 0:02:57.440 know what every executable in your system, every executable hash 0:02:57.440 --> 0:02:59.880 in your system. So we know that we have big 0:02:59.880 --> 0:03:03.390 database of these hashes. We also know the hashes of 0:03:03.389 --> 0:03:06.900 the apps and how we do that. If if there 0:03:06.930 --> 0:03:10.830 is unknown hash trying to execute on your computer, which 0:03:10.830 --> 0:03:14.760 is basically block it. So it's pretty straightforward and it's 0:03:14.760 --> 0:03:19.500 pretty easy, sometimes you need to maintain it because there's 0:03:19.530 --> 0:03:23.220 a we have two sets of applications we have built 0:03:23.220 --> 0:03:27.389 in applications. So basically we maintain them. We also check 0:03:27.389 --> 0:03:30.960 for updates for that applications. We update hashes. But there 0:03:30.960 --> 0:03:34.470 are sometimes specific requests from the customers. So they need 0:03:34.470 --> 0:03:37.650 to maintain it themselves. But it's not super hard. It's 0:03:37.650 --> 0:03:42.810 just it's just small inconvenience for as I would say, 0:03:42.810 --> 0:03:44.220 better security. 0:03:44.550 --> 0:03:47.850 Sure. And then like you were saying something for like 0:03:47.880 --> 0:03:52.980 a windows environment, like a very big, uh, software operating system, 0:03:52.980 --> 0:03:56.160 lots of updates coming out, lots of application updates coming 0:03:56.160 --> 0:03:59.290 out When those updates come out, I assume they come 0:03:59.290 --> 0:04:02.110 to you and you do. Hashes for those. And then 0:04:02.110 --> 0:04:04.900 you give the hashes to the customers so that. They 0:04:04.900 --> 0:04:06.820 can ensure that they can install them or. 0:04:06.850 --> 0:04:10.000 No, no. Basically what we do. We have a portal. 0:04:10.000 --> 0:04:14.860 So it's a web website and everything managed from there. So. 0:04:14.890 --> 0:04:18.190 We the customers, they have like admin pages and all 0:04:18.220 --> 0:04:20.950 of this so they can set it up. And when 0:04:20.950 --> 0:04:25.240 the update come up we have a whole team basically 0:04:25.240 --> 0:04:28.870 looking for that updates like running them, learning the new 0:04:28.900 --> 0:04:33.730 hashes and after update. So they just basically update the 0:04:33.730 --> 0:04:38.170 existing policies when the policy got get updated, they basically 0:04:38.170 --> 0:04:43.270 after that what they do is it's automatically updated on 0:04:43.270 --> 0:04:49.090 every customer we have. So we'll and there's also new 0:04:49.089 --> 0:04:52.780 product coming out that's batch management. So we're gonna basically 0:04:52.810 --> 0:04:56.820 we're gonna see if there's an old application not patched 0:04:56.820 --> 0:05:00.630 application installed on your computer. And you can install and 0:05:00.630 --> 0:05:03.719 you can patch it on the fly basically without even 0:05:04.170 --> 0:05:05.850 asking user to do that. 0:05:06.720 --> 0:05:09.239 Oh very cool, very cool. Okay, so you have the 0:05:09.240 --> 0:05:11.909 application one. You have this new one that's coming out 0:05:11.910 --> 0:05:13.169 which is patches. 0:05:13.200 --> 0:05:14.640 Patch management. Yep. 0:05:14.670 --> 0:05:18.029 Patch management. So what are the other products that you have. 0:05:18.060 --> 0:05:19.080 You mentioned other ones. 0:05:19.110 --> 0:05:23.160 Yeah. So the one we talked about it was application control. 0:05:23.160 --> 0:05:28.410 We also have storage control. So storage control is a 0:05:28.410 --> 0:05:32.940 is a product that basically can uh protect your file 0:05:32.940 --> 0:05:37.080 system from unwanted access. What I mean by that, you 0:05:37.080 --> 0:05:43.320 can stop some application from accessing your, uh, folders that 0:05:43.350 --> 0:05:49.830 may that may have some information, like a specific information 0:05:49.830 --> 0:05:52.680 that needs to be secured. We also have we can 0:05:52.680 --> 0:05:58.180 block USB devices. We also can block network shares, so 0:05:58.480 --> 0:06:04.930 this product helps users to protect their data from being 0:06:04.960 --> 0:06:09.370 accessed from unknown apps, for example, or even USB drives. 0:06:09.370 --> 0:06:14.620 So if your if your company's policy does not allow 0:06:14.620 --> 0:06:18.279 to USB drives, which can block USB drives from accessing 0:06:18.279 --> 0:06:20.260 your computer at all. 0:06:20.770 --> 0:06:25.330 Hmm. Interesting. Okay, so it's controlling like the media that 0:06:25.330 --> 0:06:29.680 can come in. It can handle network shares as well. Yes. 0:06:29.710 --> 0:06:33.010 You could basically you could block off things that are, uh, 0:06:33.160 --> 0:06:35.230 super sensitive. You don't want it to look at it 0:06:35.230 --> 0:06:36.070 at all. 0:06:36.100 --> 0:06:40.420 Yes, yes. So we have for example like specific uh, 0:06:40.420 --> 0:06:44.770 folder with uh, super secret data, your company data, and 0:06:44.770 --> 0:06:47.770 you have only 1 or 2 apps that allow to 0:06:47.800 --> 0:06:51.159 access that, like for example, like Word or Excel or 0:06:51.160 --> 0:06:54.469 something like that. So and you will allow only this 0:06:54.470 --> 0:06:58.039 helps to access that folder if some other app like 0:06:58.040 --> 0:07:03.260 malicious app for example, like lurking in your system and 0:07:03.260 --> 0:07:05.270 it tried to access that folder which is going to 0:07:05.300 --> 0:07:08.150 block it. So it means like zero trust, we don't 0:07:08.180 --> 0:07:11.600 trust anyone except with the ones we trust. 0:07:12.020 --> 0:07:17.780 Gotcha. Okay. So that's application control and storage control. Any others? 0:07:17.810 --> 0:07:21.440 Yeah. So we have ring fencing. Ring fencing basically means 0:07:21.440 --> 0:07:25.429 if we allow app to run. But we what we 0:07:25.430 --> 0:07:29.450 can do is we can say we can put this 0:07:29.480 --> 0:07:33.290 app into if we can say that sandbox. So saying 0:07:33.290 --> 0:07:37.400 like okay, you're allowed only you're not allowed to run 0:07:37.400 --> 0:07:42.410 other applications or you're allowed to run specific applications or 0:07:42.410 --> 0:07:46.220 you can you cannot access network or you can access 0:07:46.220 --> 0:07:48.860 the network, but some specific websites. 0:07:49.520 --> 0:07:52.400 Oh that's right. Yeah. So this is um, same. 0:07:52.400 --> 0:07:52.550 For. 0:07:52.550 --> 0:07:54.460 The stores are round in application. 0:07:54.460 --> 0:07:59.230 Yes, around the specific application. So for example you have 0:07:59.260 --> 0:08:04.030 I don't know like a file zilla or I don't 0:08:04.060 --> 0:08:07.150 know or something like that. So you will you can 0:08:07.150 --> 0:08:10.480 access FTP servers, but you have specific set of FTP 0:08:10.480 --> 0:08:14.680 servers that allow that you allow to connect to or 0:08:14.680 --> 0:08:18.340 any other app. I'm honestly right now. 0:08:18.610 --> 0:08:21.100 Netcat or terminal or something like that. 0:08:21.130 --> 0:08:23.739 Oh yeah. Yeah. Terminal for example. So you can ring 0:08:23.770 --> 0:08:27.280 fence terminal and say like oh terminal can run this, 0:08:27.280 --> 0:08:29.860 this and that and it's not allowed to run curl 0:08:29.860 --> 0:08:33.010 for example. So if it yeah, if it can't run 0:08:33.010 --> 0:08:36.250 curl if uh, some specific attacks. 0:08:36.520 --> 0:08:39.880 Or something like yeah, a way to download additional malware or. 0:08:39.940 --> 0:08:41.469 Yes, yes. 0:08:41.500 --> 0:08:43.929 Or outbound SSH or something. 0:08:43.929 --> 0:08:47.530 Yeah. Or you downloaded some app and you're not sure 0:08:47.530 --> 0:08:50.200 you need this app, but you're not sure what it's doing. 0:08:50.200 --> 0:08:52.950 And you can basically put it into that sandbox and 0:08:52.950 --> 0:08:56.250 saying like, oh, you're not allowed to access internet. So 0:08:56.250 --> 0:08:59.370 even if it it will try malicious software, it will 0:08:59.370 --> 0:09:03.360 try to download some like payload from the internet like 0:09:03.390 --> 0:09:08.520 obfuscated executable and run it. First of all, even if 0:09:08.520 --> 0:09:10.800 it's downloaded, we're not going to allow it to run 0:09:10.800 --> 0:09:14.850 it because of default deny application control. But at the 0:09:14.850 --> 0:09:18.750 same time, it's even if it stole something from your computer, 0:09:18.750 --> 0:09:22.170 it will now don't have access to internet to send 0:09:22.170 --> 0:09:23.130 it over. 0:09:23.490 --> 0:09:24.420 Right. 0:09:24.630 --> 0:09:29.880 Yeah. Same. Same for the. I'm sorry. Same for the storage. Uh, storage. 0:09:29.880 --> 0:09:34.290 Because we can reinvent storage access to specific apps. So 0:09:34.320 --> 0:09:39.630 storage control, we can control whole system, whole computer, different applications. 0:09:39.630 --> 0:09:44.250 But ring fencing, we can specifically say this application allowed 0:09:44.250 --> 0:09:48.210 to access that folder, that folder, that folder. Okay, so. 0:09:48.510 --> 0:09:51.420 And then can you define all these different policies in 0:09:51.440 --> 0:09:54.439 one place, or are they defined in the separate products? 0:09:54.830 --> 0:09:58.220 Yeah. So it's a separate product. So application control is 0:09:58.220 --> 0:10:02.209 one product storage control. And it's all different products. But 0:10:02.240 --> 0:10:07.609 it doesn't mean you're not allowed to reuse them between products. 0:10:07.730 --> 0:10:11.809 Okay. Yeah that makes sense. So a lot of this 0:10:11.809 --> 0:10:14.690 has been very windows focused. Is that right. 0:10:14.720 --> 0:10:18.740 Yeah yeah windows. But we also have Mac agent now 0:10:18.740 --> 0:10:23.540 for for a couple of years. And Linux we have 0:10:23.540 --> 0:10:27.770 version 1.4 I guess Linux right now. So it's pretty 0:10:27.800 --> 0:10:29.510 early stage. 0:10:29.690 --> 0:10:32.059 Okay. So tell me tell me about the Mac agent. 0:10:32.090 --> 0:10:36.320 Yeah. So I'm a mac lead architect. So, um, yeah, 0:10:36.800 --> 0:10:41.090 I'm basically I've been there since day one of Mac 0:10:41.090 --> 0:10:47.210 agents starting POC, and now we have version 4.2 coming 0:10:47.210 --> 0:10:51.410 out soon. So it's been quite a journey. We don't 0:10:51.410 --> 0:10:55.400 have all of the products windows has for now, but 0:10:55.400 --> 0:10:59.390 we're trying to keep up. So we don't have we 0:10:59.390 --> 0:11:03.650 don't have detect. I mean, we haven't talked about that yet, 0:11:03.679 --> 0:11:04.280 but yeah. 0:11:04.309 --> 0:11:05.540 Tell me about detect. 0:11:05.840 --> 0:11:10.220 Okay. So there's also multiple there's a couple more products 0:11:10.520 --> 0:11:11.690 that we haven't talked about. 0:11:11.720 --> 0:11:12.140 Yeah yeah. 0:11:12.140 --> 0:11:16.970 Yeah. So first oh not first. So one of the 0:11:16.970 --> 0:11:23.030 products is elevation control. Basically it's it's in some way 0:11:23.030 --> 0:11:26.570 it's a little bit different from zero trust because we 0:11:26.570 --> 0:11:31.520 can what we can do is we can allow applications 0:11:31.520 --> 0:11:39.140 or user to elevate uh specific actions in the system. Uh, 0:11:39.140 --> 0:11:46.280 as a, as an admin user. So without asking actual 0:11:46.280 --> 0:11:49.709 admin permissions. So basically you have a standard user on 0:11:49.710 --> 0:11:54.000 your computer that is not allowed to elevate anything, but 0:11:54.000 --> 0:11:57.420 your admin wants you to install some update, and for 0:11:57.450 --> 0:12:00.930 that update you need elevation or to access some folder. 0:12:00.929 --> 0:12:03.929 That's if we're talking about Macs that protected by root, 0:12:03.929 --> 0:12:08.490 for example. And what we can do, we can set 0:12:08.520 --> 0:12:14.700 up specific rules for that application. So if application tries to, uh, 0:12:14.790 --> 0:12:19.860 install update for itself and it requires root so users 0:12:19.860 --> 0:12:26.730 user is not, uh, basically user does not enter any password. 0:12:27.300 --> 0:12:32.489 So it would just automatically elevate user for admin privileges 0:12:32.490 --> 0:12:38.580 for for that specific request not whole system. Some specific requests. 0:12:38.580 --> 0:12:42.600 We can allow for application for user interaction with a 0:12:42.600 --> 0:12:46.949 system and a windows. It's UAC in a mac world 0:12:46.950 --> 0:12:50.540 or Linux world that you can. It's pseudo or it's 0:12:50.540 --> 0:12:52.910 just privilege elevation. 0:12:53.929 --> 0:12:59.150 Interesting. Okay. So that's an interesting layer. So it's basically 0:12:59.150 --> 0:13:04.760 a layer in between the actual um pseudo or admin capability. 0:13:04.760 --> 0:13:06.920 It's it's like a shim in between. 0:13:06.950 --> 0:13:12.080 Yes, yes. So basically if you're not allowed to run 0:13:12.080 --> 0:13:16.189 pseudo on your computer, for example, on Mac, any standard user. 0:13:16.190 --> 0:13:18.770 So we have admin user and a standard user, any 0:13:18.800 --> 0:13:24.200 admin standard user doesn't have access to pseudo at all. 0:13:24.559 --> 0:13:27.770 But what we can do, we can we can get 0:13:27.770 --> 0:13:30.800 this access to standard user, but just for some specific 0:13:30.830 --> 0:13:34.610 specific amount of time or a specific amount of actions. 0:13:34.610 --> 0:13:39.290 Like if you want to run pseudo uh, Linux apt 0:13:39.320 --> 0:13:42.380 get or something to update your packages. 0:13:42.770 --> 0:13:46.610 Right. So so it's like a policy based granular control 0:13:46.610 --> 0:13:49.530 when that actually doesn't exist with sudo. If you have sudo, 0:13:49.559 --> 0:13:50.670 you have everything. 0:13:50.700 --> 0:13:51.360 Yeah. Yeah. 0:13:51.360 --> 0:13:53.280 If you're taking that away. Yeah. 0:13:53.309 --> 0:13:55.559 Yeah. If you're admin it doesn't make sense. You can 0:13:55.559 --> 0:13:59.010 just type in a password or click like elevate privileges 0:13:59.190 --> 0:14:01.770 or something like that. It's not a problem. But if 0:14:01.770 --> 0:14:06.750 we have a yeah if user doesn't have any privileges 0:14:06.750 --> 0:14:09.720 on the computer, we allow user to have some of 0:14:09.720 --> 0:14:12.480 them if user needs to. 0:14:12.960 --> 0:14:18.780 Sure. Okay. So that's elevation. Uh, what's what's the next one. Yeah. 0:14:18.809 --> 0:14:19.830 What about detect. 0:14:19.860 --> 0:14:23.160 Yeah. So there's a detect. It's not on the Mac. 0:14:23.190 --> 0:14:26.220 It's not on Linux yet. It's just windows product for now. 0:14:26.220 --> 0:14:31.800 But we're working on getting it into Mac at least. Okay, so, uh, 0:14:32.160 --> 0:14:37.560 this is our MDR solution. So we have EDR that's automated, 0:14:38.070 --> 0:14:43.350 automatically detect and block something or make any decisions. We 0:14:43.350 --> 0:14:46.390 have MDR, we have whole MDR team and Threadlocker Threatlocker 0:14:46.390 --> 0:14:51.460 headquarters they basically check for, so you can set up 0:14:51.490 --> 0:14:57.250 rules and policies for your organizations to see, like, oh, 0:14:57.280 --> 0:15:03.340 someone like scanning my entire network or doing something. So 0:15:03.370 --> 0:15:06.790 and we have alerts for that. So our MDR team, 0:15:06.790 --> 0:15:10.600 they have alert and so they can lock your computer down. 0:15:10.600 --> 0:15:14.170 If there's some suspicious activity they can lock your network 0:15:14.170 --> 0:15:18.430 down or they can notify you like call you call 0:15:18.430 --> 0:15:21.880 your admin like saying, oh there's some suspicious activity. What 0:15:21.910 --> 0:15:24.880 what what do you want it to do with with that. 0:15:24.910 --> 0:15:28.270 Because there's a lot of we it happens. There's some 0:15:28.270 --> 0:15:32.920 false positives. But and that team, they basically monitor all 0:15:32.920 --> 0:15:36.670 of these events from all of our customers. And they 0:15:36.700 --> 0:15:39.640 and they make decisions by that okay. 0:15:39.730 --> 0:15:43.360 Okay. Great. So so essentially the agent is talking up 0:15:43.360 --> 0:15:47.370 to a centralized location. You could see centralized alerts. Like, 0:15:47.370 --> 0:15:50.040 for example, someone scanning the entire network or something, and 0:15:50.040 --> 0:15:51.900 they can they could choose to respond to that. 0:15:51.930 --> 0:15:56.910 Yeah. Yeah, yeah. Uh, also, the customer or our team, 0:15:56.910 --> 0:16:00.390 we can help customers with that to set up specific 0:16:00.390 --> 0:16:05.760 policies because every organization may have different policies. So we 0:16:05.760 --> 0:16:09.600 can set up their policies like in the way they want. 0:16:09.630 --> 0:16:14.310 So we can check something. We can skip something, something else. 0:16:14.880 --> 0:16:17.280 Makes sense is that, um, is that all the products 0:16:17.310 --> 0:16:18.030 you still got? 0:16:18.150 --> 0:16:21.480 Yeah. We have one more. Okay. One more old ones. 0:16:21.480 --> 0:16:23.430 We have three more new ones. 0:16:23.670 --> 0:16:24.150 Okay. 0:16:24.630 --> 0:16:27.840 So we have, uh, we have network control. Network control 0:16:27.840 --> 0:16:31.140 is basically we can, uh, and we also have default 0:16:31.140 --> 0:16:34.320 deny on the network if you want this. So basically 0:16:34.350 --> 0:16:38.430 we're not allowed and, uh, endpoint is not allowed to 0:16:38.460 --> 0:16:42.870 access anything except what you allow to do. Or you 0:16:42.870 --> 0:16:47.140 can just you can allow everything but block specific websites 0:16:47.170 --> 0:16:51.640 like even like if we're talking about protection default deny 0:16:51.670 --> 0:16:54.280 is better because you can say like, oh, you can 0:16:54.280 --> 0:16:59.290 go like to to access Microsoft.com, you can access like 0:16:59.320 --> 0:17:04.900 some other Adobe updates or something like that, uh, obviously 0:17:04.930 --> 0:17:08.619 like specific websites for your organization. But if we're talking 0:17:08.619 --> 0:17:13.510 about even controlling what your user does, like blocking Facebook or, 0:17:13.540 --> 0:17:17.350 or something like pretty simple. So we can we can 0:17:17.350 --> 0:17:21.220 do all of that with the network control. It's basically, uh, 0:17:21.220 --> 0:17:25.930 protecting your environment and your network. We also have a 0:17:26.080 --> 0:17:31.359 thing called objects and challenges. So the, uh, the multiple 0:17:31.359 --> 0:17:36.970 computers can talk to each other with specific challenges and 0:17:37.000 --> 0:17:40.659 objects and saying like, oh, this computer, I know this computer, 0:17:40.660 --> 0:17:45.170 it's allowed to access my network. Mhm. Doesn't matter where 0:17:45.170 --> 0:17:48.379 you are. So it means like because for firewall you 0:17:48.380 --> 0:17:50.900 need to set up your IP like you can, you 0:17:50.900 --> 0:17:54.260 need to like or VPN or you have to call 0:17:54.290 --> 0:17:56.840 someone like your admin. Can you allow this IP to 0:17:56.869 --> 0:18:00.379 access our network. But if you're like on on the 0:18:00.410 --> 0:18:06.080 go somewhere like basically traveling, you can your network control 0:18:06.080 --> 0:18:10.790 will send specific objects to your to your network and 0:18:10.790 --> 0:18:15.230 you will uh, and they will respond. It's, it's a 0:18:15.230 --> 0:18:19.190 double check between like if it's legit or not. And 0:18:19.190 --> 0:18:22.459 it will allow your computer from any location to access 0:18:22.460 --> 0:18:24.620 that network in this rain. 0:18:25.850 --> 0:18:30.560 Interesting. Okay. Okay. I have a question before you go 0:18:30.560 --> 0:18:34.280 into the new products, is is anyone thinking about I 0:18:34.310 --> 0:18:38.209 have to assume the answer is yes. Is anybody thinking 0:18:38.210 --> 0:18:42.170 about a single policy editor where you go in as 0:18:42.170 --> 0:18:45.790 an organization. And you basically define the policy of like, 0:18:45.850 --> 0:18:50.290 here's what we care about for network overall for this 0:18:50.290 --> 0:18:56.230 particular host, it's like like a more centralized single policy. Um, 0:18:57.310 --> 0:19:01.630 in that single policy, which you like, write in English, 0:19:01.660 --> 0:19:05.050 gets translated down to the specific rules that apply to 0:19:05.080 --> 0:19:08.229 the specific products. So it's still being implemented inside the 0:19:08.230 --> 0:19:12.460 separate products. But really it's like this like abstracted up. 0:19:12.670 --> 0:19:13.270 Um, yeah. 0:19:13.300 --> 0:19:14.919 So we need policy editor. 0:19:15.430 --> 0:19:19.660 So we need to, uh, implement some AI stuff for, 0:19:19.690 --> 0:19:21.340 for that obviously. 0:19:21.369 --> 0:19:21.790 Yeah. 0:19:21.790 --> 0:19:24.760 Yeah. To translate from human language to that one. We 0:19:24.760 --> 0:19:27.670 don't have it yet. It could be our next product. 0:19:27.670 --> 0:19:28.510 We'll see. 0:19:28.810 --> 0:19:31.720 Yeah. Yeah, that makes sense. So what are the new products? 0:19:31.750 --> 0:19:36.220 Yeah. So there's, um, at least three new products. Uh, 0:19:36.220 --> 0:19:39.310 so there's, uh, if we're talking about agents because there's 0:19:39.310 --> 0:19:42.649 one more product called Cloud Detect, It's a little bit 0:19:42.650 --> 0:19:45.619 different kind of product. I'm working on the agent side. 0:19:45.619 --> 0:19:50.990 So it's it's not agent related products. It basically means 0:19:51.020 --> 0:19:56.420 product that can, uh, allow access to your, uh, cloud 0:19:56.420 --> 0:20:01.850 services from, like, Microsoft or like AWS or something like that, 0:20:01.850 --> 0:20:05.600 with a specific app on your phone. And it connects 0:20:05.600 --> 0:20:09.680 to same as, uh, and wherever you go with this app, 0:20:09.680 --> 0:20:12.590 it knows your IP address, and it basically can allow 0:20:12.590 --> 0:20:18.590 you access from that location to your cloud services. So it, uh, and, uh, 0:20:18.590 --> 0:20:25.340 but other three products is, uh, web control. So it's, 0:20:25.760 --> 0:20:29.930 it's not. Net so it's similar in some way to 0:20:29.960 --> 0:20:34.399 a network control still. Uh, but it only works for browsers. 0:20:34.400 --> 0:20:38.120 So if you want your organization to block like all 0:20:38.119 --> 0:20:41.970 gambling websites or poor websites or something like that. You 0:20:41.970 --> 0:20:46.650 just can choose category that you can block or allow. 0:20:47.070 --> 0:20:49.950 And we basically will do that. So this this one 0:20:49.950 --> 0:20:53.550 of the newest products, it's it's for someone who doesn't 0:20:53.550 --> 0:20:57.300 want to deal with network control. It's much more simpler 0:20:57.300 --> 0:21:02.460 and it's much more it's more uh, just uh, it's 0:21:02.460 --> 0:21:06.390 more restrictive. Not not protective, I would say. 0:21:06.960 --> 0:21:10.650 Gotcha. Okay. And is that is that all of them? 0:21:10.680 --> 0:21:11.340 One more. Right. 0:21:11.369 --> 0:21:14.160 No, no. Two more. Two more. Yeah. We have a 0:21:14.190 --> 0:21:17.310 lot of products. So we all, we all we also 0:21:17.310 --> 0:21:21.120 have patch management. It's coming soon. So this this three 0:21:21.119 --> 0:21:25.950 products coming soon. So it's in beta now and it's 0:21:25.950 --> 0:21:33.600 coming live. Uh, maybe months maybe a couple of weeks. Okay. So, uh, 0:21:33.600 --> 0:21:37.830 the patch management. So as we spoke with you about 0:21:37.830 --> 0:21:41.540 this a little bit earlier so we can patch. We 0:21:41.540 --> 0:21:45.950 can have set of policies and we can check versions 0:21:45.950 --> 0:21:49.220 of the apps that that's on your computer. And if 0:21:49.220 --> 0:21:53.510 it's if the app is outdated, we can alert your 0:21:53.510 --> 0:21:57.050 admin saying like, oh, there's a new there's a new thing, 0:21:57.290 --> 0:22:00.230 there's a new update for the app, and you can 0:22:00.230 --> 0:22:02.540 basically press the button on the portal and it's going 0:22:02.570 --> 0:22:08.810 to automatically patch your, your, your application. So, so it's, 0:22:08.810 --> 0:22:14.510 it's much easier way and simpler way of patching, especially 0:22:14.510 --> 0:22:17.720 in some cases if you want to allow or uh, 0:22:17.720 --> 0:22:20.869 some specific version to run on your computer. 0:22:21.470 --> 0:22:22.070 Okay. 0:22:23.030 --> 0:22:29.300 There's one more called insights. The insights is basically we have, uh, 0:22:29.300 --> 0:22:34.910 a database that stores all of the applications and interactions 0:22:34.910 --> 0:22:41.550 with applications, uh, from all of our clients. It's totally anonymous. 0:22:41.550 --> 0:22:46.470 So it's it's different. It's different set of data from 0:22:46.470 --> 0:22:51.780 our customers data. But what it can do basically see 0:22:51.810 --> 0:22:56.490 every app that was allowed or denied or set of rules, 0:22:56.490 --> 0:22:59.550 specific set of rules that apply to that app. And 0:22:59.550 --> 0:23:03.060 we can show user oh, if some app got blocked 0:23:03.090 --> 0:23:06.570 on your computer and you will see the small statistics 0:23:06.570 --> 0:23:09.750 like the admin on your organization can look at the 0:23:09.750 --> 0:23:13.619 statistics saying, oh, this app got denied or got allowed. 0:23:13.619 --> 0:23:16.109 This is how many times this is how many times 0:23:16.109 --> 0:23:18.720 this domain was accessed. This how many times it was 0:23:18.720 --> 0:23:20.970 denied a lot of times. So it's like it's a 0:23:20.970 --> 0:23:24.960 small insight of like what others do. And you can 0:23:24.960 --> 0:23:30.510 create interesting set of policies, especially ringfence policies on what app. 0:23:30.540 --> 0:23:33.450 Some specific app. Oh, usually this app goes to that 0:23:33.450 --> 0:23:37.560 folder or access that website and you can automatically press 0:23:37.590 --> 0:23:41.650 like create a ring fence policies for this app so 0:23:41.650 --> 0:23:44.920 it makes life of our customers a little bit easier. 0:23:45.100 --> 0:23:48.790 Yeah, that's that's smart. That's smart. Because like a ring 0:23:48.820 --> 0:23:52.540 fence policy could be like 12 different rules to like 0:23:52.570 --> 0:23:53.800 12 different things. Right? 0:23:53.830 --> 0:23:54.460 Yes. 0:23:54.460 --> 0:23:57.040 And that might take a little while to figure out. 0:23:57.040 --> 0:24:01.149 And each time it's like a manual add versus somebody else. 0:24:01.150 --> 0:24:03.970 Or hundreds of other customers already figured that out. So 0:24:03.970 --> 0:24:04.930 now there's a template. 0:24:04.960 --> 0:24:07.180 Yes. Yeah. Exactly. 0:24:07.210 --> 0:24:13.750 Yeah. That makes sense. That makes sense. Um, well, what 0:24:13.750 --> 0:24:16.690 can you say more about the, uh, the Mac agent? Um, 0:24:16.720 --> 0:24:20.260 how how are things different, like threat wise right now 0:24:20.260 --> 0:24:23.290 with Mac versus windows? Are you seeing different threats? Like, 0:24:23.320 --> 0:24:27.250 is the installation process different the management of it? Is 0:24:27.250 --> 0:24:28.090 it different? 0:24:28.119 --> 0:24:31.300 I mean, like the threat, the attack vectors, they pretty 0:24:31.300 --> 0:24:34.930 much the same everywhere. Like, yeah, it's the same thing 0:24:34.930 --> 0:24:39.540 like Linux, Mac, windows. Most of them are social engineering. 0:24:39.540 --> 0:24:42.420 Some of them are like zero day vulnerabilities. Some of 0:24:42.450 --> 0:24:47.610 some of them is, uh, supply chain attacks. Right. But like, 0:24:47.700 --> 0:24:52.860 it's still the same, like how how Apple and Microsoft 0:24:52.859 --> 0:24:56.550 approach this is a little bit differently because Mac they 0:24:56.580 --> 0:25:00.869 I mean the windows they have Windows Defender, they have UAC. 0:25:00.869 --> 0:25:04.439 So they have their own protections. Apple goes a little 0:25:04.470 --> 0:25:07.649 bit further with that because there's a lot of more 0:25:07.650 --> 0:25:14.369 protections like uh, uh, TCC. It's uh, I forgot how it's, uh, 0:25:14.369 --> 0:25:19.320 consent and something. Consent and control. I was honestly, I forgot, 0:25:19.320 --> 0:25:25.169 but basically there's a specific set of rules for each app. 0:25:25.200 --> 0:25:30.090 It's what we do. But from from Apple standpoint, it's 0:25:30.090 --> 0:25:34.649 a little bit simpler. So they can deny access for 0:25:34.650 --> 0:25:39.730 any app to access to file system, for example. So 0:25:39.730 --> 0:25:43.450 it runs in its own small sandbox or or user 0:25:43.480 --> 0:25:47.350 have to approve if app wants to access your documents 0:25:47.350 --> 0:25:49.270 folder for example. Right. 0:25:49.300 --> 0:25:49.840 Yep. 0:25:50.109 --> 0:25:55.420 And Apple has X protect. It's like Windows Defender X protect. 0:25:55.450 --> 0:26:00.700 Their probably it's built in antivirus but it also runs 0:26:00.700 --> 0:26:05.200 only for uh known malware. So it works only for 0:26:05.230 --> 0:26:08.530 it can block only known malware. It's not like it's 0:26:08.530 --> 0:26:10.270 not even reactive. 0:26:10.420 --> 0:26:14.890 It's not looking at behavior for all applications. Okay. So 0:26:14.890 --> 0:26:17.770 you're hooking into the the Mac functionality and doing your 0:26:17.770 --> 0:26:19.030 own functionality or. 0:26:19.060 --> 0:26:22.869 Yeah. So what we do Apple restrict us from accessing kernel. 0:26:22.869 --> 0:26:25.750 It happened like five years ago I guess or something 0:26:25.780 --> 0:26:29.229 around that time. So and we have a lot of 0:26:29.230 --> 0:26:33.250 complications because of that. So they, they have their own 0:26:33.400 --> 0:26:38.190 driver running in and we basically see what this driver 0:26:38.190 --> 0:26:41.430 sends us events and we can apply to that events 0:26:41.430 --> 0:26:45.659 like allow or deny. But what driver can do it 0:26:45.660 --> 0:26:51.840 can access other processes memory. It can access, uh, other 0:26:51.900 --> 0:26:55.860 low level things that we can do to make protection 0:26:55.890 --> 0:26:59.010 a little bit better, I would say, but we're not 0:26:59.010 --> 0:27:02.280 allowed to do that. And there's also a lot of, uh, 0:27:02.880 --> 0:27:08.490 because they tried to make it for everyone. So there 0:27:08.490 --> 0:27:11.489 is a trade off between speed and some of the 0:27:11.490 --> 0:27:15.600 things they send to, uh, to us. So we need 0:27:15.600 --> 0:27:20.970 to approach some things differently, especially hashes. So we need 0:27:20.970 --> 0:27:24.030 to have our own cache for hashes and all of 0:27:24.030 --> 0:27:26.940 these things, because what Apple sends us is a little 0:27:26.970 --> 0:27:30.810 bit different. They call it KD hash. It's called directory. 0:27:30.810 --> 0:27:33.870 It's assigning hash. But we need to know hash for 0:27:33.869 --> 0:27:37.210 specific executable and it's a little bit different. And we 0:27:37.210 --> 0:27:41.890 need to calculate it like basically each time application runs. 0:27:41.890 --> 0:27:46.300 And there's some complications with that I would say. But 0:27:46.330 --> 0:27:50.919 it's we found workarounds for that. It's for network. The 0:27:50.920 --> 0:27:53.709 same thing. We don't have access to kernels so we 0:27:53.710 --> 0:27:56.590 don't have access to some low level packets. So we 0:27:56.590 --> 0:28:00.399 only work with Apple's gives us and we have complications 0:28:00.400 --> 0:28:04.060 with that either. So and also recently I guess it 0:28:04.060 --> 0:28:10.270 was 15.1 recent update. They broke third party firewalls. Uh 0:28:10.270 --> 0:28:13.450 not just us everyone. Yeah. If you run in built 0:28:13.450 --> 0:28:18.699 in firewall, if it's on, uh, we never got any, uh, 0:28:18.700 --> 0:28:20.830 events from the system, so it's like. 0:28:20.859 --> 0:28:22.390 Little snitch and all those. 0:28:22.390 --> 0:28:26.439 Yeah, yeah, yeah, yeah, yeah. Everything was broken. Like, for 0:28:26.440 --> 0:28:32.500 one specific Apple update. They broke it. Yeah. So we 0:28:32.500 --> 0:28:36.470 get events from the macOS. Everything. Every time someone tries 0:28:36.470 --> 0:28:41.390 to connect like a two or packet to send a 0:28:41.390 --> 0:28:45.380 packet or something like that, and we never received them 0:28:45.380 --> 0:28:50.780 as if built in firewall was on. Right. So this 0:28:50.780 --> 0:28:54.500 is a downside about that. So Apple Apple broke something. 0:28:54.530 --> 0:28:56.840 We couldn't do anything about that. 0:28:57.080 --> 0:29:00.830 Now they fixed that or it's just broken from now on. 0:29:00.860 --> 0:29:03.320 No no no it's it's fixed. But I was like 0:29:03.350 --> 0:29:07.130 you see everything is in apple hands basically. 0:29:07.160 --> 0:29:11.690 Yeah. Yeah that's that's a good point. They do do 0:29:11.750 --> 0:29:16.550 hold all the cards there. Yes. Um, okay. So, um, 0:29:16.550 --> 0:29:18.890 so the question I have for you is it seems 0:29:18.890 --> 0:29:23.540 like the product overall is the zero trust concept, and 0:29:23.540 --> 0:29:27.380 you're simply applying it at all these different module stages 0:29:27.380 --> 0:29:31.070 because they all need something slightly different. Yeah. So it's 0:29:31.100 --> 0:29:33.850 yeah that makes sense. Yeah, that's really interesting. 0:29:33.880 --> 0:29:38.320 Yeah. So, like, your system is not just simple applications. 0:29:38.320 --> 0:29:42.040 It's more complicated than that. So. And so we try 0:29:42.070 --> 0:29:46.960 to apply this to every single level to, to make 0:29:46.960 --> 0:29:48.430 better protection. 0:29:49.120 --> 0:29:53.080 Yeah that makes sense. And how different is the Mac 0:29:53.080 --> 0:29:55.150 side of it from the windows other than like the 0:29:55.150 --> 0:29:59.650 permissions and stuff that we talked about is the installation 0:29:59.650 --> 0:30:03.729 is pretty standard Mac installation. What about administration? Is it 0:30:03.730 --> 0:30:06.370 all look the same inside of the portal and everything? 0:30:06.400 --> 0:30:10.450 Yeah. So basically we're talking about like business logic of things. 0:30:10.450 --> 0:30:14.290 It's all the same obviously like paths are different right? 0:30:14.320 --> 0:30:18.070 Like windows, Mac, Linux like like we're talking about file 0:30:18.100 --> 0:30:22.570 system or something like that. So it's all this network 0:30:22.570 --> 0:30:26.230 completely say like for for from the user perspective it's 0:30:26.590 --> 0:30:30.610 the same thing like application control ringfencing is all the 0:30:30.610 --> 0:30:34.850 same thing. You can. You need to understand Mac OS 0:30:34.880 --> 0:30:40.670 to make better policies for in some cases. But in general, 0:30:40.670 --> 0:30:45.080 we're trying to make this seamless for all of the users. 0:30:45.080 --> 0:30:48.800 So they should not distinguish oh, I have windows, I 0:30:48.800 --> 0:30:53.450 have Linux. If they have specific app like Adobe app, right. 0:30:53.480 --> 0:30:56.840 They want to install it. We have built in policy 0:30:56.840 --> 0:31:00.770 for windows. We have built in policy for Mac, and 0:31:01.190 --> 0:31:07.790 there's nothing distinguishing that from user perspective. So they just 0:31:07.790 --> 0:31:10.820 can add this policy to their system and it's going 0:31:10.850 --> 0:31:11.720 to work. 0:31:12.080 --> 0:31:15.739 Yeah. That makes sense. Um, so when are these new 0:31:15.740 --> 0:31:16.940 products coming out? 0:31:17.060 --> 0:31:19.910 Yeah. So new products they coming out like pretty soon 0:31:19.910 --> 0:31:22.790 I hope I hope in a couple of weeks. But 0:31:22.790 --> 0:31:25.280 we'll see. Okay. Yeah. It's not it's not up to me. 0:31:25.280 --> 0:31:29.750 So there's QA stage. There's also but yeah, uh, I 0:31:29.930 --> 0:31:33.960 honestly I don't know. It's not on the Mac. On 0:31:33.960 --> 0:31:36.900 the Mac. Web controls coming pretty soon. But we have 0:31:36.930 --> 0:31:45.780 a couple of problems with the Chrome to browsers except Safari, Safari, 0:31:45.810 --> 0:31:49.050 Safari and Mac works a little bit better, and it's 0:31:49.050 --> 0:31:54.450 easier to handle some things from that standpoint. But other browsers, 0:31:54.450 --> 0:31:56.850 we we need to figure some things out. 0:31:56.910 --> 0:32:00.420 Yeah, browsers are tough because they're always changing their security stuff. 0:32:00.420 --> 0:32:02.820 And just it seems like it moves a lot, especially 0:32:02.820 --> 0:32:05.970 with like extensions and stuff. So. Yeah, that makes sense. 0:32:06.000 --> 0:32:06.420 Yeah. 0:32:06.420 --> 0:32:07.710 And so um. 0:32:07.710 --> 0:32:11.970 But on the Mac patch management and insights will come 0:32:12.000 --> 0:32:16.050 a little bit later. Uh, because we have like Mac, 0:32:16.080 --> 0:32:19.440 it's not as huge as windows. So we have a 0:32:19.440 --> 0:32:21.930 little bit smaller team, but we're trying to keep up 0:32:21.930 --> 0:32:25.530 as fast as we can. So it's gonna come out like, 0:32:25.530 --> 0:32:30.050 I hope, until the end of this month. Web control 0:32:30.080 --> 0:32:36.110 and insights patch management. I really hope it's gonna come out, uh, 0:32:36.470 --> 0:32:38.930 at until the end of the month. 0:32:39.470 --> 0:32:43.550 Okay. Well. Very cool. Um, anything else you wanted to share? Uh, 0:32:43.550 --> 0:32:47.150 where can we find more information about the products? 0:32:47.180 --> 0:32:50.810 Oh, we have we have YouTube, we have LinkedIn, we 0:32:50.810 --> 0:32:55.970 have website. So you can go anywhere. We're we're everywhere. 0:32:56.720 --> 0:32:59.930 Awesome. Well, it was great to chat with you and, uh, 0:32:59.930 --> 0:33:01.130 enjoy the conversation. 0:33:01.160 --> 0:33:02.180 Thank you. 0:33:02.720 --> 0:33:03.680 All right. Take care. 0:33:03.710 --> 0:33:04.640 Take care. 0:33:05.630 --> 0:33:09.350 Unsupervised learning is produced on Hindenburg Pro using an SM 0:33:09.350 --> 0:33:12.920 seven B microphone. A video version of the podcast is 0:33:12.920 --> 0:33:16.670 available on the Unsupervised Learning YouTube channel, and the text 0:33:16.670 --> 0:33:19.970 version with full links and notes is available at Daniel 0:33:19.970 --> 0:33:23.930 Mysa.com slash newsletter. We'll see you next time.