Episode 7 - Wiz Bang
DevSecOops

May 15, 2025 | 00:54:19

Show Notes

This episode explores Wiz’s platform-driven approach to cloud security, emphasising its usability across multiple organizational roles — from developers to executives. Matt, a Principal Solution Engineer at Wiz, explains how the company provides comprehensive, real-time visibility into cloud environments (including multi-cloud and hybrid architectures), helping organisations identify high-risk vulnerabilities early in the software lifecycle — even before deployment.

Key Discussion Points

  • Wiz’s Core Value Proposition
    Wiz offers a cloud-native security platform designed to detect risks across infrastructure, applications, and configurations. The solution prioritises threats using risk context and attack path analysis, making security information relevant and actionable for both technical and business stakeholders.
  • Executive-Level Adoption
    Matt notes strong engagement from CISOs, CTOs, and CIOs due to Wiz’s rapid time-to-value, easy implementation, and support for tooling consolidation. Executives appreciate how Wiz enables faster, safer adoption of new technologies, such as AI services, while maintaining governance and compliance.
  • Developer Enablement
    A major focus is shifting security left by integrating it into developers’ workflows. Wiz provides clear guidance, risk prioritisation, and remediation suggestions, removing the need for developers to be security experts. This reduces friction between engineering and security teams, traditionally a major operational challenge.
  • Operationalisation and ROI
    Emphasis is placed on real-world usage and ROI. Matt shares insights from customers who evaluate tools based on actual usage metrics, such as platform login frequency, to ensure investments are delivering value.
  • Security Champion Models
    The discussion touches on the importance of embedded security roles, such as Security Champions within development teams. This model, pioneered by companies like Amazon, helps organisations scale secure development practices and manage the growing velocity of security threats in cloud environments.
  • Noise Reduction and Prioritisation
    Hosts and guests stress the importance of eliminating alert fatigue. Wiz’s platform contextualises vulnerabilities (e.g., IAM policy misconfigurations or outdated libraries in containers) to distinguish meaningful risks from benign issues. This “pragmatic security” approach builds credibility with developers and promotes a security-aware culture.

Episode Transcript

[00:00:07] Tom: Welcome to the DevSecOps podcast, where we explore the past, present and future of computing in the modern workplace.

[00:00:12] Scotti: Your hosts are a trio of experts at Cordant, each representing different areas within IT. A bit like a nerdy A-Team.

[00:00:19] James: So join Tom, James and Scotty for a regular, mostly serious podcast providing you with pragmatic advice and insights into modernizing your IT environment.

[00:00:30] Tom: Welcome back to another episode of the DevSecOps podcast. As usual, my name is Tom Walker. And equally as usual, if not more so, I'm joined by my fellow hosts, Scott Fletcher and James Vincent. Good morning, gentlemen.

[00:00:40] James: Good morning.

[00:00:41] Scotti: Good morning.

[00:00:42] Tom: Now, those that have been following Cordant's socials know we're big fans of Wiz, and we cover off why in the "Why We Love Wiz" section of our website. With a significant amount of buzz recently off the back of a record $32 billion acquisition by Google, we're getting asked more than ever: what is Wiz and why should we be looking at it? So rather than answer that question ourselves, we thought we'd go straight to the horse's mouth and ask our very special guest today, Matt Preswick, Principal Solutions Engineer for Wiz APJ. Welcome, Matt.

[00:01:09] Matt: Thanks everyone.

[00:01:09] Tom: Glad to be here. Awesome. Hey Matt, can you give our listeners your ELI5 version of Wiz and then maybe a little bit about your role and what brought you to Wiz?

[00:01:17] Matt: Yeah, sure. Thanks, Tom. So Wiz is essentially a cloud security company that's been in the market for five years, and at a high level, or the explain-like-I'm-five view, Wiz is a platform that allows organizations to get a full bird's eye view of their cloud environment. And what we essentially do with that is we look at all of the applications and infrastructure within that environment, including multi-cloud, multi-architecture, and even before it's live, in build stage and deploy stage. And we tell you where you've got potential problems that could lead to a high-impact risk. In other words, to use the house analogy: is the front door open, or is the back window open? If you left the keys in the front door, that allows someone to take the car, that kind of thing. So it's a bit of a change in how security is done. And the second thing that we do is we're a platform not just built for security people. We're overwhelmingly used by the people that actually build the infrastructure, so dev, DevOps and so forth. And my role as a principal solution engineer is essentially to help organizations move into this modern operating model. So I essentially work with, you know, large organizations across APJ as well as startups on how to effectively do security in a pragmatic way that doesn't slow down the business, but also makes sure the risk levels are kept at an appropriate amount at the high level.

[00:02:35] James: Hey Matt, I was really interested there that you mentioned a number of different personas or, you know, people and perspectives that you're appealing to with Wiz. And it's something that we've touched on quite a bit in some of our earlier episodes: that the modern security landscape is quite complex, and I imagine when you're out and about you're balancing conversations with very technical people, very security-operations-centric type people. But there's also, I guess, an executive perspective that the Wiz type of tooling can bring to the table, and how it makes that information so accessible and understandable for people. Are you finding that you're getting an interesting level of traction with a more executive or business-oriented audience because of that visual appeal of the tooling that you have?
[00:03:18] Matt: Yeah, yeah, I think there are a few layers to that, to be honest, James, which I think comes down to the priorities at the executive level. Obviously a CISO executive is thinking about the risk posture and the governance of them as an organization, and that's their priority, making sure they've got a team and the tooling in place. And Wiz is fairly compelling for those types of personas in the CISO or CSO role because of the fact that, you know, there's huge consolidation; they get the ROI fairly quickly. Everyone that's onboarded any form of security tool knows implementation can be really tedious and time-consuming. One of the powerful things that we have by nature of being cloud-first is using the cloud-native advantages of really fast implementation. So the initial time to value is really quick. So that's a compelling thing to be able to present back to executives and boards. But we're actually seeing a bit of a shift into CIOs, CTOs and then ultimately CEOs from a budgetary perspective, which is the consolidation of tooling and the ability to say we're implementing security guardrails without slowing down our ability to deploy new products or introduce new technologies. One of the main markers of a lot of CTOs is their ability, or their time, to adopt emerging technologies in a secure way. You know, whether you're a bank or a startup, there are certain governance and conditions that you want to put in place before trying out the new AI toy on the block. So one of Wiz's value propositions there is that we will accelerate your time to market with these new tools by having developers involved at the early stage from a security perspective as well. So that's where those conversations go at that level. And then it comes down to just risk identification and so forth.

[00:04:57] James: And it's a large part of that appeal, because any time something new is deployed into the environment, you have that immediate observability, because the tooling is picking that up and it's doing that constant refresh of the landscape and understanding of potential threat vectors as well.

[00:05:12] Matt: Yeah, there are kind of two layers that are required to be able to do this effectively. One is having the visibility of any environment that's getting tested out, which obviously the way we operate is essentially that top-down view. So it's a capture-all: whatever's in the cloud environment of that organization, we're going to see. But there is the secondary element of having a partner like Wiz that has a team that onboards these modern technologies. Because, you know, although we could be agnostic to a lot of things, you still need the third party to be an extension of your team, to be ahead of the curve in terms of, hey, we're going to onboard all the security controls and checks for all these cool new technologies, so all of our customers can adopt them and have it out of the box, so to speak. Now of course, that's a never-ending list and it's a consistent journey. So there's a mix of customers also working and partnering with us, saying, hey, this is an emerging technology, I think you guys should onboard it into your platform, and then that helps us facilitate that. And truly, at the executive level, the other thing I hear from CISOs is, you know, a new vulnerability comes out or a new technology comes out and they're getting asked by their CTO or CIO, hey, why aren't we using this? And he's like, I don't know how to secure it. None of my tools have scanners for this or haven't onboarded it.
And so if we can be viewed as that extension of the team, as a reliable source to say, you know, hey, Wiz is most likely going to have the coverage here, or if not, we'll ask them, and we've got a really fast turnaround just by the nature of how we operate, then that's obviously a pretty compelling thing as well.

[00:06:36] James: I really take that point about it being quite compelling because of that. I was just thinking, Scotty, it's been one of your passionate points as well, hasn't it, about having a whole bunch of disparate tooling, but that tooling not being particularly adaptive to anything new that may arise, or still finding that you have enormous gaps in your observability. From a security perspective, if we look.

[00:06:54] Scotti: At some of the customers that we've been involved with that have deployed Wiz, it's definitely around actually having, to your point, Matt, certainly around the visibility. A lot of our customers have more than one cloud, and certainly there's quite a big struggle not only for just security members, but also then all the developers and all of the testers and everybody else that's involved in the whole process. When you start looking at, well, now I've got Azure, I've got AWS, I've got GCP and I've got OCI, which is one of my favorite clouds, all the current things that are going on in the media notwithstanding. But it does present a really significant challenge, because as a security professional, in most cases they're just going to turn up and say, hey developers, you've got these problems, you need to go and fix them. Then tomorrow you're going to go with a different set of problems with a different set of cloud providers and a different set of remedial actions and a different set of tools. And it quickly becomes, well, now we're not working on what we're actually meant to be doing, which is building applications that are delivering value for the business and our customers. And we're now just focusing on playing whack-a-mole with things that we don't even know have a real impact in the real world, which is that whole pragmatic piece that we really like to encourage our customers to focus on. So I'm really curious to get your view around how Wiz has really tackled that piece, certainly with the angle towards bringing those developers on. I'd really like to get your view on how Wiz helps address that, certainly bringing the developers along on the journey.

[00:08:17] Matt: Yeah, and to be honest, like, outside of technology, technology is the foundational piece of it. But as all three of you know well and truly, you can have great technology, but if you don't get it operationalized and used, it's kind of like it's just a toy that is in the toy box, or a tool in the toolbox I should say, that doesn't get the ROI. And once again, going back to that C level, what do they care about from an ROI perspective? Obviously risk reduction, but also the utilization. You know, one of the CISOs in one of the large banks in New Zealand said to me that one of the ways he evaluates his tooling, when he's up for renewal with a given vendor, is how many people have logged into this in the last two months. And if it's, you know, no one, that's a pretty easy kind of, well, we're not going to lose too much sleep yet. Obviously there are edge cases around that. Now, how Wiz approaches it is, once again, I know all three of you are well and truly aware of the sometimes frictionful nature of security and developer relationships, or engineering and security. And it's because of potentially misaligned priority orders. You know, they've got the same priorities. Everyone wants the business to do well and build, but the security team wants to do it securely and the engineering team often wants to do it fast.
So one of the ways that we have helped bridge that gap is removing the adversarial nature of security by empowering them as that thought leader over the top: the governors or the legislators of the land, and then the citizens just following the rules in a pragmatic way. Not, like, you know, getting them for a minor vulnerability that is unattackable or unreachable from the Internet. We're talking about bringing in all of the relevant telemetry from a risk perspective and then prioritizing it by risk. Now, I know a lot of suppliers are saying that, but the really effective way is, and something we say to CIOs and CISOs is, if you're getting developers to do security, you want to have the most tangible reduction in risk. Because if you've got them taking time off building or optimizing the application, that is going to slow the business down. So what's pragmatic is removing the most likely and the most impactful type of thing. So the way Wiz is operating, outside of surfacing these in a really powerful way, is the user experience on top of it. We don't want developers to be an expert in every security domain, because it's not their job. So how do you, for lack of a better term, spoon-feed them what's wrong and how to fix it in the fastest possible way? And by doing that, we're getting really good endorsement from the technology arms or the engineering arms, because they know they have to do security, but we've shifted it into this way of being completely pragmatic. First, a lot of organizations will send a list of a thousand CVEs, throw it into a Jira board, and you're not going to get any results there, and then you're going to have risk remaining and all these other things. And yeah, so that's the high level there.

[00:10:57] Tom: I don't think that can be underestimated or undervalued, the impact of that, removing the boy-who-cried-wolf type issue there with multiple CVEs and the like. The number of people that I talk to, security leaders and even infrastructure leaders, that either say, hey, we're not getting the buy-in from the rest of the business because, you know, we keep sending stuff over there and it becomes noise, and now they start ignoring it, or security becomes seen as a blocker to outcomes because we just get this noise and irrelevant stuff thrown at us. So it really creates separation. That was the first thing that really struck me about Wiz: because of that prioritization and the contextualization of actual risk, it removed that whole boy who cried wolf. So the teams that were receiving this, either development teams or DevOps teams, knew that it was something genuine that they needed to investigate. I think that's a big booster to building that security-aware culture.

[00:11:46] Matt: I'll add that to my previous comment as well. I kind of view it as a psychology element here as well, in the sense, like, how are you going to get developers to do something that's outside of their typical day job? And firstly, they've got to trust that there's value, so there's trust in the findings. That's obviously priority number one. Once they trust the findings, they're more likely to action it, and then proactively action it. And one of the other expressions that I use is, you know, all the risks in cloud are complex. There are so many different dimensions to it. So we say make the complex simple, in the form of the UI and the graph visualization which you've all seen, and then make the simple compelling, in the sense that you're not saying here's just a random CVE, like I mentioned before, but here's a proper incident waiting to happen. And I see that that typically has better outcomes.
[00:12:30] James: I think this is the thing that I find quite fascinating, in terms of making the entire security landscape more accessible to people like developers and actually pragmatically helping them: it's one thing to raise a list of defects and say, hey, you guys, you've got these problems. But what I really enjoyed about Wiz as a platform when I started playing with it is that it's not only telling me that there's a defect, it's explaining what it is, why it matters, and how I might go about fixing it. And in my case, you know, I've come from a cloud background. I was looking at an AWS IAM policy. It told me what was wrong with the policy and also which assets were affected by that. And I found that to be really quite compelling. And it gave me recommendations around fixing it and the solution. So I think it's actually making the security landscape much more accessible for different people and different personas. And it's a much more effective way of communicating, I think, putting the power in the hands of those who actually then have to effect change. You know, I think it's really quite liberating.

[00:13:23] Scotti: Along James's line of the IAM policy, I actually spent about four hours on the weekend trying to get a decent score reported using Docker Scout for a container that I built and was looking to deploy. And it was telling me, hey, you've got these old libraries. I'm like, but I'm using the latest version of the Ubuntu image. And I'm going, well, where are these libraries coming from? They're not actually running in my application. And the reality is, I knew that I wasn't using them, but I was getting a score that was saying, well, you're vulnerable, right? And it really resonated with me when I was looking at it going, if I'm struggling with this, I'm having to, you know, delete specific files from operating systems in the container when I'm building the image. And I'm going, this is really complex, right? I'm going, and every single time my image changes or my application changes, this is going to make it really hard. I do really like the remediation element of it. And I also like the part of kind of bridging the, you're kind of using technology to solve a people challenge as well. Because there is a very large bridge for most organizations. There are some organizations that do this really well, where I see security is embedded in the dev lifecycle. It is thought about really early on. That's, I would say, the exception, not the rule. What I actually see is you've got security teams that have traditionally played this whack-a-mole because, to their defense, and I've been one of these people in the past as well, you can only make do with the information you have available. And that often is a list of vulnerabilities. Having the tools and technology to now bring the capability to say, well, now we've got the prioritization, but then it also solves the human element, I see, which is: security people actually have to interact with developers and people outside of the security team, rather than just lobbing a Jira ticket over to the dev team. Is that something that you see more and more?

[00:15:03] Matt: I think one of the concepts of the organizations that do it well is, you know, the Security Champions model, which I'm a big fan of, which is either a dedicated security persona within development teams (that's obviously at a larger scale, where that's more feasible; Amazon's kind of the ones that pioneered this quite a lot and they've shared it, they call it the Guardians program) or, at a smaller scale, where you have a person within a team that can wear a little bit more of a security hat than the rest of the team. So they can be the initial triage point, or be kind of embedded with the novel attack types that we're seeing in the wild and all those types of things.
And that then has a continuous bridge within the security organization. And to your point, Scott, you well and truly know that security, if you're just doing the keeping-the-lights-on activity, the security landscape is changing so rapidly, particularly since cloud; the velocity has changed. So we really want security teams, just from a general defense of the country and the companies within it, to be aware of all these novel attacks. And if they're just spending time triaging CVEs, it's just a waste of all that expertise, in my opinion, because the landscape's evolving so fast that we really need to focus our security experts on how to handle those novel threats as opposed to the traditional ones. So having that Security Guardians or Champions program within an organization of any scale where that's feasible, and using technology that makes that simpler, I think really leads to a better outcome, not just from a business perspective, but also just from a general security perspective as well.

[00:16:31] Scotti: And I've seen that. Right. So one of the customers that we were involved with as part of the deployment and operationalization of Wiz, I think they're down, they've only got like a couple of critical risk items left. And that was out of a fairly large number. A lot of that stuff was stuff they just realized they could delete, because it was actually not being used, but it was still carrying the risk because it was connected to the Internet. And that was definitely, you know, that's a major win. Like in the first three months after deploying Wiz, there was a whole bunch of work that had to go on around actually identifying, could we delete these things? But once they were confident, the risk reduced dramatically.

[00:17:03] Matt: Are you seeing any changes in the personas or the executives that you're talking to beyond the security folk? Are you getting concerns from, like, the board or CEOs of your customers around security lately? Has that shifted in the last couple of years? I'd be curious about that.

[00:17:17] Tom: I think reputational damage is the biggest concern, particularly at the board level. We have had a podcast before where we've discussed risk and how we invest in security and what actually resonates with those at the board level. Off the back of the Medibank and Optus sort of breaches a couple of years ago, there's certainly more of an awareness around security. I think at the board level, the challenge up to now has actually been how do we get tangible risk filtered up and presented in a way that is consumable by that board level? Because I think the biggest challenge in our world as technologists is we speak technology and boards don't speak technology. Even in technology organisations or technology-led organisations, it's still a different world. So we need to have the language that matters to the board. And that's one of the reasons that I particularly like Wiz. There's an aspect of lenses where you can apply a different persona and it gives you a different view as to the findings of Wiz. The fact that it contextualizes, and to the point that I know Scotty loves this feature, you know, takes a snapshot of the website and the risk, a particular risk, that's something real-world and tangible that you could put your hands on. And that's what boards care about: what is the legitimate risk to me? And if you're bringing up a whole lot of noise to that C-suite, they don't want to talk to you. If you filter that down to, hey, these are our key risks and this is how it can damage us, you're going to have a much easier conversation at that level and get that investment into remediating these problems we're seeing a.
[00:18:43] Matt: Little bit is, going back to the very early question around the executive-level conversation, the things that we're seeing them care about are obviously operational efficiency of their security teams, which, you know, as mentioned at the top, we've got a pretty good story there, particularly when it comes to consolidation. But then, yeah, like, where are the goalposts here? What does good look like, and how do we continue to show that we're maintaining good? You know, oh, well, we haven't had any incidents in the last year, so the effect of what we're doing is not very visible. So how do we prove that ROI? Do you guys see that a lot, in terms of, you know, it's a clean house and therefore there's no security needed, and potential divestment risks there, or? Yeah. What do you think, Scott?

[00:19:21] Scotti: So I'm going to take a slightly different view on this, because it's great, executives will want things to be secure. They want to wake up, they don't want to have had a breach overnight. They want to sleep well. They want the business to endure, all of those great things. But I look at it from the complete reverse perspective, which says, I think most people generally want to do things the right way. Most of the time you just need to show them how. So, having been a developer for many of my junior years, I look at it and go, as soon as someone showed me, hey, these are the issues that you might have had in your code and here's how you fix it and here's why it's a problem, I think people definitely want to follow along. So I'm going to flip it on its head completely and say if Wiz, which it does, gives you the ability to say, okay, we've now got, right from when you're initially starting to write code, all the steps, all of the checks, all of the assurance controls that are required, then you're essentially ending up in a situation where the executives, it's kind of like the compliance view, right? Where instead of saying we need to do compliance and therefore we have to have all of these security things that we need to do to be compliant, it's, well, we are compliant because we have been doing those security things from the get-go. And from my point of view, I think the real hallmark of where an organization has started to get these things right is when people that aren't directly involved in security or development, because I see those two things as being quite closely aligned, other parts of the business, are saying, hey, we've seen a security vulnerability, or we've seen this particular thing happen, or, you know, it's even where people start reporting phishing emails. I know it's not specifically related to Wiz, but from an organizational and cultural change point of view, I think that's where the shift at the fundamental level means that, with the top-down view, you shouldn't really have to be selling to executives. Obviously they're potentially signing off on purchasing the product. But do you see where I look at it from a different angle, that says I really like the foundational elements, getting those done right, as you pointed out, not just patching things, but having it patch automatically and then testing that it works, that kind of stuff? I see that being the real bit where the value, certainly when we're talking about accelerating development, really comes from.

[00:21:24] James: It's fascinating, Scott. I do see this from an executive level and it's really interesting. I think it touches on what Tom was describing, that I think boards have become quite good at asking the question: are we secure, or are we at risk of leaking sensitive customer data, or whatever it may be? But the challenge is then in understanding the answer to that question. Because often it's that thing of, well, that depends, right?
Because maybe we haven't had a breach or a vulnerability arise to date, but, you know, we're constantly investing in cybersecurity, but we don't really understand whether or not that's actually shifting the needle on our risk position, because we don't know how to measure it. And it can certainly be very, very challenging for them to understand what is appropriate from a level of investment, and how do they compare and contrast themselves to others in industry, whether it be their immediate industry peers, or maybe I want to actually be as good as a bank might be from a security standpoint, and have that observability. And I think one of the fascinating things to me, you know, I've done quite a bit of compliance in my time and regulatory-type considerations, and when I first started playing with the different security compliance lenses and landscapes, I think there are 180-odd pre-canned views that Wiz brings to the table, I was just blown away with how simple it is to actually generate that perspective. So if I want to measure myself against a known standard, say NIST 800-53, I can actually do that. So I can now go back to my board and say, look, we are measuring against known industry standards. This is not just a bunch of nerds over in the corner here making things up and saying, yeah, we think we're pretty good. We've actually got a tangible metric now, and Wiz is really enabling organizations to do that in what is, to Matt's point, an increasingly complex landscape, a multi-cloud landscape. And, you know, I personally have been through that thing of saying, well, I know we were compliant because we did an audit nine months ago, but I genuinely don't know where we're at today, because things are changing so fast. And one of the things I'm seeing from a risk and governance point of view is an acceptance that we do need to shift from that static annual perspective on risk to something that is far more real-time. And, Matt, I imagine that you're probably seeing a few other people out there, when you're showing them what Wiz can do, that are quite blown away by that perspective as well.

[00:23:31] Matt: Yeah, yeah. I think there's a difference between staying secure and staying compliant. Both are important, but it's a different lens. Right. Do you want developers to be getting sent every non-compliant thing every week, or do you do that in a palatable, project-based way, required for some regulatory reason? You know, staying secure is obviously imperative, and developers need to be involved in that because they're often the ones that can remediate it. When it comes to compliance and regulatory, or GRC and all those different things, I see, particularly in cloud, a lot of unnecessary heavy lifting from organizations, particularly in those more regulated fields. Obviously APRA in the FSI has that requirement to quarterly report or annually report to the APRA regulator, to report their attestation to certain things. And I'm seeing some organizations, you know, going manually into the relevant cloud console and taking a screenshot of configuration. I was like, talk about toil. And when I hear about a lot of security personas getting burnout, I'm like, that's where you get burnout. It's so menial and it can be completely automated. So one of the things that we help organizations with is being able to, what we call, continuously and automatically attest to a given compliance state.
It's just like an amazing outcome for these teams because they don't need to go see, they don't need to go asking a developer or an application owner, hey, can you log into your cloud and show me that you've got that bucket encrypted or something like that, or it's private. They don't need to talk to them, and it creates this internal digital trust, and then they can actually export that automatically, obviously just for the technical components, and then they can focus on the operational ones, the people-focused things. So it's been like a really powerful outcome that really speeds up and removes a lot of wasted time, I would say.

[00:25:12] James: Yeah. It's really interesting that you raised this concept around the burnout of security engineers. Right. Because we hear this a lot. Right. You know, it's an exponentially growing environment and there's only a finite number of people. And I've literally looked at these spreadsheets in the past that attempt to map every single service in cloud to a bunch of most commonly used industry standards around security. And the fact that Wiz has codified all of this and made it so much simpler, you know, when I see people digging into the console and trying to take those screenshots, it's like, yeah, that's great, but how do you know you've actually got complete coverage and how do you know that it hasn't changed and all these sorts of things. But I guess it's like any investment in third-party tooling and removing heavy lifting, is that what you want to see is that ongoing investment from the tool provider as well? Right. So, you know, I imagine to get Wiz to where it is today, there's been massive investment in the background from a programmatic perspective.
But, you know, it also brings to mind for me, you know, there's a really interesting story around this where, you know, when DeepSeek came out and became really popular, you guys found a vulnerability in DeepSeek and immediately were able to protect your customers and clients. I mean, that's obviously a very public one, but do you have any insight into sort of how that came about and how that plays out?

[00:26:22] Matt: As I mentioned earlier, I think when it comes to looking at, you know, you notice I don't say vendor too much because we truly do view ourselves as partners with our customers, because you're not just buying the technology from us, you're buying the expertise behind it. So we often communicate, like, our threat research team is an extension of your team, as you guys well and truly know. Like, our findings don't just go into the public. They get embedded and start getting detected straight away within the customer environment. So they've got that escalated view. Almost like having the Wiz threat research team looking through your environment for you and finding things. The head of security can ask the question, hey, there's a new zero-day, are we affected? Go into Wiz, you'll see if you're affected or not. And so that comes in two frames. Like one, the compliance side of things, once again, there's new frameworks and new best practices coming out all the time. Whether it's AI, there's the new top 10 for LLMs, for example. Do you want your team to spend time on building that out? If you've got a dedicated GRC team, there may be capacity, but there's a lot of research and expertise that goes into that. Whereas Wiz gets viewed as that extension of the team. We'll take that off and we're going to embed it in product. You know, it's a core competency of ours, like threat research. The DeepSeek one is a fantastic one by Gal, one of our kind of lead threat researchers.
Anytime there's new technologies that are being used in our customer base, he's essentially a bug bounty guy as well as looking at threats that we're seeing across the globe and making sure that our customer base are in a safe implementation of those. Now obviously that DeepSeek one was more of just on the DeepSeek side, from an architectural problem, and we, you know, responsibly disclosed it, and we've done it with other vendors as well. You know, obviously there's a significant one with Microsoft a couple of years ago, 18 months ago or so, but the outcome is great. You know, we've got good relationships with those companies that we have these disclosures with because it's for the kind of greater good across the whole industry. And then once again it gets embedded if relevant, if it's a, you know, an architectural misconfiguration across the board. We embed that into the platform to say, hey, if you're using this technology, we want you to check this out right now because we've just discovered something. So once again that extension of team, you're not just getting the technology but the people behind it that are embedding their expertise. And once again it goes back to what are your core competencies as an organization? That's what we want you to focus on. And if there's something that we can do, let's bring that into the platform for you.

[00:28:38] Tom: Speaking of core competencies, maybe it's time for a bit of a break and a bit of a light-hearted approach to going back to the future. As people know, I'm the sort of infrastructure guy, but I think a lot of us cut our teeth originally on various pieces of coding work. I'd just be interested, with Wiz talking about this shift left and moving into the development space, how did we all get started with development? What were our first exposures to software development? Are we still doing it today? Scotti, I might start with you.

[00:29:04] Scotti: That's an interesting one.
I actually started life in VB6, so I'm probably showing my age a little bit. I then moved across into like .NET development and then found the light, went and did some Ruby, spent a lot of time with Python and other languages, and that's about when I transitioned across into cyber. We've done some really interesting projects. One for essentially a fishing industry application that was correlating geolocation beacon data with reported catch from fishing vessels for the South Pacific Ocean, which actually is, there's no exclusive economic zone, so essentially the area isn't owned by any one country. And that was essentially when I transitioned across into cyber. What about you, Tom?

[00:29:41] Tom: Yeah, talk about showing your age. I cut my teeth on Apple IIes at school, writing in Apple BASIC originally. And then I sort of dabbled in a bit of Turbo Pascal through to PHP at university and a bit of web development, but that's essentially where I parked it. I'm pretty mean. You wouldn't want me scripting too much, but I do a bit of PowerShell scripting every now and again. I think the concepts and logic around developing are critical just in terms of even troubleshooting and working out logical approaches to things. I think it's a great starting place for anyone working in technology. But if I suggest to anyone that I can code something for you, politely decline my offer because it's been a very long time and I struggle with concepts like object orientation and the like. Matt, how about yourself?

[00:30:28] Matt: Probably came to it a bit later. I actually studied mechanical engineering, so. And mechatronic engineering, so not. Not directly, but obviously there's a fair bit of software involved there and we used to kind of hack around with Raspberry Pis, Arduino boards and things like that. So it was that kind of development of actually just like programming sensors and robotic movements and things like that.
That's where I started to get first interest and then I kind of landed in the world of solution architecture or solution engineering, which I'm doing now, by chance. I actually was working at a network security company in London and then had to get heavily into infrastructure, and then I shifted into cloud and Kubernetes primarily, to be honest, and I view it as such a muscle, you know, if you don't practice it a few times you can really lose the strength. So these days I try and just like do the occasional little lab of like building a basic application. At an application code level, I keep it pretty simple. I'm nothing fancy there. And then these days I'm really diving into building some AI pipelines to keep across what's obviously flavor of the year.

[00:31:25] James: Yeah, I'm like this strange amalgamation of all of you guys. But it's interesting, Matt, to hear you describe you came from a mechanical engineering background, because that was mine too, but being a little bit older than you, right, they were very backwards in terms of the use of IT and computers. And, you know, I'd sort of grown up a little bit like Tom, you know, through the school days, playing with a bit of BASIC, Pascal, all that sort of stuff, you know, which I think instilled some pretty good fundamental programming awareness and understanding. And to me, that's been far more important than any one specific or particular language. And, you know, I've been a professional software developer in banking environments and, you know, it's not something I do a lot of these days, but I always find it amusing when people ask me, you know, what languages do you program in, James? And I'm like, I don't know, whichever one the tutorial was showing the example in or whichever one we use. So, like, I'm a classic for forgetting my semicolons in Java.
And I was doing Python the other day, right, and I'm trying to debug my Python code and I could just not see anything wrong with it until I had that, you know, realization that indentation is actually what describes structure in Python. And I'm like, this is ridiculous. This is not a real programming language. How can me missing a space mean that my code won't compile? But you come to realize, look, it's all just nuance and the subtleties of the way different languages work. But it's quite interesting, you know, home automation, whatever. It's kind of fascinating that pretty quickly you realize that you do need to bring that lens of awareness around operational resilience and security and all those things to the table. And I certainly learned over time that it's not something that you tend to do in isolation, particularly in a commercial or enterprise context, right? You can't just go away, develop your code and expect that that's going to be mature and ready to roll and deploy out into the real world. You actually have to take that security perspective and that operational perspective on what you're doing. And if you're a small organization, you might be the only guy and you have to do it all yourself. But in bigger enterprises, there's actually process that exists for this stuff. But just seeing the way it's matured in industry and the whole existence of DevSecOps as a practice now compared to where we were even seven or eight years ago, I think is really quite amazing and has been a very, very good evolution.

[00:33:32] Tom: Actually, to that point. Does Wiz have a blueprint for the SDLC?

[00:33:35] Matt: Yeah. So one of the things that we've kind of, in the last six months, started shifting into a little bit is the language around what one views as an application. And it's not just the runtime environment, it's not just the live cloud infrastructure that's hosting that given application.
But, you know, as you guys will know, if you're an application owner, you view the repo, the pipeline, the running environment as the entire application. So we wanted to be able to facilitate a view now of, okay, if I'm that person, I want to log into Wiz and just see my application or even the microservices within that application. So we've introduced a few kind of additional lenses, so to speak, and changed the view of, you know, don't just fix the runtime issue, but, you know, and forgive the industry terminology now, the code-to-cloud view, to have that proper view from source to run and every step in between. To have that visibility is obviously super imperative to be able to support a modern SDLC operation, and then securing that is about having more or less the same controls, where relevant, in runtime all the way through to source as well. One of the things we get is, you know, developers have a tool for their IDE, then it's a different tool checking from a security perspective, then it's a different tool that's checking the pipeline. And then when it hits runtime and it's in production, then you've got a whole different set of scanners and tools over on that side. And so there's just no uniformity there. And then you've once again introduced friction. So the way Wiz is looking at it now is, why don't we just have it unified across the whole board? Whatever rule we're looking at, the developer's getting the feedback in their IDE, let's make it the same one, where relevant, that we would check in runtime. And you all know the order of magnitude how much cheaper it is to prevent than to respond. So it kind of facilitates that journey a little bit by having those kind of single policy languages, single scanning mechanisms across the whole board. And that's where we're seeing a nice kind of facilitation of securing the SDLC.

[00:35:25] Scotti: You touched on an interesting point, which is talking about runtime.
And I've seen more recently, certainly, what happens when you don't have eyes on glass. So what's actually going on when applications are running in the real world? You can have the best developers, the best education and training, you can have the best static analysis, dynamic analysis, you can have the best pen testers, but you still have no idea about the actual threats that you're going to face when an application is running. Like, I've had a good play with Wiz Defend and I was actually really taken aback by how quickly, coming from someone who's worked with Splunk and Sumo Logic quite a lot, we're building the actual threat timeline of events, saying here's something detected and here's all the event rules before and after. Like, where do you see Wiz playing, certainly in that runtime detect space, and like whereabouts? If you're a customer that potentially has Splunk or has an existing investment in a SIEM, how do you see the two aligning? Because I can imagine that you get asked that question quite a bit.

[00:36:19] Matt: Yeah. And it's actually an extremely timely coincidence that we're talking about this because, you know, at time of recording today, so tomorrow our time is when our official Defend GA is happening. So you'll see a whole bunch of public announcements overnight about this. And I see there's a few layers to it, and I'm glad you've had a good play with it, Scott, because I'd be curious. Glad to hear the feedback and keen to hear more specifics as well, as we're getting really amazing feedback. Essentially the way I view it, and I'll use a simple analogy here of kind of like how EDR came and changed the way, by being essentially a pre-processor. Right. We used to send kind of syslogs direct from hosts to SIEM platforms or whatever platform was kind of aggregating those logs.
And then modern EDRs, like CrowdStrike, obviously the kind of leader in this space, pre-processed a lot of those local events and then sent a package to wherever the SOC or security or IR team were working from. Now, it's obviously not a direct comparison, but I view that as a bit of a likeness to what Wiz Defend is doing. I view Wiz Defend as an aggregator of all the relevant cloud telemetry. So not just like the cloud audit logs or the network events and data events, also what's happening on the runtime, and then pre-processing it all into a tangible package, whether it's multiple threats or multiple detections, with the historical behavior analysis, and then sending, once again, a palatable payload to the SIEM, if that's where the SOC works, or if the SOC or IR team or the analysts are working somewhere else, then sending it there. So it's definitely not a kind of replacement or anything like that, but there's ways to really introduce a lot of efficiency. So I don't know if Scott or Tom or James, you've seen this with some of your customers. When it comes to cloud incident response, there's kind of three themes that I'm seeing here. One, expertise is not quite there.

[00:38:08] Tom: Skills.

[00:38:08] Matt: There's a skills shortage in SOC response, I would say in cloud response, I should say. The second element is volume of alerts. I know that's kind of typical everywhere, but fatigue is really there. And then triage time. What I'm seeing, and one of the super apps in Southeast Asia actually were communicating this with me. They're using a SIEM and that's great for, you know, aggregating everything in, but when it comes to a cloud event, they're seeing like round trips between SIEM to another platform to another platform, all these round trips coming back and forth simply for attribution, and that's even before escalating whether the incidents are significant or not. They've got an EDR platform to look at.
They've got, you know, their cloud response and all these different things. So what Wiz Defend kind of does is be that pre-processor where you've got all of the relevant context and, more importantly, as you guys know, you've got that whole Wiz cloud-to-code visibility as well. So they're operating off the same visibility that the application owners are looking at. So they don't necessarily need to communicate to the person, or if they do, attribution's done kind of immediately. So it's a massive efficiency gain there as well.

[00:39:13] Tom: I'd probably add a fourth one to that and that is cost as well. Not just the cost of efficiency, but the cost of ingesting all that data as well. I haven't spoken to a head of infra or security that hasn't said, how can I get my Splunk costs down? Or how can I save money on Sentinel?

[00:39:26] Matt: Absolutely, yeah. So there's definitely an element of that as well. Because yeah, as you mentioned, Tom, obviously if we're pre-processing a lot of things, there's a potential reduction in what needs to be sent to those other platforms because we've got it all covered.

[00:39:36] Scotti: Yeah, and I see a lot of those traditional products that you talked about, like EDR and all of those actually, and SIEMs specifically as well. Most organizations that have cloud have a large on-prem environment too. So most of those products were originally purchased to protect their on-prem environment. And a lot of those providers haven't really, like they sort of do it, but haven't really cloudified their service very well. You know, like turning on Defend was a matter of turning on one checkbox, and then immediately I'm getting logs, and then I've created an event and now I've got a detection that's got a timeline as an analyst, you know. And I've been through SOC migrations and SOC deployments, SIEM and SOAR operationalization, and that's like a six-month project with really skilled people.
As you said, having the requisite resources actually makes a big difference. But to just kind of have a tick box and have an out-of-box set of rules that cover all my cloud providers, and then when an incident actually gets detected, I'm not spending hours with a SIEM product, you know, manually pivoting through a GUI to try and extract more logs to work out, is this a true positive or true negative? I think it's great, because a lot of customers still just haven't really thought about getting those cloud logs into their SIEM. And then even once you have the cloud logs, you're actually still looking at application-specific logs as well. So like, it's a massive, from a zero to a decent level of maturity in a week is like something I just haven't seen before.

[00:40:57] Matt: And to that point, like, what are the main challenges we see with customers today when they've moved into a cloud environment and are trying to migrate or modernize their SOC? Once again, it's that visibility aspect. So we view Defend obviously as a part of the Wiz cloud or the Wiz platform in general, in addition to Wiz cloud, and one of the main challenges is organizations just not knowing, are we in a position to actually detect and respond to these events? Like, where are we from an incident readiness perspective? So that's kind of like the foundational pillar that Defend starts with. And then the cost, as you mentioned, Tom, detection engineering, we're seeing huge amounts of effort being done that don't need to be done at a per-company level because these are broad detections that every organization could benefit from. So once again, the team, these are guys that have essentially been cloud threat responders for the last kind of five to 10 years, have been building all those things and continually adding those to the platform as well. And it's such a changing space.
So we really need to have those kind of detections in place really fast to make sure you're actually in a place to detect these novel threats that we're seeing. Some really sophisticated ones that are quite impressive, but also pretty difficult to find if you don't have everything kind of unified, to be honest.

[00:42:05] James: It's interesting to hear you describe how this is evolving over time. You know, you mentioned that Wiz has only sort of really been a five-year thing. I noticed that there's been some really interesting evolution in terms of partnerships that Wiz is doing as well with other organizations. And just thinking in terms of the future, you know, you've sort of gone from an infrastructure lens. We've added the application layer in, we've looked at full SDLC, we've got compliance. How's that likely to evolve? Is it about more partnerships and, you know, maturing the overall landscape that way? Or are there some really specific and interesting things that you guys are investigating at the moment?

[00:42:40] Matt: It's quite a broad array of things that we're looking at now, obviously, and we're still committed to our existing kind of roadmap and strategy. And, you know, the Google acquisition will just help us accelerate that. We're going to continue to focus on multi-cloud environments. We started in the cloud using the cloud-native capabilities that support the methodology that we kind of use to implement and build and so forth. So one of the areas that we're going to start to look into, as you mentioned, the partnership, you know, we want to help organizations. You know, Wiz doesn't do everything, and there's certain elements that are really powerful data points that we can get from third parties that could really enrich our risk analysis of a given application or something like that.
So Wiz is really opening up our graph database to be able to facilitate third-party ingestions to say, okay, you know, Wiz has got all of this information, but we've also got some CMDB information here, or we've got a third-party SaaS tool that's told us that there's a weakness here. Let's escalate this a little bit more with these third-party data points. The other area is there's a lot of best practices that we've learned in cloud that are applicable on-prem. So we're starting to think, okay, how do we help organizations that are going to maintain a hybrid environment, or they might be in a migration objective, how do we facilitate meeting those migration objectives in a faster way? Often, and you guys would know this better than I would, those cloud migrations are often stalled just by the complexity of on-prem and potentially the unknown, from a visibility standpoint, of what needs to be moving. So how do we kind of provide that same visibility and risk view on-prem? So these are areas that we're investigating in combination with Wiz-generated findings or Wiz-generated analysis as well as third parties. So we're really opening it up there. And then one other, the kind of two is obviously a lot of the themes of our roadmap. But I would say cloud operations generally, you know, Tom, you mentioned resilience before. That's obviously, you know, as a country and in the globe, we're all accepting that you can never have zero risk. So how do we make things really resilient? You know, and there's industry regulations that are coming out like DORA in Europe, and in Australia we've got CPS 230 coming into effect in July, which is focused on resiliency. So we've got all this visibility. How can we help you understand, from a cloud operation perspective, is this application resilient?
So these are areas that we're investigating: financial operations, obviously, cloud optimization, cost optimization, these areas that we've kind of dived into because of the data that we can facilitate. So yeah, there's a lot of interesting things. And as I mentioned, you know, Wiz is going to certainly open up and aggregate a lot of these different findings to provide organizations that kind of central view. Whether it's Wiz providing the data or whether it's a third party, it's going to be fairly open there.

[00:45:13] James: It's an evolution that makes a lot of sense to me, and it actually warms my heart to hear you describe that roadmap because I've certainly lived that dream of the cloud migrations and, you know, wanting to take a lot of existing on-prem practices and tools into cloud, and they're not necessarily built for that purpose, particularly in a multi-cloud or hybrid-cloud environment. But I also work a lot with operations teams around modernizing operations. And so to hear that you're broadening that landscape and perhaps bringing a lot more capability through that single lens that Wiz can provide across that landscape, I actually think it's really interesting. It's going to be fascinating to see how it evolves. And you know, Scott, it takes me back to some of our previous conversations where you've often said you really wish that the industry would learn to collaborate more, you know, and have a lot of these different tool providers and organizations actually learn to work together to get to a greater outcome. Do you think that this is something that we're more likely to see through the evolution of tools like Wiz in market?

[00:46:08] Scotti: Despite us being told that we should argue more, James, I have to agree.
I think that the idea of SASE in the early days, when it was originally coined by Gartner, was that it would bring the best of the products that existed in market today and essentially stitch them together in a mesh to deliver a great outcome for customers. That didn't transcend into what we actually see today. We see, you know, every vendor, a bit like, you know, Netflix and, you know, Disney and Amazon Prime, you know, every security vendor now has their own SASE product, and having gone through that process recently, I can tell you that some are definitely better than others. What I really like about the idea where Wiz is bringing this together with the other vendors is saying, we've got the platform that you can now leverage to essentially deliver your services and those outcomes using our platform, or potentially the integrations that the platform provides to customers. So I see that as a huge win, certainly, because security teams, development teams, organizations have all the existing toolsets. And one of the big issues for, you know, justifying a tool spend is, well, we've just bought this tool we haven't fully implemented. Now you want to change the tool again? I think this solves a lot of challenges, certainly around the adoption space.

[00:47:19] Matt: Yeah. And we're already making serious inroads in this space with, like, I think over 180 integrations, both inbound and outbound. One of the kind of sentiments that we share is we want to make security teams successful and pragmatic about these things. So if there's a tool that we can support in facilitating enrichment or ROI, it makes sense for us to integrate with it. We don't want to be a black box with the graph database. We're kind of leaders in innovation of using a graph.
Why don't we facilitate other organizations or other feeds coming into that and making security, like, you know, a really kind of smooth-running machine, and make them essentially look good and be really efficient as well. And that's one of the kind of other points I wanted to make around where Wiz's strategy is today is, you know, going into the on-prem world is obviously an interesting one. And often I get customers thinking, oh, you guys are really modern. You know, we're still a legacy organization. The cool thing about Wiz is we've kind of got these two parallel themes, which is meeting organizations where they are today and their challenges of today, with a second foot in the other camp of making sure that we're ready for the challenges of tomorrow. And obviously AI being the prominent one there. So we've got huge investment in AI security and things like that. So organizations can modernize, but also we can facilitate where you're at today as well.

[00:48:33] James: So I love the fact that you've touched on AI here, Matt. How is AI impacting the security landscape today? I mean, it's obviously a multifaceted thing, but what are some of the key things that you're seeing and how do you think this is going to unfold?

[00:48:47] Matt: I think there's obviously different stages of an organization, and most are in the experimental phase, I would say the research and experiment phase. I haven't seen many. And chatbots are almost commoditized. I don't view that as the kind of challenge. It's more when you're starting to do really custom AI applications. Most organizations I'm working with are in that experimental phase. I think we're still working out what the best practices are. As I mentioned before, there's kind of the OWASP top 10 for LLMs that seems to change quite rapidly. I view it as just a really, whatever we're looking at today, I don't think is going to be the same in six months.
And the secondary thing, I saw a really interesting thing from the Nvidia founder Jensen Huang around the changing nature of IT organizations within IT departments, which is you've got your biological workforce and now we're going to have that digital workforce. So with all these AI agents that are going to be deployed in organizations, what are the guardrails that we need to put around that? And I think the first thing I thought, you know, these are going to facilitate really cool things for teams, but how do you have the visibility of what they're doing and how do you put the guardrails around it? It's a kind of vague answer for you again, James, but I think it's going to have a lot of the similar challenges that we already have with any modern technology, but just a new kind of layer of conditions we need to think about.

[00:50:01] James: It makes a lot of sense. It's quite an internal perspective that you've described. What about from an external threat and attack perspective? Is AI starting to be leveraged more in industry for those large-scale attempts to breach systems?

[00:50:14] Matt: Yeah, yeah, that's a good point. So that was for, like, the ability to adopt AI internally and obviously have that kind of business efficiency. But then from a threat actor's perspective, I've heard that there's a huge velocity increase that AI has facilitated because they can do much more targeted, particularly, phishing campaigns. I'm noticing and hearing about as well agentic AI, where it can do not just the first step but continue through. You can essentially, you know, put in an agentic approach to going through all the public endpoints. And we know them, and they're all publicly documented in terms of the cloud providers. They've got all the APIs and API calls that they need, and they literally just go through those scripts automatically and are becoming quite intelligent in the way they escalate.
And as you know, cloud attacks are very rarely one misconfiguration, it's a combination. And these AI agents are now kind of being built to be able to identify, okay, I found a key here. Now I know what next step to do. It removes the human element. So I just think velocity and speed is going to be the challenge. Once again making prevention a priority as opposed to relying on detection as well.

[00:51:15] Tom: I might just pivot slightly, Matt, but we're obviously a Wiz partner. I know we have some fellow Wiz partners that listen in on this as well. What's Wiz's view and vision around partnerships, and what does the future hold? How do partners help accelerate this building of the sort of security-aware culture and working with Wiz to help customers do more?

[00:51:35] Matt: Yeah, ultimately. So we've got those two layers of partnerships, both technical and then kind of partnerships with organizations like Cordant. And I think there's two layers. You know, implementation is one thing, but to get ROI, even though, you know, I obviously discuss the ease of use, there's always operational things that need to be implemented. So we see organizations like Cordant being key in actually delivering and being the thought leaders within those organizations, or our customer base, and actually facilitating the outcomes that we've promised from the outset. And you know, we obviously are still a young company and Cordant has relationships and expertise, such as on this call, that can really deliver the outcomes that we're talking about. Ultimately we're providing the technology and suggested best practices, but organizations like Cordant really add that value in being able to implement it. Every organization, every industry has different requirements and different mechanisms in place. And that's where, you know, we've obviously already had some success with Cordant delivering that for some of our customers.
And that's where we see partners being the huge value add for us to be able to actually deliver the value and ROI for our customers. [00:52:40] Tom: Yeah, and I love it with our different Personas in terms of our backgrounds as well. There's something different in Wiz for our customers and it always helps when we can empathise and explain that to our customers and they can resonate with those benefits. Hey, brilliant, Matt, look, thanks. I think I speak for all of us when I say we've had a really enjoyable conversation today. Thank you so much for taking time out of your busy schedule to have a chat with us and sharing your wisdom with our listeners. Just a final note. How can people stay up to date on what Wiz is up to? [00:53:09] Matt: Yeah, there's many ways and we've got a lot of cool public things to actually interact with some of the technology as well. We've got public capture the flags that we run in person. But there's also online self service ones that I recommend having a look at if you want to kind of see how Wiz thinks about the landscape. The other things is obviously on on the typical socials we've got on LinkedIn, following the page and all these types of things. And of course with our partner community like yourselves, obviously Corden's one of our key partners in Australia, New Zealand that's been working really well with us. Following those types of threads is probably the main thing. And final note for me, thank you so much guys for having me. I really enjoy the conversation, particularly from experts like you guys. So thanks again. [00:53:46] Tom: I hope our listeners leave today with a better understanding of Wiz as a product and I think a joint vision of the future of where Wiz can be that conqueror glue and IT builds fun and more collaborative tech pipelines with lower risk. So until next time, everyone have fun and as always, stay safe. [00:54:02] Matt: Thanks very much. 
[00:54:05] Scotti: If you could use a little help or advice with modernizing your IT environment, visit Cordant Au to start a conversation with us. This has been a KBI Media production.