The Uptycs of Cybersecurity Requirements with Jack Roehrig

Jack is Uptycs’ outspoken technology evangelist. Jack is a lifelong information security executive with over 25 years of professional experience. He started his career managing security and operations at the world's first Internet data privacy company. He has since led unified Security and DevOps organizations as Global CSO for large conglomerates. This role involved individually servicing dozens of industry-diverse, mid-market portfolio companies.

Jack's breadth of experience has given him a unique insight into leadership and mentorship. Most importantly, it fostered professional creativity, which he believes is direly needed in the security industry. Jack focuses his extra time mentoring, advising, and investing. He is an active leader in the ISLF, a partner in the SVCI, and an outspoken privacy activist. 

Announcer: Hello, and welcome to Screaming in the Cloud with your host, Chief Cloud Economist at The Duckbill Group, Corey Quinn. This weekly show features conversations with people doing interesting work in the world of cloud, thoughtful commentary on the state of the technical world, and ridiculous titles for which Corey refuses to apologize. This is Screaming in the Cloud.

Corey: If you asked me to rank which cloud provider has the best developer experience, I'd be hard-pressed to choose a platform that isn't Google Cloud. Their developer experience is unparalleled and, in the early stages of building something great, that translates directly into velocity. Try it yourself with the Google for Startups Cloud Program over at cloud.google.com/startup. It'll give you up to $100k a year for each of the first two years in Google Cloud credits for companies that range from bootstrapped all the way on up to Series A. Go build something, and then tell me about it. My thanks to Google Cloud for sponsoring this ridiculous podcast.



Corey: This episode is brought to us by our friends at Pinecone. They believe that all anyone really wants is to be understood, and that includes your users. AI models combined with the Pinecone vector database let your applications understand and act on what your users want… without making them spell it out. Make your search application find results by meaning instead of just keywords, your personalization system make picks based on relevance instead of just tags, and your security applications match threats by resemblance instead of just regular expressions. Pinecone provides the cloud infrastructure that makes this easy, fast, and scalable. Thanks to my friends at Pinecone for sponsoring this episode. Visit Pinecone.io to understand more.

Corey: Welcome to Screaming in the Cloud. I’m Corey Quinn. This promoted guest episode is brought to us by our friends at Uptycs. And they have sent me their Technology Evangelist, Jack Charles Roehrig. Jack, thanks for joining me.

Jack: Absolutely. Happy to spread the good news.

Corey: So, I have to start. When you call yourself a technology evangelist, I feel—just based upon my own position in this ecosystem—the need to ask, I guess, the obvious question of, do you actually work there, or have you done what I do with AWS and basically inflicted yourself upon a company. Like, well, “I speak for you now.” The running gag that becomes more true every year is that I’m AWS’s chief marketing officer.

Jack: So, that is a great question. I take it seriously. When I say technology evangelist, you’re speaking to Jack Roehrig. I’m a weird guy. So, I quit my job as CISO. I left a CISO career. For, like, ten years, I was a CISO. Before that, 17 years doing stuff. Started my own thing, secondaries, investments, whatever.

Elias Terman, he hits me up and he says, “Hey, do you want this job?” It was an executive job, and I said, “I’m not working for anybody.” And he says, “What about a technology evangelist?” And I was like, “That’s weird.” “Check out the software.”

So, I’m going to check out the software. I went online, I looked at it. I had been very passionate about the space, and I was like, “How does this company exist in doing this?” So, I called him right back up, and I said, “I think I am.” He said, “You think you are?” I said, “Yeah, I think I’m your evangelist. Like, I think I have to do this.” I mean, it really was like that.

Corey: Yeah. It’s like, “Well, we have an interview process and the rest.” You’re like, “Yeah, I have a goldfish. Now that we’re done talking about stuff that doesn’t matter, I’ll start Monday.” Yeah, I like the approach.

Jack: Yeah. It was more like I had found my calling. It was bizarre. I negotiated a contract with him that said, “Look, I can’t just work for Uptycs and be your evangelist. That doesn’t make any sense.” So, I advise companies, I’m part of the SVCI, I do secondaries, investment, I mentor, I’m a steering committee member of the ISLF. We mentor security leaders.

And I said, “I’m going to continue doing all of these things because you don’t want an evangelist who’s just an Uptycs evangelist.” I have to know the space. I have to have my ear to the ground. And I said, “And here’s the other thing, Elias. I will only be your evangelist while I’m your evangelist. I can’t be your evangelist when I lose passion. I don’t think I’m going to.”

Corey: The way I see it, authenticity matters in this space. You can sell out exactly once, so make it count because you’re never going to be trusted again to do it a second time. It keeps people honest, at least the ones you actually want to be doing work with. So, you’ve been in the space a long time, 20 years give or take, and you’ve seen an awful lot. So, I’m curious, given that I tend to see about, you know, six or seven different companies in the RSA Sponsor Hall every year selling things because you know, sure hundreds of booths, bunch of different marketing logos and products, but it all distills down to the same five or six things.

What did you see about Uptycs that made you say, “This is different?” Because to be very direct, looking at the website, it’s, “Oh, what do you sell?” “Acronyms. A whole bunch of acronyms that, because I don’t eat, sleep, and breathe security for a living, I don’t know what most of them mean, but I’m sure they’re very impressive and important.” What does it actually do, for those of us who are practitioners, but not swimming in the security vendor stream?

Jack: So, I’ve been obsessed with this space and I’ve seen the acronyms change over and over and over again. I’m always the first one to say, “What does that mean?” As the senior guy in the room a lot of time. So, acronyms. What does Uptycs do? What drew me into them? They did HIDS, Host Intrusion Detection System. I don’t know if you remember that. Turned into—

Corey: Oh, yeah. OSSEC was the one I always wound up using, the open-source version. OSSEC [kids 00:04:10]. It’s like, oh, instead of paying a vendor, you can contribute it yourself because your time is free, right? Free as in puppy, or these days free as in tier when it comes to cloud.

Jack: Oh, I like that. So, yeah, I became obsessed with this HIDS stuff. I think it was evident I was doing it, that it was threat [unintelligible 00:04:27]. And these companies, great companies. I started this new job in an education technology company and I needed a lot of work, so I started to play around with more sophisticated HIDS systems, and I fell in love with it. I absolutely fell in love with it.

But there are all these limitations. I couldn’t find this company that would build it right. And Uptycs has this reputation as being not very sexy, you know? People telling me, “Uptycs? You’re going to Uptycs?” Yeah—I’m like, “Yeah. They’re doing really cool stuff.”

So, Uptycs has, like, this brand name and I had referred Uptycs before without even knowing what it was. So, here I am, like, one of the biggest XDR, I hope to say, activists in the industry, and I didn’t know about Uptycs. I felt humiliated. When I heard about what they were doing, I felt like I wasted my career.

Corey: Well, that’s a strong statement. Let’s begin with XDR. To my understanding, that some form of audio cable standard that I use to plug into my microphone. Some would say it, “X-L-R.” I would say sounds like the same thing. What is XDR?

Jack: What is it, right? So, [audio break 00:05:27] implement it, but you install an agent, typically on a system, and that agent collects data on the system: what processes are running, right? Well, maybe it’s system calls, maybe it’s [unintelligible 00:05:37] as regular system calls. Some of them use the extended Berkeley Packet Filter daemon to get stuff, but one of the problems is that we are obtaining low-level data on an operating system, it’s got to be highly specific. So, you collect all this data, who’s logging in, which passwords are changing, all the stuff that a hacker would do as you’re typing on the computer. You’re maybe monitoring vulnerabilities, it’s a ton of data that you’re monitoring.

Well, one of the problems that these companies face is they try to monitor too much. Then some came around and they tried to monitor too little, so they weren’t as real-time.

Corey: Sounds like a little pig story here.

Jack: Yeah [laugh], exactly. Another company came along with a fantastic team, but you know, I think they came in a little late in the game, and it looks like they’re folding now. They were wonderful company, but the one of the biggest problems I saw was the agent, the compatibility. You know, it was difficult to deploy. I ran DevOps and security and my DevOps team uninstalled the agent because they thought there was a problem with it, we proved there wasn’t and four months later, they hadn’t completely reinstall it.

So, a CISO who manages the DevOps org couldn’t get his own DevOps guy to install this agent. For good reason, right? So, this is kind of where I’m going with all of this XDR stuff. What is XDR? It’s an agent on a machine that produces a ton of data.

I—it’s like omniscience. Yes, I started to turn it in, I would ping developers, I was like, “Why did you just run sudo on that machine?” Right. I mean, I knew everything was going on in the space, I had a good intro to all the assets, they technically run on the on-premise data center and the quote-unquote, “Cloud.” I like to just say the production estate. But it’s omniscience. It’s insights, you can create rules, it’s one of the most powerful security tools that exists.

Corey: I think there’s a definite gap as far as—let’s narrow this down to cloud for just a second before we expand this into the joy that has data centers—where you can instrument a whole bunch of different security services in any cloud provider—I’m going to pick on AWS because they’re the 800-pound gorilla in the room, and frankly, they could use taking down a peg or two by and large—and you wind up configuring all the different security services that in some cases seem totally unaware of each other, but that’s the AWS product portfolio for you. And you do the math out and realize that it theoretically would cost you—to enable all these things—about three times as much as the actual data breach you’re ideally trying to prevent against. So, on some level, it feels like, “Heads, I win; tails, you lose,” style scenario.

And the answer that people have started reaching out to third-party vendors to wind up tying all of this together into some form of cohesive narrative that a human being has a hope in hell of understanding. But everything I’ve tried to this point still feels like it is relatively siloed, focused on the whole fear, uncertainty, and doubt that is so inherent to so much of the security world’s marketing. And it’s almost like cost control where you can spend almost limitless amount of time, energy, money, et cetera, trying to fix these things, but it doesn’t advance your company to the next milestone. It’s like buying fire insurance on your building. You can spend all the money on fire insurance. Great, it doesn’t get you to the next milestone that propels your company forward. It’s all reactive instead of proactive. So, it feels like it is never the exciting, number-one priority for companies until right after it should have been higher in the list than it was.

Jack: So, when I worked at Turnitin, we had saturated the market. And we worked in education, technology space globally. Compliance everywhere. So, I just worked on the Australian Data Infrastructure Act of 2020. I’m very familiar with the 27 data privacy regulations that are [laugh] in scope for schools. I’m a FERPA expert, right? I know that there’s only one P in HIPAA [laugh].

So, all of these compliance regulations drove schools and universities, consortiums, government agencies to say, “You need to be secure.” So, security at Turnitin was the number one—number one—key performance indicator of the company for one-and-a-half years. And these cloud security initiatives didn’t just make things more secure. They also allowed me to implement a reasonable control framework to get various compliance certifications. So, I’m directly driving sales by deploying these security tools.

And the reason why that worked out so great is, by getting the certifications and by building a sensible control framework layer, I was taking these compliance requirements and translating them into real mitigations of business risk. So, the customers are driving security as they should. I’m implementing sane security controls by acting as the chief security officer, company becomes more secure, I save money by using the correct toolset, and we increased our business by, like, 40% in a year. This is a multibillion-dollar company.

Corey: That is definitely a story that resonates, especially with organizations that are—or they should be—compliance-forward and having to care about the nature of what it is that they’re doing. But I have a somewhat storied history in working in FinTech and large-scale financial services. One of the nice things about that job, which is sort of a weird thing to say there if you don’t want to get ejected from the room, has been, “Yeah well, it’s only money,” in the final analysis. Because yeah, no one dies if you wind up screwing that up. People’s kids don’t get exposed.

It’s just okay, people have to fill out a bunch of forms and you get sued into oblivion and you’re not there anymore because the first role of a CISO is to be ablative and get burned away whenever there’s a problem. But it still doesn’t feel like it does more for a number of clients than, on some level, checking a box that they feel needs to be checked. Not that it shouldn’t be, necessarily, but I have a hard time finding people that get passionately excited about security capabilities. Where are they hiding?

Jack: So, one of the biggest problems that you’re going to face is there are a lot of security people that have moved up in the ranks through technology and not through compliance and technology. These people will implement control frameworks based on audit requirements that are not bespoke to their company. They’re doing it wrong. So, we’re not ticking boxes; I’m creating boxes that need to be ticked to secure the infrastructure. And at Turnitin, Turnitin was a company that people were forced to use to submit their works in the school.

So, imagine that you have to submit a sensitive essay, right? And that sensitive essay goes to this large database. We have the Taiwanese government submitting confidential data there. I had the chief scientist at NASA submitting in pre-publication data there. We’ve got corporate trade secrets that are popped in there. We have all kinds of FDA pre-approval stuff. This is a plagiarism detection software being used by large companies, governments, and 12-year-old girls, right, who don’t want their data leaked.

So, if you look at it, like, this is an ethical thing that is required for us to do, our customers drive that, but truly, I think it’s ethics that drive it. So, when we implemented a control framework, I didn’t do the minimum, I didn’t run an [unintelligible 00:12:15] scan that nobody ran. I looked for tools that satisfied many boxes. And one of the things about the telemetry at scale, [unintelligible 00:12:22], XDR, whatever want to call it, right? But the agent-based systems that monitor for all of us this run-state data, is they can take a lot of your technical SOC controls.

Furthermore, you can use these tools to improve your processes like incident response, right? You can use them to log things. You can eliminate your SIEM by using this for your DLP. The problem of companies in the past is they wouldn’t deploy on the entire infrastructure. So, you’d get one company, it would just be on-prem, or one company that would just run on CentOS.

One of the reasons why I really liked this Uptycs company is because they built it on an osquery. Now, if you mention osquery, a lot of people glaze over, myself included before I worked at Uptycs. But apparently what it is, is it’s this platform to collect a ton of data on the run state of a machine in real-time, pop it into a normalized SQL database, and it runs on a ton of stuff: Mac OS, Windows, like, tons of version of Linux because it’s open-source, so people are porting it to their infrastructure. And that was one of these unique differentiators is, what is the cloud? I mean, AWS is a place where you can rapidly prototype, there’s tons of automation, you can go in and you build something quickly and then it scales.

But I view the cloud as just a simple abstraction to refer to all of my assets, be them POPS, on-premise data machines, you know, the corporate environment, laptops, desktops, the stuff that we buy in the public clouds, right? These things are all part of the greater cloud. So, when I think cloud security, I want something that does it all. That’s very difficult because if you had one tool run on your cloud, one tool to run on your corporate environment, and one tool to run for your production environment, those tools are difficult to manage. And the data needs to be ETL, you know? It needs to be normalized. And that’s very difficult to do.

Our company is doing [unintelligible 00:14:07] security right now as a company that’s taking all these data signals, and they’re normalizing them, right, so that you can have one dashboard. That’s a big trend in security right now. Because we’re buying too many tools. So, I guess the answer that really is, I don’t see the cloud is just AWS. I think AWS is not just data—they shouldn’t call themselves the cloud. They call themselves the cloud with everything. You can come in, you can rapidly prototype your software, and you know what? You want to run to the largest scale possible? You can do that too. It’s just the governance problem that we run into.

Corey: Oh, yes. The AWS product strategy is pretty clearly, in a word, “Yes,” written on a Post-it note somewhere. That’s the easiest job in the world is running their strategy. The challenge, too, is that we don’t live in a world where monocultures are a thing anymore because regardless—if you use AWS for the underlying infrastructure, great, that makes a lot of sense. Use it for a lot of the higher-up the stack, SaaS-y type things that you don’t want to have to build yourself from—by going to Home Depot and picking up components, you’re doing something relatively foolish in most cases.

They’re a plumbing company not a porcelain company, in many respects. And regardless of what your intention is around multiple clouds, people wind up using different things. In most cases, you’re going to be storing your source code in GitHub, not in AWS CodeCommit because CodeCommit doesn’t really have any customers, for reasons that become blindingly apparent the first time you try to use it for something. So, you always wind up with these cross-cloud, cross-infrastructure stories. For any company that had the temerity to be founded before 2010, they probably have an on-premises data center as well—or six or more—and you’re starting to try to wind up having a whole bunch of different abstractions viewed through the same lenses in terms of either observability or control plane or governance, or—dare I say it—security. And it feels like there are multiple approaches, all of which have their drawbacks, which of course means, it’s complicated. What’s your take on it?

Jack: So, I think it was two years ago we started to see tools to do signal consumption. They would aggregate those signals and they would try and produce meaningful results that were actionable rather than you having to go and look at all this granular data. And I think that’s phenomenal. I think a lot of companies are going to start to do that more and more. One of the other trends people do is they eliminated data and they went machine-learning and anomaly detection. And that didn’t work.

It missed a lot of things, right, or generated a lot of false positive. I think that one of the next big technologies—and I know it’s been done for two years—but I think we’re the next things we’re going to see is the axonius of the consumption of events, the categorization into alerts-based synthetic data classification policies, and we’re going to look at the severity classifications of those, they’re going to be actionable in a priority queue, and we’re going to eliminate the need for people that don’t like their jobs and sit at a SOC all day and analyze a SIEM. I don’t ever run a SIEM, but I think that this diversity can be a good thing. So, sometimes it’s turned out to be a bad thing, right? We wanted to diversity, we don’t want all the data to be homogenous. We don’t need data standards because that limits things. But we do want competition. But I would ask you this, Corey, why do you think AWS? We remember 2007, right?

Corey: I do. Oh, I’ve been around at least that long.

Jack: Yeah, you remember when S3 came up. Was that 2007?

Corey: I want to say 2004, 2005 in beta, and then relaunched as the first general available service. The first beta service was SQS, so there’s always some question about which one was first. I don’t get in the middle of those fights because all I’m going to do is upset people.

Jack: But S3 was awesome. It still is awesome, right?

Corey: Oh yes.

Jack: And you know what I saw? I worked for a very older company with very strict governance. You know with SOX compliance, which is a joke, but we also had SOC compliance. I did HIPAA compliance for them. Tons of compliance to this.

I’m not a compliance off, too, by trade. So, I started seeing [x cards 00:17:54], you know, these company personal cards, and people would go out and [unintelligible 00:17:57] platform because if they worked with my teams internally, if they wanted to get a small app deployed, it was like a two, three-month process. That process was long because of CFO overhead, approvals, vendor data security vetting, racking machines. It wasn’t a problem that was inherent to the technology. I actually built a self-service cloud in that company. The problem was governance. It was financial approvals, it was product justification.

So, I think AWS is really what made the internet inflect and scale and innovate amazingly. But I think that one of the things that it sacrificed was governance. So, if you tie a lot of what we’re saying back together, by using some sort of tool that you can pop into a cloud environment and they can access a hundred percent of the infrastructure and look for risks, what you’re doing is you’re kind of X-Ray visioning into all these nodes that were deployed rapidly and kept around because they were crown jewels, and you’re determining the risks that lie on them. So, let’s say that 10 or 15% of your estate is prototype things that grew at a scale and we can’t pull back into our governance infrastructure. A lot of times people think that those types of team machines are probably pretty locked down and they’re probably low risk.

If you throw a company on the side scanner or something like that, you’ll see they have 90% of the risk, 80% of the risk. They’re unpatched and they’re old. So, I remember at one point in my career, right, I’m thinking Amazon’s great. I’m—[unintelligible 00:19:20] on Amazon because they’ve made the internet go, they influxed. I mean, they’ve scaled us up like crazy.

Corey: Oh, the capability store is phenomenal. No argument there.

Jack: Yeah. The governance problem, though, you know, the government, there’s a lot of hacks because of people using AWS poorly.

Corey: And to be clear, that’s everyone. We all are. I take a look at some of the horrible technical decisions I made even a couple of years ago, based upon what I know now, it’s difficult to back out and wind up doing things the proper way. I wrote an article a while back, “17 Ways to Run Containers on AWS,” and listed all the services. And I think it was a little on the nose, but then I wrote 17, “More Ways to Run Containers on AWS,” but different services. And I’m about three-quarters of the way through the third in the sequel. I just need a couple more releases and we’re good to go.

Jack: The more and more complexity you add, the more security risk exists. And I’ve heard horror stories. Dictionary.com lost a lot of business once because a couple of former contractors deleted some instances in AWS. Before that, they had a secret machine they turned into a pixel [unintelligible 00:20:18] and had take down their iPhone app.

I’ve seen some stuff. But one of the interesting things about deploying one of these tools in AWS, they can just, you know, look X-Ray vision on into all your compute, all your storage and say, “You have PIIs stored here, you have personal data stored here, you have this vulnerability, that vulnerability, this machine has already been compromised,” is you can take that to your CEO as a CISO and say, “Look, we were wrong, there’s a lot of risk here.” And then what I’ve done in the past is I’ve used that to deploy HIDS—XDR, telemetry at scale, whatever you want to call it—these agent-based solutions, I’ve used that to justification for them. Now, the problem with this solutions that use agentless is almost all of them are just in the cloud. So, just a portion of your infrastructure.

So, if your hybrid environment, you have data centers, you’re ignoring the data centers. So, it’s interesting because I’ve seen these companies position themselves as competitors when really, they’re in complementary spaces, but one of them justified the other for me. So, I mean, what do you think about that awkward competition? Why was this competition exists between these people if they do completely different things?

Corey: I’ll take it a step further. I’m a big believer that security for the cloud providers should not be a revenue generator in any meaningful sense because at that point, they wind up with an inherent conflict of interest, where when they start charging, especially trying to do value-based pricing as they move up the stack, what they’re inherently saying is, great, you can get our version of our services that is less secure, so that they’re what they’re doing is they’re making security on their platform an inherent investment decision. And I’ve never been a big believer in that approach.

Jack: The SSO tax.

Corey: Oh, yes. And many others.

Jack: Yeah. So, I was one of the first SSO tax contributors. That started it.

Corey: You want data plane audit logging? Great, that’ll cost you. But they finally gave in a couple of years back and made the first management trail for CloudTrail audit logging free for everyone. And people still advertently built second ones and then wonder why they’re paying through the nose. Like, “Oh, that’s 40 grand a month. That should be zero.” Great. Send that to your SIEM and then have that pass it out to where it needs to go. But so much of it is just these weird configuration taxes that people aren’t fully aware exist.

Jack: It’s the market, right? The market is—so look at Amazon’s IAM. It is amazing, right? It’s totally robust, who is using it correctly? I know a lot of people are. I’ve been the CISO for over 100 companies and IAM is was one of those things that people don’t know how to use, and I think the reason is because people aren’t paying for it, so AWS can continue to innovate on it.

So, we find ourselves with this huge influx of IAM tools in the startup scene. We all know Uptycs does some CIAM and some identity management stuff. But that’s a great example of what you’re talking about, right? These cloud companies are not making the things inherently secure, but they are giving some optionality. The products don’t grow because they’re not being consumed.

And AWS doesn’t tend to advertise them as much as the folks in the security industry. It’s been one complaint of mine, right? And I absolutely agree with you. Most of the breaches are coming out of AWS. That’s not AWS’s fault. AWS’s infrastructure isn’t getting breached.

It’s the way that the customers are configuring the infrastructure. That’s going to change a lot soon. We’re starting to see a lot of change. But the fundamental issue here is that security needs to be invested in for short-term initiatives, not just for long-term initiatives. Customers need to care about security, not compliance. Customers need to see proof of security. A customer should be demanding that they’re using a secure company. If you’ve ever been on the vendor approval side, you’ll see it’s very hard to push back on an insecure company going through the vendor process.

Corey: This episode is sponsored in part by our friends at Uptycs, because they believe that many of you are looking to bolster your security posture with CNAPP and XDR solutions. They offer both cloud and endpoint security in a single UI and data model. Listeners can get Uptycs for up to 1,000 assets through the end of 2023 (that is next year) for $1. But this offer is only available for a limited time on UptycsSecretMenu.com. That’s U-P-T-Y-C-S Secret Menu dot com.

Corey: Oh, yes. I wound up giving probably about 100 companies now S3 Bucket Negligence Awards for being public about failing to secure their data and put that out into the world. I had one physical bucket made, the S3 Bucket Responsibility Award and presented it to their then director of security over at the Pokémon Company because there was a Wall Street Journal article talking about how their security review—given the fact that they are a gaming company that has children as their primary customer—they take it very seriously. And they cited the reason they’re not to do business with one unnamed vendor was in part due to the lackadaisical approach around S3 bucket control. So, that was the one time I’ve seen in public a reference where, “Yeah, we were going to use a vendor and their security story was terrible, and we decided not to.”

It’s, why is that news? That should be a much more common story, but these days, it feels like procurement is rubber-stamping it and, like, “Okay, great. Fill out the form.” And, “Okay, you gave some wrong answers on the form. Try it again and tell the story differently until it gets shoved through.” It feels like it’s a rubber stamp rather than a meaningful control.

Jack: It’s not a rubber stamp for me when I worked in it. And I’m a big guy, so they come to me, you know, like—that’s how being, like, career law, it’s just being big and intimidating. Because that’s—I mean security kind of is that way. But, you know, I’ve got a story for you. This one’s a little more bleak.

I don’t know if there’s a company called Ask.fm—and I’ll mention them by name—right, because, well, I worked for a company that did, like, a hostile takeover this company. And that’s when I started working with [unintelligible 00:25:23]. [unintelligible 00:25:24]. I speak Russian and I learned it for work. I’m not Russian, but I learned the language so that I could do my job.

And I was working for a company with a similar name. And we were in board meetings and we were crying, literally shedding tears in the boardroom because this other company was being mistaken for us. And the reason why we were shedding tears is because young women—you know, 11 to 13—were committing suicide because of online bullying. They had no health and safety department, no security department. We were furious.

So, the company was hosted in Latvia, and we went over there and we installed one I lived in Latvia for quite a bit, working as the CISO to install a security program along with the health and safety person to install the moderation team. This is what we need to do in the industry, especially when it comes to children, right? Well, regulation solve it? I don’t know.

But what you’re talking about the Pokémon video game, I remember that right? We can’t have that kind of data being leaked. These are children. We need to protect them with information security. And in education technology, I’ll tell you, it’s just not a budget priority.

So, the parents need to demand the security, we need to demand these audit certifications, and we need to demand that our audit firms are audited better. Our audit firms need to be explaining to security leaders that the control frameworks are something that they’re responsible for creating bespoke. I did a presentation with Al Kingsley recently about security compliance, comparing FERPA and COPPA to the GDPR. And it was very interesting because FERPA has very little teeth, it’s very long code and GDPR is relatively brilliant. GDPR made some changes. FERPA was so ambiguous and vague, it made a lot of changes, but they were kind of like, in any direction ever because nobody knows FERPA is. So, I don’t know, what’s the answer to that? What do we do?

Corey: Yeah. The challenge is, you can see a lot of companies in specific areas doing the right thing, when they’re intentionally going out on day one to, for example, service kids as a primary user base demographic. The challenge that you see with this is that, that’s great, but then you have things that are not starting off with that point of view. And they started running into population limits and realize, okay, we’ve got to start expanding our user base somewhere, and then they went a bolting on those things is almost as an afterthought, where, “Oh, well, we’ve been basically misusing people’s data for our entire existence, but now—now—we’re suddenly magically going to do the right thing where kids are concerned.” I wish, but unfortunate that philosophy assumes a better take of humanity than is readily apparent.

Jack: I wonder why they do that though, right? Something’s got to, you know, news happened or something and that’s why they’re doing it. And that’s not okay. But I have seen companies, one of the founders of Scantron—do you know what a Scantron is?

Corey: Oh, yes. I’m much older than I look.

Jack: Yeah, I’m much older than I look, too. I like to think that. But for those that don’t know, a scantron, use a number two pencil and you filled in these little dots. And it was for taking tests. So, the guy who started Scantron, created a small two-person company.

And AWS did something magnificent. They recognized that it was an education technology company, and they gave them, for free, security consultation services, security implementation services. And when we bought this company—I’m heavily involved in M&A, right—I’m sitting down with the two founders of the company, and my jaw is on the desk. They were more secure than a lot of the companies that I’ve worked with that had robust security departments. And I said, “How did you do this?”

They said, “AWS provided us with this free service because we’re education technology.” I teared up. My heart was—you know, that’s amazing. So, there are companies that are doing this right, but then again, look at Grammarly. I hate to pick on Grammarly. LanguageTool is an open-source I believe, privacy-centric Grammarly competitor, but Grammarly, invest in your security a little more, man. Y’all were breached. They store a lot of data, they [unintelligible 00:29:10] lot of the data.

Corey: Oh, and it scared the living hell out of companies realizing that they had business users using Grammarly as an extension to work on internal documents and just sending proprietary data to some third-party service that they clicked through the terms on and I don’t know that it was ever shown the Grammarly was misusing any of that, but the potential for that is massive.

Jack: Do you know what they were doing with it?

Corey: Well, using AI to learn these things. Yeah, but it’s the supervision story always involves humans reading it.

Jack: They were building a—and I think—nobody knows the rumor, but I’ve worked in the industry, right, pretty heavily. They’re doing something great for the world. I believe they’re building a database of works submitted to do various things with them. One of those things is plagiarism detection. So, in order to do that they got to store, like, all of the data that they’re processing.

Well, if you have all the data that you’ve done for your company that’s sitting in this Grammarly database and they get hacked—luckily, that’s a lot of data. Maybe you’ll be overlooked. But I’ve data breach database sitting here on my desk. Do you know how many rows it’s got? [pause]. Yes, breach database.

Corey: Oh, I wouldn’t even begin to guess. I know the data volumes that Troy Hunt’s Have I Been Pwned? Site winds up dealing with and it is… significant.

Jack: How many billions of rows do you think it is?

Corey: Ah, I’d say 20 as an argument?

Jack: 34.

Corey: Okay. Yeah, directionally right. Fermi estimation saves us yet again.

Jack: [laugh]. The reason I build this breach database is because I thought Covid would slow down and I wanted it to do executive protection. Companies in the education space also suffer from [active 00:30:42] shooters and that sort of thing. So, that’s another thing about security, too, is it transcends all these interesting areas, right? Like here, I’m doing executive risk protection by looking at open-source data.

Protect the executives, show the executives that security is a concern, these executives that’ll realize security’s real. Then these past that security down in the list of priorities, and next thing you know, the 50 million active students that are using Turnitin are getting better security. Because an executive realized, “Hey, wait a minute, this is a real thing.” So, there’s a lot of ways around this, but I don’t know, it’s a big space, there’s a lot of competition. There’s a lot of companies that are coming in and flashing out of the pan.

A lot of companies are coming in and building snake oil. How do people know how to determine the right things to use? How do people don’t want to implement? How do people understand that when they deploy a program that only applies to their cloud environment it doesn’t touch there on-prem where a lot of data might be a risk? And how do we work together? How do we get teams like DevOps, IT, SecOps, to not fight each other for installing an agent for doing this?

Now, when I looked at Uptycs, I said, “Well, it does the EDR for corp stuff, it does the host intrusion detection, you know, the agent-based stuff, I think, for the well because it uses a buzzword I don’t like to use, osquery. It’s got a bunch of cloud security configuration on it, which is pretty commoditized. It does agentless cloud scanning.” And it—really, I spent a lot of my career just struggling to find these tools. I’ve written some myself.

And when I saw Uptycs, I was—I felt stupid. I couldn’t believe that I hadn’t used this tool, I think maybe they’ve increased substantially their capabilities, but it was kind of amazing to me that I had spent so much of my time and energy and hadn’t found them. Luckily, I decided to joi—actually I didn’t decide to join; they kind of decided for me—and they started giving it away for free. But I found that Uptycs needs a, you know, they need a brand refresh. People need to come and take a look and say, “Hey, this isn’t the old Uptycs. Take a look.”

And maybe I’m wrong, but I’m here as a technology evangelist, and I’ll tell you right now, the minute I no longer am evangelists for this technology, the minute I’m no longer passionate about it, I can’t do my job. I’m going to go do something else. So, I’m the one guy who will put it to your brass tacks. I want this thing to be the thing I’ve been passionate about for a long time. I want people to use it.

Contact me directly. Tell me what’s wrong with it. Tell me I’m wrong. Tell me I’m right. I really just want to wrap my head around this from the industry perspective, and say, “Hey, I think that these guys are willing to make the best thing ever.” And I’m the craziest person in security. Now, Corey, who’s the craziest person security?

Corey: That is a difficult question with many wrong answers.

Jack: No, I’m not talking about McAfee, all right. I’m not that level of crazy. But I’m talking about, I was obsessed with this XDR, CDR, all the acronyms. You know, we call it HIDS, I was obsessed with it for years. I worked for all these companies.

I quit doing, you know, a lot of very good entrepreneurial work to come work at this company. So, I really do think that they can fix a lot of this stuff. I’ve got my fingers crossed, but I’m still staying involved in other things to make these technologies better. And the software’s security space is going all over the place. Sometimes it’s going bad direction, sometimes it’s going to good directions. But I agree with you about Amazon producing tools. I think it’s just all market-based. People aren’t going to use the complex tools of Amazon when there’s all this other flashy stuff being advertised.

Corey: It all comes down to marketing budget, and AWS has always struggled with telling a story. I really want to thank you for being so generous with your time. If people want to learn more, where should they go?

Jack: Oh, gosh, everywhere. But if you want to learn more about Uptycs, why don’t you just email me?

Corey: We will, of course, put your email address into the show notes.

Jack: Yeah, we’ll do it.

Corey: Don’t offer if you’re not serious. There’s also uptycssecretmenu.com, which is apparently not much of a secret, given the large banner all over Uptycs’ website.

Jack: Have you seen this? Let me just tell you about this. This is not a catch. I was blown away by this; it’s one of the reasons I joined. For a buck, if you have between 100 and 1000 nodes, right, you get our agentless system and our agent-based system, right?

I think it’s only on AWS. But that’s, like, what, $150, $180,000 value? You get it for a full year. You don’t have to sign a contract to renew or anything. Like, you just get it for a buck. If anybody who doesn’t go on to the secret menu website and pay $1 and check out this agentless solution that deploys in two minutes, come on, man.

I challenge everybody, go on there, do that, and tell me what’s wrong with it. Go on there, do that, and give me the feedback. And I promise you I’ll do everything in my best efforts to make it the best. I saw the engineering team in this company, they care. Ganesh, the CEO, he is not your average CEO.

This guy is in tinkerers. He’s on there, hands on keyboard. He responds to me in the middle of night. He’s a geek just like me. But we need users to give us feedback. So, you got this dollar menu, you sign up before the 31st, right? You get the product for buck. Deploy the thing in two minutes.

Then if you want to do the XDR, this agent-based system, you can deploy that at your leisure across whichever areas you want. Maybe you want a corporate network on laptops and desktops, your production infrastructure, your compute in the cloud, deploy it, take a look at it, tell me what’s wrong with it, tell me what’s right with it. Let’s go in there and look at it together. This is my job. I want this company to work, not because they’re Uptycs but because I think that they can do it.

And this is my personal passion. So, if people hit me up directly, let’s chat. We can build a Slack, Uptycs skunkworks. Let’s get this stuff perfect. And we’re also going to try and get some advisory boards together, like, maybe a CISO advisory board, and just to get more feedback from folks because I think the Uptycs brand has made a huge shift in a really positive direction.

And if you look at the great thing here, they’re unifying this whole agentless and agent-based stuff. And a lot of companies are saying that they’re competing with that, those two things need to be run together, right? They need to be run together. So, I think the next steps here, check out that dollar menu. It’s unbelievable. I can’t believe that they’re doing it.

I think people think it’s too good to be true. Y’all got nothing to lose. It’s a buck. But if you sign up for it right now, before the December 31st, you can just wait and act on it any month later. So, just if you sign up for it, you’re just locked into the pricing. And then you want to hit me up and talk about it. Is it three in the morning? You got me. It’s it eight in the morning? You got me.

Corey: You’re more generous than I am. It’s why I work on AWS bills. It’s strictly a business-hours problem.

Jack: This is not something that they pay me for. This is just part of my personal passion. I have struggled to get this thing built correctly because I truly believe not only is it really cool—and I’m not talking about Uptycs, I mean all the companies that are out there—but I think that this could be the most powerful tool in security that makes the world more secure. Like, in a way that keeps up with the security risks increasing.

We just need to get customers, we need to get critics, and if you’re somebody who wants to come in and prove me wrong, I need help. I need people to take a look at it for me. So, it’s free. And if you’re in the San Francisco Bay Area and you give me some good feedback and all that, I’ll take you out to dinner, I’ll introduce you to startup companies that I think, you know, you might want to advise. I’ll help out your career.

Corey: So, it truly is dollar menu then.

Jack: Well, I’m paying for the dinner out my personal thing.

Corey: Exactly. Well, again, you’re also paying for the infrastructure required to provide the service, so, you know, one way or another, it’s all the best—it’s just like Cloud, there is no cloud. It’s just someone else’s cost center. I like that.

Jack: Well, yeah, we’re paying for a ton of data hosting. This is a huge loss leader. Uptycs has a lot of money in the bank, I think, so they’re able to do this. Uptycs just needs to get a little more bold in their marketing because I think they’ve spent so much time building an awesome product, it’s time that we get people to see it. That’s why I did this.

My career was going phenomenally. I was traveling the world, traveling the country promoting things, just getting deals left and right and then Elias—my buddy over at Orca; Elias, one of the best marketing guys I’ve ever met—I’ve never done marketing before. I love this. It’s not just marketing. It’s like I get to take feedback from people and make the product better and this is what I’ve been trying to do.

So, you’re talking to a crazy person in security. I will go well above and beyond. Sign up for that dollar menu. I’m telling you, it is no commitment, maybe you’ll get some spam email or something like that. Email me directly, I’ll kill the spam email.

You can do it anytime before the end of 2023. But it’s only for 2023. So, you got a full year of the services for free. For free, right? And one of them takes two minutes to deploy, so start with that one. Let me know what you think. These guys ideate and they pivot very quickly. I would love to work on this. This is why I came here.

So, I haven’t had a lot of opportunity to work with the practitioners. I’m there for you. I’ll create a Slack, we can all work together. I’ll invite you to my Slack if you want to get involved in secondaries investing and startup advisory. I’m a mentor and a leader in this space, so for me to be able to stay active, this is like a quid pro quo with me working for this company.

Uptycs is the company that I’ve chosen now because I think that they’re the ones that are doing this. But I’m doing this because I think I found the opportunity to get it done right, and I think it’s going to be the one thing in security that when it is perfected, has the biggest impact.

Corey: We’ll see how it goes out over the coming year, I’m sure. Thank you so much for being so generous with your time. I appreciate it.

Jack: I like you. I like you, Corey.

Corey: I like me too.

Jack: Yeah? All right. Okay. I’m telling [unintelligible 00:39:51] something. You and I are very weird.

Corey: It works out.

Jack: Yeah.

Corey: Jack Charles Roehrig, Technology Evangelist at Uptycs. I’m Cloud Economist Corey Quinn and this is Screaming in the Cloud. If you’ve enjoyed this podcast, please leave a five-star review on your podcast platform of choice, whereas if you’ve hated this podcast, please leave a five-star review on your podcast platform of choice along with an insulting comment that we’re going to be able to pull the exact details of where you left it from because your podcast platform of choice clearly just treated security as a box check.

Jack: [laugh].

Corey: If your AWS bill keeps rising and your blood pressure is doing the same, then you need The Duckbill Group. We help companies fix their AWS bill by making it smaller and less horrifying. The Duckbill Group works for you, not AWS. We tailor recommendations to your business and we get to the point. Visit duckbillgroup.com to get started.

Announcer: This has been a HumblePod production. Stay humble.