The Voice of Cyberยฎ

KBKAST
Episode 277 Deep Dive: Jagdish Mahapatra | Microsegmentation and the Path Forward
First Aired: September 18, 2024

In this episode of KBKast, we’re joined by Jagdish Mahapatra, Chief Revenue Officer of ColorTokens, as he discusses the imperative of achieving digital resilience against cyber attacks. Jag delves into the critical role of the right partners in business digital security, the importance of microsegmentation in preventing lateral movement within networks, and why businesses should focus on breach containment rather than just prevention. He alsoย sheds light on the importance of maintaining business continuity through digital resiliency, the need for ongoing support from vendors, and how businesses can better prepare for inevitable cyber breaches.

Jagdish Mahapatra is the Chief Revenue Officer of ColorTokens, a leader in Cybersecurityย  industry in helping organisations โ€œ Be Breach Readyโ€. He is responsible for the Global Go toย  Market strategy of ColorTokens.ย 

Prior to joining ColorTokens Jagdish Mahapatra was the Vice President for CrowdStrike forย  Asia Region which included South East Asia, North Asia and South Asia. His key responsibilitiesย  included Building a Strong Business for Asia Region with the focus on providing next Genย  Cybersecurity solutions to Enterprise customer and Govt. and build Strategic Alliances forย  CrowdStrike. Aside from growing business in hypergrowth mode which made Asia one of theย  fastest growing regions in the world for CrowdStrike, he topk a lot of pride in incubating aย 

culture of a highly engaged team with CrowdStrike Singapore being amongst the Top 5 Workplaces of 2022 and CrowdStrike India in Top 10 Workplaces in 2023. ( GPTW).ย 

Jagdish has previously worked for Cisco and McAfee. In Cisco he built a Strong Enterpriseย  business of 250M USD when he took charge as the Managing Director for McAfee India.ย  Having built a successful business and culture in McAfee India, he went to run the Strategicย  Alliances for APJ for McAfee before joining CrowdStrike.ย 

He was recognized as one of the Top 40 Executives in India Inc under 40 in 2011 by Businessย  World.ย ย 

He has delivered a TED talk for Star TV which was aired in Jan 2018 where he spoke about howย  we should keep our kids safe in the online world. He has also spoken as TEDx speaker in Febย  2018 on Cybersecurity and impact of Digital footprints.ย 

In the formative part of his career, he was instrumental in creating the manufacturing offย  shoring model in India which emerged as a significant game changing industry phenomenonย  during his stint at Larsen and Toubro, a large Engineering Conglomerate in India.ย ย 

On the academic front, Jagdish is an Electrical Engineer with MBA in Marketing and Finance.ย  Jagdish loves to explore travel to experience cultures, food and local mythology and loves toย  relate the stories to work. Born in the holy city of Puri, one of the 4 top pilgrimages of India,ย  he finds Indian mythology inspiring to fulfil todaysโ€™ life. He is an avid reader from fiction toย  Business and Technology and loves to blog regularly on all topics on Social media. Right now,ย  his passion is to rekindle his music desires with Piano and Drums.ย 

Help Us Improve

Please take two minutes to write a quick and honest review on your perception of KBKast, and what value it brings to you professionally. The button below will open a new tab, and allow you to add your thoughts to either (or both!) of the two podcast review aggregators, Apple Podcasts or Podchaser.

Episode Transcription

These transcriptions are automatically generated. Please excuse any errors in the text.

Jagdish Mahapatra [00:00:00]:
Businesses must realize there is no constant state of security, and we’ve always had this mindset about looking at security as the cyber war. I would like to say it’s not a war. It’s a game of chess. In a game of chess, you’re constantly looking to make moves so that you’re ahead of the adversary so they can protect the king. And the king is the data, your crown jewels.

Karissa Breen [00:00:39]:
Joining me today is Jagdish Mahapatra, commonly known as Jag, Chief Revenue Officer for Color Tokens. And today, we’re discussing microsegmentation and the path forward. So Jag, thanks for joining, and welcome.

Jagdish Mahapatra [00:00:56]:
Thank you, Carissa. It’s my pleasure to be in your podcast.

Karissa Breen [00:00:59]:
Okay. So I wanna get into it straight away. I wanna know your version of micro segmentation. Now I asked this question because, again, there’s terms out there that vendors, etcetera, people use. Everyone’s got a different version of what it means. So I get various answers, but so everyone’s on the same foot on this interview. I wanna hear your thoughts.

Jagdish Mahapatra [00:01:21]:
Yeah. Let’s kick it off with that. I mean, I’m gonna dig into the why of microsegmentation because that’s very important. And let’s, for a moment, think like an attacker, like an adversary, or a hacker. And if I were to have a hypothetical conversation with the adversary, what would he or she tell me? Well, this is how I think it’ll go. That for last 20 years, businesses around the world have been hiring the hackers. They want us to find exploitable loopholes in their armor and break in as far as we can and try to figure out where we are. So are we impenetrable is the universal question.

Jagdish Mahapatra [00:02:03]:
I think it’s time. We might as well be asking the same about your organization, and as a hacker, I can say with confidence that most certainly, there is always a way in. And I think if I were to play it back from a defender’s mindset from or for the organization, Vanessa’s Carissa, I will say this is one advice that can we can take it very seriously, is can we stop trying to keep the bad guys out? Because they have enough motivation, and there is a business model that justifies why they will be in. So can we assume that they are in and they’ll find a way to move inside and look at our crown jewels? The answer we should be seeking for is, as businesses, is can we make it hard for the adversaries to move inside once they’re in? Because they will try and exploit the relationship that allow them to move laterally to the corporate network. They can do this by distrusting anyone. Right? The first thing they can do is distrusting anyone within their data environment and repeatedly corroborating that all users are who they say they are. Right? So I think at the core, what micro segmentation does, it doesn’t allow the adversaries to move laterally. It buys time for the defenders to really slow them down and use that time to protect their crown jewels.

Jagdish Mahapatra [00:03:34]:
In the scheme of things when breakout time as it’s popularly used by CrowdStrike to define how it moves from patient 0 to patient 1, the breakout times are shrinking with the with the shortest one being in 2 and a half minutes. I think this is where businesses have to focus on, and micro segmentation at the foundational level addresses this core issue.

Karissa Breen [00:03:57]:
Okay. There’s a couple of things in there which is interesting. When you said the foundational level, what do you mean by that when you say that?

Jagdish Mahapatra [00:04:03]:
Well, at the foundational level, it starts to create the segments and zones in the network that creates friction for the adversaries to move, and that’s the core value that it offers back to the security practitioner.

Karissa Breen [00:04:17]:
And then you also said by doing this, it buys time. How much time are we talking?

Jagdish Mahapatra [00:04:23]:
In the scheme of things of where the breakout times are shrinking by minutes. And I said, on an average, it’s come down to 64 minutes now, and the fastest one can be 2 and a half minutes. You really are playing in seconds here. Right? So if you can buy seconds and minutes now, you’re basically gonna do a massive favor to entire business continuity and digital resilience.

Karissa Breen [00:04:44]:
I heard the 2 and a half minutes, but what what can happen in 2 and a half minutes? Like, I can’t even drink cup of coffee within that time.

Jagdish Mahapatra [00:04:51]:
Absolutely. If you’re dealing with the nation state actors and let’s say if you’re dealing with Russian adversary, they are extremely sophisticated. This is exactly the time they would need to, inject a payload or, move from patient 0 to patient 1 and move laterally, and then it’s game over. And the the challenge now for organizations is to have defenses that can help them prevent this or detect this faster and remediate faster. But, hence, I believe that this whole constant energy and technology that we’ve been spending in this industry for last 10 years into detect detection and prevention is done well. It’s done us well, but that’s not the only place we could stop. We gotta now move beyond detection and prevention technologies with that assumption that they will move in and find ways to slow them down. I think this is where the biggest problem in the MITRE framework has not been solved, which is a lateral movement.

Jagdish Mahapatra [00:05:41]:
And at the core, microsegmentation does that.

Karissa Breen [00:05:44]:
Okay. This is interesting. So you said people gotta move beyond this. Would you say that why aren’t people moving beyond this? Is it that they don’t know, they’re unsure, they’re confused, they confused, they got a 1,000 other things they need to do, and this just feels like something else that they need to get their head around? What are your thoughts?

Jagdish Mahapatra [00:06:00]:
The whole micro segmentation has been misunderstood by IT and security for a while. Well, why is it so? The start of segmentation started with the network segmentation, miss Carissa. I worked in Cisco, you know, 15 years back, and we would talk about network segmentation then. And those were days when VLANs were used to segment the computing systems in the same network, but they couldn’t discern the malicious traffic. Right? So any lateral movement that would happen within the VLAN, that, you know, was a problem. But as it started to move from network segmentation, we’d I would say in the 2nd generation started talking about software based segmentation. Now software based segmentation were a little better. They could stop the lateral movement within the VLAN, but, obviously, the problem was there were long observation periods to discern what is a good traffic against what’s a bad traffic to create the segments.

Jagdish Mahapatra [00:06:51]:
And the zones were based on network, departments, sometimes asset types, which can be very basic. What I’m trying to say where the real value of reach ready micro segmentation is your ability to detect and respond. You could stop the attack proliferation. You can ensure business continuity, and you can determine material impact. I think this is where the value starts to come in, what I would say the breach ready segmentation. Fundamentally, this helps organizations be ready for the eventuality of breach, which I we know in today’s time, it’s not a matter of if, but when.

Karissa Breen [00:07:28]:
So would you say people are just under the proviso? Well, that’s nice, Jag, but I’m just gonna go with the theory of I’m just gonna keep the bad guys out completely. Is that what people are sort of saying when you’re speaking to customers and people in the in the industry?

Jagdish Mahapatra [00:07:42]:
Well, this has been the wisdom of the industry for last 15 years. I’ve worked in in similar organizations in the past, and by the way, don’t get me wrong. That’s important. We have to continue to improve our detection, prevention capabilities. We have to try to keep them out. But I think what what I’m trying to say is we can start to shift our capabilities, our technologies, and energies with the assumption that they will move in because the business model is the I mean, it’s a it’s a massive industry. It’s a $1,000,000,000,000 industry. This could be the 4th largest economy.

Jagdish Mahapatra [00:08:14]:
Cyber cybercrime is the 4th largest economy. They have enough motivation to get in. So why not we assume that they will get in and find ways now to really slow them down? So I’m saying that continue to do what you’ve been doing, but don’t live in the notion that’s enough because security is always a journey. I think the energies need to shift into really saying how we can slow them down because that will change the game. And to me, this is a asymmetric warfare, and you could bring in some symmetry by giving us time.

Karissa Breen [00:08:44]:
So would you say that people just they’re just not there yet? Because I know look. I asked that question because as you know, things take time and there’s adoption, then there’s understanding, there’s awareness, there’s education, and I hate to say it, but for the last 20 plus years, people can’t even do patch management correctly. So now we’re trying to introduce something, you know, that that is perhaps not as ubiquitous. Is that gonna be hard, would you say? Because, again, like, people are creatures of nature, etcetera, so they don’t like to think, well, I’ve gotta learn something new. I’ve gotta think differently. What are your thoughts then on that?

Jagdish Mahapatra [00:09:17]:
I think I’m starting to see the adoption going up across across the globe significantly. I think there is a realization in different sectors, definitely in the financial segment, in the health care segment, that the breaches are brutal. But, again, it needs to be positioned correctly. And one of the things we believed in, color token says, stop talking about micro segmentation as much as we should talk about what it can do, and that makes a lot of difference. So firstly, what’s the goal? We’ve been always been saying that micro segmentation is a breach readiness tool. So how can we reduce the breach impact and make it easier for adoption? When I say adoption, the value realization. Can we get a value realization in the first 60, 90 days of material impact? Can I reduce the attack surface? Can we reduce the blast radius? So eventually give metrics that the business can be proud saying, you know what? We feel far more comfortable. And then eventually, it’ll improve the partner capabilities.

Jagdish Mahapatra [00:10:10]:
Right? End of day, it has to be managed well. But find ways to make it even, easier or, I would say frictionless consumption models. I think those are areas that are improving, and I believe that the adoption of this of this technology is, right across the corner, and we’re starting to see early signs in Asia Pac as well.

Karissa Breen [00:10:27]:
Going back, I know you sort of mentioned it before, but what do you sort of think that people are confused by? Do you think it’s just a misrepresentation and they’re sort of comparing it to a v a VLAN, would you say? And then therefore, they’re like, oh, well, that’s outdated. Is that sort of where people are drawing comparison?

Jagdish Mahapatra [00:10:43]:
If I were to unpack and you’re right. I mean, like I said, there’s a there’s a confusion with the with with network segmentation and some of the old things in our head. By the way, there’s nothing wrong in that. But I think the moment we pivot the conversation of segmentation micro segmentation to breach readiness, it means entirely different. And if I were to unpack that for you, I think the first part is, can we build pervasive defenses? When I say pervasive defenses, you should be able to address potential points of breach across IT, OT. And this is important because as we’re living in a world where the OT world is probably 3 to 5 times of IT, and that’s gonna get bigger and bigger, and that’s becoming a significant threat vector in supply chain, health care, and you can’t afford to ignore it. And, of course, the cloud. Right? We’re living in the world of cloud.

Jagdish Mahapatra [00:11:35]:
While you build pervasive defense, defenses, it’s important that the visualization improves. Right? In our world, we call this panoptic visibility. You should be able to get detailed visibility across the attack path of what is fixed and what’s moving, and that’s something that wasn’t available. And these are all innovation happening as, as we speak. But progressively reducing the impact is important, which means you are improving the security posture, but that you’re reducing any impact of any attack that comes in. While you do that, this is when the real zones and conduit start to make make meaning. Right? It should be possible to simplify the internal attack surface by intelligent zoning techniques. Now to your question, in the past, it was very rudimentary.

Jagdish Mahapatra [00:12:19]:
The returns against the effort were not in place. And I think with lot more advent of AI and more tools and more technologies available, this is getting much more easier to predict, and that basically helps us to prepare for the cyber attack models. Right? So it it should be possible for cybersecurity teams to foresee the possibilities of cyberattacks and the impact it can have, and that can help, what I would say, help organizations ensure business continuity. Right? And I think that’s the part we start to get in, but, eventually, I think the real promise of this technology is in in helping organizations achieve adaptive breach response, which means it should they should be it should be possible to adapt to changes due to an attack, and then you redefine your controls and parameters to defeat the attacker. That’s the ideal outcome this technology is now capable of, and that’s the that’s the journey we’re in in color tokens to really articulate this value, journey. And whenever we’ve had this conversation with our customers, it’s really gone down extremely positively because this is lifting up back to all the stakeholders. I haven’t heard a single CFO, COO, or a CIO coming back saying, you know what? This doesn’t make sense. This is absolutely the most important thing our businesses want to really listen about.

Karissa Breen [00:13:36]:
Okay. So there’s a couple of things in there that I wanna get into a bit more. So what I’m hearing from what you’re saying is there needs to be a mindset shift around, like, historically, it was like, okay. We gotta keep these people out. These people are getting in regardless. Whether we like it, we agree, we disagree, it doesn’t matter, these people are still getting in. So then you’re saying there needs to be an extra barrier or control there because they they will. And as you said, quite a large industry.

Karissa Breen [00:13:59]:
You can someone can sit at home in the middle of nowhere and, you know, make a lot of money. So then there’s that. Then the second thing would be the business continuity side of things. As we’ve seen in recent outages, this is a big problem. And people not being able to operate their business, how much money that they are losing, and this will continue to happen because of how reliant we are now in technology. And, you know, businesses are built upon this. So is that what you’re sort of seeing now in terms of the shift? And, I mean, I’ve been in this game for 10 years, and the conversation that you and I are having now, this wasn’t really a conversation even a couple of years ago, really. But ever since you’ve seen a lot of these outages, we are starting to see people move away from the old adage.

Jagdish Mahapatra [00:14:45]:
Absolutely. Every bank, every health care customer, every large complex environment that I’ve had conversation in the last 10 months in color tokens, This has come out as to be the most important part. Every time we’ve spoken, we’ve taken the conversation away from technology to a breach, impact reduction or breach readiness, it has resonated. Particularly, they understand that the threat vectors are not just the data center or the ID workloads, but it pans across OT as well as cloud. And as long as we can give them that whole pervasive defense model, they start to make sense because the attacks are coming from everywhere everywhere else. And despite putting in the best of the technologies, the breaches continue to happen. That’s the problem we are dealing with.

Karissa Breen [00:15:32]:
And just to sort of touch on a little bit more in terms of, you know, business continuity, is this something that is starting to even in recent sort of couple of weeks when I’ve been interviewing people, I can see the conversation and dialogue changing. This is what is worrying people now. Like, if you think about even, like, Delta Airlines, for example, not being able to operate x amount of flights for even that amount of time, that impacts people planning as well as, you know, as a rep, you know, reputationally as well. Even though it wasn’t really their fault, people on the front line are still blaming them effectively to be like, well, I can’t I can’t fly home now because your system isn’t working. So are we trying to see organizations like people don’t wanna be in this situation? So what does that then sort of look like from a conversation point of view that you’re having with customers, for example?

Jagdish Mahapatra [00:16:22]:
That’s a great question, Carissa, and, I’m gonna respond that in 2 ways. Number 1 is a step ahead of business continuity is what I would like to say as digital resiliency. And why do I want I wanna make sure I say that very clearly because in I believe we are living in times not a single organization can say that they’re not digital. In fact, any form of brick and mortar business models that you and I might have grown upon are digital in most part of their value chain now, and most part of a customer’s perception about a brand actually is starting and emanating from the digital experience of the brand. I mean, with the airline or a hospital or a bank or what have you. If that’s the world we are living in, I think the most important metrics that starts to be important to the CEO is digital resilience. Now let me tell you this interesting conversation I’ve had in last 9 or 10 months. Absolutely, consistently, I’ve heard this.

Jagdish Mahapatra [00:17:23]:
So I’ve asked CEOs saying, if you had a disruption in your operations, whatever the reason may be, let’s steal cyberattacks, but we’ve seen outages and everything impacting. And the first question I’ve always said, when do you how much time do you think your business will be up by? Most of the CEO answer with expectation is 24 hours. You don’t ask that to the to the CSO, they’ll probably say it’s 7 days. If you ask that to the CIO, it goes down to months. The reality is that if your business is running at 100% level before a disruption or an attack, it never comes back to 100% for next 6 months. So we are talking about it falling down to 20% level for next few weeks, and it starts to crawl up back to 80% in months. And if I were to translate this back to what the economic impact of that is, I think it’s you understand well. And if there is a cyber attack that makes you limp at 20% levels for months, which usually comes with a bit of a blind spot for the leaders, and when they realize that, oh, is that true? And they start to react very differently.

Jagdish Mahapatra [00:18:42]:
To me, I’m I’m elevating this problem to saying that, can we talk about how we can help businesses achieve 80% operating minimum value business. I am call call it a 80% level. I think micro segmentation can play a massive role there. So what I’m trying to say here is that, can we help organizations achieve digital resiliency by making sure 80% of their operations are up and running in hours? And what I would say the maximum possible operations are running by quarantining the cyberattacks into microsegments rather than the current standards of 20% of acceptable operational running in case of disruption. I think as long as you can hit that most important business outcome for our customers, and that’s the path we are in color tokens, We would do a great lot of benefit back. They can can continue to invest with all the prevention technologies. I have a lot of respect for them, but I think they need to start understanding that this is where the real value starts to come in, which is digital resiliency.

Karissa Breen [00:19:51]:
So you said before, it makes if it makes companies limp, but we’ve already seen people limp in recent times. Like, look at the part that got me was and I and I interviewed Jeetu Patel from Cisco about this, and I was sort of looking at you’ve got a young student that couldn’t fly home, and she’s like, I don’t have any money left in my account. That was a problem. But then you’ve also got people that couldn’t even operate their businesses, and that that wasn’t even 24 hours. So you could you imagine when we’re getting up to that 24 hours and how there’s so many interdependencies as well on companies. So would you say organizations are fearful because they have this reliance on these technology software companies? So, for example, if they’re relying of x company, something goes wrong, which it can do, not everything’s perfect, do they have that anxiety and that fear constantly? Because that’s problem in their supply chain. Right? Like, they kind of need this person to be their oxygen to do certain things, but then they’re also fearful at the same time that if something goes wrong to your point, it’s gonna make them limp.

Jagdish Mahapatra [00:20:53]:
Yeah. I mean, see, the fears coming in from what they’re seeing, and most of the time, the attacks are you know, you could be on the headline next, so that’s not gonna go away. But I don’t think we can live in the state of fear. I think the right way to look at this is how can you augment your cybersecurity controls with a breach readiness mindset? And micro segmentation does that exactly. Right? And how does that how does that do it? Like, most serious organizations who plan for security well or cybersecurity well, they know their critical digital assets and where the data is and where they are to some extent because of the information is the basis of cybersecurity investment. They know what it is. Such organizations, they also have a very mature incident response programs. I can I have to tell you that despite some of the successful attacks that I’ve seen, I’ve seen pretty mature incident response programs? So and and they also test it periodically.

Jagdish Mahapatra [00:21:46]:
So I’m not here coming back saying, you know what? Everything is none none of that is working. I mean, some of these things are very mature as well. But adding micro segmentation to this would mean that it would be possible to contain a cyber attack by quarantining it to the zone where the attack has been detected. What does that mean? This would mean that the rest of the enterprise continue doing business as usual while the SOC manages the cyber attack within a very small micro perimeter of where it was detected. This changes the whole business continuity paradigm that you’re alluding to. So instead of planning to continue business at 20%, what I was telling you, it’s possible to plan for 80% continuity. And even if the systems are compromised, cyber forensics will be limited, so you’ll not have time. But when it is a small micro perimeter, it’s much easier for our businesses to thrive under the attack.

Jagdish Mahapatra [00:22:41]:
I’m using the word thrive because just imagine if I were to give you metaphorically, I’m sitting in a restaurant and there is a attack there. By the way, I’ve seen this live in earlier part of life. I don’t wanna talk about that now. Another time that if the attackers get inside and you could, on the fly, create micro zones in the restaurant that instead of seeing hundreds of people and hundreds of tables there, they could actually end up seeing only probably a micro corner of that restaurant. They could only describe where nothing else is visible. That’s what micro segmentation does. It basically then allows the resources and people skills to solve a much smaller part of the problem while making sure the rest of the business is working. And I think that fundamentally is the game changing technology that businesses need now.

Karissa Breen [00:23:27]:
But what happens if it’s not detected?

Jagdish Mahapatra [00:23:29]:
That’s exactly what I’m trying to say. It’s when your detections fail. But if you so what what happens in in a breach ready micro segmentation? Let me let me just walk you through some of the parameters why it is important because when we say it’s digital resilience and micro segmentation can help there, let’s look at some building blocks. Right? The research is important because the listeners should should get that part. You need pervasive defensibility, which means it should be possible to address all points of breaches across IT, OT, and cloud. Very important. Okay? And if you got identity or reputation or API, all of that. Right? You need pan or pick visibility, which means it should be possible to combine the semantics and the instance information of the compute landscape to ensure that there’s a complete visualization from east west and north south traffic.

Jagdish Mahapatra [00:24:19]:
Then you got to model the defenses. It should be possible to simplify the computing landscape into defensible zones that restrict lateral movement, and that needs a fair amount of readiness. Right? And that should be and you should be able to do that in 1st 90 days. And then you then you achieve what I could so call a breach ready zoning, which means you should be possible to design these zones that can be segregated, quarantined, and isolated while the attacks are on, which is I call the gauche shields up. Right? And so and and that you can achieve, obviously, with more progressive hardening, more granular quarantining. And I think if you’d follow these practices, it becomes much easier to reduce that impact even if the preventions and detections fail.

Karissa Breen [00:25:03]:
Yeah. Okay. That makes sense. So okay. So let’s let’s get into this a little bit more. What do you think people need to know more about this? We’ve obviously discussed these misconceptions, people are making parallels to the VLAN, etcetera, but what’s the one thing that people listening on this show today really need to know about micro segmentation from your perspective?

Jagdish Mahapatra [00:25:26]:
I think they should focus on the real outcome, and the the biggest real outcome that we can we can provide is help them be completely digitally resilient, from cyber attack. And I think that’s one goal that resonates with, business stakeholders and tech stakeholders. This is a tech to really go to. But what’s important then from there is to really have the right partner, have the right vendor that can walk walk you through the whole mile, get them ready around all these parameters I talked about, but most importantly, be able to deliver a value in the 1st 60, 90 days window. So that’s very important because the tax are going up every day. So that’s one big outcome we can bring on, Tim.

Karissa Breen [00:26:09]:
Okay. So you were saying people need to focus on the one big outcome, but aren’t people focused on this, would you say?

Jagdish Mahapatra [00:26:15]:
They are. Business continuity and digital resilience are, but what are the solutions? If you look at the you know, I’m gonna go back to the MITRE framework. If you look at the MITRE framework, the biggest gap right now in MITRE framework is, you know, if okay. Let me let me just pour to simplify that. There are 4 parts to the MITRE framework, attack framework. Right? The first part is to find victims and build the resources, which is a reconnaissance part. You and I can’t do much about it. The business model of cybercrime has enough motivation that they will do this.

Jagdish Mahapatra [00:26:48]:
You we don’t have a we don’t have a control over that, the first block. The second part is initial cyber attack and access. This is where most of the tools and technologies are. Prevention, detection, identity, it’s very well invested. So the second blocks, we have done very well, but that’s not enough because the third block is where they move laterally and extend the access. Now this is the part this is the problem that’s not been solved, and I think at Color Tokens, we are focusing in this bucket of problem. And if that can be done, then our their ability to really steal and exit with our data and whatever their motivations are really reduces significantly. So we are solving a biggest missing gap right now in MITRE framework.

Jagdish Mahapatra [00:27:33]:
And I think if organizations understand that, which I think most organizations do, they will start to see value here. And in the past, probably, I would say the industry has been talking a lot about the tech. And in color tokens, we have shifted our conversation, forget the tech part. This is a real value we can bring in, and we can bring it pretty quick. That’s important.

Karissa Breen [00:27:51]:
Okay. So you mentioned something before, Jag, around right vendor. The part that gets me, perhaps, at times, is I’ve spoken to, I would say, every single major vendor in the world multiple times. And one of the things that often comes up with customers is, hey. I went and procured this stuff from x vendor. Once the deal’s done, never heard from them. Not telling us about, you know, the latest features and functions and not having that ongoing sort of support and communication. I’m hearing that a lot from customers who are leveraging quite large vendors as well.

Karissa Breen [00:28:24]:
So So it’s not like they don’t have any resources. They do. So what what’s your view on how customers can pick the right vendor? Because there’s thousands and thousands of them out there, and people are getting bombarded every day by a vendor. But this is the part where I’ve often seen frustration from clients to say, we don’t actually hear from them once the sale is done.

Jagdish Mahapatra [00:28:48]:
Yeah. The curse of the industry, isn’t it? The sales guys promise a lot of things, and then that doesn’t try to get transferred back to the delivery team, and there is always a gap that comes in from the delivery team as well as even the partner that’s gonna manage that, whether it’s a system integrator or global SI. I’ve been fortunate to work with organizations who haven’t done that. Okay? And I’m not here to talk about them, but I’m gonna talk about what I’ve learned from the best, and this is exactly what we are promising in in in color tokens. The first thing is, what does the text say isn’t important? What does it how does it translate back to you from business outcome is important. What’s a business outcome? We’ll help you be ready for breach, we’ll help you reduce your breach impact, we’ll help you achieve business continuity, we’ll help you achieve digital resiliency. We’ll stay on those 4. While while we do that, we also give you economic benefits.

Jagdish Mahapatra [00:29:40]:
We had all of business value assessment with our with our, prospects at the beginning of the conversation so that when we do a proof of value, it aligns with the business value assessment and the business goals. That’s very important. But once we start to adopt or the adoption starts, we are very clear about our execution. What are we going to do in the 1st 30 days? How will we help reduce the attack surface? This is a clear metrics that we commit in the 1st 30 days, and that’s important because most of the vendors have not been saying that reducing attack surface precisely is important because the ability to change the communication between systems using 0 trust. Right? I’m not gonna spend a lot of time on 0 trust. You know about that. That is qualify what communication is right and what’s not. Most organizations don’t know that, and that happens directly from color tokens with our own team.

Jagdish Mahapatra [00:30:30]:
We’ve got a specialized team that works on it, that does that in the 1st 30 days. In the next 30 days, we reduce the blast radius. Okay? This is what this is when you don’t really allow infection from patient 0 to move to patient 1 and and ahead. We do that ourselves in the 1st 60 days. In the 1st 90 days, we make sure we can reduce the breach impact score from x to a 0.5x, which is 50% breach impact reduction, and that’s the promise we make upfront. Then after that, there are 2 choices. We got our own managed services that we can run and operate it for the whole year of next few years for the customer, and that’s pretty much the choice a customer has, Or we’ve got our partners, our global SIs and local partners that can run it for run it for them. And we make sure that through those the 1st year of the partner managing it, we do a fair amount of mentoring because we understand the technology has not has not been well understood or adopted by the partner community as well.

Jagdish Mahapatra [00:31:29]:
That’s a work in progress. So we give both the models, and that’s important because end of the day, when we talk about digital resiliency, it is not a goal of today, tomorrow. It’s a continuity goal. It is important that as a vendor, we give a choice. Either we can do that for the customer directly, but we make sure. And some of our largest customer in the last 2, 3 years have been the one where we imparted the skills internal, and then let them lead it upfront. There have been some people who have said, you know, we are capable of doing it on our own, or we bring in a partner who do that. I think this is a part we are solving it right from day 1.

Jagdish Mahapatra [00:32:03]:
Learn from all the best with the organization in my past. I think this is something we are pretty committed.

Karissa Breen [00:32:07]:
Okay. So what I’m hearing from what you’re saying is companies should try with the vendor before they buy it rather than companies saying, alright, vendor. We’re gonna we’re gonna hand drive all this money, and then we never see you ever again, and they walk off into the sunset, and that was and they call it a day. Is that what you’re saying? Do would you say that is a better approach to finding the right vendor? Because everyone’s gonna say we can do this and that, and we’re 247. But in actuality, I’ve seen that not be the case. And this is the part, like, that I really wanna understand is would you say that that would be a clear driver for companies out there that are looking at procuring vendors that they be working with companies and saying, look. Okay. Let’s trial this out for a couple of months or 90 days to what you’re saying and then see what happens rather than we’re gonna sell you, promise you the world, and then deliver not what we sold you, for example.

Jagdish Mahapatra [00:32:56]:
Yeah. I mean and that’s pragmatic. Let’s say you’ve got 10,000 servers in your data center. I’m gonna say, you know what? Give me the first 1,000 to start with. These are the value metrics that I’m signing up that I will definitely commit to achieve for you in the 1st 90 days, and one of the biggest goal would be 50% reduction in breach impact. And if you can achieve that for 1,000 servers, let’s go all out because it’s important for all the servers. And that’s how that’s that’s one way of doing it, and I think we are we are very clear. Our value realization guarantee, we are so clear about that that if we can achieve it for a smaller subset, it makes it much easier for the customer.

Jagdish Mahapatra [00:33:31]:
Also to take it back to the stakeholders because understand for the CISO, they’ve been up in this state many times and they have gone up to the board and said, you know what? This technology will change the game, and it hasn’t. And so it’s important that we we we find them we become their friends in articulating this back saying, how can they be confident that this one will deliver? And if we can show that with a clear value realization metrics in 1st 90 days with a small subset, it gives them confidence and also gives them early wins that they can take back home and get for the entire scope. In fact, that’s something we advocate very strongly.

Karissa Breen [00:34:06]:
So what you’re also saying is people need to have that skin in the game. So example, going back to the 90 days, guys don’t deliver, for example, or there’s probably other companies that are doing that out there as well. Therefore, it’s like, well, you guys didn’t deliver, therefore, we’re out. So there is showing that there’s that extra layer of assurance is what I’m hearing from what you’re saying.

Jagdish Mahapatra [00:34:26]:
100%. In fact, if, we’re so confident of our technology that in the 1st 90 days, if we don’t hit the value metrics that we signed upon, I’m I’m we will need to take it back.

Karissa Breen [00:34:35]:
And so are you seeing, generally speaking, in the industry, as you mentioned before, like, that’s been the problem of people selling something, never hear from these people ever again. Are we starting to see a shift in terms of how buyers are buying now that this this is gonna be quite, you know, the new way forward? People aren’t gonna just hand over money to vendors and say, okay. Well, we trust you to do the thing. Like, you’re gonna have to prove it first before we’re willing to to sign on for for longer terms, would you say?

Jagdish Mahapatra [00:34:59]:
100%, Chris. I mean, I’ve been meeting quite a few of, customers, across the globe. I’m I’m right now in US, and I’ve been spending last 7, 8 months in this in US and Europe and, of course, in Asia Pac, And one consistent feedback that comes in, particularly for micro segmentation, and I’m not trying to take a shot at anyone here particularly, is they haven’t been able to they haven’t been able to complete the journey for which they started. And then I go back and say, what was the goal that you had in mind? And the goal is fuzzy. So if the goal is clear if the goal is simple, let’s just stop the lateral movement. That’s what technical goal, but the real business goal is help the organization be digitally resilient. That’s the goal. Let’s break it down into 4 or 5 metrics that’s important to achieve, and let’s do that in the 1st 90 days instead of making that a NASA project or a rocket launch.

Jagdish Mahapatra [00:35:48]:
We aren’t we aren’t in that business. I think that’s fundamentally what you try to address, and and that’s exactly the conversation I wanna have with 10 out of 10 customers that I meet in forthcoming future because I think that’s really has been the missing gap.

Karissa Breen [00:36:02]:
So I wanna sort of just quickly touch on the path forward. What do you think happens now? So, obviously, we’re seeing a shift in the mindset around, you know, understanding that people are gonna get in regardless. We’re also seeing a shift on how to pick the right vendor and this sort of try before you buy type of thing. What else do you sort of see moving forward?

Jagdish Mahapatra [00:36:19]:
I think as we all know, the attacks are going to get more and more sophisticated. This game is not getting over. Okay? And if I were to have one message for the businesses is this. Right? Businesses must realize there is no constant state of security, and we’ve always had this mindset about looking at security as as a cyber war. I would like to say it’s not a war. It’s a game of chess. In a game of chess, you’re constantly looking to make moves so that you’re ahead of the adversary so they can protect the king. The king is the data, your crown jewels.

Jagdish Mahapatra [00:36:57]:
I think it’s a mindset shift, and the and the moment we have this mindset shift of not using a mental model of a war here rather than a game of chess, it constantly puts us in the game saying, I could keep getting better and better. So next the next ahead of it, next step of micro segmentation, I would say, is far deeper to micro controls, which makes it even sharper in terms of what value metrics we could bring. So if I could protect what you know, if I’m exposing 1% for attack, can I make it 0.5% so make it even harder and harder? I think that’s what you would expect from color tokens moving forward, even more tighter controls so that we allow no room for the adversities to move. And that basically comes from we changing our mental model of thinking of this as a war rather than a chess game. I believe it’s the it’s the latter.

Karissa Breen [00:37:47]:
So, Jag, is there any sort of closing comments or final thoughts you’d like to leave our audience with today?

Jagdish Mahapatra [00:37:52]:
Despite all the doom and gloom talk that we mostly end up in these conversations, I still think that the industry and I wanna speak on behalf of my peers. You’ve done a great job in mostly try and keep the organization safe, the government safe. The world would have been a very different situation if, it was not the case. So I think first, let’s all applaud ourselves that we haven’t been that bad, but the only thing we should know is, it’s not gonna stay where it is because adversaries are always a step ahead. And I’m gonna again go back and say that this whole fight is not symmetric. Right? They they have more information about us than we have about them. So if we can know more about them and make sure that our cyber defenses are up with respect to where we’re expected to be attacked, I think that mindset shift will do a lot of lot of good for the whole community.

Share This