In this episode of “The CTO Show with Mehmet,” Mehmet is joined by Vivek Ramachandran, the CEO and founder of SquareX, for an in-depth discussion on cybersecurity, AI, and browser security. Vivek, a veteran in the cybersecurity field with over 20 years of experience, shares his journey from working at Cisco Systems to becoming an entrepreneur and starting multiple companies, including SquareX. He delves into his fascination with breaking security systems and how this led him to focus on offensive cybersecurity research and training.
Vivek explains the current gaps in cybersecurity, particularly in how traditional security solutions like Secure Web Gateways (SWGs) and endpoint security products are insufficient in today’s complex web application environment. He highlights how attackers exploit these gaps, particularly through browsers, which are now the primary workspace for many employees. Vivek’s insights into how attackers use AI to create sophisticated phishing attacks and malware emphasize the need for advanced, browser-native security solutions.
SquareX’s innovative approach involves deploying a browser extension that monitors and analyzes browser and DOM events in real time using machine learning models. This allows for anomaly detection, policy enforcement, and proactive isolation of suspicious activities and files, thus providing a robust layer of security right where the user interacts with the web. Vivek also discusses the importance of context-aware security measures, which traditional SWGs lack, and how SquareX aims to fill this void.
The conversation also touches on the broader implications of AI in cybersecurity, both as a tool for attackers and defenders. Vivek discusses how AI can be leveraged to enhance security measures, streamline security operations through natural language interfaces, and perform real-time threat detection and response. He also shares practical advice for C-level executives on adapting to the rapid advancements in AI and integrating it effectively into their security posture.
In a lighter segment, Vivek talks about his initiative to create the first hacker comic book, aimed at educating young people about the positive aspects of hacking and cybersecurity. This project reflects his passion for cybersecurity and his desire to change the mainstream perception of hackers.
Towards the end of the episode, Vivek offers valuable advice for aspiring founders, emphasizing patience, resilience, and the importance of realistic expectations. He also highlights the importance of building a company with a deep understanding of the problem space, which, in cybersecurity, often comes from having an offensive background.
More about Vivek:
Vivek Ramachandran is the Founder of SquareX, which is building a browser-native security product to mitigate last-mile attacks. SquareX raised a USD 6M seed round from Sequoia Capital SEA in April 2023.
Previously, he was the Founder and CEO of Pentester Academy, which trained thousands of customers from government agencies, Fortune 500 companies, and smaller enterprises from over 90 countries. Pentester Academy was acquired by INE in 2021.
Vivek has been researching Wi-Fi security for over a decade. He discovered the Caffe Latte attack, broke WEP Cloaking, conceptualized enterprise Wi-Fi Backdoors, created Chellam (Wi-Fi Firewall), WiMonitor Enterprise (802.11ac monitoring), Chigula (Wi-Fi traffic analysis via SQL), Deceptacon (IoT Honeypots) and others. He is the author of multiple five-star-rated books on Wi-Fi security, which together have sold over 20,000 copies worldwide and have been translated into multiple languages.
https://www.linkedin.com/in/vivekramachandran/
01:13 Vivek's Journey in Cybersecurity
02:59 Identifying Market Gaps and Founding SquareX
04:32 Challenges in Cybersecurity and Browser Vulnerabilities
29:39 The Role of AI in Cybersecurity
50:34 Advice for Founders and Conclusion
[00:00:00]
Mehmet: Hello and welcome back to a new episode of the CTO Show with Mehmet. I'm very pleased today to have joining me from Singapore Vivek Ramachandran. Vivek is the CEO and founder of SquareX. Vivek, the way I like to do it is I keep it to [00:01:00] my guests to tell us a little bit more about themselves, their journey, and you know, what you are currently up to.
Mehmet: And then we can, of course, take the discussion from there.
Vivek: Thanks so much, Mehmet. Really appreciate you inviting me on the show. Uh, so hi everybody. I'm Vivek Ramachandran. I've been in cybersecurity for over 20 years, around 13 years of that as an entrepreneur. Uh, started off, you know, working for various deep tech companies like Cisco Systems, building a lot of their Layer 2 security, and very quickly figured out that I enjoyed breaking security more than making it, and that is really where I transitioned into security research.
Vivek: Uh, you know, discovered a couple of first-in-the-world attacks like Caffe Latte, broke WEP Cloaking, uh, spoke at DEF CON, Black Hat, all of these places, which finally culminated in me starting my first company, Binary Security, way back in 2011. So as part of that group, you know, I started a wireless monitoring [00:02:00] product.
Vivek: I started Pentester Academy. Uh, you know, eventually all of this got acquired, uh, in 2011, sorry, 2021. And then post that, I took a little bit of a break, wrote a hacker comic. And, uh, you know, after that I decided to start SquareX based upon a lot of the learnings and experiences I had while building the previous companies.
Mehmet: That's fantastic. You know, and I believe we're going to have a very, uh, you know, very like, uh, hot discussion, especially as you come also from, you know, what we usually call, because, you know, the majority of the time we talk about cybersecurity, we talk about the preventive or, you know, like responsive approach.
Mehmet: We're like, very rarely we think about how to do it from the other side. Now, I want, you know, to understand a little bit from you, Vivek, like of course, you, you, you had this, this background, you've been like part of, of uncovering these, um, you know, attacks and so on. Um, [00:03:00] but there must be, you know, a, a, a gap in the market that you've seen, especially when it comes to, um, cybersecurity, that, you know, you decided like it's the time now to start SquareX.
Mehmet: Can you like little bit, tell me which gaps you see in the market, you know, how did you come up with the idea and then how did you validate it?
Vivek: Correct. I think, uh, you know, Mehmet, that's a great question. So, you know, when I was running Pentester Academy, at that point, what we were doing was a lot of offensive cybersecurity attack training, and really that's just a fancy way of saying that you showed teams, security teams, IT teams, how attackers break in.
Vivek: So a large part of what we used to do was show people how to design new attacks, which can subvert their existing security controls. Now, while talking to many of those red teams from Fortune 500 companies, I realized that employees still remained the number one way by which they were seeing attackers [00:04:00] break into an environment.
Vivek: Now at that point in time, you know, you had endpoint security products and these would probably pick up any file or process which was trying to be malicious. Now alongside that in the cloud, you had these products which were SSL proxies or secure web gateways, uh, as part of SASE/SSE, and their job was to go ahead, look at all the enterprise traffic, uh, going over the web, and see if there were any interesting attacks happening and block them right there.
Vivek: Now this is really where I saw a very big gap and let me explain how. So all of these SWGs, SSL intercepting proxies, they came at a time almost a decade back when web applications were not very complex. The web browser itself was not a very, uh, platformized application. And what has happened in recent times is everything is a web app.
Vivek: You have progressive apps, everything is an API [00:05:00] and whatnot. And unfortunately these secure web gateways don't have context of what the user is doing, what the application is doing, and hence are very blinded when it comes to detecting attacks. And I can give you a very simple example. If today a malicious site ended up reading your clipboard,
Vivek: encrypting that data and sending it, uh, an SWG in the cloud would not have any idea whether what it's looking at is form data, session data, clipboard, or just gibberish. So really all the context was residing in the browser. Now, at the very same time, attackers were targeting end users. Now, given hybrid work, uh, you know, people also tend to use their own devices and whatnot.
Vivek: And which is really where what we realized was attackers end up stealing credentials in the browser itself without the need to ever, you know, download or install any binary. And a perfect example: we all know spear phishing, [00:06:00] but I'll give you another one in the world of AI today, where so many people are now installing browser extensions, uh, which are like AI copilots.
Vivek: And what malicious bad actors are doing is they're actually putting out extensions which at the backend talk to, you know, ChatGPT, uh, or one of the established, uh, you know, AI players. And based upon that, people tend to feel like they're getting free access to these paid services. But the bad actors have these extensions also steal credentials.
Vivek: So the key hole that we realized is endpoint security solutions don't have any visibility into the browser. And at the very same time, cloud proxies, which work on a URL construct, unfortunately have no understanding of what's really going on in the browser and how an attacker may end up orchestrating some of these attacks.
Vivek: So that led to the conclusion that we also need to have visibility [00:07:00] access control, security understanding of what is happening within the browser itself. And that led me to kind of get to the whole idea about building a browser native security product, which is really what SquareX is doing.
Mehmet: So Vivek, you know, what you mentioned is very important and dangerous in a sense from, from attack point of view.
Mehmet: So correct me if I'm thinking wrong here. So today, you know, and we know this, and actually one of the features that ChatGPT has added recently is you just upload the screenshot, and then it can perform things. So if I'm using my browser today, and by the way, the platform I use, which is StreamYard, is also like a web application to your point, I spend maybe 99 percent of my time in, in the browser.
Mehmet: So using these extensions, whether it's like a Chrome extension or another browser extension, these attackers will be able to stream my [00:08:00] desktop, you know, whatever I'm seeing now, and then using artificial intelligence like ChatGPT or whatever they can steal. Is this exactly, you know, the scenario?
Vivek: This scenario will absolutely work.
Vivek: So basically what you're saying is, here is an example. Imagine that ChatGPT released a new feature only for its professional users, right? Who are paying. Now, on social media, somebody says, oh, and you see these posts everywhere where someone says, why use the ChatGPT, you know, paid product when you can actually get this for free?
Vivek: Right? And everybody starts clicking those links and going. And now imagine that there's a browser extension which in the backend exactly uses GPT-4 or whatever. And once you install it, then it can even request, for example, record desktop, record screen. And once you give access to all of that, it can stream back and really pretty much figure out everything that you're doing.
Mehmet: I think what is worse, and again, correct me if I'm wrong, I'm looking at technical guys, [00:09:00] but so, these guys are using, you know, the legitimate ports like HTTPS 443, because they establish this connection over maybe, you know, some, some specific, uh, servers that they are running, but actually I'm, I'm reaching that server using a very legitimate port, which is 443, right?
Vivek: Absolutely. So you're right. Which means your network firewall, people monitoring regular web traffic, wouldn't see anything out of the ordinary. They will just see, you know, port 443 is being connected to and data is being sent. Uh, and the tricky part is, you know, most firewalls, uh, you know, higher level proxies, unfortunately can't even look at things like WebSocket data, because it's just, you know, binary data streaming through.
Vivek: So how do you even go about interpreting it? Right? Because every application can have its own way of how the data gets interpreted at, you know, either end.
Mehmet: That's really dangerous as I'm trying to think about [00:10:00] it now, you know, the market you've mentioned, you know, whether it's like, uh, secure web gateways, like SWG, SASE, SSEs, you know, there is no single time.
Mehmet: And maybe because I'm in tech, I see this a lot, but even like I hear from people, they ask me, what is this SASE thing? What is, you know, like, and the market is huge, Vivek, right? And there are a lot of players over there. So let's cover, you know, a little bit, that market, if you don't mind. And
Mehmet: also, you know, you mentioned some of the things that they cannot do, but despite being a big market, and I think you can mention even some big players over there, you know what I'm interested in more, because everyone talks about zero trust when, when we mention this. So, so what's your point of view on, on that market and the players and, you know, the, the relation with zero trust, uh, over there?
Vivek: Yeah, no, I think all great questions. So [00:11:00] remember, you know, I think all, all technologies start with the right intent based upon, you know, the times when they began. Right. So if you look at, you know, SASE, uh, the whole idea really was, and Gartner, if I recall, coined this entire space term, basically, you really wanted networking and security to be kind of like unified in the cloud.
Vivek: And you wanted, you know, primarily one or more vendors to be able to go ahead and provide that entire stack in the cloud. So this was the time when everything was moving into the cloud and people wanted security products to also reside in the cloud rather than on-prem. And the way the transition happened is, you know, large companies like Zscaler, Palo Alto, Netskope,
Vivek: uh, you know, I mean pretty much, you know, all the big guys that you may have heard about, what they did was they took that on-prem construct, put it in the cloud, and now they said all your organization's traffic needs to go through our data center, where we will [00:12:00] clean, prune, detect these attacks, block them, and ensure that only clean traffic, you know, ends up leaving. At the very same time, your end devices also only get very clean traffic, where you don't have to worry about getting attacked.
Vivek: So the promise was that, let's say one of your employees is trying to download a document and maybe that has malware. Rather than, you know, in the previous construct, the employee ends up downloading it locally and then your antivirus finding it, the SASE or SSE provider can just, in the cloud, figure out that you're downloading a file, pause that download, scan the file in the cloud, and decide whether to allow or block it.
Vivek: Similarly for URLs, uh, and all of that as well. So the intent was good. SASE then eventually gave rise to SSE because what really happened is, uh, you know, Gartner ended up realizing it's very difficult sometimes for [00:13:00] security vendors to also offer networking capabilities like SD-WAN and whatnot. And that is really where maybe security vendors can just give security products and, you know, that became SSE.
Vivek: Now, in all of this, the core component where you end up entering the cloud when it comes to, you know, all of these components, zero trust or whatnot is really secure web gateways. And the thought process is simple is look today, almost every website has SSL on it, which basically means once the traffic leaves, you know, the user's browser, the only person who can decrypt it is the site it is intended for, right?
Vivek: Gmail can decrypt Gmail traffic. Uh, and then, you know, process the request. Now one can imagine if that was the case, then there could be no security inspection possible because, you know, you can't decrypt traffic meant for Gmail encrypted with, you know, Gmail's public SSL key. So this is really where secure web gateways came in and [00:14:00] said,
Vivek: here's what we're going to do. We're going to sit in between. We are going to go ahead and decrypt all traffic from the user's browser coming into us, make sure everything is clean, and then connect to the real destination, which may be Google or whoever, and then send that data. And they do this, uh, by installing their own master certificates with which they end up issuing site-specific certificates so that they can encrypt and decrypt, you know, and kind of create these two concurrent tunnels.
Vivek: So back in the day when all of this started, and I think SSL intercepting proxies are probably a decade old, which eventually became, you know, SWGs and all of that. At that point in time, the primary construct on how you could identify something good or bad was just a domain, just a URL. So Mehmet, what would end up happening is once you detect that abcfig.com, uh, is [00:15:00] malicious, you say, you know what, I'm going to block everything. This site should not load at all. And that was great for those times. Today, I'll give you a very simple example. github.com. Now, if you went to an enterprise admin, he'll say, hey, I have to whitelist github.com. My developers use it.
Vivek: My testers use it. Uh, but on github.com, anyone can end up creating a project, which means a bad actor can go in, create a GitHub project, uh, attach a piece of ransomware, and now all of that is really running in the same construct of github.com. And then when he sends a link of that zip malware sitting on github.com to an enterprise employee, it completely zips past the proxy simply because the proxy has been whitelisting github.com, which basically means zero trust, you know, any form of verification at the proxy level, is starting and ending literally with a URL construct. [00:16:00] Now, this is really where, you know, this, this entire paradigm of doing things has come of age.
Vivek: Of course, you know, any legacy player who's been doing this for 10 years, making billions of dollars, would never want to cannibalize their own product. So I can tell you that today, many of these larger players are probably already aware about the limitations, at least some of the limitations of what these products have, but you know, the whole transformation where they're going to junk this and think about a brand new paradigm where zero trust extends to every single component of a page, not just the URL, you can imagine such a disruption only happens
Vivek: when there is a massive wave of attack or somebody puts out some groundbreaking research on why the previous generation paradigm is completely faulty. So I think that is really where we are when it comes to the market: ginormous, billions of dollars, big players [00:17:00] still peddling around a legacy philosophy of the URL being the primary zero trust construct.
Mehmet: You know, and I think, Vivek, correct me again if I'm wrong, so it's not like you gave GitHub, which is a great example, but what I start to see recently, and probably they do it today for phishing attacks, is they go for some of the, you know, famous SaaS applications and they create a subdomain over there.
Mehmet: Yes. Like, like for example, you know, like I, I've seen like, uh, of course, like I can spot them, but I would say maybe someone who's not in tech might be tricked. So for example, they use something like SurveyMonkey or like, you know, like HubSpot sometimes. And then they put this material because it's a CRM or it's like a, it's, it's like a surveying
Mehmet: platform and they can, and they can upload files, and then they tell you, yeah, like you need to download this file or you need to click this link to get that, you know, to see this. And of course, you know how, you know better than me, so they play [00:18:00] also on the, you know, the psychology of the end user to make
Mehmet: sure that he or she, they will click exactly that link, which brings us to the point that you are saying, that the traditional, you know, gateways that you just mentioned, I'm not saying they are not, they're not, you know, they are completely useless, but yeah, they cannot stop in front of this new kind or new era of, of attacks, and this is, you know, brings us to the point like, so I believe now, Vivek, every single CISO, even CIO, everyone within the organization should be thinking, you know, how we can make, you know, web browsing more secure for all our employees.
Mehmet: Right.
Vivek: Correct. Absolutely.
Mehmet: Yeah. Now, but, but I, what I want you to, to, to highlight, uh, Vivek, more is, so we talked about like a little, some of the consequences, but how big can the attackers go? I mean, um, where they [00:19:00] can reach. So you mentioned some, some, you know, maybe screenshot, we mentioned screenshotting or like maybe, but where can they go with, with, with these kinds of attacks?
Vivek: That's a very, very good question. Right. Uh, so Mehmet, I think, you know, if you look at it today, employees carry the keys to the kingdom. And if you look at a typical organization, let's say you have technical people, then you have marketing, sales, and then you have, you know, HR, administration, right? Very broadly.
Vivek: And I'll pick each one of these verticals and tell you why employees have become more critical than even the corporate infrastructure. So your developers, they literally have access to your cloud, you know, AWS account, Azure account, GCP, whatever. And we know developers end up logging in doing all of that stuff.
Vivek: You know, definitely via the browser. Now, all of these cloud, you know, cloud shells and everything, they're also now accessible via the browser. So developers are spending a lot of time in the browser. Now, when you look at, let's say the marketing and sales [00:20:00] folks, marketing is all over social media, right?
Vivek: Like posting stuff, doing stuff, which means the marketing team is handling social media accounts and other important things. Sales folks are, you know, sitting on LinkedIn and other places and prospecting, you know, customers, people they can sell to and whatnot. Administration and HR now is literally online scouring the web for resumes.
Vivek: Uh, you know, connecting to people, going to various sites, putting whatnot. So what's happened as a common denominator is everyone is just used to doing their workflow in the browser, which means their authentication into services, salesforce.com, AWS, you know, cloud, whatnot, is also happening via the web interface.
Vivek: So an attacker who has compromised the browser or a page can end up now siphoning these credentials. And then impersonating the user. So imagine today that you end up [00:21:00] impersonating one of the marketing employees, because you have access to their accounts, you could literally go ahead middle of the night in that place.
Vivek: Put out an announcement saying, hey, our company's faced a breach and we have decided to shut down. Like overnight you would lose reputation, customers, whatnot. Even the next day, if you just came back and said, oh, this was false, you know, one of our social media team's accounts was hacked. Now, if, if an attacker hacks into a salesperson, they can know the secrets of how the company is doing.
Vivek: But at the very same time, again, send a message to all your customers. Uh, announcing something as you, which may be very problematic to your company. So I feel almost every attack starts with identity theft today when it comes to targeting end employees of companies. And why this has become very difficult.
Vivek: You'll remember, you know, 15, 16 years back, when laptops and all of that had not proliferated as much, people used to just work within [00:22:00] the physical confines of an office. So the admin would walk up to you, look at your desktop PC, make some changes, make sure everything is locked down. Today we don't live in this world.
Vivek: Many a time, you know, your admin has never even met you, because you work from some remote location. So now in this hybrid work world, I think attackers have understood that every employee is a great target. And the best part, he only has to win once against probably an organization's thousands of employees.
Vivek: And I'll give you a very simple example. Large organization development team. Imagine somebody poses to be a recruiter and messages everybody on LinkedIn saying, I'm from one of your competitors and we are offering two X the salary today. How many developers or how many professionals do you think will be able to resist not downloading and opening that job description document?
Vivek: Right? So attackers have realized attack the [00:23:00] weakest link and the weakest link are employees. Employees spend 90 percent of their time in the web browser, which means attack via the web browser, attack the browser. And then what do you get from that identity? Once you get identity, you can unlock everything that that person does move laterally.
Vivek: Pretty much compromise everything.
Mehmet: Now, I think we agree that traditional ways of protecting, I mean, like preventing, let's call it, I like to call it preventing, um, will not work. So here's, I know, I know like, you know, browser security, which is exactly what, uh, uh, SquareX does, right? So, I'm interested to know like what techniques, you know, or like, let's say if I'm, if I'm someone that, uh, coming to you today, Vivek, and they say, I have this problem, right.
Mehmet: And I'm afraid, you know, this is keeping [00:24:00] me awake at night, that exactly the scenario you gave me now would happen. And, you know, the solution is, is, you know, what, what you currently do at SquareX. But if I'm interested to know more, like what vectors of the attack, like you can help me with today, is it like stopping the malicious file?
Mehmet: Is it like a signature-based thing? Like what exactly are the areas you can help me with today, Vivek?
Vivek: Yeah, no, that's a great question. And, and remember the way we look at it is, uh, what we do is the following, right? Once you deploy our product, which is a browser extension, we go ahead, monitor every web page that you open up.
Vivek: And we look at, you know, DOM events. We look at browser events and we feed all of this data to our, you know, machine learning models, also running within the browser itself. And that is really where, where we do anomaly detection, where you can apply policies, rules, [00:25:00] and all of that, uh, to think about any scenario where you want to protect yourself.
Vivek: And I'll give you a simple example. Uh, one of the places that we are deploying in, you know, they had a very interesting requirement. They said, Vivek, you know, the problem is our enterprise employees, they are logged into our enterprise Google workspace, which typically also looks like Gmail for employees.
Vivek: But at the very same time, everybody's also opening up their personal Gmail in one of the other tabs. So now when you just type in drive.google.com, depending on which account you logged into first when you started the browser, uh, when you hit file upload, you may sometimes end up inadvertently uploading the file into your personal account versus the company's.
Vivek: Now, similar to this, imagine where, let's say an attacker now ends up sending you a link, uh, for mega.nz, which contains maybe a document and probably your [00:26:00] existing scanners don't pick it up. And now you're thinking, should I open this document or not? So really what I'm getting to is the number of these possible cases is, is infinite really.
Vivek: And at the very same time, what we've also figured out to your point, detecting a malicious document or a malicious file. No vendor in the world, right? Can actually claim they can detect it 100 percent of the times accurately, right? If that was possible, there wouldn't be security vulnerabilities. There would be no hacks today.
Vivek: So what SquareX's browser does, or sorry, extension does, is we allow the user, uh, allow the admin to do one of two things: block and isolate. So block is when we absolutely know something is malicious using, let's say, known threat feeds, uh, or additionally we have our own malicious document detection and all of that stuff.
Vivek: The second is where you can't be fully sure. A perfect example is maybe an admin [00:27:00] says any document downloaded via Gmail, if it contains a macro, and regardless of whether we picked it up as malicious or non-malicious, isolate and open this up in a sandbox in the cloud. Then what SquareX can do is when a user ends up trying to download a document, we immediately check on the browser itself, before the document hits the hard disk, if this contains a macro. If it does, we open up a cloud sandbox in another tab,
Vivek: upload the file, project it back. So from a user's perspective, this almost looks like you opened up the document in another tab. That's how transparent the experience is. So using this, what we end up doing is, all document cases where something could be considered suspicious, we open up in these disposable pods.
Vivek: Similarly, we have the same construct for websites as well, using disposable browsers. Now, [00:28:00] additionally, what we do is have the ability where you can actually write arbitrary rules, which will completely get evaluated on the client side. So as an admin, you could come in and basically say, isolate all documents which users are downloading from websites coming in from a certain country, and which probably are zip files but are encrypted, and those sites have been, you know, registered in the past 45 days.
Vivek: And the way we've done this is you can write this in natural language and we, using AI, convert this to granular smaller rules, which get evaluated completely in your browser. And when that, you know, entire rule set ends up hitting, uh, we go ahead and do exactly what you asked, which is isolate those files.
Mehmet: So it's kind of threat hunting, Vivek, right? Like, if that's [00:29:00] the last thing you mentioned, does it fall under threat hunting?
Vivek: Yeah, great, great question. So, absolutely. So I think, you know, policies, which have been created to detect attacks, and when that policy gets hit, an organization can do threat hunting on that individual user.
Vivek: And we also allow automatic correlation across the enterprise, in which case we can show you if multiple users are being targeted using a similar attack.
Mehmet: I got it. Now, we mentioned AI a couple of times, and maybe we gave a little bit, uh, you know, sneak peek for the audience. And you use AI and machine learning yourself, and, you know, like a lot of, you know, every single, uh, company today tries to leverage AI to their benefit.
Mehmet: But when it comes to cybersecurity, it's also a known fact that the, you know, bad actors themselves are leveraging AI, right? So when we [00:30:00] think about that landscape, of course, like we gave, uh, you know, I gave an example of what they can do, but really from your experience, and because you were on the offensive side as well, Vivek, how do you think AI can affect, you know, the, the threatscape, let's call it, today?
Vivek: Yeah, I think great question. Uh, so I think, you know, AI, just like any revolutionary technology, when it comes to threats can be used both for good and bad. Uh, and I'll explain how let's look at the bad side first. So if you think about it, you know, the greatest difficulty attackers have. Is a, once they even know that an attack can happen in a certain way is to be able to build the tools, the attack exploits in order to compromise that scenario.
Vivek: Now, previously, this meant you had to have skilled people in your company, you know, or in your mafia enterprise who know how to code, who build these tools, tested, do all of that. Now with AI, especially code GPTs, [00:31:00] It has become exceedingly simple to go from concept to code. And this is allowing attackers to build attack tools, attack scripts a lot faster.
Vivek: Uh, I think probably sometimes within minutes, if not like, you know, much faster than that. So this basically means, uh, defenders can expect a lot of variations in the attacks. While previously they only had to worry about certain variations because there are only few tools capable and all attackers ended up just using one or more of those tools.
Vivek: So attackers have been supercharged. Another very simple example I can give you is most of the scam emails which come in, uh, previously, you know, used to all be grammatically wrong, right? Like Uh, you know, somebody offering you millions of dollars, you know, somebody offering you inheritance, which was left for you in a foreign land.
Vivek: Uh, but now, you know, an attacker can train an LLM to go to [00:32:00] all your social media accounts, understand what you're talking about, craft something very specific to a context that you have been talking about today, and then put it out. Simple example, you know, today, somebody the moment the this this show is released.
Vivek: Somebody could target me with an email or you with an email saying, Hey, uh, I saw the show. This was a very great summary, by the way, what do you think about this? And I've written my summary about the show with an article link, and maybe that hosts a browser exploit. And because it is so contextual, almost human beings are guaranteed to go click on it.
Vivek: So I think Mehmet, what's happened is we as human beings, we use our senses to decide what is, you know, good and bad, what is good and what is fraudulent. I feel with especially the current generation of AI revolution, human beings can no longer depend on their senses to decide. Deep fakes would actually mean that you don't [00:33:00] know if you're really talking to the real Vivek.
Vivek: Uh, and all of this is going to compound because I think most attacks disproportionately end up targeting people who are not technologically well versed. So that's the attacker side. Now, on the defender side, where it gets very exciting is security has always been a needle in a haystack problem. Which is, you know, you have millions of these alerts and all of that coming in and security teams had to sift through all of that and figure out the attacks in there.
Vivek: Now where AI is really helping is it can now munch through these millions of events almost live, at scale, and be able to look for, you know, certain trends and threats and maybe summarize and come up with exactly where attacks are happening. At the very same time, I think traditionally security products have been very complicated to configure the more granular you get.
Vivek: Now, with the help of AI, almost all [00:34:00] interfaces are becoming natural language, human interfaces, where ideally I would envision in a few years, You are driving every product, not just, uh, cybersecurity using natural language. And I think that is a very big force multiplier because most people can describe what they want in natural language way better than in codes and rules and stringing all of that perfectly together.
Vivek: So, so those are my thoughts about, you know, the both sides of the AI story.
Mehmet: It's really exciting, scary, positive, you know, however, I'm optimistic by default, but yeah, so We started to see, you know, these news, you know, about how attackers are trying to leverage this and how they They use ChatGPT and other Copilot to your point products to do this, but the good news to your point also that especially you're doing also with the, with the, with SquareX today, leveraging the power of AI [00:35:00] to, to build these, um, you know, uh, defensive and preventive solutions out there.
Mehmet: Now it's, you know, before I shift to something else, um, if we want to think from, um, little bit board perspective, C level perspective. Uh, on, you know, because I know this question is asked on board level, especially because you gave a very, very good example previously Vivek about, you know, when someone impersonates marketing sales, whoever, and then they post something that they can hurt and the board are really concerned today.
Mehmet: But, you know, what do you think from, from The people who are in charge, whether it's a CTO, CIO, CISO, what do you think they are missing today in their security posture?
Vivek: That's a good question. To have this, to
Mehmet: have this guarantee, to have this peace of mind, I would say. Uh,
Vivek: [00:36:00] I actually feel, you know, what tends to happen is when any new technology comes, which fundamentally disrupts existing workflows, uh, the initial response is to try to resist it.
Vivek: And, and the best example I can give you Mehmet is, you might remember the time when, you know, television started having cameras in them. And I remember there were many people who went out and said, I'm never going to buy a TV with a little camera and a microphone in it. Now fast forward three to four years.
Vivek: Every TV has a camera and microphone in it. Now, what do you do? The market has fundamentally changed and here you are trying to defend your stand based upon something antiquated. So drawing from that parallel, if you look at a lot of the C level posture at this point, they're like, look, AI is this new crazy thing.
Vivek: I probably don't know how to handle it at this point because I don't want to invest the time and the money and the resources to research and to build [00:37:00] defenses. Let's just block ChatGPT. Let's just block every AI site till somebody else smarter than us figures out and probably puts this out and we'll just go copy it.
Vivek: So I feel unfortunately, uh, a large part of, you know, C level folks currently are in that bandwagon where they feel let's block till we, someone figures it out. I would say the right approach is look, there are massive benefits to your workforce adopting AI and the three prong approach people process technology.
Vivek: The first thing to do is to give security awareness trainings to your folks. advising them about the good and bad of AI and how to probably use it effectively in office setting. Second is to build processes. Uh, it's absolutely fine that you build, you know, a blocking posture in the beginning, but then have people tell you why they should be allowed access to AI.
Vivek: And based upon [00:38:00] that, you start making exceptions. Where slowly you understand this is how the marketing team wants to use it. This is how somebody else wants to use it. And all of that, finally, technology technology, because look, you can never stop a disruptive wave. All you can do is quickly adapt. And it is very important.
Vivek: I think for C level folks to understand that the faster they understand and adapt, the more secure they will be. And the more they will feel as part of the process. Yes. rather than resisting it long enough and all of a sudden having to jump in, uh, you know, all hands in and trying to rescue a situation.
Vivek: So I feel high adaptability has always been, at least in my humble view, a hallmark of success in C suite people, uh, when it comes to any disruption, which is happening in the broader space.
Mehmet: Just, uh, maybe fun story to, to the point you mentioned Vivek. And I mean, people know that whenever [00:39:00] we put, uh, for example, you mentioned like, yeah, let's, let's ban every single AI tool, ChatGPT, whatever, Gemini.
Mehmet: So, so people by default, their action would be, okay, let's install a VPN and bypass And I, I remember when, you know, but I'm talking about maybe 20 years plus now when I was at college. So I remember the university decided to, to block something which is really not harmful. It was something useful, but I don't know, you know, like it was one of these new things.
Mehmet: Um, and the way for us to overcome this, we found Something that it does exactly, you know, it will simulate a browser, you know, so it's like you have a Chrome, but it's not the actual Chrome. It's a portable version of Chrome. And we figured out that by doing this, we can actually access that exact thing that we wanted to access it.
Mehmet: So to your point, yeah, like you cannot like keep people away. from using that. Plus you [00:40:00] mentioned also Vivek previously, and this is something I hope like people who are listening or watching this, you can control people when they are on inside your premises, right? So, so you can control them as long as they sit within your fences.
Mehmet: But today everyone is mobile first. They have their own laptops, they have their own, uh, mobile phones and tablets, and they can put the data inside ChatGPT, whether you accept it or not. So, so you can, you can control them sometime, but not all the time, which is absolutely to, to your point about this one.
Mehmet: Now, I want to ask you like question, which is a little bit, you know, it's interesting, I believe. Uh, and I ask it to founders usually, but for example, in this case, We're talking about a cyber security company. So how much, you know, yourself being someone versus a, you know, you, you've heard previous, uh, you know, someone who was previously doing [00:41:00] hacking actually, how does that help you in, in, in, uh, in building SquareX?
Mehmet: Like how, how beneficial was that?
Vivek: Yeah, no, again, you know, very interesting question. Thank you. I can tell you in cybersecurity, there are primarily, you know, two kinds of companies which get built. One is, you know, companies which have figured out a lot of inefficiencies and internal processes. Uh, when it comes to cybersecurity, a simple example is DevSecOps, secure programming, and all of that stuff.
Vivek: The other group of companies which end up getting built is companies primarily built to protect against attacks. Now, my perspective, and this is just my humble view. is people who have an attacker background have a much better chance as building, you know, latter companies and products, simply because of the fact that you already know how attackers work.
Vivek: And now you're starting to think how you protect against it. Had you been the attacker, trying to break in in a certain way. So I've actually [00:42:00] found that, uh, Mehmet, you know, when I talk to CISOs, CIOs, CTOs, And we talk about browser security, uh, and they try to go very deep asking me about different attacks and exploits and all of that.
Vivek: Me being able to very clearly articulate, tell them what those attacks were, how they could protect themselves. You know, using SquareX or other products, you know, whichever case may be, I feel is a superpower because I mean, you know, I mean, you've been on the other side, anytime that you end up talking to, let's say somebody selling something to you and you quickly realize that they don't have a lot of depth.
Vivek: You immediately lose faith and cybersecurity is one field where you will only buy from someone where you have faith and trust. And you're very confident that this company, which automatically translates to the founder, the founding team understands more cybersecurity in that space than we do. Because if you know more [00:43:00] than the person building the product, you clearly know the product isn't going to work.
Vivek: So what I've found is it's, it's always helped right from conceptualization of the solution to understanding how attackers are evolving their methodologies, allowing us to refine the product and at the very same time, give confidence to prospective customers, uh, where they feel like, you know what, you're, you guys are pioneers thought leaders because you're putting out research.
Vivek: Simple example, this year at DEF CON, the world's largest hacker conference, We are doing a main stage talk on why secure web gateways are broken, uh, where we've discovered a brand new, uh, you know, entire new class of attacks. And this was something when I told one of the CISOs that we are working with, he was absolutely thrilled.
Vivek: And he said, look, I feel comfort in the fact that I'm working with a company, which is at the bleeding edge of discovering how [00:44:00] existing products are failing. And that is exactly what attackers are going to exploit, right? You, as a large company, you aren't worried about protecting yourself from a script kiddie, just firing automated tools.
Vivek: You're worried about organized crime. You're worried about nation state attackers who have the resources, the time, uh, you know, the group thing to collectively come together and try to compromise your company. So in, in conclusion, I think has helped has always been a superpower.
Mehmet: I like this approach. And I, by the way, I was on the both sides of the table Vivek.
Mehmet: So I was on the receptive side and on the, on the other side as well. And to your point, yes. Um, Clients, customers, organizations, they actually, they want the guidance of someone who, to your point, can show them things that currently with their, uh, limited resources, and [00:45:00] I say limited regardless of how much, you know, organization is big, you're busy.
Mehmet: I mean, everyone is busy. Everyone, they have priority. And of course they would look for someone like you Vivek and your company to rely on, to discover and uncover, especially in cybersecurity, you mentioned, and you, you hit the nail, you know, uh, on, uh, on the head because Cybersecurity is something which is always evolving.
Mehmet: We have something every day. Of course, maybe the AI have managed to steal a little bit the light, uh, from cybersecurity, but attacks are still happening and attacks are still there. And, uh, we just discussed that these guys have accelerated their reach using AI actually. So, so they want someone. Exactly.
Mehmet: You know, as you mentioned to rely on and I'm I'm happy, you know that you mentioned this from customers perspective, how they like to to see things moving. Um, just like, you know, before we close, I get to know from from the team something that you have started the [00:46:00] first, uh, hacker comic. Yeah. Tell me a little bit about it.
Mehmet: What's the, what's the motive? How about that?
Vivek: Yeah. So, so, you know, Mehmet, my entire career was built in cybersecurity, you know, starting as an offensive hacker. And, and so that is something, you know, I hold very close to my heart. Uh, so interestingly, what happened is, you know, my elder son, uh, he asked me like a couple of years back, it was probably like two, two and a half years back when I, when I sold my previous company and I was taking a bit of a break.
Vivek: He said, dad, what do you do? And I said, look, you're old enough to go Google my name and figure it out and come back and tell me what I do. So he came back. And incidentally, what had happened is there are many articles. But it says, you know, Vivek is one of the top hackers, you know, in India or other places in the world and whatnot.
Vivek: And then he Googled the word hacker and he came back and said, dad, you steal from people because the popular [00:47:00] mainstream adaptation of hackers is, you know, people who steal.
Mehmet: Yeah. The one with who G sitting in the basement.
Vivek: So, so you can well imagine the last thing you want to think, uh, you have your kids think, you know, is, is that you are somebody stealing from other people.
Vivek: So I started thinking and I said, unfortunately, what's happened is the mainstream media has hijacked the word hacker and made him look like somebody or made him look at somebody good or bad, you know, very bad flavor. While our perception of hackers are people who are curious, who, who break systems beyond what the designers of the systems thought could be possible.
Vivek: So then what I thought is, uh, if the only way I could convey this to younger folks is in a medium of communication, which I know at certain age, everybody goes through, and we all have read comic books. Superheroes and all of that, right? I mean, we now live in an age of superheroes with all those [00:48:00] Marvel movies with every child watching.
Vivek: So that's when I said, why not create a hacker vigilante comic book series, but with a twist that here we talk about all the attacks and all of that in a very realistic way, you know, unlike the Matrix movie where Neo shows his hand and, you know, the, the wiring systems part way and everything happens. So a hyper realistic way.
Vivek: So people understand hacking is about curiosity, learning, pushing system to your limits, uh, trying to be smart, trying to contribute. Uh, and that is really where, how I started the series. I've written a bunch of editions. Uh, you know, we put out the first one. I'm planning to put out a couple of the others later in the year.
Mehmet: You know brilliant idea and um, you know to your point.
Mehmet: Yeah, because guys There is a in the cyber security Uh landscape a team called the red team and this red team job is to break [00:49:00] things try to break things Let's say yeah, so thank you Vivek for putting this and yeah Maybe not related to what I say usually in the show, but, but I mentioned, yeah, sometimes, you know, the, the, the mainstream media, the movies, they tend to show us things which are not realistic and you know, like they, they make us feel like things are boring or this is not interesting.
Mehmet: While on the other side it can be fun because people think that nowadays, especially cybersecurity is, is like. Very important. So some people think, Oh, like this is something, you know, I don't want to get into, like, it's very complicated for me, but to the way that you, you, you just mentioned to me about this comic book, it's like really educate.
Mehmet: And at the same time, push the curiosity. I love this Vivek, really interesting.
Vivek: My pleasure.
Mehmet: One thing before we come to close and I ask you, you know, and I should have congratulated you this, Uh, at the beginning about this at the beginning, you'll secure a backed startup, [00:50:00] right?
Vivek: Yes. Yes. So Southeast Asia was, uh, the only seed investor I had a relationship with them before.
Vivek: Uh, so that made it, you know, easy, but at the very same time, I really genuinely believe they're probably the best investors out there. And that was the reason that we aligned.
Mehmet: Yeah. So, you know, again, I know like it was since last year, but congratulations on this, like, uh, because, because last I'm saying congratulation because I was speaking to a lot of founders last year and they had issues, you know, raising money and raising capital.
Mehmet: So things are looking easy now. So good. So Vivek, Final thing you want to leave us with, especially for, you know, to be founders in this space, because it's not easy, like final words of wisdom, I would call them and where people can, can get in touch and know more about you and SquareX.
Vivek: I think, you know, uh, what I tell prospective founders, people getting in is you generally [00:51:00] overestimate what you can do in a year, but underestimate what you can achieve in a decade.
Vivek: And this is something I live by is. You need to be patient. You need to believe in the power of compounding and allow things to become, you know, big and great over time. I think a lot of first time founders come in with very unrealistic expectations that in a year, I'm going to do this in two years, you know, I'd probably have built a billion dollar company and all of that.
Vivek: And that tends to kind of, you know, suddenly put them into this whole trough of depression when things don't work, people don't invest and all of that. So. The whole thing I've realized having done this for over 13, 14 years is startups building companies and products is a resilient sport is a sport of patience.
Vivek: And I think if, if you invest the time and believe in compounding, uh, I think you're all set. If you have unrealistic expectations, don't do it. And do not build a [00:52:00] company because you feel you want to be your own boss. Uh, the early stage of startups, you know what, everybody is your boss, right? You want to recruit good people, you know, you have to kind of go behind them, somehow manage to convince them.
Vivek: Uh, you're trying to convince investors, your early customers. So honestly, you're literally begging everybody. So, uh, you know, so at least that's my vantage point of, you know, how I've seen this space.
Mehmet: Cool. Where, where to find out more Vivek?
Vivek: Yeah. So, you know, about SquareX, you can go to sqrx.com. Uh, me, Vivek Ramachandran, you can find me on LinkedIn.
Vivek: You can connect to me over there on Twitter. I am, you know, @vivramac, V I V R A M A C. Uh, I'm, I'm very online. I keep posting stuff, so feel free to connect, feel free to DM. Uh, if you have any other interesting questions after you see this show,
Mehmet: great. Thank you very much, Vivek. Like, you know, I liked your advice, uh, to the founders.
Mehmet: Um, it's, [00:53:00] it's, of course it's a very cliche, but it's a marathon. It's not a sprint. It, it takes a lot of time. It takes a lot of effort, uh, even to get the first customer forget about making it a billion dollar company, which is hopefully I wish every founder can reach this milestone. So thank you again for sharing this wisdom, I would call it.
Mehmet: And you know, very exciting topic, very exciting, uh, approach you're doing. I think you'll disrupt. I'm not, I'm not Thinking of course, i'm sure like you're disrupting And I love this by default the audience knows me and even people like in the actual life I get excited about ideas that change the status quo, which is exactly what you're doing.
Mehmet: Vivek So thank you very much for being with me on the show today. I really appreciate the time and this is for the audience This is how I usually end the each episode if you just discovered this podcast by chance Thank you for passing by if you like it please share it [00:54:00] subscribe and tell your friends and colleagues and if you are one of the people who keeps coming Sending me questions comments suggestions, please.
Mehmet: Keep them coming. I listen to them all I read them all so keep them coming Thank you very much for tuning in. We'll be again very soon. Bye. Bye.
Vivek: so much