[00:00:00] Ashish Rajan: [00:00:00] Hello, and Welcome to another episode of Virtual Coffee with the Ashish for Cloud Security Podcast. Throughout the year. We’ve been talking about how I do cloud security assessment, what does bug bounty look like?

What does infrastructure security look like in cloud? How do you automate that? Today’s an interesting one, because we’re going to go a level above talking about CISOs and what it looks like.

And without further ado, I’m not going to take too much time because I’m really looking forward to this .

Zane Lackey: [00:00:25] Thanks, man. Good to be here.

Ashish Rajan: [00:00:29] Welcome Zane!. How are you going, man? Thanks for coming in

Zane Lackey: [00:00:31] doing well. How about you?

Ashish Rajan: [00:00:33] Good man. Good. I don’t really think you need an introduction, but I’m surprised they would be people who might not know apart from all of the public talks you have done.

Zane Lackey: [00:00:40] If they don’t have Good taste. They have no idea who I am.

Ashish Rajan: [00:00:44] Yeah. If you don’t know, then you don’t know how , great days in life. That’s pretty hard. So my question , usually is how do you get into cybersecurity, man? What was your path into this.

Zane Lackey: [00:00:53] Yeah, it was actually, it was actually a funny story. The real story is actually pretty funny and pretty stupid.

[00:01:00] It was way back when I’m dating myself here, but let’s say the, the mid nineties or so saved up enough money to buy a separate hard drive for the family computer. Cause I was clearly very cool. Back then and spend a ton of time getting the Linux installed. This is when you still installed Slack where via 50 different floppy disks.

Ashish Rajan: [00:01:17] Oh.

Zane Lackey: [00:01:18] Yeah. So that was part one part, two part three

34, and don’t worry, like 15 of those floppies would go bad while you were installing them. So eventually get Linux installed and I was trying to figure out how to get my LINUX box online so I could hang out with all my friends on IRC back then from my linux box instead of from windows.

And , it actually took a month to figure that out. Cause the modem that I had in the ISP was like, Custom PPP settings. It was all like crazy. And eventually I , got it online after like two months and I get on IRC to go like celebrate and like basically brag to my friends. Like, yeah, I just got online and someone immediately hacks in and [00:02:00] shuts my box off.

It was so cool. And I was like, that was amazing how they did it and I’m going to learn how to stop it. And so I spent like, I think it really ended up influencing my whole career my whole life, because I was like, look, I’m really interested in both offense and defense. And it was so, so visual for me in terms of like, how cool that was.

And , that was kind of the light bulb moment. I got super into security. I was like, 13 or 14. , and , , I never looked back.

Ashish Rajan: [00:02:32] Well, I was going to ask, did you ever find out who hacked your machine?

Zane Lackey: [00:02:36] Yeah, it was a, it was a friend of a friend to play a joke on me. Yeah. Yeah. They had a, they had a really good It wasn’t a zero day, but it was a pretty new exploit at the time.

It was good. It was good stuff. And I eventually found like the exploit code on there. It’s like, great. Gotta use this against the friends box. Now I mess with them with their permission. Of course. Yeah,

Ashish Rajan: [00:02:56] of course. Of course. Yeah. I mean, we always ask for permission before we send a random, fast, [00:03:00] your friends, especially the ones who are send us the file in the first place.

That’s such a cool story, man. So yeah. , just so that people have a bit more idea about your background as well. So pen testing, is that each one?

Zane Lackey: [00:03:14] . Yeah. So I went from there, I went off to a university and said a few different things. And then I got super lucky where my very first job out of university was with a security consultancy called iSEC Partners.

And I was their first Employee and that was Alex Stamos and several other just incredible. Folks that was there Firm, there was five of them that they had started this from and, and they were somehow foolish enough to make me their first hire. And so I got to like, just learn from these incredible people and incredible colleagues and built that whole company.

And then I moved, I was in the Bay area at the time. Moved over to New York and started helping to build out that East coast practice for that contingency. And then it got acquired by NCC group, which a bunch of folks know now today. So yeah, [00:04:00] that was their first major acquisition in the US was iSEC Partners.

And then after that Yeah, I’ll give it another really amazing opportunity to go be the first CSO at Etsy global e-commerce and , build, and run their security program from scratch. And what was interesting was this was at a time when it was Etsy on the East coast of the US and Netflix on the West coast of the US, you asked that we’re pioneering what we now call devops and ultimately Digital Transformation in the cloud.

And so, yeah. It was really myself and one other guy that were kind of two of the first CSOs to live through that shift it was a pretty incredible journey there. And then from that, and final bit, I swear here was then we took those lessons learned from Etsy on how do we defend all of our apps and APIs?

And we turned that into, we stepped out from Etsy and started Signal Sciences and took those lessons, learned, turn them into a product, turn them into Signal Sciences. So my two co-founders and I, we all work together at Etsy. And we spent the last seven years building Signal Sciences and [00:05:00] just joined Fastly a few months ago.

Ashish Rajan: [00:05:02] . Congratulations on that by the way, a really interesting marriage for lack of a better word. Fits really well if you look at the product , sounds like when you, when you went to Etsy and I believe it was Jason Chan, I think on Netflix. Yeah.

So it sounds like it was a biggie and Tupac.

Zane Lackey: [00:05:22] Well, it’s funny, Jason and I both worked at iSEC Partners at the consultancy right before that.

Ashish Rajan: [00:05:26] Oh, really?

Zane Lackey: [00:05:26] Yeah. It’s all, it’s amazing how interconnected everything there is. Yeah, it’s really cool.

Ashish Rajan: [00:05:32] Wow. It’s a really interesting story, man. Cause I didn’t realize there was almost like this movement going on between the West coast and the East coast and that kind of, , There was a whole book and everything that came out, you know, the Phoenix project and everything people spoke about it. But no one was really implementing it. We were just like, yeah, it kind of sounds like a great idea.

Zane Lackey: [00:05:49] Here’s how crazy it was. My last project , when I was still a security pen tester and consultant. My last project was for a huge us healthcare company. They would make production [00:06:00] deployments once every 18 months.

So I left there on a Friday. I took no time off cause I was an idiot and started at Etsy on Monday morning. And the Monday morning, this was 2010. You know, 10 years ago or 2011 they sit me down on the first day. They say we make 30 production deployments a day. This is during a time when Facebook did one a week, right?

Like the leading edge tech companies that was even insane for the leading edge tech company. And so I was like, well, I mean, I guess you’re screwed. Like, I don’t know what to tell you. Like, that’s, that’s gotta be completely insane. And I went from thinking like, well, there’s no way this could be secure, which I think a lot of folks go through during this whole kind of cloud shift and dev ops shift to really realizing what, what I view as the truth now, which is that.

This actually makes us more secure because in all of the systems, you’re always getting an attack no matter what, but as you embrace cloud and DevOps and everything like that, you can now react so much faster than you ever could. And so if the attacks are the same, you want your reaction to be as fast as possible. [00:07:00]

Ashish Rajan: [00:07:00] Going to the topic then, , in terms of when you were Etsy CISO, What were challenges over there? Because to your point, if you’re doing multiple deployments a day, a lot of people would be looking at this going. I don’t even know where to start.

Like, what was your, plan of action at that point,

Zane Lackey: [00:07:17] step one was to go to the pub and have a drink immediately, because this is probably impossible. But after that you know, you start thinking about what’s really interesting is you start thinking about how many controls. That are just kind of taken for granted in a kind of classic security world fall over when you immediately go into that world.

I think thankfully for most security professionals, it’s not that abrupt. You’re not going from a deployment every 18 months to a deployment, you know? 30 a day. Like what happens in your enterprise? If you’re staying inside one company is that, you know, there’s some new and some new and it’s moving faster and faster, but you still have the legacy.

You still have the, you know, the older applications and you’ve kind of got everything in between. But maybe you leave one job, [00:08:00] you go to another and it’s much more pronounced. But in those kinds of early days, when it was such a pronounced shift, you realize how many of the technologies just weren’t built for that.

And so. There’s kind of infrastructure, security, application security, all of these different pieces where we recognized that we really needed to build net new technology in house because you look at like static analysis or dynamic scanning, and you’re like, that’s, there’s 30 deployments a day.

Like the static analysis scan, you know, takes five days to run while they’re 30 a day. So like, well, forget it. Like it’s already changed by the time they’re done dynamic. Scanning was just a nightmare. I mean, we ended up giving up on that. That was. 12 months of my life. I’ll never get that from a program that just didn’t really work.

Because as you started to really go towards single page applications or really API heavy and microservice that stuff just falls over. And then the two other areas that were really big for us, that we ended up building. Technology that, you know, I’m pretty proud of. One area was the infrastructure side and that we built what became a [00:09:00] OSquery out of that which was really fun and really cool.

And then the application side was what became Signal Sciences and really like thinking about we needed a better way to protect our apps and APIs on that side of things in the OSquery side was like we needed a better way to instrument our end points in our production hosts because.

Nothing existed for Mac and really for Linux at the time, that was really to the level that we needed.

Ashish Rajan: [00:09:24] DevOps kind of brought the shift of security to , become more developers as well.

We’re trying to code more on engineering. Like that’s the time . Generally a security person would either be a network admin, SysAdmin, or a pen tester, , so can do some programming where it’s very hacky programming. But I personally I’m guilty of that as well.

Zane Lackey: [00:09:43] Oh yeah. My python code is horrific.

Ashish Rajan: [00:09:46] That’s right.

Like anyone who looks at it like that is not what, this is such a bad chord. I’m like, but it works. Yeah. It works like it’s it’s all great to look at. So when you were , going through this transition and you guys ended up [00:10:00] founding signal sciences behind this were you guys already in cloud at that point or was cloud security thing when you were looking at

this?

Zane Lackey: [00:10:06] It was going in that direction. So some folks were more there were some parts of the business that were more cloud than others. But it was all kind of part of the same. And this is at the time. I kind of look dev ops cloud and digital transformation are three different things and you know, it can be real things can be total buzzwords, right?

Yeah.

But sometimes they mean totally different things. But oftentimes I think the frustration we all have as practitioners is people tend to use them interchangeably. Right. And this is where I think at the time. Cloud was used interchangeably and somewhat still today with modernization. Right. And like, are you doing cloud?

Well, if you ask someone that, that might mean amazing microservices inside Envoy or Istio inside, you know, AWS or GCP or Azure to other folks, like, yeah, we’ve got Salesforce, so we do cloud and you’re like, that’s not the same [00:11:00] thing whatsoever. Okay. So, you know, I think the bigger way to look at a lot of that, and especially at the time was that there was very rapid modernization going on and that was applying kind of across the board and it impacted.

So much of the organization, I think a bunch of what we’ll talk about today and to your point of, you know, at the time there were typically network security people and pen testers and application security, testers and security engineers, and all of that. And the reality and this, I don’t think is a controversial statement, you know, all of those are converging, right?

You can’t just be a siloed network security expert anymore, or a siloed application security expert, all of this is converging.

Ashish Rajan: [00:11:38] Yeah. And to your point, this is obviously the next evolution of security roles as it has become for SysAdmins. Now they have to be more proficient in cloud networking is still the same.

They just start to be doing cloud as well. So fast forwarding to this current lovely period of the pandemic as we are right now. Are you finding that the viewpoint on security has kind [00:12:00] of changed in terms of what priorities are with the pandemic as a CISO?

Totally.

Zane Lackey: [00:12:06] It, because they’ve had to kind of in the same way of cloud, right?

Cloud forced a change in priorities. For CSOs because the business changed. And I think the biggest thing there from a I’ll talk about cloud and I’ll talk about COVID. From the cloud perspective, it was that the business now suddenly started moving way faster than the security organization knew how to handle.

And historically the security organization always felt that it could say no. Right. And it was always kind of the blocker and everything there. And the cliche now is you have to be an enabler rather than a blocker, but it’s also true, right?

Because when you went to cloud, , the story that I’ve shared with a bunch of folks before, but I’ll share it here as well. Cause I think it’s the perfect story on this is a few years back. I met with a global consumer brand that everyone here, everyone listening knows And I met with the CSO and I asked them, Hey, how are you thinking about cloud and DevOps and [00:13:00] digital transformation?

And I said, let me stop you right there where I’m not allowing any of that to happen here. It’s all unsecure. I don’t believe in like cloud and dev ops. And like, that’s all insecure. I’m like, okay. Wow. You know, I’m 20. 16/17. Yeah, it was, it was real. And so I had a meeting with the CIO afterwards and I asked them like, Hey, I’m just curious, you know, every CIO I talked to is talking about digital transformation and cloud and DevOps, and I’m like, Oh yeah, absolutely.

It’s huge here. We’ve got 50 apps in the cloud today. We’re going to have 200 apps in the cloud by the end of the year and several thousand next year. And we’re like, Oh, you talked to the CSO. Yeah. We just don’t tell them anymore. And it was, I don’t think there is a more perfect example of how things can go wrong for security organizations then that, because it was, we’re basically just shoved off in the organization to say, all right, you do whatever you want over there, but you’re not at the adult’s table in terms of the real business decisions.

[00:14:00] All of that. Now, bringing it back to kind of your question around COVID the same sort of thing has happened to get right where the business that was take the businesses that were not remote friendly, like their world changed again, just like Cloud. And so for the psychos there that said, you know, Oh, we don’t allow apps remotely and we don’t allow anything like that.

Well, Now you’re caught completely flat-footed because all of that’s happening, whether you want it to or not, and you need to suddenly adapt a security program and, you know, three weeks in a way that like hasn’t changed in 30 years for them versus the folks who were already working remotely, like you had to adapt to scale, but not a net new idea.

And so it was, you know, very different there in terms of what we saw.

Ashish Rajan: [00:14:45] I hate to ask this question? Because the cheesy one, but what keeps people up at night and yeah. Do you feel that has changed as well? With the pandemic?

Zane Lackey: [00:14:55] Totally. I think hopefully less so now almost a year in. But I would say [00:15:00] certainly in March, April timeframe, I mean, at least in the US anyway, that’s when things were going completely crazy. I think what happened was scale, and it was scale in two directions, right there, scale in terms of network scale, what we’re all sort of used to.

Right. Which is your traffic was at one level and then suddenly it’s at a hundred or, and that happened for a lot of businesses overnight. But the other scale I think is actually much you know, to the point to the question keeps people up at night more, which is scale. What I think about horizontally instead of vertically, which is scale in terms of the number of technology platforms and the number of apps and API, something out there.

So I’ll give you an example of that, which is. We were working with a consumer goods company. So think like people who make Flour for, you know, cooking and plastic bottles to buy and paper plates and , things like that, you know, they always had a website. But it was just a marketing website.

Nobody really cared. They didn’t, you know, that application was not critical to their [00:16:00] business, COVID hits and now they have to become direct to consumer. And that application suddenly needs to become a e-commerce application. It needs to have APIs that support a mobile app. It needs to have partner APIs that support Grocery stores that now need to check inventory because, you know, toilet paper is flying off the shelves.

Who’s got it. It’s completely nuts. Right. And the way that they did business changed overnight, and that went from being a fringe part of their security program to now the most business critical part. And that was kind of horizontal scale rather than vertical scale. And so that I think kept a lot of people up and I know we got.

Historically Signal Sciences, a ton of growth on that in the early days of COVID, because CISOs we’re calling us up being like, we suddenly have these 12 critical applications that didn’t exist last week. How do we protect them? And it was, you know, a really big shift for them.

Ashish Rajan: [00:16:56] To add to your point, what is the now also means they are internal applications, which is [00:17:00] within your boundary now suddenly are on the internet.

Zane Lackey: [00:17:03] Yep. We saw a huge spike in that as well. And we.

Ashish Rajan: [00:17:07] Oh my God, I can’t even imagine it’s really interesting. Kind of like yourself, I’ve been lucky enough that I’ve primarily moved as a CISO or a head of security, primarily moving companies, which have been very forward-thinking to multiple deployments a day and like have to some extent figured out remote working and all that.

Right. So it was really interesting for me to kind of hear the story where a lot of people. Are able to kind of hide their internal sensitive applications behind the boundary of this so-called wall. But now suddenly you have to get them access from the outside because no one can be in the office and you’re kind of going, yeah, it’s super interesting at that point.

Zane Lackey: [00:17:42] And it was, you know, the, this might be a little bit more of a controversial statement, but I’ll say it anyway, which is that, you know, I think, I really feel like the perimeter was always in illusion, but this really shattered that illusion. Right. Yeah. These apps suddenly, fully externally facing, and you [00:18:00] know, you want to keep it CSO up at night.

Talk about a business critical internal app, suddenly being internet facing it. Got horrified.

Ashish Rajan: [00:18:08] . Yeah. I think are you saying this somewhere where a lot of the conversations now are not about, Hey which firewall or which zone is this internal application going to be in it’s more around a, what about account takeover, credential stuffing.

Like all these things are becoming a lot more prevalent. Are you seeing that as

well?

Zane Lackey: [00:18:27] Oh, absolutely. In some ways it makes total sense which is, Attacks follow the data right there. There was this famous quote from like a bank robber in the U S in like 1920s or something.

And , some press person asked him, you know, why you Rob banks? And he says, it’s because of where the money is. Right. And so from an attack perspective, right? Why are you attacking web apps? It’s where the data is, right? Like, if you think about from an attack perspective and like put our, you know, our pen tester hat back on, if you want to go compromise a financial services institution and you want to move money out of that, like if you’re [00:19:00] landing a shell on some database server somewhere like trying to actually make money, move out of a system that complex.

Is such an absolute nightmare. Like it, you just in practice, it never happens. But if you can go pop some admin credentials to a web app that has a nice web form that says move money from this account to this account, you don’t have to know any of the backend details for that.

Right. Like you have your objective as an attacker and it’s way more efficient to do that at the app and API layer than it is at the infrastructure layer anymore.

Ashish Rajan: [00:19:28] Yeah. Smiling because it makes me remember pre-COVID a lot of conversations were around having a single pane of glass or your security Risks.

Now it’s almost like. When all these applications are on the internet and doing this at scale as well, right? To your point, like if it’s a global organization, I think if you have offices all around the world, how do you like, are you expecting everything to be in a single you know, everyone to have their own individuals, single pane of glass, .

Zane Lackey: [00:19:54] The reality is no CSO has a single pane of glass. They have 1500 single panes of glass, [00:20:00] right? So this in my mind actually, I’ll go on a tangent in a rant for a second on this which is that, you know, I think in my mind, this is the line between legacy security, tooling and modern security tool is that legacy security tooling was designed to be only used by.

Like very deep experts in security that you had to log into the console when you could only use it that way. And it was a single pane of glass approach and modern security tooling is designed to be used, not just by security teams, but by dev ops teams and application teams, developers, parts of the business.

And yeah, it might have a really great console and I mean, , That’s super good, but it needs to plug into the rest of your tool chain, ? Like we saw this with single sciences all the time. Like we build the dashboard API first, so we could show everyone’s like cool console.

And some people would say it was really funny. Some people would be like, Oh, that’s awesome. Like, I can’t wait to use that. Like that actually it looks modern and that’s cool. Other folks would say like, yeah, yeah, that’s great. I don’t care. [00:21:00] I’m going to use the APIs to pull all of the data into Splunk. I mean to send alerts into Slack or PagerDuty or Microsoft teams, I’m going to like have my own custom tools that push things back via the API.

And they’re like, there are some of our, they were some of our most engaged customers and they never even logged into the console to exactly that point. Like you don’t need another single pane of glass. You need something that ties into the rest of your tool. Chain.

Ashish Rajan: [00:21:23] Also integration is key then.

Zane Lackey: [00:21:25] Absolutely. It’s the only way you scale, right? Cause if you look at the strategic challenge, this goes back to the first part of our conversation. I think where it all ties together is the scale is the problem that’s facing every security team. And that that’s not necessarily traffic volume or number of applications or anything like that.

It’s also that engineering teams are hiring faster than security, right? Like none of us, almost every organization I know has. Open headcount for security that no one can fill. And at the same time, this problem is getting worse, not better for security because the app teams are moving faster and faster.

You’re [00:22:00] going from the 18 month release to the 30 times a day. Now, most folks are not at one end or the other they’re somewhere in between, but the rate of change is increasing. So this problem is getting harder every day, not easier. And so the only way in which you actually solve that problem, it’s not for.

Security to move faster and faster. That’s one part of it. But the real way is for security to scale by bringing security capabilities, to the development teams and dev ops teams so that they can be part of it. And you can scale naturally with them.

Ashish Rajan: [00:22:29] And to your point, you don’t need to be a security expert to do these things as well. That’s kind of where a lot of processes are in the gap.

Zane Lackey: [00:22:35] Exactly. Like if you have to be a security expert to use a security tool, it doesn’t scale.

Ashish Rajan: [00:22:41] Ah, yeah, because then you’re limiting yourself as the people in the team versus the engineering side of the developer side, which is a lot more people.

Zane Lackey: [00:22:49] Yep, exactly.

And that’s how you scale. That’s how you build an effective security program to scale on that is you have to bring them capabilities that not only the security team can use, but also they can use. [00:23:00]

Ashish Rajan: [00:23:00] I’m thinking about, all the CSOs who have 150 single panes of glass, hearing this and going, Oh shit, this is too late for me, Zane.

Great. You should have told me this 10yrs ago ,

Zane Lackey: [00:23:13] My Linkedin is open, you can send me a message if you’re dealing with that problem.

Ashish Rajan: [00:23:19] Let’s try and bring it back to web applications that I guess would just kind of like where everyone’s going. And the space that Signal Sciences as well. So I’m curious to know in the WAF perspective, because a lot of people now are swearing by either a VPN connection , on the edge or they are swearing by a WAF basically that’s the two main things that people are swearing by these days.

So when it comes to over half kind of thing, I’ve already spoken about this before as well, where, how that’s also coming through our transition onto this new world. Yeah, of what it used to be in where it is now. So keen to hear that as well, man. And as this, especially from a CSO perspective, I know a lot of these are so swear by it.

No one is really happy with it, but

[00:24:00] Zane Lackey: [00:24:00] I’ve been happy with technology, right? There’s a reason that we built signal sciences. It wasn’t because we wanted to go build a laugh. Like we were not, it was because we got so fed up with all the legacy vendors that we worked with there. That way we were like, All right. You know, what, if no, one’s going to build something that we actually want to use.

We’ll do it fine. And so we ended up doing that and really kind of building a technology that we actually wanted to use. But the four problems that we really had that like I had very deeply at Etsy that kind of led us down this path was There are four things. One was architecture. So I needed a technology that would work with any of the architectures that the different engineering teams and dev ops teams were doing.

Right. Historically, I could have a physical appliance wack or a, just a CDN laugh in front of my one monolithic application in a data center. Right. Yeah, that was right at the time. That was fine. But now you’re seeing more and more cloud adoption, dev ops, digital transformation, all of this and what’s happening is you’ve got a million architecture is disappointing.

So what happens in most enterprises is you end up with five different [00:25:00] laughs historically, and you’re like, okay, we’ve got a physical appliance in the data center. We’ve got a CDN over here. We’re figuring out what we’re doing for cloud. We’re not sure yet. And so what we needed when we were in that position was one technology that could deploy anywhere that was software based, SAS based.

So it could go in the data center as well as baking into the most, you know, bleeding edge you know, Kubernetes, containerization, Istio all of these sort of things. Right? And so one technology that could do all of that. Number two, we needed one. I was so fed up with deploying. A technology for every little small problem.

So like, laugh was fine when it was designed around OWASP injection attacks. Right. But like it’s not sequel injection. And cross-site scripting that keeps me up. It’s a kind of takeover it’s box it’s credential, stuffing, it’s API security. It’s all of these things. So I wanted one technology that could deploy that covered all of that at layer seven.

Right. All of those different layers, having issues, you know, it didn’t go down and try to solve SSH issues or something like that. But it was one technology I could do horizontally across all of that [00:26:00] yourself. And then number three was the, like the open secret of laugh for anyone that’s ever worked with laugh.

Which is that the false positives were an absolute nightmare. Right? Never actually put the thing in blocking. Right? All of us that had last had them in monitor mode forever, or we put like two rules in blocking mode or something. One time you show the auditor that, and then you get them out of the room as fast as possible because you hope that they’ll notice the things in monitor mode.

And so we needed a technology that could actually be in blocking mode and we wouldn’t have to go. Retune every time the app changed for every time the API changed. And then number four, this is kind of what we just talked about, but we needed something that would integrate with the rest of the tool chains.

No more, just one single pane of glass have a dashboard. That’s great, but it needs to integrate to everything else. And so that’s really what we, those four principles were what led us to building signal sciences, a meeting, something that could go anywhere. That covered ATO and bots and API security as well as classic WAF issues.

And then the third one that was always like the funds that to get to share. That’s [00:27:00] actually true. It cracks me up is that 95% of the Signal sciences customers are in full blocking mode, Swhich no one believes you it until they try it. Like, if I heard that on some podcasts, like I would not believe that, but that’s the funny thing.

So everyone like tries it. They’re like, there’s no way that’s true. They try it. And I’m like, no, Weird. That’s actually true. Like I can actually be in blocking mode. And then number four, like integrating with all the other tools, they’re like, that’s so creative. Oh, wow.

And she too, it’s really interesting for me because the traditional of apps have never had that.

Like I think they’ll always be like,

I caused a one time at Etsy. I caused an outage for the entire UK because I turned on the way into blocking mode again. It broke everything in the UK because on the UK checkout page, it mentioned a union Jack flag, but the last call union, it’s also in one part of it and union in another part, and thought every request of the checkout page.

Was the SQL injection. Oh, okay.

[00:28:00] Yes, it’s coming at that point. Like basically where’s the ending at that way,

popular in the organization. If you shut down an entire entire country as a market, by the way.

Yeah. Wow. I can’t even, I’m not even going to go there because your point, the interesting thing about VF has always been the fact that I remember we used to have programs where any new application that would come in, do you need a security expert and they’ll go through, okay.

What kind of application, how SQL server in the background and what is it like also started the whole or Stockton as well. You had all these other things, like it was a program of what going for that. And we kind of liked you almost. Things that you’ve wasted so much time at that point, trying to find the unit every time and still not be blocking everything.

Yeah.

I mean, it was, you know, it was, it was a technology built for a certain time and certain type of applications. And I don’t think anyone was wrong for trying that sort of technology, but at the same way that all the apps and APIs have started to modernize the security needs to modernize with it as well.

[00:29:00] Right. And I think in the same way that like the comparison that I always use, that I heard, I got this from customers. Cause I heard this from so many customers. They’re like, look. You as signal sciences, did the whack, what like CrowdStrike silence, carbon black did the legacy antivirus, right? It was like take a space that was just like, sort of the right idea, but became such a huge pain and build something modern in that that is actually usable by practitioners and helpful to practitioners.

Interesting. Because as they’re going through different challenges here, we kind of spoke about the cloud challenge and the scale challenge you spoke about the lab challenge as well. The other conversation that we’ve been going on that’s been going on in my at least circle. And cause we’ve been doing this similar clubhouse where we’ve been talking about a size, those were our challenges.

And we’re talking about different things that we talk about. On a day to day basis that are, I guess on top of mind for people like a lot of people not talking about zero trust and micro-segmentation and all that. Like, what are your thoughts on that?

Yeah, I think, I think so. It’s [00:30:00] super interesting. I think more on the, I think more about the zero trust side of it than the micro segmentation.

So I’ll focus more on that part. Just I’m sure. I’ll say something extra stupid on micro segmentation. So I’ll focus on zero trust. What I th I think zero trust, like great idea, natural progression, like where I, I don’t think anyone disagrees with the idea. I think the thing that we’re all kind of thinking about is really how do we, how do we actually implement it for our organizations?

And what does it actually mean? Right. Zero trust is in that phase where. Every vendor hopped on the bandwagon of co-opting the term and says my product zero trust. Now my product zero trust and my product, and they’re all in totally different segments. Right. And so I think what most people think about.

Today. So let me talk about like, kind of historically what people thought about and where it’s going, or my opinion anyway, I’m where it’s going, which is historically it’s meant let’s get out of just trusted because you’ve got an IP address, right. And let’s go to some sort of device. Identity [00:31:00] and then some device attestation.

Right. So you’ve got to, you know, how it works in practice is like you’ve got a client cert now to be able to access something regardless of your IP address and then some sort of device health check. So if you’re a mobile app, like seeing that the mobile phone has been patched, or like if you’ve got a bit of software on the end point, like seeing that you’re running the latest versions of everything that, you know, you can do like general attestation and device health.

That’s kind of where the early product innovation in this space has been. Now I think where this is going is, and for one part of it anyway, right? Some part of that usage is to be able to access infrastructure layer component. So you need to do that to be able to SSH to a production box. Okay, great. But for a lot of this how it’s shaking out in the enterprise is.

At broader scale is to say, okay, you need this to be able to access some sort of web app or some sort of API for some critical piece. So now where that actually goes, and what I think is the forward looking part of a zero trust in a broader sense is kind of this [00:32:00] idea of continuous authentication. Right.

And you say, okay, well, it’s good that I did at testation to say or identity to say, yeah, this person has a client, sir. They’re not for somebody random and some at gestation to say, and some device health, rather to say that they’re running the latest version of something, but now they’re going to access this application.

Well, what happens when. They got an account takeover. That’s, you know, bouncing through their box and go into their, or to a weak password, or they accidentally posted their clients or to a get hub repo. And now everyone’s masquerading as them, you know, and people are actually attacking the app and not only attacking, but abusing the application.

Right. That’s where it gets really gray is someone who’s, you know, they’re not doing a SQL injection, but they’re incrementing an identifier to try to view somebody else’s record. Right. And this is where continuous authentication gets really interesting and cool is if you can sit in front of the applications and API APIs you can protect against those sort of things.

And if you can integrate with like the identity and the historically [00:33:00] zero trust providers, now you can start to say, Hey, Whoa, Whoa. We just saw something anomalous about this session. Let’s fire that back and let’s say, push a new two factor auth notification or disabled their session until you can confirm identity or something like that.

And this is where it comes together from historic zero trust into continuous off. And it all comes together. I think in under a broader term of the fuller zero trust vision. And that’s what I’m super excited about.

Oh, and to your point. We somehow keep going back to single pane of glass fashion.

different. One pane of glass, hopefully not integrated, but kind of integrated approach. I should say there’s multiple technologies.

Oh, right. Cause I always feel like there’s a need for a single point for policy. No, I don’t want to use the word enforcement, but at least to management, I guess that’s the right word because I unfortunately sounds like you’re trying to be a dictator.

Yeah, but management, but also the systems, you know, the other thing that kind of [00:34:00] comes out of that conversation is. Excuse me. Now you’re talking about multiple security controls actually working together, which is, I think something we’ve all been pushing for in the industry for a very long time. Right.

It was the siloed security. You had your firewall over here and you’re on your ATV over here. You had your legacy laugh over there. And like, you know, we, we pulled this stuff together via SIM and then the soar market started to say, okay, let’s automate, pushing things back out, but this is all the continuation of the trend of.

How do we start to bring these technologies more and more together? And this is where I think the legacy, you know, physical appliance players are in a really bad spot because they never built API for any of their stuff. Right. So this is all trying to bolt on things that they was never built for. And like the kind of SAS based modern security technologies that had to build APIs.

And they’re ready to go on this now. It’s like, how do we integrate those? Right.

Ashish Rajan: [00:34:52] Oh, I remember the time when we had to. Do click install, like you’ll click ups, install softwares as well. Like enterprise software is being installed like [00:35:00] that. There is no automation you’re dropping them. So you kind of, yeah, it was, it was a very different time.

I don’t know what projects used to be like six months, one year long projects. It would take that much time.

Zane Lackey: [00:35:11] Oh yeah. I mean, I remember at one point we were trying to write a Python tool to screen scrape the console of one of our secure, one of our, like. Security technologies to try to get data out because there was no API to get that data.

Oh,

actually that was one of the things that led to single science is actually that story. We were trying to like screen scrape one of the legacy laughs. But we were also highly do similar stuff on like infrastructure pieces that led to a whole bunch of other. Sort of security technology. Right.

Ashish Rajan: [00:35:37] And, you know, that’s, that’s probably a good segue into the whole thing.

We’re like work size as a thing at the moment to the whole dynamic thing, they kind of been okay. My web apps, my APIs, my internal potentially sensitive applications that are from the internet. Great. That I’ve thought about now, I’ve got some ideas, your trust as well, because I keep hearing about this everywhere.

[00:36:00] The other conversation that people so keep hearing about is, Hey DevSecOps, because we have to go to the market liquid. Yeah. You’ve kind of done this part in. I guess you were the, I guess the biggie off it or to back off. I don’t know.

Zane Lackey: [00:36:14] I’m pretty good at it. They’re both pretty cool.

Ashish Rajan: [00:36:17] I, I was trying to think who was in the East coast and he was on the West coast

because Tupac was in LA. Yeah. Fair enough. So, so from being the biggie of Etsy or being a big deal the DevSecOps. Yeah. W w what’s your thoughts on this for people who may be looking at doing, doing some of this cause now to your point scale is LNG. You can’t ignore anymore, right? So either people have accelerated their digital transformation or they put a pause to it, accelerated good security, like, Oh shit, this is going to, this has got to explore.

It’s like a ticking time bomb for us. So what’s your recommendation for those who might be looking at this to start.

Zane Lackey: [00:36:56] Totally. I mean, learn from my mistakes on [00:37:00] that, which is I started with technology on that and that was completely wrong. Like you have to, if you want to kind of build a successful dev sec ops program and recognize that that’s totally fuzzy, right.

But if you want to kind of the ideas of that, if you want to import them and be successful, it starts with culture. It doesn’t start with technology. Right. And it starts with recognizing the reality that in most of these organizations, security has been a negative experience for them, not a positive experience.

Right. And so. In most of the minds of most of the development teams and DevOps teams, not all of them. It’s not that they don’t care about security. I actually think the exact opposite. I think engineering teams tend to really care about security, but they’ve had historically negative experiences where security has said no to something that had to happen.

And so they’re like, well, you’re saying no, but it has to happen. So no tough luck. And so I think it’s really started about dev sec ops. The reason I bring that up first is that that problem that used to happen once every six months. Now it’s going to happen multiple times a day, right? As things move [00:38:00] faster.

And so you have to start with the culture of really leaning into enabling the teams to move and view your job as security as enabling them to move safely, rather than trying to stop them from doing bad things. Because if you’re trying to stop them, I’ll tell you, you might win one small thing. You’ll win one battle, but you’ll lose the war because you’ll say no to one feature or one product or something like that.

And they’ll say, okay, fine. No. And then they just won’t talk to you for the 18 other things that they’re working on. Right. And so you need to focus on the culture first and then you bring in the technology to say, This is where the modern versus legacy security points are important. You bring in the, the modern security technology that the dev ops teams and development teams can also use themselves in addition to the security teams.

And so that’s how you start to build on this is to say, look. We’re here to enable. We’re going to bring you technology that allows you to start to own security as well. And then we, as the security team will try to help out on top of [00:39:00] that and the experts to consult and, and really help you move faster.

But we’re not here to review every change you’re making, because it’s never going to work. Like it just doesn’t at, at the speed that you need.

Ashish Rajan: [00:39:12] I I, yeah, I, a hundred percent with you on that one, man. I think a scale and speed is something that’s always lag insecurity. Okay. It’s just the nature of, because we were never the the team that was making the money for for the business, but just the one sort of advising and being that expert.

Oh, this is the risk. You should stop it instead. So it’s a very different role.

Zane Lackey: [00:39:35] Don’t feel bad if you’re a security team that has like. Gone through that. You know, when I, when I talk about those sort of things, like they seem obvious in retrospect, they were not obvious at the time I messed up, literally every one of those steps that I talked about there for the first several years of kind of adapting our program to what would become known as dev sec ops because.

It wasn’t easy. It wasn’t straightforward. So don’t feel bad if you’re like, ah, you know, we still need to review [00:40:00] everything. Like that’s a natural part of this journey. You don’t end up immediately jumping into one thing. Like you kind of progress along

Ashish Rajan: [00:40:07] that journey. Yep. And that’s to, to your point, I think as long as you go with the mindset that, how do I automate this?

Because whatever I’m doing, I need to scale it. What’s the way to scale it. I definitely cannot scale with my 10 security people team, but in the hour, I don’t know, 200 developers and 10 security people. So, and one of them is an AppSec person, like, Oh, only one AppSec person, 400 developers. Great.

Zane Lackey: [00:40:30] And what happens?

They go on vacation for a week, you know, like, yeah.

Ashish Rajan: [00:40:35] Yeah. Oh yeah. That’s so true, man. I, and I’m so glad you brought this up as well, and it’s great. Definitely great challenges to kind of point that out. The. I guess the, I wanted to shift gears a bit and kind of talk about we spoke about different challenges that are facing and kind of almost like a starting point as well.

It sounds like it’s a irrespective of where they were to start the zero trust or defect offer, update their web [00:41:00] application firewall or internal application. There’s still a cultural connotation. First, before you go out on the whole technology part as a practitioner, you can probably say that. Yeah, no, one’s really a hundred percent figured, figured this out, but.

Be patient and just keep, keep taking away, I guess, a little pitcher by chip, I guess it’s for lack of a better word. Absolutely

Zane Lackey: [00:41:18] focus on the culture bit. First focus on getting that sort of security buy-in first. And then start to like, think about the technologies, right? If, if you just try to shove in one technology without the culture, like the reality is even if you get it deployed which is a big if If the culture is not there, the other teams will just kind of pushed back on it because they’re used to security causing problems rather than actually helping

Ashish Rajan: [00:41:40] them with it.

Yeah. Yeah. Once bitten twice show if that’s still how yeah. So I’m gonna switch gears as well a bit, cause I, cause you obviously have your, have had your own startup as well. And I’ve got a question from one of the, we have a few startup founders as well, who are part of the crew who listened to it as well.

So as a security person, [00:42:00] transitioning into a startup. Yeah, as a wait, let me just rephrase as a technical security person, transitioning into a startup, which is not, which obviously has done really well and gone to Fastly and everything as well. What’s your advice for some of the other cyber security founders are listening to this conversation for.

Great idea. Bad idea, obviously. It’s I, I imagine that any insight that you can share from your journey in terms of what the reality is versus the millions that people get, I guess.

Zane Lackey: [00:42:33] Totally. So here here’s the reality. It’s extremely tough. Right? And so if you’re starting something up and feeling like.

Every other company around you is succeeding and you can’t figure out like, why it’s so hard for you. The reality is it’s hard for everyone and it looks a lot easier from the outside than inside. And so, you know, if I had, you know, obviously this could be an eight hour long topic just on its own about like lessons learned for fountains.

But if I distill it down into just a couple things [00:43:00] here it’s yeah, it’s super tough. Keep going. Like, I don’t mean it’s super tough. So you shouldn’t do it. I mean, it’s super tough. So like, when you feel like it’s, when things are difficult, that’s. Because they are there, they are for everybody keep going.

You know, I think it’s really tough in terms of marketing and everything like that. I mean, I, I think a lot of times I say the only gotcha that I would warn technical security folks. About if they’re starting a company around some idea is making sure that it’s really applicable across a lot of areas.

You know, I, I’ve seen lots of places where someone wants to go solve this, this interesting problem, because it’s an interesting technical problem. But. It applies to 10 companies worldwide and eight of them aren’t going to buy anything for it. Right. And so like, it’s, it’s a cool project. It’s not a cool company.

And so you have to, this is often a conversation I have with when I’m advising or mentoring, like know security founders is the security bit is going to be easy for you. The heartbeat is going to be the company [00:44:00] building. And so step out from that and think about, you know, Your market and, and how many folks need this sort of technology and how you’re going to break through the noise.

And these are all really hard problems that are really fun to work through, but they’re big challenges. And so I think for technical folks, oftentimes that the final kind of adjacent lesson there is for technical folks, starting companies. It’s very easy for them to stay stuck in the weeds on the tech bit, because that’s the fun bit for all of us.

Right. It’s what we all know. And you have to recognize that you’re not building a tech project, you’re building a company and you need to kind of step back and you need to. Stay focused on tech. Cause you got to build good tech and good product, but you have to step back out and think about building a good company around that as well.

Ashish Rajan: [00:44:47] So just so you’re saying my hitch ascend problems should not be the reason I brought that up because we were having a conversation the other day with with Jeff from LinkedIn side, the LinkedIn size though. And I think it was yesterday or last night, and it was really interesting someone [00:45:00] else about, and hitches him a project that they’re working on.

What’s the future of it. And you’re like, wow. I mean, but I will be, I’ll be no hate on anyone. It was just sounded super interesting, but I’m like, well, how many people would use it? Right? Like

Zane Lackey: [00:45:16] there’s a difference between cool technology and potentially large company. And, you know, Neither one is right and neither one is wrong.

This is the thing. Like, it doesn’t mean you have to build something. That’s going to be a huge company. Like that might not be one. You might want to work on a cool technology project that you can not take venture capital on and get like some income on just so you can keep working on this thing. And that might be what you want.

And what’s exciting to you. And that’s awesome. Right? There’s like, there’s several different options here, but no, which my advice would be. Make a conscious choice about which one you want.

Ashish Rajan: [00:45:50] Yup. A hundred percent. All right. I think we’ve had enough of technical questions and bath and everything. So I’m going to switch gears to some fun questions or I’ve only got three.

Th they’re not too personal, [00:46:00] but it’s interesting to get to know the other side of the Zane as well. First one being, what do you spend most time on when you’re not working on value and technology and size of stuff? Oh, man.

Zane Lackey: [00:46:10] I love travel. So this has been a, everybody I got into a scuba diving a few years ago and I’m super loving that I love skiing and snowboarding.

I grew up doing that. And I also love good whiskeys so that depending on how much of that one, then I do less of the other activities the next day.

Ashish Rajan: [00:46:29] But Randy’s McKellen 10, like a good one. Oh yeah. I

Zane Lackey: [00:46:32] love, I love good scotches. I love good Japanese ones and American bourbons and rise.

Ashish Rajan: [00:46:37] Basically cybersecurity is for alcoholics.

Is that what you mean? Yeah.

Zane Lackey: [00:46:41] Agree. And that’s for sure. Right.

Ashish Rajan: [00:46:47] It definitely helps. Cause I was trying to go back to a lot of conversations that I’ve had with other folks as well, especially in senior leadership as well. They’re all, they all enjoy alcohol and you almost wonder, like there seems to be a pattern here either.

We are just [00:47:00] like people have good taste. Yeah, my job requires us to have a lot of this, I guess

Zane Lackey: [00:47:07] you want to drink after

Ashish Rajan: [00:47:10] the second question that I have is what is something that you’re proud of? It is not on your social media. Oh, Is there anything which is on, on social media? Like, I can’t imagine duplex,

Zane Lackey: [00:47:22] not a ton.

I mean, it’s mostly, mostly like industry stuff. I mean, there’s plenty of like life things. I’m super proud of. Like I’ve got an amazing wife who she’s totally awesome. I got the better end of the deal. That’s pretty

Ashish Rajan: [00:47:32] cool

Zane Lackey: [00:47:33] Blake twice if he’s listening. Yeah.

And we just moved to Austin and we got a cool new place. I’m super excited about I haven’t, I was living in New York for 11 years. And now I’m excited to try something new. I mean plenty, just kinda life things. And I think I’ve been incredibly fortunate. I’m super excited about, I get to hang out, chat with friends from all over the world.

Even when we can’t travel. That’s. That’s pretty cool.

Ashish Rajan: [00:47:54] Yeah. I think that’s, that’s a great answer as well. Final question. What’s your favorite cuisine [00:48:00] or restaurant that you can share?

Zane Lackey: [00:48:02] Oh, man, I like all of it for it. That’s the problem is I like a lot

Ashish Rajan: [00:48:06] like the alcohol and food and traveling so via normal people, people.

Zane Lackey: [00:48:14] One cuisine. I’ll tell you what my favorite thing with food or alcohol or just social experiences is, is getting to travel and try cool things. I’ve never gotten tried before, like something cool and local. I mean, like it’s not you know, hike last time I was in Australia actually.

And learning about the incredible coffee culture in Australia and being like, Oh yeah, he’s absolutely incredible. Like, I didn’t know that coming from the States, it’s incredible. Like, cool. I can’t wait to have a million coffees here when I’d normally drink far less than that. And you know, just find like having cool local food.

Local drinks, like all that sort of stuff. That’s more important to me than like one particular like, Oh, I love Italian food and that’s my absolute favorite. Like I like traveling,

Ashish Rajan: [00:48:55] trusting answer, man. And I love it because I’m glad you mentioned coffee.

[00:49:00] Zane Lackey: [00:48:59] perfect. Start bourbon

Ashish Rajan: [00:49:00] gun in there, right? Yeah, that’s right. That’s right. Going out really well, man. Thank you so much for taking the time out, man. So people have people having questions about this. We can reach out to you.

Zane Lackey: [00:49:10] Oh, yeah. Give me a shout on LinkedIn. Like LinkedIn is a good one on there.

You know, add, send me a message on that. That’s easy. I mean, I’m on Twitter and stuff too, but I, I probably end up like what I’m at the point in my career where I’m probably seeing LinkedIn more than I’m seeing Twitter, which makes me feel old. But yeah, Zane,

Ashish Rajan: [00:49:29] LinkedIn as well here at one plus one, what is one plus one, two, three, four.

What? Your options are? Two, three, four. I’m like. Or LinkedIn. So this is like, I feel like I’m on Facebook, but sure. Let’s go with that. But dude, thanks so much for taking the time or like having you back again, man. Thanks so much for this. Thank you.

‍