Defending the Cloud | Gil Friedrich from Avanan

Gil Friedrich 0:00
Everyone has the same security. So if you find a way to bypass let’s say Microsoft 360 5 billion security, not millions, hundreds of millions of mailboxes are just open to you, you know, to your attack.

Alexander Ferguson 0:20
Welcome to UpTech Report. This is our applied tech series UpTech Report is sponsored by TeraLeap. Learn how to leverage the power of video at teraleap.io. Today, I’m very excited to be joined by my guest, Gil Friedrich, who’s based in New York. He’s the co founder and CEO at Avanan. Welcome, Gail. Good to have you. Excellent. Great to be here. Now, your company Avalon is a cybersecurity SAS company started in 2014 120 person company. And it’s all around an enterprise solution for cloud email and collaboration, security or on your website said with a click of a button, protect your enterprise office 365 box Google or other SaaS application against anti phishing and malware and data leakage because that is we’re hearing a lot in the news all about that. So help me understand your What was the reason that you started Evernote? Like when you when you first set out? What was the problem that you saw?

Gil Friedrich 1:15
Great question. So we all started, we all met in a different cybersecurity company. And, you know, things were great. You know, our previous baby, which may be related to it was was doing well protecting enterprise networks. And as we were talking to customers, we heard more and more this, and this was around 2011 to 2014, let’s say more and more this notion of I love this technology. But you know, I’m moving to the cloud helped me understand how I adapt that technology to where my data and my users are going to. And so, and we also looked at how the let’s call them the traditional vendors from the day the on prem days or pre cloud days, were trying to solve the problem. And they all thought about it as let’s take our technology and try to adapt it to you know, but it wasn’t, it wasn’t from the ground up, it wasn’t the cloud first approach. And the architectures architectures they chose just did not make sense. And something about the cloud said, Hey, if you started over, you could actually get something that yes, is a click of a button, you know, just to prove an app, we call it the iPhone app experience. To start your security is very much like installing an app on your iPhone. And also, from a security perspective, there’s a ton of advantages, because everything they did was like to proxy the traffic, send it somewhere else, then send it back, etc. And there was an opportunity to protect SAS application from the inside. So to install an app within the SAS through API, you know, easier to install better security. So this is all the the thought of the opportunity we had.

Alexander Ferguson 3:02
You so you were in the space previous venture. And if I see that correctly, forescout technologies and you saw the challenge of everyone moving to the cloud, or the way it’s been being solved? just didn’t make sense. You’re like, no, let’s start it from the ground up, which is where you start with Amazon. Exactly. Exactly. How How do you see the cybersecurity world in the 21st? century? What What is the ecosystem look like? And what are the inherent challenges that come with a cloud environment compared to previously?

Gil Friedrich 3:34
So I mean, it all starts with, with the fact that, you know, everyone’s connected, obviously. So if in, I don’t know, even in the wild west years, you had two criminals in your little town, and you need to take care of two criminals. Now you need to take care of a million criminals across every country on the planet. And you know, everything about scale, that made technology so pervasive is also available for those hackers. There’s a statistic someone sent to me that says, every customer of office 365 has been attacked. So imagine this, every tenant, every organization has been attacked, it doesn’t skip anyone. And it’s because of this, it’s because everyone’s connected to everyone, you know, hackers can see you, etc. So I think at the end of the day, this is the challenge. What made what, in some ways made cloud easy is also what made it worse. In at least two ways that that come to mind. First, everyone has the same security. So if you find a way to bypass let’s say Microsoft, 360 5 billion security, not billions, hundreds of millions of mailboxes are just open to you, you know, to your attack. Whereas before everyone had slightly different different exchange different The different firewalls, etc. So it wasn’t as monolithic as it is today. And it’s also why hackers see that is such a holy grail because the opportunity for them is much, much bigger, they don’t go one at a time.

Alexander Ferguson 5:13
So you’re basically saying, because there’s only so many major players office 365, or Google or whatever, because it’s there, someone could hacker does crack it, now they have access to everyone who happens to be on that platform, which makes all those us who are on their vulnerable,

Gil Friedrich 5:30
my getting hurt, right? Exactly. Just imagine, you know, a COVID virus that everyone can be infected. Right, that that’s how it is. And then I think the other aspect just because people log in to the cloud. So you know, if in the past, there were more gates to go through now, it’s just most often user password, and you can access from anywhere your email, because it’s in the cloud. We’ve seen a test that we haven’t seen before, people are more than before trying to steal your credentials. Before there was a VPN, there was maybe other authentication methods under, you know, under the hood. Now it’s user and password to Office 365. And they get your email.

Alexander Ferguson 6:08
what’s what’s the most common types of ways people are trying to hack in museums? Is it just like phishing scams? Like hey, click on this link? Is that like the most common one that you’re seeing? Like, what’s the trend?

Gil Friedrich 6:20
So he changes almost daily, but the big ones that repeat I would say, credential harvesting, for sure. Getting people to give away their user and password. Fake invoices all the time, you know, they already know from LinkedIn, and maybe that’s the other thing everyone’s on LinkedIn. Everyone knows who you are, who’s your boss, what’s your title? What’s your job, so very easily, they can see that you are processing invoices for his fortune 500. And your worth is this guy. And all they need is to send you a fake invoice that says, hey, this is your boss, please process this. So I think fake invoices for sure. And links that lead to malware, those multi step attacks, where, you know, you could get the link that points to malicious site. At the time of delivery, the site is clean, it’s weaponized, later so that it bypasses the security, but then when you click it, it’s actually malicious. Or if you’ve come in with a an encrypted file, where it says, Hey, this is the password for my file, you open the file, that could be malware, that could be you know, malicious link, etc.

Alexander Ferguson 7:30
What’s funny is just before this call, I got an email from someone saying, Hey, here’s the survey that you asked for. And here’s the password to access their survey. And it’s a person I haven’t heard in from five years. And I’m like, Huh, it’s every day these are coming into the question I want to know is how are you guys solving it that in this in this cloud environments? What’s your tech stack? How does it work differently?

Gil Friedrich 7:53
Excellent question. So first, I mentioned to you that architecturally, we are sitting in a different place. And what that means is this when the traditional vendors looked at the problem, they, when it was exchange on prem, they said send me the email, I’ll clean it or send it to the exchange. With the cloud, they are basically saying the same send it to me, and then I’ll send it to Microsoft. One thing they need to do in order to do that they need to whitelist themselves within Office 365 in Gmail, and we have a series of blogs that we called One plus one equals zero, where we demonstrated an attack that Microsoft would have blocked one of those email gateways mistakes, but because it was whitelisted, with Microsoft, it actually made it to the inbox. So you have two layers, but you actually have zero. The way we deploy, we deploy after Microsoft, Microsoft or Google, they do their best. And then our algorithm runs. So it’s actually another layer, it’s this one plus one equals two. But when it when when it’s really one plus one equals three is all over AI, all of our machine learning is not trained on the general attacks in the world, we sometimes call them, you know, the background noise of the planet, the easy spam, the things, you know, people trying to sell your fake Rolex or whatever Microsoft takes cares of care of those. We train our AI on the things that Microsoft Miss, and this is what our AI becomes really good at. So this is where the one plus one equals three comes from, that we were able to tune it specifically to what they miss. And I think we’re not the only ones using API. Or this, you know, this installing an app inside office 365 approach. What’s unique to us versus those vendors is that we are the only ones that are able to deploy our solution in line, meaning most of the other ones the email actually makes it to the inbox and then they pull it out. We’re the only one and this is our pattern that only after we clear it, it goes to the inbox so the path is sort of Microsoft do your best And unfilter is the rest and then only then the user can see the

Alexander Ferguson 10:04
end user doesn’t actually see it until those first two layers have been completed. Exactly, I find that interesting. You let Microsoft or Google do their best, I like your phrasing there. Because we, they are massive companies. And they put a lot of time and energy into this, they’re not perfect, but there is a lot. So it’s, it’s, it wouldn’t make sense not to tell us what their their capability, it’s just putting a layer on top of that that’s more targeted, if I heard correctly,

Gil Friedrich 10:31
that’s that’s a great word to use. Because I think the challenge of those big companies is maybe twofold. One, they are sort of the default. And for I don’t know, if it’s $20 a month, or $30 a month, every hacker in the world can get their best security and, you know, work their days and nights to figure out how to bypass it. And it’s almost like asking, you know, have you ever heard of an of a virus that Microsoft Windows blocks, of course you didn’t, because they never released it to the wild, right. So when the attack actually makes it to the wild is after normally after they tested and confirmed that they can, you know, carry out the attack. And I think the other challenge they have is that, you know, as big companies, and again, it’s not bashing them at all, I think there’s no other way to do this in a large organization. Think about the time it takes between someone understanding there’s an attack being missed, going to the right team, to the right developer to fix it to deploy it. You know, that’s time and during that time, customers are exposed. And this is also where we’re different. Because we’re faster, we’re smaller, we’re faster, it gets to the right person, even if there is something bypassing us, normally within two hours, worst case, within 24 hours, that gap is closed. And this is really part of our offering to the customer, to give them the tool to respond quickly,

Alexander Ferguson 11:59
who to 24 hours after you notice that something is you are able to get the fix in and and to be able to stop preventing more of those.

Gil Friedrich 12:08
Exactly. And I mean, they’ll give you it might sound silly, but I’ll give you a recent example. within every email, there are two fields that are sort of redundant, then there’s a sender, and there’s a from and the sender field is where the machines make sure that the email is authentic. The Fromme is what you actually see when you get the email in Outlook. What any, if they’re not saying what Microsoft does, or you know, your Apple client on your device, it will say, X on behalf of y if they’re not the same. What hackers found was that if they send a malformed sender, they’re still are able to bypass the authenticity test of the machine. And what’s presented to the end user is just the front. So the front could be your boss, your CEO, the senator could be something completely different that tricks the machine and you get an email that looks completely authentic, you know, fake, exactly,

Alexander Ferguson 13:16
you will, you’re able to detect that though.

Gil Friedrich 13:19
So yeah, so this is a good example. Because when we saw this attack, it was actually reported to us by user. And we said, there was a scenario where we missed it and say, Oh, we need to fix it. So you know, two hours later, we had fixed but 24 hours later. And this is the advantage we have sitting after Microsoft. So the first fix was just, you know, make sure you’re not vulnerable, you analyze it properly. The second fix was, if we see this method, that’s an indication of attack, that’s the hackers incriminating themselves. And from now on, we did nothing else. If we see that, you know, indication of attack, we blocked email is definitely malicious. And again, going back to the Microsoft example, I’m not sure how long it will take before the understand it’s happening. We understand what’s happening, it will get to the right developer, it will be pushed to production.

Alexander Ferguson 14:10
So it’s part of it in this age of cybersecurity that we are in and cloud cybersecurity is speed, because obviously hackers are never gonna stop they’re never gonna stop innovating in their own way. And so that means that as a cybersecurity company, you have to be just as fast in my in my getting the play the field, right?

Gil Friedrich 14:29
Yeah. And that getting mouse is never ending. And I think this is what makes cybersecurity focused companies different. Maybe then non security companies like Microsoft and Google, right, that mentality of cat and mouse and and using similar tactics, tactics of the hackers, you know, having them incriminate themselves by the things they do. You know, is less traditional, I would say with larger nominees, for example, are security analyst, they would sometimes within a sandbox fall victim on purpose to an attack to see what happens next. So that they can use those steps in order to understand later that, hey, there might be an attack here. You know, we’ve we’ve seen hackers, for example, create folding rules where they use your inbox as their inbox to spread the attack, they already hacked you now they’re trying to spread. So they’ll put a rule there that says, if the email has these curricular characteristics, moving to the deleted items, so you as a user, you won’t know they’re there. While they’re sending emails on your behalf, everything goes to their deleted they use your deleted folder as their inbox. And you never know. Now, that’s self incrimination. For you, right, so now we’re testing. Do it. Yeah, exactly. Is that rule existing? If that will exist? We know it’s very, very suspicious.

Alexander Ferguson 15:54
And are you able to then if someone does get hacked? exit, undo things? Absolutely.

Gil Friedrich 16:01
The part of the layer that you haven’t mentioned is, you know, sometimes referred to as VBA, user and entity behavior analytics. And we look at the configuration suspicious configurations, just end user behavior, to be able to flag specific accounts and say, Hey, this account, you know, more likely, or just make sure etc, geo activity, where do you log in from etc, all of this goes into a scoring that says, you know, very likely just suspicious, etc. When we started to release this, we start to flag things that could be legitimate, like, you know, I gave you the example of a forwarding rule. Some users have a rule that says, Take all my corporate emails and folder to my personal Gmail, just on a regular basis, whatever. It’s not necessarily malicious, but from an organization perspective, that’s an unsecured configuration. So our users, you know, we ask them to say, you know, what flagged those as well as low priority, it’s better that they know it’s happening versus,

Alexander Ferguson 17:05
you know, not showing this Oh, no, no awareness there. For your target users of the companies that you’re working with? Is it is the enterprise SMB? What, what’s the space that you guys are looking to serve?

Gil Friedrich 17:19
So? It’s not, I would say, funny to ask, Because? Because often investors asked me the same question, assuming that, you know, you can’t be everything for everyone. We crossed 4000 customers this week. And we crossed 3000, at the end of January. So are we’re accelerating very quickly, we started 2020 with 1000, just to give you an idea of the rate, so we’re reading about 25 customers a day. It’s all sizes, a lot of them are small. We also have, you know, a good number of Fortune 500, relax. There are things where they’re different. And I would say this for the I sort of mentioned two things, right? They said one of them is installing the clique. The other one is have the best security. So as you go up market, that notion of base security plays a more important role in these installation as you go down market ism, installation plays a bigger role. But both are important to both segments, right? So you’d be surprised, you know, a fortune 500 with a large team that you can think generally could you know, accommodate a complex deployment there, when they go home, they also use their whatever Netflix app or iPhone, and that’s the kind of ease of use they learn to expect as consumers. And so they really appreciate that piece as well. So here, so you know, we serve all segments, we love all customers. And because we’re SAS base, we don’t really care what size you are, we serve everyone,

Alexander Ferguson 19:10
as a as a product lead company, obviously, someone can just get on there and be able to start using it looks like it. I like your point about we are all consumers in the end. So even in the b2b space, we know, okay, might take a little more because it’s a business it shouldn’t. Ideally, we expect the same type of ease of use as a every consumer.

Gil Friedrich 19:30
Exactly. And we’re almost, you know, we’re trying to be not religious about anything. And here the customer first, when it comes to ease of installation, we’re almost religious. So, you know, numerous time I could be in a conversation with a developer that would say, you know, what’s the big deal? I have them go to office 365 make a configuration change. And I say no, they click a button. That’s it, nothing else. So that’s our religion.

Alexander Ferguson 19:57
I love it. I love it. No As we’ve already stated, cybersecurity is not going to go away the need for that the focus on it, if you were to provide a word of advice to a business leader who’s needing to just be aware of where we’re headed, and in current environment, what kind of word of wisdom would would you want to share?

Gil Friedrich 20:21
So just to make sure you’re referring to someone starting a startup in general, or like,

Alexander Ferguson 20:28
it’s more like Cypress went, it’s a business that is needing to be aware of cybersecurity issues. So it’s like our knowledge from Avalon Well, what would you be telling them in from your expertise and what you’re seeing in the cybersecurity world?

Gil Friedrich 20:42
So I would say, first, take it very, very seriously, seriously, from day one, that you start your business, right? It’s almost like, you know, this is one of the things I learned on a different aspects of CFO wasn’t my first hire, we hired our CFO, probably where we have, you know, 2030 people. And when we hired him, you know, I scratch my head, this is the first hire, you should have, like, you know, you get money from investors. You know, make sure you you have a plan, and you have a budget and all that and, and almost like that, I think about cybersecurity, most people that start a business, everyone will get attacked, even if you’re a 20 people organization. And in some ways, you’re even more vulnerable, because you know, the fortune 500, they already have processes of what to do with invoices, and how you know, phishing training for every employee, etc, you will not have that, and you will not have time to focus on it. So think about it initially. And I would even say, you know, find a partner you trust, a service provider, you know, managed security service provider, because you want to build your business, you don’t want to worry about this, have them, you know, deploy best practices, it will never solve the problem. But it will give you some peace of mind to know not to worry about

Alexander Ferguson 22:07
it just for clarity sake. There’s a lot of area when it comes to cybersecurity where you’re focused on his email, one of the specific ones as well as the cloud storage, correct is that that’s the two spaces that you focused on. I mean, we call it

Gil Friedrich 22:24
email and collaboration, basically, emotions, every line of communication, however your organization communicates internally and with the outside world. This is the data we’re sitting on making sure you know, nothing bad comes in, nothing sensitive goes out.

Alexander Ferguson 22:39
What can you share as far as the roadmap of where you’re headed, and maybe upcoming features that you’re excited about and can share?

Gil Friedrich 22:45
When we think about roadmap, first, we want to say having the best security is key, right? So there’s always innovation around, you know how to test links and make sure they’re clean and how to test them when they’re clicked versus when email was delivered. And that cat and mouse never ends, you know, being able to open encrypted files if they come encrypted, so that you know, you make sure they’re safe, even though you know, they came encrypted those kinds of things. Always on our radar. We focus a lot on the end user interaction, the people in the organization, right? So what happens when someone end user gets attacked? What does he get presented with? How does he report an attack that maybe we missed, and then how we reflect all that to the end to the admin. So we call that that post delivery experience. We focus a lot on this notion of every line of communication. So you know, we had the teams six months ago, Microsoft Teams, we have Slack, we just want to make sure you get the full rep wherever your users are, you know, we’re there. So that’s I don’t want to say never ending but there’s always new new methods coming out this court, whatever new methods of communication we want to be there. And then maybe the last piece is that notion of ease of use. So for example, with with Microsoft, if you want to use their advanced security layer, and you go into office 365, you check the box, and you’re done. We want it to be the same way. But now you have multiple layers. So for example, we want to show in our admin, everything that was blocked by all layers, what we blocked what Microsoft block, see everything, have the same workflow for everything. If you need to release something on quarantine, give the unified quarantine experience, show a unified daily digest to the end user that says this is everything that was blocked, notice, lay on this layer this layer everything and figure out, you know, what might be a false positive that you want to bring into your inbox. So it’s basically I would say, a very tight integration with the platform with Microsoft 365 and Google so that it feels like you know, it’s from the inside. You don’t have to system you know, one one source of truth, basically

Alexander Ferguson 25:00
I love your focus on simplicity for one click Start using and the focus on and this multi layered but observability where you can see where both the the big tech companies that where they played a role and where the second layer supports. And being able to keep an eye on keeping ourselves safe has very important. Thank you so much. And for those that want to hear more about the journey, because obviously this didn’t start yesterday, and you’ve been in this space for a long time, stick around for part two, where we’ll be digging into the founders journey series. Thank you again, Gil for being on for those that want to learn more, go to avanan.com. And that’s AVANAN.COM, it looks like people get a quote right there starting at currently $4 per user. So it’s definitely affordable for the small business side all the way up to enterprise.

Gil Friedrich 25:50
All sounds good. Appreciate your time. And we’ll talk soon about why we started with what actually the word avanan means.

Alexander Ferguson 25:57
Oh, I’m excited for that. I will see you guys on the next episode of UpTech Report. That concludes the audio version of this episode. To see the original and more visit our UpTech Report YouTube channel. If you know a tech company, we should interview you can nominate them at Uptechreport.com. Or if you just prefer to listen, make sure you’re subscribed to this series on Apple podcasts, Spotify or your favorite podcasting app.