EP#80 - Maxime Lamothe-Brassard - The AWS Approach to Provable Security

Traditionally, companies have relied on the promises of vendors when it comes to reaffirming their security stance.

However, LimaCharlie has a far more radical approach—provable security.

How are they doing it?

In this episode, Maxime Lamothe-Brassard, LimaCharlie’s founder, explains the “AWS approach” the company employs for cybersecurity and how being born in the cloud provides infinite scalability and enables them to deploy a wide range of security capabilities.

Join us as we discuss:

Moving past promise-based security positions to knowable security
The extra level of control and breadth of security you receive with LimaCharlie
How infinite scalability enables support of both security and compliance
Doubling down on low-code approaches and integrations

To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here.

Listening on a desktop & can’t see the links? Just search for The Virtual CISO Podcast in your favorite podcast player

You’re listening to The Virtual CISO Podcast, a frank discussion, providing the best information, security advice, and insights, for security IT and business leaders. If you’re looking for no BS answers to your biggest security questions, or simply want to stay informed and proactive, welcome to the show.

Hey there. And welcome to yet another episode of The Virtual CISO Podcast. With you as always, John Verry your host, and with me today, Maxime Lamothe-Brassard, and I probably screwed that up, so feel free to correct me.

No, that’s pretty good. That’s pretty good. It’s a really tough pronunciation, so this is good.

All right. So this may be recording this right after your Canadians beat my Women’s US Hockey Team, is maybe now the wrong time to be recording this, because I’m already a little angry with you.

I’m going to trust you on that. Actually, I’m a horrible Canadian for that. I don’t follow hockey or anything like that.

All right. Well, then I’m going to give you a little break. If you tell me you don’t follow box lacrosse… which is a passion, we’re a lacrosse family… if you tell me you don’t follow lacrosse, I’m going to be a little upset, so lie to me and tell me that you’re a lacrosse fan.

All right, there we go. You’re back on my good graces. All right. So let’s start easy. Tell me a little bit about who you are, and what is it that you do every day?

Sure. Sure. So, I’m Maxime Lamothe-Brassard. I’m Canadian. Cybersecurity’s kind of been my whole thing. I’ve been in a bunch of different companies, from CrowdStrike into Google and all that stuff. And nowadays I run LimaCharlie, which is sort of a security infrastructure, delivered in an AWS kind of way. So we do a lot of cybersecurity in a really accessible way.

Cool. Thanks. And before we get down to business, what’s your drink of choice?

You’ve never listened to the podcast have you, because I just give people shit every time they tell me they drink scotch.

The peat ruins a good whiskey is the way I look at it. All right, so you don’t like a Laphroaig. Do you like those PD ones, or smokey ones, or you more the Irish whiskey scotchy side of the family?

Okay. So you and I can’t drink… So, all right. So we can’t watch hockey together, we can’t drink together, should we continue on with the podcast, or you just want to call quits at this point?

So, thank you for coming on. I think what you’re doing is fascinating, and I think I’m going to struggle to really communicate it, and I’m hoping by the end of this, that everyone’s going to understand what you’re doing, because I think what you’re doing is really cool. So what we’re seeing in the industry of course, is that there’s growing regulatory pressure, right? Key stakeholders these days, everybody that processes a third-party’s data, needs to be provably secure and compliant. And one of the critical ways that you prove compliance and you become secure, and detect and respond to incidents, is some type of, I’m going to call it, log management, SIM, SoC, some type of technology that allows us to detect and respond to incidents. So it seems to me that you’re in that family mostly, but you’re taking a radically different approach. Can you describe the approach, because it’s crazy?

Sure. Sure. And it’s funny, because we’re radically different in a couple of different ways. At a fundamental level, I think what we’re putting forward is… And you hit it exactly. You said it, “Provably.” You’re right, provable security. So what we are putting forward, is a set of solutions, right? Sometimes when we talk about [inaudible 00:03:58] in one pitch line, “Like AWS for cybersecurity,” is kind of this idea that we’re putting tools that are made accessible for people to do cybersecurity. And the approach that we’re taking to those tools, is more… In cloud world it would be primitives, sort of the actual capability that we’re putting forward.

So what that means is, instead of relying on the promise of a vendor, right? I think historically in security, we’ve done a lot of this, of you talk to your CISO, “Are we safe on the endpoint against,” I don’t know, “ransomware?” “Well, our [inaudible 00:04:36] provider says yes.” And they have a good reputation, so we have to go and say yes. So you’re relying on the promise, whereas what we’re doing, is we’re saying, “No, no, no. Cybersecurity really has to evolve past these promised-based kind of security, into knowable security position.” If your CISO is asking you, “Hey, are we detecting this kind of odd behavior in our factories,” I don’t know, “somewhere in the US?” You want to be able to go back and say, “Yes, we are, and this is how we are doing this.” And so, we really know how we’re protecting against things. So that’s philosophically how we came through with a lot of our solutions, [inaudible 00:05:21] first big one for us has been EDR. So again, that means, we’re not a ML blockchain, secret sauce, duper magic, but rather we’re saying “No, no, no, EDR people…”

No, you didn’t mention next-generation, next-generation, which usually has to come in, in every description these days, right? I mean, you’re never going to be successful if you’re not next-gen, next-gen [inaudible 00:05:42]. Don’t you know anything about security?

We know things about security, but not about marketing, I’ll give you that. That’s the philosophical difference in the approach, and then the other big difference is in… I think it’s a generation thing in cybersecurity tools… there’s more and more of those… which is saying, “Look, if you need an EDR, and you need to go and deploy somewhere in your company,” having to go talk to a vendor, and negotiate a contract that plans your usage over the next two years, and negotiate it over three months, with huge minimums, and the really super ton of friction in that whole process, right?

And they’re going to give you a price, not because it’s the price of the thing, but that’s how much they figured out that they can get out of you. So we’re taking the AWS approach, which is, “Look, we put the tools… They’re available in a self-serve fashion, scale-up, scale-down, per month, billed monthly. So we like that for us what it means is, our customers like what they get from us, and if they don’t, then we know they’re not going to be there next month, right? It’s not because we’ve locked into a three-year contract.

Very different. So, this idea of spinning up components of a SIM, if you will, as simple as spinning up an EC2 instance in Amazon, is really intriguing. So let’s drill in a little bit on that. So let’s say I was deploying an application in AWS. I might spin up an EC2 instance, I might spin up a WAF. That’s a web application firewall, if WAF isn’t a familiar term to you. I might spin up an S3 bucket for storage, for file storage and things of that nature. And I’m buying these components, and I’m basically, “Oh, those three together equals what I need to deploy this application.” Are you doing the same thing, and if so, what are these components, right? So, what are the components that I’m gluing together? It sounds to me like it’s almost like the kids’ blocks that come together. Why am I drawing blank [inaudible 00:08:05]?

Lego blocks. Thank you. So is this almost like Lego blocks, and I can buy the storage block, and I can buy the correlation engine block, and I can buy the same API block that’s going to parse my data? Explain to me how these blocks go together, and what the pieces are that you sell that way.

So conceptually you’re on the right path. This is it. In practice, what we try to do, the line in there, is figuring out what those blocks are, and trying to stay on of the side of ease of use, right? So we want this to be Lego blocks, it is. It’s built so that they can work together, you can assemble them, but we also don’t want to over-segment the space, so that to do a little thing, you need to figure out a whole bunch of different Lego blocks, right? So, that’s the line we try to navigate. So what that means is, sometimes we present part of this vision in the following way, right? So LimaCharlie, we have sensors, and sensors is a really wide term for us, right? So it means it could be an EDR, which we have our own EDR super-wide platform support, so you can bring in telemetry from Windows, Mac, Linux, Chrome, Chrome OS, a bunch of different things.

No. So we are not, we’re using our own EDR, and that’s got a bunch of advantages. So we tend to be a lot more real time than osquery, right? Osquery is a very async type thing. In our case, the EDR, it’s a point of pride for us, but it’s a hundred millisecond round trip between the cloud and the endpoint.

So what that means is, you’re not thinking anymore in terms of like, “Hey, I want to collect this information from these hosts. Okay, I’m going to put in the request to my system, and maybe in a day, maybe stuff will happen.” You can start to think about all of your endpoints as an extension of the cloud. So you can write Python script, because like AWS, we’re API first, so you can take our Python SDK, and super quickly write something that literally goes against all of your endpoints, and gets some pieces of information, some tasking, and based on that makes a call, and that does something with that. And you can do that, and it’s running it directly in the box, right? It’s interactive.

So, that kind of capability gives us the ability… So, I mean, I guess the Lord giveth, and the Lord taketh away, and that’s always the case, right? So the Lord giveth in this case, is that I can make this do anything I want it to do, right? I’m not restricted by, “Oh, the product doesn’t have that functionality, you’re going to have to wait for the next build,” or, “No, you can’t do that for this reason.” And I would assume there is some compromise on the other side, that I probably have less canned functionality, so to make it do some things, I actually have to make it do that, where I might get something more out of the box from a packaged SIM, if you will?

Yes and no. Yes and no. The yes part, is that you’re correct, right? We call this fundamentally unopinionated, meaning it’s not so much an EDR, for example, that you’re deploying, as much as an agent that has EDR capabilities. And so if you want it to be a cookie cutter, super normal EDR, we make that really easy by layering things on top. So it’s not so much that, “Hey, everything’s really difficult, because you got to go and start from zero,” as much as, we give you the ability, we give you the freedom, to choose where you want to do it. And it’s not binary either. Most of our users use this as an EDR, and they’ll go and they’ll say, “You know what? I want to layer all of the SIGMA open-source detection rules.” Hundreds and hundreds of rules, that are maintained by the open-source community, so it’s a really great source.

And that’s a one click to just apply it to a tenant, and so you’re up and running. But even if you’re doing this, you still have the ability to go and take ownership of what you’re doing with it. So the example that I like to mention is… I’m sure you remember when WannaCry happened several years back now. But when WannaCry happens, and Twitter people start talking about it, WannaCry was incredibly easy to detect and stop. Really, really what? Static file name, you just killed the process, and that was it. So it was really easy. But the question is, that morning when this is happening, you have two possible universes, right?

One is, you go and you talk to your vendor, and you say, “Hey, are you protecting me against this?” And then they’ll tell you, “Yes.” And maybe it’s true, maybe it’s not. Maybe they’ll say, “Oh, mostly, but we’ve got a patch that’s coming up in a couple hours.” And so you’re like, “Okay. Now I got to hope and wait for my vendor.” Or the alternate universe, is where are you using something like LimaCharlie, you wake up, you see that, and you go, “Oh, okay.” Enter it, and there you go. You’ve put in your own rule, your own automation, onto the agent that you have, and it took you 30 seconds. And now you know for a fact, where and how you’re protected against this. So it’s an extension to that.

So in a weird way, in the same way that I could deploy a SaaS application, or I could deploy an application in an EC2 instance that I control, where I have that… It sounds to me like there’s a level of control that you have with your environment, that you wouldn’t have with a product. And it also sounds like, in the same way that you layer this functionality into the tool that’s available if you want to use it… And again, I’m going to use the analogy of the web application firewall at AWS, and we happen to run one.

And what’s cool about the web application firewall at AWS, is that I can do anything I want with it, but if I want, I can go in and say, “Hey, enable these core hundred rules that are going to protect 99.9%.” And I can use those by default. So it sounds to me like you take the same style of approach. “Here’s a building block. It’s preconfigured in a way that, if you want, you can select these sets of features. This is going to do 80% of what you’re ever going to want to do, and now you have the ability to do the last 20%, because you’ve got complete control.”

Yes. And the other part of that, that we haven’t mentioned, is because we take this very fundamental approach, it means that we can cover a lot more ground in security, right? We really don’t like the tight labels that are out there, and so what that means is, we enable people to do things like Windows EventLog forwarding. Instead of going and deploying your own other agent, that you’re paying a vendor, maintaining that relationship, more agents, more stuff, it’s built-in, free, automatic part of LimaCharlie. Maybe you need to do some forensics, because you’re investigating something, and you want to run Velociraptor. You don’t have to go and redeploy again more infrastructure, maintain more things. It’s trivial. We have an integration. You just go, “I want to collect these artifacts from these endpoints,” and go. And so we become that central funnel for all things security at the endpoint, around the sensor, but also in the cloud, right? Because now we also take as sensors, things like Office 365 audit logs, or one-password audit logs. So we’re that security bus that sometimes people refer to.

So I would imagine that if you can get to… I don’t know what the right word is… critical mass, a critical posture, if you will, right? Where you’re important enough in the ecosystem, then it sounds to me like you’ve got a bit of an open-source concept within you. Not that the code might be open-source, but you could create this environment where people could build their own blocks that would supplement your blocks, right? Is that part of the long-term vision of where you’re going? Is that like, “Hey, this is like Salesforce is a platform.” But there are tons of companies that make lots of money selling plugins to the Salesforce platform, and using the Salesforce platform in ways that maybe Salesforce never even anticipated. Do you see the same thing? Do you see yourself as getting to that point, where someone like us would say, “Oh wow, we figured a way to write this cool correlation engine, and we could plug it into LimaCharlie, and then we could license it to other people? Is that where this is all going?

That’s right. That’s right. So we are from an open-source background, so you’re right. Technically we’re not open-source, but like you said, there’s-

It’s the philosophical component of it, not the actual literal, “We’re going to give you [crosstalk 00:17:00].”

Exactly. And so what that means is, like you were saying, we absolutely want people over time to do that type of integration, and I think there’s two flavors of that, that are really important to call out. So one is, like the Salesforce is kind of like the marketplace type thing, we’re saying, “Hey, people can come in and offer things as part of the LimaCharlie ecosystem,” but what we’re actually really happy about, and what we want to promote, is the other flavor, which is the AWS flavor, which is, “Look, it’s not that we’re a marketplace. It’s not like we’re saying, “Oh, everybody has to pay for the LimaCharlie platform [inaudible 00:17:43] EDR, and then we’ll let people play in,” but with the opposite as well.

So, that means we are happy to OEM things. If you’re starting a tech company nowadays, you’re going to go to AWS or a cloud provider. You’re not going to rack and stack your own things, because how long is that going to take you, the financial and the room… They’re just so much complexity. You want to get to market quickly, so you’re just going to go to AWS, get going. We want people in security to take the same approach using LimaCharlie. So we want people that say, “Hey, you know what? We have this great idea for a product to do…” I don’t know. I’m making this up. But like, “Detection of intrusions based on machine learning through DNS data. That’s our thing. We’re experts, and we want to do that. We want to start a company.”

Your value is not in building an agent. You just want the data. You want to get to market quickly. And so we want those people to come to us and say, “Hey, you know what? Don’t have to talk to anybody, we can do pure-usage billing, so we’re not paying for a whole EDR, we’re just paying for the tiny bits that we need. We’re going to leverage LimaCharlie as infrastructure, so that we can get to market and touch every single device that exists out from day one. We don’t have to build our agent. We don’t have to build any of these things, and we can just do our own thing.”

That makes sense. And then I would imagine the other side of that would be integrations, right? If you get to a point where people think, “Wow, there’s enough people on LimaCharlie, I’m going to build an…” If you could get Atlassian to build, as an example, an interface, right? Or if you could get a big SIM vendor to build an interface, those types of interfaces, where you get to enough market share that people are building those interfaces instead of you having to build them, all of a sudden, I think it becomes really interesting.

Cool. So it sounds to me like one of your core… The simplicity of doing this and the control. I would also imagine that, because you’re inherently a cloud-based product, that just inherent scalability is one of the other really significant advantages to your solution. Anything else I’m missing?

Yes, scalability. And scalability applies differently to different people. Certainly we’re seeing a lot of MDR, MSSPs, MSPs. For them, that’s a huge value proposition, because they need to scale-up, scale-down all the time. A bit less so for enterprise. I think on the enterprise space, the other big value that people see, is that we’re putting forward that like, “Here’s a capability and its infrastructure, and we’re not interested in keeping your data locked into something complicated, we’re just designed to work with everything.”

So that means we’re seeing a lot of people that come to us, because they have a security pipeline to deal with parts of their infrastructure. They have a security team. They don’t want to have to scrap the way that they do things just to be able to bring in this one vendor. So what they love, is that they’re able to… I think of the board when I think of this, right? We’re able to go in, and they assimilate us as part of their platform, the way they do things. So many people will use the API as part of their automation to do their processes. They’ll just use us to go and do whatever they need to do.

I can understand why you almost smirked when I use the term SIM, right? Because SIMs are a lot of things to a lot of people, and now there’s so much… What is it you do, right? I mean, I know that’s going to sound weird. You have this toolbox, but if you think about it, what’s the primary use of… If someone’s going to use your toolbox, how are they going to use it? Are they going to use it as a SIM? Are they going to use an MDR? Are they going to use it as threat hunting? When you think about like, “Wow, I’m excited about waking up every morning to do this,” because you’re envisioning how people are going to use your toolbox, what are they searching for?

I mean, at the end of the day you got to sell this thing, right? And it’s an educational sales process. This is not an easy product to understand, right? Because people don’t wake up in the morning and go, “I’m looking for a security toolbox that’s out on the internet,” right? They’re looking for a SIM, they’re looking for an MDR, they’re looking for a SoC. What are people going to look for, what are they searching for, and how are you excited about people gluing your pieces together into which kind of solutions?

So I mean, there’s many different people doing really interesting things with LimaCharlie, certainly, for example, around incident response. It’s really cool to see people come in and in 20 minutes they drop a credit card. They go to 5,000 [inaudible 00:22:27] and they deploy to an incident, right, [inaudible 00:22:30] they go to a customer. Those are things that makes me excited, just because we haven’t really seen that out there before. But I think if I was to look a little bit of what we’re seeing, and erode where we’re going, the thing that would excite me the most, is seeing people that mostly come to us around EDR, right? It was our first big product, and it’s traditionally a product that’s really difficult to buy and all that stuff. So we make that easy, and so they’ll come for that.

And we take them through that realization. You said it’s an educational sale type thing. That’s very true. And that realization that, “Hey, you’re coming for EDR, that’s great. What are you looking for? We’re going to help you do the EDR use case. And by the way, you have a vendor for Windows EventLog forwarding.” That’s always the first one, because it’s just so easy. It’s such a simple thing. And, “Oh yeah, we pay $50,000 a year for that vendor, and it’s deployed and it’s its own agent. It’s kind of a pain.” “Okay. Well just by the way, you don’t have to pick us up on that offer, but if you click here, you’re going to start to get all of this in, and you’re going to have it one year. We do one year retention of every single thing that we bring in.”

And so they kind of light up and they go like, “Oh, that’s cool. Okay. Now I can take that vendor off.” And then we get a little bit further into discussion of, “Right now that goes into what? Into Splunk, right? Okay. How much are you paying per year? How many of your [inaudible 00:24:05] are you paying per year for Splunk?” And, “Oh, we’re ingesting, I don’t know, a hundred gigabyte a day into those logs.” And it’s like, “Okay but now, we have one year of retention, it’s all coming in. Do you need all of this?” “Oh, no, we only use that part and that part of the log, but that’s the deal.” “Well, if you click here, you set up a forwarding of just the type of event log that you want. We’re still going to retain all of it, but sometimes you still want it to Splunk, and you click here, and it’s going to go to your Splunk. Now we just cut your Splunk bill by 40%.” “Oh, well that’s cool.” And so we it’s this [inaudible 00:24:45]-

[inaudible 00:24:45] EC2. It’s Amazon, right? I mean, when people started going to Amazon, “I’m going to spin up one server,” and then you just start getting used to it like. “Oh, this is so much easier to do things this way,” which is why you have… I mean, you have cloud sprawl, right? Everyone starts with one or two, and we’re now to a point where for years we’ve had colocation facility with lots of servers and stuff in there to run a lot of our stuff. And increasingly, we’re just getting rid of all of it, because it’s just easier to click one more button. So really what you’re saying is, truly this is like Amazon, is that all of these services are there, and it’s like, “Okay, well do I really need to run ArcSite over here, or can I just click on this CloudWatch over here? It’s literally the same kind of progression that people go through.

That’s exactly right. That’s exactly right. And that’s why we don’t like the labels, because the labels have been there in the past, because one security company builds one product, it’s around one thing trying to… Very, very narrowly. And fundamentally what we’re saying is, “Look, we want to solve use cases that you have, right? We want to solve problems. That’s what we know what to do.”

You are going to have… I mean, this is such an educational sales process. It’s going to be hard.

Because it’s almost like the early days of that. I mean, originally it was just servers, and now it’s 68 different services that you can just layer on. I mean, it’s sort of the same thing with you, is that people have to get used to this paradigm of this existing. I mean, it took a while for people to get used to cloud, but once they got used to cloud and they understood it, man, voom, it took off. I think you’re going to see the same kind of thing if you can reach that point where people know it’s out there, so that’s really interesting.

100%. And I think, that’s part of our thesis, is that we’ve looked at IT in the past, and we saw IT’s been getting more and more complex. And with it, people used to have pretty low sophistication in IT, most people, right? There was a time where if you said, “How many developers do you have as a company?” They did, “Wait, developers? No, no, no. A vendor that’s very special does that.” And nowadays it’s like, “No, no, no. We in IT. We get it.” And I think cybersecurity, we’re starting to see that. We used to be like, “Oh, it’s a point and click thing, and a couple of vendors know the secret sauce of how to do security.” And now you have the MITRE framework, where people are saying, “No, no, no. As an industry, let’s think about this. Let’s reason about how and what we protect.”

And you end up with things like the Atomic Red Team, types of tools that are there to say, “Now that we have a map of what can happen security-wise, let’s get into testing this, so that we are not just taking promises, but rather we’re testing where infrastructure’s going.” So you’re totally right, it’s an educational sale, but we think that, that’s the direction that the industry’s going into, is more and more security professional, wanting more than just the boxed product.

Right. One quick question for you. So, there’s security, and there’s provable security, which are different things, because provable security has a compliance component to it in my mind. So are people using your product on that compliance side as well, because… [inaudible 00:27:59] an example. Are you sitting in people’s agile workflows, and if they’re running some type of code scanning, and things of that nature, are you sitting there grabbing those logs and documenting that in such a way that they can prove it as well, so that you’re scratching the compliance itch as well as the security itch?

I would say that, that’s the biggest growth aspect to what we’re doing. If you’d asked me a year ago, “Not particularly. We had people certainly automating very customized flow.” One I like to remember is, looking for open-source licensing inside of a software vendor firm that was using us, and they don’t want their devs to clone GPL code, because then the licensing becomes a problem. So they automated it through our agent. They would automate like, “Hey, I have file monitoring on any [inaudible 00:28:52] being created. When that happens, get the license file. If it says GPL, then create a ticket in Jira,” right?

So they used some of that, but I think it’s shifting dramatically for us, because we only started releasing this external telemetry ingestion for us, which is bringing in the one-password audit logs, the Office 365, generic CIS log, even other EDRs, so other products. We can actually open-source the protocol to bring in sensor telemetry. And so what that’s opening the door, is exactly to what you’ve been mentioning, right? Maybe you have a platform that does container scanning of the containers that you’re building and deploying. You can trivially bring that into LimaCharlie, and you get the one-year retention, but you also get the ability to have rules, “Run on this, and automate off of that.” So you could start easily saying, “If a user deploys a container that has this unsigned thing…” And you can start building workflows and going really at automated compliance.

Gotcha. The continuous compliance is really… I mean, I think when we look forward two or three years, if you’re not doing some level of continuous compliance, and you’re in an agile environment, I think you’re behind the curve. We’re seeing that. So those integrations are going to be critical, right? So what you’re saying is, that you could be the APIs that provide evidence of continuous compliance, but I might feed that into a GRC platform. A lot of our clients are sitting on a GRC platform. We have a GRC platform. They might be using a Tugboat Logic, they might be using a VAN to draw a secure frame, or something of that nature. So in theory, your APIs could you sitting there, you could be gathering all this data, and then we could have a rule that says, “When you get this type of data, because this is important, push this up to this system of record that the auditor’s going to be looking at?”

We’re probably going to have to talk to you a little bit about that, because right now that’s what I mean. We’re working our way through that with a number of our customers with our platforms, how do we get to that point where we’re just ingesting this stuff at line speed, and it’s no longer where you’ve got to prep for an audit. You could be audited any moment, and the most recent data’s going to be sitting in the right place, in the right structure, in the right format, and if it’s not, you’re going to know about it, because that’s the key. All right. Cool. We definitely should have a follow-up conversation about that.

So I would assume, based on this conversation, that your ideal customer is probably going to be an organization that’s got a high-technology component, that’s got some to either direct technical people working for them, or you’re a third-party service provider, somebody like us, or somebody like a managed services company, a security operations center, somebody that wants to spin up infrastructure in the cloud and offer it to their clients in a way that they can control the way it works. Those are going to be probably your primary markets. Am I missing anything? Anything else?

That’s exactly it. Usually the way we think about that is, we have a ton of MSSPs, and MDR, and IR firms using us, and then we have enterprise… To tell you the two big names, so we have [inaudible 00:32:17] and Snapchat that are our customers. So you get a little bit of a feel for what kind of organizations are they, and why they’d be a good fit into LimaCharlie.

Gotcha. And one of the [inaudible 00:32:28] also cool, and I know that you don’t like me using the word SIM, but I’m going to use it.

I mean, I think that’s a common use case for what you’re doing, or some variation of that, we can call that evidence collection, right? And that’s what SIM is, evidence collection and incident response. Whatever the hell we want to call that. So one of the things that I’ve struggled with over the years… Because I’ve been doing SIMs since 2004. If you remember [inaudible 00:32:50] security network intelligence, the Cisco MARS. I mean, we used to implement all that crap, right? Qradar, from the very beginning when [inaudible 00:32:59] first invented it. Those guys were just brilliant people. And one of the problems we’ve always had, is you can’t serve two masters, right?

You can’t serve security and compliance, because security is about signal to noise, and compliance is noise to signal, right? Compliance is about the noise, security is about the signal. And these systems could not scale fast enough. The EPS would get too high, you’d sync the database, which is why we went to these flat file logs, consolidators that forwarded to the SIM. They had to create these hybrid approaches. But what’s really cool about, I guess, a cloud-native solution, is you can serve two masters easily, right? Because you have infinite scalability, right? I mean, if I need to burst my data throughput to you to a hundred times the level that its normal run rate is, that’s not a challenge.

That’s right. It’s not a challenge, as long as you are on a cloud provider, you’re in cloud scale, and you’ve built things for it to scale horizontally like that. And I don’t want to trivialize the building for it as well, because anybody can deploy a single virtual machine, but anybody that’s tried to scale a server of some kind that isn’t designed for it, will realize there’s challenge to it. But you’re absolutely right, that we are able to do all these pretty magical things, because we were born in the cloud age, right? We don’t have that legacy of racking and stacking, so like you say, we can scale to a thousand cores, even to do retroactive hunting, right? I’m looking for this thing in my historical data, “Go for a thousand core. It’s cheap. Five seconds. No problem.”

Right. And now we’re in a situation where if I was sitting on a conventional SIM platform, I might hit the search button, and an hour later I come back and I’m still watching this spin. What you’re saying is I’m going to have an answer super quickly, because it’s going to parallelize it, and then soon as it’s done, it’s done, and it consumed what it did, and it costs me a quarter or something like that, but I have my data, and my time is worth a lot more than that.

This is really cool. All right. So you got this toolkit approach, which is awesome. I can imagine that you must be struggling to figure out which ways to take it, and which ways not, because your limit is your imagination, right? But you’ve got to prioritize. You’re not a company that’s got a billion people working for it, and you can attack a hundred different things. Where do you see the next most exciting directions? I mean, a lot of people talk about SOAR, the automation of response, we talked about some sec DevOps integrations. Do you see it as threat feeds? Do we see it as AIMLs sitting on top of alerts? What do you have in store that you’re willing to let your secrets out to me? And look, no one is listening, it’s just me, so you could…

For sure. For sure. So for us, the part that’s easy, that we’re not going to get into, that part’s easy for us, which is, we want to be an infrastructure company, right? We work with a ton of MDR and MSSBs and an MSBs, so we want to focus on where we bring the most value, and where our users, that’s where they bring the value. We don’t ever want to be in competition with our own users. So that means, if we are to go into ML kind of models at some point, it will be as a toolkit for people to do that. So all that being said, for us, the integration piece, all the integrations, is a constant. So we almost don’t count it, it’s just what we do.

So the two big things that we’re going to be doing in the very near future, one is we want to double-down towards low-code approaches. So we’re taking a very infrastructure approach thing, but what we know from ourselves and working with a bunch of people, is even people that know how to do the complex technical things, if you can give them something that’s just nicer, more intuitive, you can see it and just get it very simply, it’s a lot better. So for example, our automation rules will become a lot simpler to craft and the visual approach. So we want to make that easy for people to go and bring in and do. Not that it’s hard right now, but it’s [Haml 00:37:36], so it’s configuration, right?

The other big thing that we want to get into, is we are always in a very tight feedback loop with our customers. We want to get pain points for some of our customers. I know it sounds a bit cliche, but it’s a very real thing for us, and dilute them into an infrastructure in a toolkit kind of language, and then implement those. So that way we’re sure that we’re really targeting use cases for our users. So we’ve had a lot of requests for things around things like inventory management, so our RMM. So having the ability to build models about your endpoint around like, “What’s the patching status?” You can get the patching status today, but there’s layers that we can introduce to make it easier for people to reason about who’s missing this patch, and provide those [crosstalk 00:38:34].

That’s a good question. It’s remote something management? That’s a good question.

The simple version of it, is think of it like patch and configuration management, right?

Okay. I gotcha. So a quick question for you. So you have this agent that you crafted. I’m assuming that effectively that agent gives me administrative-level knowledge of what’s going on inside the box. So let me ask you a question. When you think about that, you could go in a bazillion ways, right? So certainly we’ve got the endpoint visibility, we’ve got this real time detection of things which shouldn’t be happening. We could almost take a trip wire style approach, where we don’t want… File integrity monitoring could be something which is in your stack and in your future. But you could also do things like-

Okay, good. So you got FIM. Now you’re into almost like, “Wait, if you’re into FIM, you’re into IPS.” And to me, that has been my biggest frustration about being a security practitioner. Cisco had the Cisco Security Agent years ago. I don’t know what happened to them, and that product, and why we’ve never seen this happen the way I think it should have, but I think that’s really exciting. And then you could also, if you think about it logically… If you can read you off the box and tell me exactly what’s going on, we could do configuration benchmarking, right? Maybe you already do this. Can you tell me if I’m aligned with CIS benchmarks, or DISA STIGs, or something of that nature yet?

Okay. Think about it this way, right? Everybody runs Nussus scans in their environment, or Qualys scans, or some other scanner. Why do I need to run a vulnerability scan if I’m already sitting in a box? Why can’t you just, through your agent, tell me, “Hey, this box…” I’m going to look up against the open-source vulnerability database, or something of that nature and say, “Hey, this box has a CVE on it. Why should I have to scan it? In fact, why wouldn’t you be able to…” And then you could do the automated patching in theory, right? So these are all things that are… When you start thinking about that toolbox, these are all things that you’ve already got in your head, and these might actually happen, and now I can just put the pieces together the way I want.

That’s exactly right. And that’s why, because we built this as a toolbox, we are in a great place to really start delivering on a lot of those in parallel.

You know what’s interesting about this? Is that we’re increasingly seeing that customers struggle with implementing multiple solutions, right? And the more we can implement integrated solutions, and you mentioned AT&T… Or I think we mentioned at AT&T Cybersecurity. But one of the cool things about the old AlienVault thing, is you install this thing, you get an IDS, you get some [inaudible 00:41:28] management, you get some Baas [inaudible 00:41:29] response, you get an open-threat exchange, and you get a vulnerability scanner, all in one box. And if somebody learns how to use it, a lot of your security problems… You could do the same thing with what you’re doing. And now, instead of having this [inaudible 00:41:44] approach, where I’m dealing with endpoint detection, I’m working with an XDR firm, I’ve got to run my Nessus scans, I’m running a patching system over here, in theory I could put together all of the tools and have one interface, one thing my guy’s got to be trained on, one thing that I got to pay for, one thing that I got to manage, and it’s going to address all of those problems.

You’re looking nervous, Maxim. And you’re not allowed to use a Canadian person in your answer, okay, just so you know. I’m trying to think. Brian Adams, Celine Dion, and hockey players. I think those are probably the only people that are famous from Canada, right. So give me a fictional character, or a real person, you think would make an amazing or horrible CISO and why?

I said all these nice things about your product, and now I’m thinking that I should take a lot of [inaudible 00:43:05].

I think it’s closer to a group of people, which is the engineers that worked on the Mercury program in the US, back in the 60s.

Because they had to go somewhere, right? They couldn’t say, “We’re going to eliminate all the risk and just stay home.” There is a really strong [inaudible 00:43:27], they had to move somewhere. And I think that’s something for a CISO that’s important to realize, that you’re never going to eliminate all the risks. The business got to keep going. But they had a really, really meticulous approach, because they knew that the cost of being wrong was so high, that so many people were looking at what they were doing. So that meticulous approach to saying, “What are we worried about, and what’s the likeliness of that happening, and how do we address this?” Not necessarily in an engineering way, sometimes it’s in a procedural way, right? Procedures and… And so I think that mentality would go a really long way as a CISO.

So first off, I think that is a great answer, so well done. Second thing is, that I’m going to be embarrassed here to ask the Canadian in the conversation, the Mercury program, was that Apollo 11, or is the Mercury program similar, but not that program?

If I recall, it was right before. So it was the ramp up to going to the moon, right? So it’s like, “We’re sending people in orbit. [crosstalk 00:44:32].”

Okay. I gotcha. I gotcha. I mean, I knew it was in that NASA stack, I just wasn’t sure which piece of the NASA stack, or which phase it was you were referring to.

And you’re right. That same approach. I mean, that was a great movie, Apollo 11, where Ed Harris is the… Even just that scene, which was what I was almost thinking you were thinking about, just that scene, it really explains what a great CISO would be. I mean, I think your answer was great. I mean that very sincerely, that you have to understand as a CISO, that you have to drive the business forward. You have a responsibility. It’s not only risk preservation, but it’s risk creation, right? Value preservation, and value creation, right?

So we don’t have a choice to not take the path. So now that we know we have to take the path, what is it that we need to do to effectively manage the risk? And I like the way you said it both from a technical and business, non-technical perspective, because you got to understand the business risk. There’s a risk associated with not getting there, so that was really cool. That was a great answer. Anything else you want to chat about before we say goodbye? If someone wants to get in touch with you, what’s the best way to do that?

LimaCharlie.io, or Twitter @_MaximeLB, so M-A-X-I-M-E-L-B. And from there, we’ll get in touch.

You’ve been listening to The Virtual CISO Podcast. As you’ve probably figured out, we really enjoy information security, so if there’s a question we haven’t yet answered, or you need some help, you can reach us at [email protected] And to ensure you never miss an episode, subscribe to the show in your favorite podcast player. Until next time, let’s be careful out there.

EP#80 – Maxime Lamothe-Brassard – The AWS Approach to Provable Security

What's Next?

What do you think? Is Digital Business Risk Management the Future of Attack Surface Management?

Search our Blogs

How Poor Cyber Asset Management Enabled the Equifax Breach

4 Ways a Strong Cyber Asset Management Program Can Help Block Ransomware Attacks

Active Asset Scanning in OT Environments

Why Vulnerability Management Tools Fall Short for Cyber Asset Discovery

2 Biggest Challenges with Cyber Asset Management

How ISO 27001:2022 Attributes Might Impact Your Certification Audit (and Improve Your Security)

ISO 27001:2022—What is the Level of Transition Effort?

ISO 27001:2022—When Should My Org Make the Transition?

ISO 27001:2022—Insights into What’s New

RSA Conference 2023 Takeaway—“Shifting Security Left” is Now in Full Swing

RSA Conference 2023 Takeaway—Privacy Will Drive Data Governance

RSA Conference 2023 Takeaway—AI is Coming But It’s Not Here Yet

RSA Conference 2023 Takeaway—More Than Ever, a Product-Centric Security Strategy is Dangerous

How Long Before Software Bill of Materials (SBOM) Moves from Buzzword to Expectation

A Software Bill of Materials (SBOM) Benefits Both Vendors and Users

What is an SBOM and Why Are My Customers Suddenly Asking for One?

When You’re Doing Cyber Asset Management… What’s An Asset?

If your asset management sucks, your security sucks

Beware the Latest Funds Transfer Fraud —Deepfake Voice Cloning

Should We Implement DevSecOps? You May Not Have a Choice.

How can we help you?