Tech for Cybersecurity Is Different: A Podcast with Reblaze’s Eyal Hayardeny

On this new episode of the Designing Enterprise Platforms Podcast from Early Adopter Research (EAR), EAR’s Dan Woods spoke with Eyal Hayardeny from Reblaze. Their conversation occurred at RSA 2020 and focused on cybersecurity platforms. They discussed Woods’ four questions for the conference, which include:

  • Have platforms and cybersecurity been slower to develop than in other domains? 
  • Why has the rise in point solutions been so broad and persistent in cybersecurity? 
  • Are we entering a phase in which broad platforms will emerge and take more of the share of spending? 
  • And, if not, how will all the point solutions be made to work together?

Reblaze has a suite of related cybersecurity products and focuses on integrating different cybersecurity components.

Key points in the podcast include:

1:00 – Reblaze’s offering

6:00 – The cause of the slower evolution of cybersecurity platforms

11:00 – Why point solutions have been so prolific

15:50 – The characteristics of the end point solutions aggregators

This is an edited Q&A of their conversation, which can be heard in full on the podcast.

Woods: Could you explain what Reblaze is and how it’s become a suite?

Hayardeny: Reblaze is a cloud-based security for web assets. That’s the major idea of what we are doing. We are a cloud-based solution. We run in all cloud providers though mainly with AWS, Google, and Azure. We focus on web only, websites, web applications, and API. Whatever with a web protocol can be protected by us and we provide all layers of security from A to Z with regards to web security. We are doing that by either deploying a virtual private cloud for each one of our customers if they don’t yet run on the cloud; or if the customer is already running in the cloud, we can be deployed within its own cloud. The only thing that we have to do is to route the traffic by DNS exchange to this virtual private cloud. Or if the customer already runs in the cloud, there is even no need to route the traffic by DNS exchange. When we meet the traffic, we monitor, analyze, and profile the level of the risk of each and every user. In approximately one to two milliseconds, we are able to monitor and to determine whether the user behind the scene is a human being or a robot. We collect information about the user itself according to which we are able to assess the level of his risk.

So to characterize Reblaze, it seems to me very similar to Zscaler, except with Zscaler, you run all your traffic to the Zscaler cloud and then it routes it from that cloud to wherever your data center is. You do a similar thing in that the traffic first comes to you and then inside of your virtual private cloud is the protective layer. The difference, though, is that their entire web application framework is inside that cloud. You are protecting the whole thing. They can’t get in or out except through your layer of networking.

This is correct. The difference is, first of all, that we are a single-tenant solution. We are not a multi-tenant solution, meaning each of our customers is getting their own separate environment which is fully private. We deploy the environment very close to the data center, which creates almost zero latency. This is one thing. The second thing is that we can run within the customer’s own cloud because we are a single-tenant solution.

You can also get that distribution benefit through your CDN integrations. So that if somebody wants to have local traffic feel local in India, for instance, it can still feel local without you having had to build that point of presence everywhere the way Zscaler had to.

Correct. We are behind the CDN so the distribution CDN is before us, only the static content is being cached by the CDN. Only the dynamic content should be monitored and analyzed by us, either in this virtual private cloud or within the customer’s cloud. 

Do you think that cybersecurity platforms have been slower to develop than in other domains? We seem to have, in terms of the balance of vendors here at RSA, huge amounts of point solutions, small amounts of platforms.

Yes. I believe that the way that this industry evolved created this situation because we are playing the security against someone, those hackers or those cybersecurity threats that are evolving on a daily basis. New vectors rise, new attacks are coming. The industry creates new solutions against those threats. And we did not reach a point that we can wrap all these kinds of solutions in one package as you can see in other solutions. It’s like illness, if I may compare. There is one flu, another flu, different medicines. And at the end of the day, there is no one solution that provides you with the medicine for whatever you suffer from.

There’s also the commonality of requirements. If you look at why Salesforce has been so successful, it’s that most people want the same 20 percent of the 100 percent of possible CRM functionality. But in ERP, the reason that hasn’t been as popular as a SaaS solution is that everybody wants a different 20 percent of the 100 percent of ERP capabilities. Maybe it’s similar in cybersecurity—there’s a lower commonality of requirements. 

I tend to agree with you. I think that’s exactly the layer of what we call an application layer threat. Whatever you speak about the network layer threat, whatever is common to all applications, to all APIs, that’s something that I believe is more a commoditized solution. But we say should be adapted to a specific application. And unfortunately, different businesses, different solutions, different verticals create different applications that derive different vulnerabilities and, as a result, different solutions.

Right. The idea of a broad platform may be too large a scope for productization. 

In the case of Reblaze, that’s what we tried to do. And Reblaze is not an integration of several solutions. With us, what we try to do is follow the Israeli way of security that is more relying on profiling the level of the risk instead of analyzing the threat in itself. If I may give an example, in the Israeli airport, someone is being profiled for the first time seven kilometers outside of the terminal. When he comes with a car or with a cab, with a taxi, someone will just say hello and ask him several questions. The security guy is trained to see whether there is nervous sweating or does he keep an eye-to-eye glance or not. And the second time a person is profiled is when they enter into the terminal. Someone will just say hello to you.

The logic of the components you have inside of Reblaze are based on that ability to profile, but also they’re based on the operational ability. CDN isn’t there for profiling. It’s there to extend the operational kind of range of your cloud so that you don’t have to say, “Look, we’re in a virtual private cloud, but our reach is just as big as anybody else.”

The CDN is more for the point of view of a performance. But the performance should be very well distributed. It’s a more commoditized solution.

It’s not a profiling capability. It’s an operational capability.

Correct.

Why do you think the rise in point solutions has been so broad and persistent in cybersecurity?

Most of the solutions are based on actual activity of the hacker or the one who wants to attack the website and less based on what we call profiling. That’s why you have to wait for an activity and to react. And because there is a different activity, you have to react differently. If someone wants to take advantage of a specific vulnerability, the solution will be at that point. If someone wants to put something within your websites, the alternative solution will come from another angle. With our approach, for example, while you start the discussion by profiling the risk, you are able to eliminate lots of risks that are based on activity. The level of signatures is dramatically lower. A signature is what you allow and what you do not allow. For example, if you want to get into your bank account, they will allow you to try to get in three times, four times, six times. It depends on the policy of the bank. If you try to do that request within this page, they allow you to ask several requests per second. There are several thresholds.

To say that the level of signatures is lower, what does that mean?

It means that, first of all, it’s much easier to deploy and maintain our solution. With fewer signatures, you can make a decision faster. 

What you’re saying is that the reason that there are more point solutions is because there’s not this profiling approach. People are just saying, “When there’s an attack of this sort, I’ll deal with it,” not saying, “How can I get closer to earlier in the cycle to deal with it?”

Exactly. 

The implication of that is, do you think that if people take this profiling approach, they will become more like platforms?

I believe so. Whenever I go to the airport, I think about it. I am a veteran. I was injured in the army. I am always asking myself, “Why should I again and again go through this process of security as if no one knows me, no one profiled me?” They don’t even look at us. It takes much more time and is more expensive, and you are not able to be more efficient. And you are not able to create a platform.

Right. You need a memory.

Correct.

A platform that creates a memory would actually make things more efficient. Do you think we’re entering a phase in which broad platforms will emerge and take more of the share of spending? Or do you think that we’re at a permanently point solution–oriented cybersecurity industry?

At the end of the day today, we push the decision-maker within the organization to choose. To choose meaning to create platforms that will be able to solve as many threats as possible. They will not be able to work with so many platforms, to integrate with so many platforms, especially not today when the business is based on the web today. So it’s impossible in case of a problem to find who is responsible for this downtime, this solution, that solution, or another solution. So personally, I believe that there needs to be some kind of a consolidation of solutions. You can call it integration of solutions, but at the end of the day, I believe that those platforms will merge.

Who will be the platform aggregators? Who will be the SAPs, the Oracle E-Business Suite type companies? What will be the characteristics that will kind of cause them to make this platform come to life?

That is a very good question. Immediately, I would say that you can find today more of the private equity firms that are collecting many security companies under the same umbrella. There is an idea to integrate those solutions and to come to a decision-maker with one security solution. I tend to agree with you that this is not the intention just to be big enough in order to maybe increase prices or to create better market standing and not an integration. Maybe we don’t create one platform against all layers of risk, but there will be a platform for web security. And maybe there is going to be another platform differently for emails or data. 

How are we going to get all of these point solutions to work together? Each one of those components needs to be synchronized so that they get better and are able to work together more coherently with each cycle of development.

In this industry, we are not playing alone. There is a third party that is playing against us. The third party is someone that either is not satisfied with our solution or is not satisfied from our web applications or websites or the organization. There are advisories out there. All these integration solutions, big data analysis, everything is in place already. But you always will have to deal with the next threat, with the next trend of attacks. And that’s why I don’t think there’ll ever just be one or two platforms serving all needs. Why do we need all these kinds of startups? The reason for that is that the time to market for a small startup against a specific, unique threat will be much faster in comparison to those large entities.

Right. It’s as if, if you’ve had a hole in your roof, you want to patch it up. You don’t really care if that patch is integrated with all the other stuff. You just want to patch it.

Exactly. So that’s why in those cases that you are playing with third parties, their target is only to find the vulnerability. You will always have to add additional layers and additional solutions. I hope ultimately the question will not be whether there will be one platform or not. The question should be how long it will take to add the new feature or the new patch as you mentioned and to integrate it with the existing platform. So I don’t expect that there will be one platform at the end, but I would expect that will be much less compared to what we are today. But it won’t be one.