Securing Success, E3: Mark Sasson interviews Entro Security CEO, Itzik Alvas

Mark Sasson has a wide-ranging conversation with Entro Security’s CEO, Itzik Alvas. They discuss the emerging segment of Secrets Security, differentiating the solution for the market, the evolution of concept to company, attracting investment, long-term business planning, and the human element.

00:00:01
thank you welcome to Securing Success where we get to know the professionals that make up the cyber security sector today we’ve got Itzik Alvas the CEO of Entro Security with us Itzik glad to have you on yeah so I gotta tell you I was really intrigued when I came across Entro so as you probably know we track funding for security vendors and when we do that we like to know which segment they compete in and when I saw Secrets it looked like you came up with something unique and I

00:00:59
was really excited to be able to talk to you about this and have you give anybody that’s watching some insight into what the secrets space really is and and generally what does that mean sure so um maybe for a little introduce myself so Itzik Alvas I’m the CEO and co-founder of Entro Security and uh being in the security space for almost 20 years now um started at the the IDF the Israeli Defense Force um worked on several several positions since then was a CSO for a while um so regarding regarding secrets and

00:01:40
the secrets vertical so let’s maybe frame a secret for a second um so every application that is being developed within any organization uh needs to use cloud services so cloud services today right uh and those cloud services can be databases or storage accounts so code repositories and Etc and in order for those applications uh to access or authenticate against uh the cloud services they need keys and those keys are secrets all right so essentially uh secrets are programmatic access keys uh and drilling a bit more

00:02:15
into that so those secrets are being created by teams which are not really responsible to secure them so they are being created by developers and devops or SREs um and they are scattering them around right so that the name of the problem is secrets sprawl and hopefully when a developer or someone from the R&D teams creating a secret hopefully they will store it in vaults and we can touch a bit about later on but essentially storages in which secrets can be stored so hopefully they are creating the secrets that maybe

00:02:53
database instances and storing those secrets those keys into vaults and then the application can fetch it from that vault and use it in order to authenticate against that database instance uh so those are secrets and again the main problem is that they are being created without any uh security oversight and they are being scattered around so they are being sent to the Slack messages all the messages being saved over code repositories or Confluence or other Wiki pages or cloud services and Etc so

00:03:25
fully security have no idea or security teams have no idea how many Secrets they have and and where are they so that’s that’s a real issue and you’re finding those keys or managing them how exactly should they be a non-technical person understand exactly what Entro is trying to do with those keys right so again the main problem is not not having any idea about how many secret keys I have that can access my environment and then where are they uh and then maybe another key problem for

00:04:02
security teams is uh if you ever seen a secret it’s a it’s a long string right so you have no information about it you can find the secret and then what cloud service it can access who’s using it when it was created why so maybe the two main reasons or the two main problems why security teams are striving to add any protection over secrets they have no idea how many secrets they have they have no idea how many uh or where they are and then they have no idea once they found the secret

00:04:31
they have no information about it so what we are doing in Entro Security we’re able to provide the secret inventory and and so those questions of how many Secrets have uh where are they and then we are able to classify and enrich each secret and basically take that long string and visualize the method of it I’ll say which application is using what secret to access what cloud service uh when it was created by whom what uh privileges that it got within the cloud service or any activity around

00:05:02
there it’s it’s like putting an AirTag over Secrets right so from the moment it was created and until uh hopefully someone will delete it uh we will let you know what what’s happened with it who first did you used it uh why are we duplicated it we saved it well uh and then we also continuously monitoring those secrets for any abnormal behavior so if your secrets are being used outside of your organization we will let you know if they are being used from an unfamiliar geolocation maybe from China and you don’t have

00:05:35
businesses over there again we will let you know and then we have a lot of other pillars such as over-privileged secrets and public big secrets um dark web Secrets um misconfigured vaults and and a lot other more so we are a holistic solution for secret security for security teams and what other segments would you say you compete with so Secrets it’s a relatively new term something I haven’t seen much of that doesn’t mean anything maybe there’s a lot but what types of organizations are you

00:06:13
competing with and how are you differentiating what makes Entro the winner in this in this situation all right Don um okay so secrets is it’s an ancient problem right um ever since application uh try to use external resource such as database which has been around for a long while uh you needed a secret that secret is connection string in order to authenticate in order for an application to authenticate against a database they need connection strings uh and that’s that’s the secret if an application I

00:06:51
would like to access the storage they need the secret it can be API key or certificate so so Secrets is it’s gonna have for a long while and organizations tried to solve the problem of the secrets sprawl of not being able to know how many Secrets they have and who is using them and why um so you you have your vaults uh and we talked a bit about them before so vaults are a storage solution uh it’s it’s a it’s a database in which developers or devops are using in order to store those secrets but then for your average

00:07:24
organization you have at least five different vaults out there so you have one for your production environment and one for your test environment and maybe run it uh North America environment Europe and then if you’re leveraging Kubernetes you will have the Kubernetes vault offering and if you are using CI/CD such as Jenkins you will have Jenkins Secrets which is the vault offering of Jenkins and GitHub GitHub secrets and Etc so all of a sudden you have a lot of vaults uh so the problem really

00:07:52
increased uh over time uh and with the cloud adoption um so Secrets problem or secrets sprawl is a long time problem but I mean currently the solutions out there are vaults which are not adding any context over those secrets and you have a lot of them so you don’t know how many secrets you have stored within them and then they are missing the context right so you don’t know you can login into your vault then you have no idea what those secrets can do who’s using them are they being used

00:08:23
properly are they compliant or secure uh the other may be offering out there is it’s secret scanners and secret scanners are essentially a pattern scanner so they can find Secrets within your code but they can find also credit cards within your code uh they are more most of the time they are only covering the code part so if your secrets are within Slack they have no visibility if your secrets are within config files of Kubernetes or publicly exposed they have no idea and also they are missing the

00:08:59
context part and of course the monitor the monitoring so they can find I know 1000 Secrets within your code then what who’s the owner are those Secrets enabled and can still access my cloud service if so with what privilege or what service you have no idea you can’t really act on it so those are the solutions up today and people are adopting them and trying to use them but they only solve a fraction of the problem and we are the the only solution out there that is that can really protect secrets and manage them

00:09:33
for all security teams that’s fascinating and and I’ve got to imagine given some of the past roles that you’ve held you’ve probably had this brewing in your head for a little bit right but a lot of people have ideas you’ve actually executed so I’m just very curious how does this idea right probably laying in bed thinking about how to solve this problem at night how does this idea go from an idea to a company what what drove that action on your part right so um yeah it’s a problem that I faced for

00:10:12
a long while um again almost 20 years in the cyber industry and and I couldn’t really manage my secrets when I tried I had no idea how many Secrets they have um and and I was breached that I won’t expose the name of the organization but but I was breached using a secret twice um and we had to come up with some solution right so are we thought about how can we solve that and I’m I talked with the friends and npus and Etc what they are doing and which don’t give you any visibility or

00:10:53
any inventory and it’s basically a database so database management no real security over there uh secret scanners that are missing that context so you can’t really act on them would exist I would have used it right um so I tried to find a solution and I couldn’t um and then it started to drill into the problem uh so I read reports and Etc and the main reports out there Verizon and IBM so the the for the past four years now in a row secrets targeted attacks are among the top three attack vectors out there

00:11:33
um actually 19 or 20 depends on the report of all attacks uh so that’s that’s I mean it’s again one of the top three out there right and I couldn’t believe that it’s such a loud problem and massive problem and no one is um handling that and then um when you drill down into the numbers uh some more you are understanding that it’s the number one or the most destructive attack to an organization so in terms of frequency uh top three and then in terms of destructiveness or costly attack to an organization number

00:12:09
one average cost of 4.4 million dollars after after an attack like that um so so you’re seeing them every week and no Solutions uh and they needed the solution so I talked with a friend of mine from from the Army Adam who is currently my co-founder and CTO and we again started to investigate and talk with a lot of people a lot of csos we actually talked with over 200 csos and none of them had any idea how many secrets they have and where are they and what to do with them and how to protect them

00:12:42
um and all of them wanted to do that but no tools out there to help them do that so some of them have developed their own Solutions um again not covering anything around so we we started to work on a security so you basically said if no one’s going to do it we’re going to do it yeah I I need it so good for you so it’s been a pretty tight VC market right you have this idea you talk to a lot of csos you think you’ve got something that’s going to run yeah how how was it raising money in

00:13:20
this environment nothing is the environment right the market is going down um and yeah this is a tight but well you have a real problem and when you’re validating that problem and then also validating the solution so we begin by asking uh cisos and potential customers of about the problem right are you suffering from Secrets uh do you have any idea how to manage them um have you ever been breached by secret and Etc so we validated other problem and we knew there was a real pain out there and then we started to validating

00:13:54
the solution we started to validating okay do you need a secret inventory do you need to understand how they do we need to visualize the map around them and understand who’s using them uh what cloud service they can access what privileges who created and why and Etc um and then also we validated uh the other pillars such as vaults misconfiguration or abnormal behaviors uh and and Etc and when those um basically discussions started to repeat yourself and everyone they said yeah I I must have that solution and if

00:14:27
it was exist I would paid uh you know take my money I need that uh we took we took that entire list and went to VCs and said okay guys um it’s it’s a sophisticated algorithm you have ai’s over there you have machine learning uh we can build it this is this is how we’re gonna build that uh this is the plan and then we have over 200 csos that we need that solution uh and you can pick and choose talk with any of them um so it was it was a first round for us um we thought it will take several

00:15:04
months again because the market is decreasing uh but it was It was kind of kind of quick again when you have a real problem uh and validated that and when you have a real solution that can answer the problem and you validate that as well um it shouldn’t be that hard to do so I’m I’m so glad you went into that level of detail sincerely as a business owner myself because a lot of times people that see the result they see you got this funding they see you’re making moves in the market you’re the there’s

00:15:40
news about the company they don’t necessarily understand the type of leg work it takes to get something like this off of the ground the type of effort a lot of the challenges that come across your desk that you need to overcome and so being able to hear you describe all the prep work and I’m sure it was just a small fraction of what you really had to do to get here I think it’s important for people to know because people hear about funding rounds almost every day even in this relatively slow Market

00:16:14
um and they just think well yeah they just got money and they don’t necessarily see that there’s several human beings putting 12 15 18 hours a day in to make this happen so sincerely uh hats off to you yeah thanks so we talked a little bit about Itzik we talked about your idea how it came to fruition what your plan was to get money throughout this whole time did you also plan for what you wanted this to be one two five years down the line or was it like hey let’s put this thing together and see where it goes

00:17:02
um so you know all number who inside um it’s it’s all too because of course I had a six-month plan one month plan six month plan 12 months plan five years plans and Etc uh but then you meet the market but then you’re taking your solution and meeting the market and they are saying okay that’s that’s great I need that uh but what about that piece of data Maybe it could help me and you’re asking another customers about that so you’re asking okay what if I would add that one uh would it be more

00:17:34
eligible for you and it’s yeah so they change your your plans huh because the the customers um need some tweaks um so that’s that’s changing your plans and and uh you need to grow uh with the customers and really listen to feedback and understand what they need uh and build uh the solution according to the real problems they’re facing every day because the the world is keep advancing and changing right um so of course yeah you you have your your budget and your business plan and

00:18:06
you have your R&D plan and product plan and Etc a lot of plans out there and of course they are in a good framework uh and you are following them but then if your customers are asking you how to do a bit of adjustments and you are again validating that with other customers uh I guess you need to do that adjustments and that can and probably will change your plans a bit gotcha it’s like and I don’t know if you’ve heard it or not it’s like the famous Mike Tyson quote he said Everybody’s Got A Plan

00:18:39
until they get punched in the face um you met the market you had a plan it it’s getting it’s getting reshaped as you go and so from a business objective standpoint do you guys know what you want to be when you grow up I think we are already going out uh yeah I mean I mean yeah of course um so you know you have a lot of solutions out there that protects your human users access so human users when they authenticate into your core environment when they want to access their emails at your business or their drive at your

00:19:20
business uh you have a lot of solutions that protect them right so you have your vpns and you have your customers and Etc what about the programmatic access keys or programmatic users that can access your most sensitive databases right and your customers data uh you have you don’t even have inventory so we are starting from there uh and and our main goal is to be what we are doing and what we are now are the leader of programmatic users and programmatic access Keys uh and to truly find a solution that can go over time with the

00:19:55
organization and Supply everything that the security teams and the csos needs in order to protect their programmatic access keys and programmatic users so so yeah to be the leader of that space and we are doing that so who buys this right we’ve talked a couple times now about customers but what’s the go to market for you who needs this is there a vertical or or specific uh size of a company that is going to be able to utilize this versus others yeah um so you know essentially every company that have internal development

00:20:36
team needs our solution right because if they have internal development they are creating Keys um and those keys are out there and if someone owns one of your keys or within a ticket owns one of your keys it’s a game over uh even your most even the key that you never think can destroy your organization will most definitely destroy your organization so you don’t want to lose your keys and you want to keep them safe so every company with internal development needs a solution such as ours and of course

00:21:11
software companies which are often moving fast and developing fast you have more keys uh so for your smaller organization with about 20 or 30 developers I will have at least at least 500 are secret Keys um I mean your average will be around um 150 um 100 keys so that like like a thousand five hundred keys that will be your average for smaller we totally developers organization so of course then the larger the company the larger the problem the larger the organization the R&D uh or developers

00:21:49
um size that the larger the problem so of course uh software companies are a great uh vertical for us and we’re seeing a lot of traction from there highly regulatory companies uh such as Banks or Finance credit cards insurance and Etc because you have a lot of Regulation over those keys you must replace them rotated rotate them every six months and Etc so highly regulatory companies such as Finance but then again we’re seeing tax and form are retail and others gas and and others yeah

00:22:29
so I want to pivot briefly here when we first started talking offline Itzik it’s morning time for me here in Colorado it’s night time or at least evening time for you over in Israel yeah you told me you still have six eight hours of work left to do so obviously this is a huge personal commitment um huge challenge what would you tell other people that are saying hey I have an idea and I’m gonna go be a founder and start a company what advice would you give them um yeah so commitment perseverance uh

00:23:08
listen to customers validate what you’re doing with your customers with your buyers um and and yeah I mean working out but but if you are working it’s something that you’re enjoying to do uh if you are solving your own problems and and basically realizing your dream of having a solution like that and when you are seeing customers are enjoying your product and protecting this protecting themselves um so so yeah of course um you will you will enjoy that it’s not gonna be easy um every time you know it’s very

00:23:42
you grew up in a process like that so you mature so every maturing process it’s not easy right but something you should probably do um so yeah I mean you you will enjoy it you will enjoy the ride validate what you’re doing and work out and enjoy it and so you said something I thought was really important and that’s really being committed to what it is that you’re doing right if you want to do it just to do it it might not be the right move is that what I’m hearing but if you believe in

00:24:20
it and you’re excited and and you want to make a change and you think that your efforts can do that then it might be the right time for you to jump in um yeah yeah yeah definitely definitely if you believe in it and if you again validate the problem and validate the solution uh because if you believe in it and all of your customers are telling you yeah I I don’t really need that um maybe someday but not now and you are keeping that then probably uh even if you’re believing in that you will need

00:24:54
to do something else but so so when I said perseverance uh I didn’t mean ignoring ignoring your customers but um I meant that it’s it’s not it’s not it’s not easy it can be it can’t be easy uh to start a business side uh but then again find something you believe in find something you can validate I will keep saying that with your customers and getting their approvals and go for it this has been a really intriguing conversation and and before I let you go because I know you’re busy Itzik I

00:25:31
gotta know what what do you do to keep yourself sane if you’re going to work the type of hours that you’re working have the pressures that you have to deal with is there something that you do outside of work that just makes you happy that that rejuvenates you and gets you ready to go for the next work day or after the weekend Etc well first of all I I enjoy my work enjoy I enjoy building my company and and protecting our organizations so just last week um we stopped we stopped um okay so we’re the customer who

00:26:11
basically all of his secrets were copied out from his environment to another environment and he had no idea uh that it’s even happening so someone is misdownloading your entire Secrets entire vaults and all of your secrets and you have no idea uh so when we a little bit about that um that was a very happy moment for me and that gives me my drive but I mean on a more personal note I play a lot of the guitar I like writing stuff um so yeah I have a lot of hobbies good good I mean there’s always that balance

00:26:49
all the time we have these conversations on LinkedIn everybody’s talking about business and it’s nice but we also have to remember we’re human beings and we’re not just a name uh so I think it’s important to communicate that kind of stuff Itzik this has been extremely extremely fascinating I cannot wait to see Entro’s progression in the market we’ll be following you and hopefully we’ll have you on again at some time soon yeah thank you Mark thank you all right hopefully everybody enjoyed

00:27:21
this Securing Success podcast and join us for the next one
