Redefining CyberSecurity

The Future of Secure Business Browsing: Isolation and Protection | Browser Security : Isolation-101 | A SecTor Event Coverage Conversation with Evgeniy Kharam

Episode Summary

In this episode of the Redefining CyberSecurity Podcast, Sean Martin and guest Evgeniy Kharam discuss browser security, remote browser isolation, enterprise browsers, and the impact on security programs.

Episode Notes

Guest: Evgeniy Kharam, Cybersecurity Professional, Security Architecture Podcast [@secarchpodcast]

On LinkedIn | https://www.linkedin.com/in/ekharam/

____________________________

Hosts: 

Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]

On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/sean-martin

____________________________

Episode Notes

In this episode of the Redefining CyberSecurity Podcast, host Sean Martin is joined by Evgeniy Kharam to explore the world of browser security and browser isolation. They discuss the user experience and the policies that organizations can apply to protect against security threats.

The conversation delves into the concept of remote browser isolation and its application in ensuring user safety when visiting unknown or malicious websites. They also dive into the benefits of using enterprise browsers and the control they provide over website access, malware scanning, data loss prevention, and more.

The episode touches on the impact of browser security on security programs, team structures, and the tech stack. They discuss the relatively new browser security space and its potential to disrupt the SASE and SSE markets. Evgeniy shares insights into the potential transformation of the cybersecurity landscape and predicts that endpoint solutions may incorporate isolation technology. The episode concludes with a preview of Evgeniy's upcoming session at the SecTor security conference in Toronto, where he will dive deeper into browser security isolation.

Overall, this episode offers valuable insights into the evolving world of browser security and its potential impact on cybersecurity practices. Listeners can expect an engaging conversation that combines technical knowledge with practical applications.

About Evgeniy's SecTor Session: There has been renewed hype about adding more security efforts around the browser. New security startups and the bigger players as well have been making the case that because browsing is such an inherent part of our work and personal lives, we should address phishing and other attacks there. After interviewing and analyzing the offerings of many providers, I will share my findings and perspective on the market. This session will go over key points on how such a technology might be used in your organization, the pitfalls and how it fits in with / competes with other product suites like SASE and EDR.

What you will learn:

- Use cases for browser isolation/enterprise browser

- ZTNA using browser isolation/enterprise browser

- Where browser isolation/enterprise browser fits in an environment

- Vendor landscape

- What we should expect in the next 12-18 months

____________________________

Resources

Browser Security / Isolation-101 (session): https://www.blackhat.com/sector/2023/briefings/schedule/#browser-security--isolation-101-34279

Learn more about SecTor 2023: https://www.blackhat.com/sector/2023/

Episode Transcription

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.

_________________________________________

[00:00:00] Sean Martin: Hello everybody, this is Sean Martin and you're very welcome to a new episode of Redefining Cyber Security here on the ITSP Magazine Podcast Network where I get to talk about all things cyber in business and I really like to focus on how to operationalize different things, uh, not just to play with cool tech, but to actually help the business protect itself and, and the revenue that it generates, hopefully.
 

And, uh, today's conversation, we're gonna be looking at browser isolation, browser security, and it's driven by, uh, a session at SecTor in Canada. Part of the, uh, they actually want me to say it's part of the Black Hat group of sessions or events, but then that's how I know it anyway. And, uh, there's a lot of cool topics.
 

I picked a few of them to, uh, to discuss. This is one of them. And I'm thrilled to have Jenny on, uh, today to help us understand a little bit more about browser security, browser isolation is, and how it fits into security programs. Um, Jenny, you've had a long history in this space. Um, maybe a few words about, about you, your role at Herjavec Group and, uh, other things you're up to, uh, that led you to this particular session.
 

[00:01:20] Evgeniy Kharam: So, first of all, thank you for inviting me to speak here today. Very pleasure to be here and talk about it. And I'm very happy that you're covering conferences in Toronto. I am a local Torontonian, so I live in Canada. We have several different conferences, but I do believe that Black Hat, used to be SecTor, is one of the bigger one in cyber in Toronto.
 

And I've been around for some time as well. I've been 17 years in Toronto. I used to live in Israel and work in a company called Check Point. This is where I started my cybersecurity career as a QA Firewall Analyst. Before Check Point, I spent five years in the Navy, where I learned a lot about IT, network, Linux, and quite a lot of basic things that right now I still believe are fundamental to become a very good cybersecurity professional person.

When I moved to Canada, I moved as a Check Point engineer, and I used to run around to installing Check Point firewalls. I moved up on the ranks, managed several teams in professional services, in network security, endpoint security, the initialization of cloud, SYN as well.
 

And when you. Run. And when you manage people in different spheres, you have to fix a lot of problems. Even with the firewalls, you always get blamed because the firewall, you probably guys change something. The firewall doesn't work. It's all you guys. So I ended up learning quite a lot about other systems. 
 

And when I started to manage the endpoint security team and the same team and network and IPSs, I ended up learning quite a lot about different, different technologies. And it moved me to architecture. I realize I like to connect the dots. I like to understand the bigger picture. And with my basic learning of how fundamental stuff works, it actually connected really well. 
 

Because I was able to talk about the overall design, and able to go down to bytes and bits to explain to the customer why they need to go this direction or this direction, for example. And, uh, I am a geek. I like technology. And I like it to learn new things and adapt. And it's part of cyber and how fast we are moving. 
 

You have to adapt and learn. So it served me well to always learning and always finding new things. I also spent a lot of time on the human aspect to do pre sales work for MSSPs and VARs and learn how it is to communicate with the customer. And I always used to tell the engineers in professional services that you cannot spend a week with a customer deploying firewall or antivirus and don't talk to them. 
 

You have to communicate with them. And if you become their friend, if you're actually going to be interested in what they do, then they will become your friend and they will be interested in what you do. And guess what? It's actually a win win situation. You're going to have a pleasant week. They're going to have a pleasant week. 
 

You will have a good implementation. They will want to learn. They will not bug you so much when you're done, because they like you now. So it's, it's very, very good. And I learn more and more about the human connection. And a bit became fascinated about the human connection to later on opening my own podcast with a friend and my own channel as well, talking a lot about soft skills and how to better connect to people. 
 

And also I'm a second time immigrant. I moved from USSR to Israel, then to Canada. So English is a third language. And as immigrants everywhere, we have accent. I used to speak really fast. Everybody always able to understand what I'm saying. So by having this better connection with these people, I think it's part of very important communication here right now. 
 

[00:05:10] Sean Martin: I love it, Vinyan. And it's, uh, it's interesting the, uh, the, the overlap in, uh, in career trajectory that we have. Uh, I too, QA engineering and I'm a geek and I'd like to look at stories. I mean, you can't do quality assurance without understanding the human end of things, right? The human story and tell those stories in a way that you're going to uncover where the flaws, where the gaps are. And obviously with QA, you're looking to find those and plug the gaps.
 

[00:05:42] Evgeniy Kharam: Once you're a QA engineer, you're always a QA engineer because you always find to find flaws. And it's like, stop, stop. You're not here to find problems. Just use the product. That's right.  
 

[00:05:53] Sean Martin: I also like to build, which is, uh, which is just fun in itself. 
 

And I find that sometimes I forget the QA part. It's just too fun to build. But anyway, we're not here to talk about me. We're here to talk about, uh, browser isolation and, um, and then eventually I want to come back to your, uh, your podcast as well to talk about those because I think those are cool. So why this topic at SecTor?
 

Why now?  
 

[00:06:20] Evgeniy Kharam: This is interesting. Because browser isolation, and I'll explain what it is, not everything. Yes, I still want people to come, to come to the session, is part of network security in my mind. Why? Because I'm browsing and I'm, packets are moving to the internet. And why right now is because for the last five years, we have so much digital transformation. 
 

We had so much movement to the internet, to SaaS applications, just because it needed to happen. And of course, because of COVID, people realize they cannot go and reboot a server in the middle of the COVID. And they also realize that I'm very, very big, um, kind of believer in this, that people need to focus on what the business does.
 

So if your business does pizza, go and focus on pizza making and don't focus on how the oven or the smart oven is working for you. Let somebody else figure out this part. You want to make good pizza. So by moving stuff to SaaS, by moving stuff to the cloud, we more and more touching the browser every day.
 

We less have applications, just fat applications on our, on our devices. Thick application, I used to call them as well. And we just use the browser. So the more we use the browser, the more is in the browser. This could be, if you can say, a choke point for us to provide security and provide the controls there, but there's a history. There's a long history how we came there. We definitely started a secure web gateway. So secure web gateway, and the people that have been around probably remember companies like Websense, changed name to Forcepoint, Blue Coat, one of the, probably the biggest ones that did a lot of work in security.

Over at Gateway and then of course move to Symantec and Broadcom. I'm not going to talk about Broadcom right now. But there's a lot of history there from security perspective, but also I guess privacy because URL filtering, one of the big starts of the secure web gateway and proxies, started with, I think it was around 2006, 2004, when the US government basically wanted to make sure kids and students in schools are learning and not going to a website we were not supposed to go during the school, like pornography and weapons and gambling.

This is where it started, but then it quickly adopted for malware, bad websites, spam. And we can talk about this for a long time. So if we take there from the secure web gateway and move it slowly up, we realize we can do better. Interestingly enough, Chrome runs on Chromium, and Chromium had a change in 2008, I believe, when they introduced the idea that every tab will have a different process running in your memory. So now have separation between the tab, isolation between the tab. And during this time, where the first isolation company started RBI, Remote Browser Isolation.
 

Manual was one, Fireglass was the second one. Well, you basically can browse. Still through the proxy, like a mini secure web gateway, but you're going to have a browser on the other side between you and the internet when you're basically going to render everything. And to simplify the stuff, you're going to get an HTML file, almost like a recording of where you're going. 
 

So if you went to a website that serves malware, nothing will get to you because everything pretty much gonna be like video recording, and I'm simplifying this stuff right now. Was the beginning of remote browser isolation with some of the issues, uh, of usability. And later on there was companies that tried to do the same on the endpoint, but they needed a lot of horsepower as well.
 

And we'll talk with this about the on the session as well, where we move all the way to the point when we knew the browser is the main focal point and we realized the laptops are quite powerful as well, so why not to apply the security right on the browser? Nothing remote, right on the browser. And it can be done, now we call it enterprise browser as well.
 

I call it secure browser, enterprise browser, depend how you want to look on this. Where I can do URL filtering, where I can do stop malware, where I can even control the extensions you have in the browser, locally on your browser. And I can do it with giving you a different browser, the Chrome, Chromium, or I can do it with the extension that you can deploy inside your browser that will do the same.
 

And every solution that we're speaking about has pros and cons. It's just the nature of life. We never have something perfect. But this is a very very high... I can pause  
 

[00:11:10] Sean Martin: you, because I know there are a lot of apps now that are essentially... Uh, uh, desktop shell with a, with a browser interface. So there, I don't know how that changes. 
 

[00:11:24] Evgeniy Kharam: Not just apps, our, our, our mobile devices. Yeah.  
 

[00:11:29] Sean Martin: So how does that, how does that change the picture you just described?  
 

[00:11:33] Evgeniy Kharam: So this is actually not going to change the picture for the apps yet. Because yeah, yeah. Still an app. We're basically saying. I can give you an extension to the browser using right now, or I can give you a browser that you're going to install the same going to install Word and Outlook, and you're going to use this browser. 
 

Now, you may say, all right, but Evgeniy, like, why would I use this browser? Like, who would have forced me? And yes, there's a way to force you. We can use MDM, mobile device management, or this is the interesting part. I can create dependencies. So let's say I want to hire Sean, and I think this is one of the very interesting and the easiest cases to use such technology right now.
 

I want to hire Sean to do some work on my database in my company. And I know I can provide you access through the browser. In the past, I may need to give you an IPSec VPN or SSL VPN, give you certificates, give you many things. Or depending on the size of the company, I may even ship you a laptop. So, Sean, here's the laptop. 
 

This is the only thing we can do. So I'm going to spend 500, 000, 2, 000, whatever the laptop people buy right now. In this case, I may tell you, Sean, go to this URL, download this browser, and I'm going to create a dependency that you can only use this browser to connect to my application to do the work. Now we'll know this. 
 

So even if I know your credentials and I have your MFA somehow, if I don't have the browser, I'm not able to do the work. So I'm creating other dependencies. And this is what I like. I don't want to go to talk about Zero Trust right now. I think it's a very popular topic. But I'm supporting the Zero Trust architectural framework. 
 

I'm not saying I'm the Zero Trust framework, but I'm supporting the idea that I know it's Sean. I know when Sean log in. To the point that if Sean wants to download a file, I say, no, no, no, Sean. If you download the file, it has to be encrypted. You're not going to get all the information you work on. Take it with you when you're done your work. 
 

[00:13:41] Sean Martin: So I love this. So let's, let's talk about, I'm going to come back to the management and operations in a minute, but let's talk about that user experience a little more. Um, and what are some of the policies that organizations can apply? You just described one in terms of like two, right? Access or not, and, and downloading files or not. 
 

Talk to me about the user experience there. What. What can we control? What can we enable? What can we enforce? What can we protect them from? I'm assuming there's a protection against malicious code and all the OWASP topics and stuff.  
 

[00:14:22] Evgeniy Kharam: So again, we can talk about all the three, you know, the remote browser isolation that probably right now mainly will be applied on top of your secure web gateway, that probably right now will be SASE or SSE platform and going to be basically a sliver of your platform. And the best use cases in my mind, I think majority of the vendors agree that this as well, is when you go to unknown websites, on uncategorized websites. We're going to enable the isolation part to make sure you're safe and nothing comes to you. So there's gonna be the main use case there.

With enterprise browsers, the extension, then it's going to be a bit different because now you're basically applying everything here and you don't have in many cases to use the secure gateway for this part. So I can tell which website you can or cannot visit like Facebook, for example, or other other sites. I can definitely scan for malware. I can understand URLs. I can control DLP, what you're uploading there as well, not just downloading. It's going to depend if I'm a contractor.
 

I'm working for the company with a bit different use cases. I can create dependencies when you log in to use AWS or when you log in to Google or how do you work there. I can, in some cases, have a watermark on the page. But if you take a screenshot, we'll know it's you because it's going to be, it's going to be there as well.
 

So it's coming very close to have a very similar controls to the traditional secure web gateway. And in some cases, it has functionality of remote VPN as well to the company right now.  
 

[00:16:09] Sean Martin: And I would imagine that, uh, as with most things where you're installing something new, that security focused performance is still, still an issue, right? 
 

Um, and there's always an exception, the exception to the rules too. So this is productivity.  
 

[00:16:28] Evgeniy Kharam: Go ahead. Yes. The companies that started with the browser, because if I put extension, that shouldn't be a lot of pressure, still doing some work, but people say, Oh, you're going to have a dedicated browser. It's probably going to be heavy. 
 

So they claim again, I'm not a vendor. I'm not creating this. I use some of them, which look okay, but I didn't really measure the performance with CPU measurement and memory. They say they actually remove a lot of things that Chrome have right now. Because Chrome has statistics, Chrome has other things, understand, user performance for themselves.

They remove all this stuff, similar to the manner when we used to buy Windows, and people still use actually, and they remove unnecessary services, or disable unnecessary services, especially on servers, because you don't need them to have a better performance. So the same... claim comes here, then because they remove whatever not needed, the browser is running faster.
 

[00:17:31] Sean Martin: And presumably safer, right? Yes. Reduce exposure and airport risk.  
 

[00:17:40] Evgeniy Kharam: There's a couple of points that are important here, and I think the extension one is quite an interesting one. Yeah, because right now, yeah, you can install any extension you want. And we know there were use cases where you extend, let's say you install an extension that show you the weather. 
 

Okay, great. You know, show me the weather. But then five days after you started collecting everything, you're basically going in the browsers. You don't know about that. So with such options, and I'm almost telling a lot of stuff I'm going to talk about in the session, so I don't know if I should though.
 

[00:18:12] Sean Martin: No, no. 
 

We want people to listen there. You can tease us though, for sure. Yeah,  
 

[00:18:16] Evgeniy Kharam: I can say no, no, no. Your extensions that show weather, that's it. You're not allowed to capture any information. No keystrokes, nothing. So I have more granular control there as well. Oh, and just the fact that whatever you download, it can be encrypted or not encrypted, is also very powerful.
 

There's a lot of small things that you can do with the browser and become much more creative on the part. If it's silver bullet, no, because you still need to, people use it, you still have several licenses and maybe people like Firefox. They're like, no, no, no, I'm not using Firefox anymore, I'm using this browser right now. 
 

But I love Firefox, but I'm using Linux, you know. So there is always going to be something that will not work as you expect it. But we expect it from pretty much anything in cyber security and vendor community.  
 

[00:19:07] Sean Martin: Always the exceptions, and I'll let your audience at SecTor ask that question. You can share your thoughts on the exceptions.
 

I want to get into, you touched on a little bit, kind of the infrastructure that exists pre browser, enterprise browser, and then post enterprise browser. So how does this change, and I'll kind of wrap it in one, share as much as you want, keep some for the session. Uh, as you like, how does this change the program security program overall? 
 

How does it change team structure and what they focus on, uh, other tech stack processes, something in things like vulnerability management, if it eliminates a lot of stuff, if you're pushing stuff through the browser instead of thick apps, or, um, it changes the way you define policies, which are more slim and consistent. 
 

You're thinking out loud here, but a couple of examples of impacts, uh,  
 

[00:20:05] Evgeniy Kharam: that people should be aware of. So, first of all, think about this. We're talking about a category or domain that literally didn't exist four years ago. Maybe five, I need to double check. But we asked, we had RBI before. We had extensions, kind of going to check the URLs, but that's it. 
 

But the entire market is so, so fresh. And why I'm saying this, I don't think everybody still understand how to use it and what to do with it. And similar to SASE and SSE, Secure Access Service Edge, that is relatively new as well. I feel there's going to be a bit of a transformation there, and some of the vendors are going to be acquired. 
 

Actually, we already have one vendor, Talon is being acquired by Palo Alto. I don't think it's fine. The deal is finalized, but at least LinkedIn tell us that they're planning to do this. We don't know for sure if it's going to happen, but probably. So going to be some changes there. And why I'm saying this because we are still not fully sure how it's going to change the entire dynamic in the company. 
 

What I'm thinking definitely going to change, and I'm big supporters there, is we're going to change the dynamic and the policies how you interact with third party contractors or temporary workers. Because now, I can definitely say, okay, here's the browser, this, this is how you work with me, and I feel less concerned about my data protection, how you access, or where you access, and if you are accessing.
 

Internally, if this is fully going to replace my secure web gateway, or it's going to augment my secure web gateway, we're not fully there. There are some use cases, and I think for small medium companies, it may be an easy way to go to actually use this technology and not buy a secure objective because if you don't have one, it will still not change how we do vulnerability management or it will still require us to have an EDR and EPP endpoint solutions on our devices.

And it is primarily technology for users. It means, it's not a technology that's going to protect my data center, or my database, just to explain. It's a corporate security for corporate users that work in a company, or people that need to do work for this company outside of the company.
 

[00:22:37] Sean Martin: It's a great, uh, great picture. You mentioned the market a couple of times, um, not necessarily looking for names, but, uh, kind of paint a picture of what this space looked like. You said around four or five years, I remember that it wasn't a market yet, but I remember banks hiring companies to build special browsers that they would deliver to their banking customers so that they could securely bank with them.

Basically one of these isolated secure browsers. That was maybe, I don't know, 10, 15 years ago. So the concept isn't new. The market is relatively new and I don't know which analyst kind of put it on the map as a category, but kind of paint.
 

Become an analyst now and paint the picture of what this space looks like and what people can expect to see when they start to poke around and look at it.  
 

[00:23:35] Evgeniy Kharam: Talking about the past, I think we didn't mention important part is like Citrix. Citrix, you know, people still have Citrix to remotely connect and do work. 
 

And as great as Citrix as it is, I think everybody you ask, it was like, yeah, it's slow. Yes, it's, it's a pain. Yes, it's not as a user friendly. It's not as just doing my work at home. So this is this part as well that exists. If I can paint a picture, it's an interesting picture because if we take to the account for the last seven years, we have more and more encrypted traffic.

Basically, we're talking about 98 percent of internet is encrypted when you browse HTTPS versus HTTP. It's mean is a bit harder or much harder to inspect the traffic in line with firewalls and secure web gateways. And if you're familiar with the idea of pin certificates, for example, where you cannot actually open the traffic, it creates another problem there.
 

And where I'm going with this, I'm kind of pushing the idea of controls and inspection to the endpoint before they get encrypted on the browser itself. So, I believe it's a supporting idea for the extensions and the enterprise browsers to do the inspection before the traffic gets encrypted right there.
 

And it's become a very complicated control with defense in depth with EDRs and endpoints. So my personal view if I were an analyst. And I'm not sure exactly if Palo Alto is an endpoint company or it's a network company because they're buying one of the first one, but I'll predict or I will predict that you will be able to see endpoint solutions have their isolation as part of their technology. 
 

Now, we had companies like this. We had Bromium in the past, acquired by HP, but they were too early and it wasn't user friendly and they tried to isolate and virtualize everything pretty much didn't really work well for them. But if I take the browser technology enterprise browser or the extension technology and pair it with EDR technology, then I have a much fuller stack for my endpoint.
 

So this is one of the predictions I see. I also see it may change the SASE and SSE space. Because if I can do URL filtering and DLP on the browser, where is my use cases for SASE and SSE? There are still use cases, but how am I going to use it?
 

[00:26:16] Sean Martin: I love it. And yeah, there's no question we're seeing a ton of convergence. 
 

Uh, I was just on with, uh, we just published the, uh, the conversation with, uh, Allie Mellen from Forrester talking about the, the SIEM space and the Splunk acquisition and kind of that consolidation where there's, again, endpoints, XDR combining with SIEM and SOAR and so there's convergence all up, up and down and down the stack.
 

And clearly this one touches the network as well. So super, super interesting. Um, your session, Jenny, is Browser Security Isolation 101. It's on Wednesday, the 25th of October at SecTor. And, uh, I mean, I could talk to you for hours about this, and I'm sure we could have a ton more, uh, use cases and scenarios, and I can poke at you, and you'd respond with some really cool stuff.
 

I'm gonna let the audience do that with you in Toronto. And, uh, Toronto, right? Yeah. Yeah. SecTor, of course.
 

[00:27:21] Evgeniy Kharam: And, uh... 10 a.m., right after the keynote. Yeah.
 

[00:27:24] Sean Martin: Perfect. Just right over there. And, uh, you're very welcome back to, uh, have a follow up conversation with, on this topic and perhaps share some, share some insights after you've spoken and, and heard, heard from the audience there and gotten the feedback. 
 

Um, before we wrap though, I want to give you a chance. You, you do two podcasts. I don't know if they're combined under one umbrella, but talk to me a little bit about. What you're doing there and some of the stories you're sharing.  
 

[00:27:52] Evgeniy Kharam: Definitely. Definitely. So the first podcast, Security Architecture, that you see near me is something me and Dimitri Reidman started three years ago.
 

And the idea was I basically, so, and I was in Herjavec Group that will sell a solution to a customer. I'll come back six months after and it's shelfware, you know, they deployed some and everything's still on the shelf. I was like, WTF, why it's happening? And I thought, again, again, again, like, why? So the idea, we'll start a podcast, we'll do a season on a topic, and our first season was Secure Web Gateway, and we'll create questions that are related to architecture, because I'm a fundamental architect, and Dmitry is a CTO of the company, we're basically a developer, so we'll combine our views.
 

And we're going to go to every vendor, not every, but majority of the vendors in the space and ask them the same questions. So it'll become an RFI, request for information, for customers that want to buy a solution. And it will be very interesting because each of these vendors will have to provide the same answers, sorry, the same questions.
 

Answers to the questions. So it was very, very interesting. The first season was one hour. We realized that one hour was too long. So we cut it to half an hour for Season 2. In Season 2, we went with the SASE, SSE approach and covered ZTNA, the Zero Trust Network Access. Or 15 vendors there, very, very interesting. 
 

I was very surprised to learn later on that some of the vendors included our material as part of onboarding. When people onboard to the set, to the companies, they need to watch the episode to understand how stuff works. Like, okay, we're doing something right. And, uh, later on learned that people actually watching the episodes when they need to choose the solutions. 
 

So like, okay, we're going to watch the meeting in the beginning. How they ask, what the answer is, and it will give us better tools to ask vendor the questions that they may not want to answer. So this was great as well. The same time, like we did four seasons right now, we started a new season about Cloud Security Synapse.
 

But some vendors asked us, Hey, I want to be on a show. Like, I don't know what to do with you. I don't have a season for you. So we did a couple of what we call launchpads. When we just cover a vendor, we'll create topics for this vendor particularly, and we answer this question. So we're a bit unique, because I don't think anybody wake up and like, Oh, I want to learn and understand how this works. 
 

It's basically you going to the podcast and looking for information when you actually need to solve this problem. So it's very, very interesting. Unfortunately, as you know, in our industry, people don't stay and write comments. When you meet people, they say, Oh, I watch you on Talbot. Okay, I didn't know this was happening. 
 

So this is the Security Architecture. It's very, very technical, very design oriented to connect the dots between marketing, architecture, and design. When I left Herjavec Group last year, I decided to start a different podcast called Cyber Inspiration, and it's now part of Security Architecture, and it's, I started videos like 20 episodes ago, so now there's videos there as well, if you want to watch.
 

And the idea was, and still is, understand the human aspect of the founder. Like, who are you? I want to buy this solution, but are you a good human person? What motivated you to start this company? How do you actually raise the money? So it's a business podcast, human oriented podcast as well, with a bit of a touch of technology.
 

We really don't talk about what the company does beside like a minute with the introduction, but it has to be a founder, by the way. They need to talk about when they come up with the idea. What they did later on, for example, who did they talk to? How did they realize that people are going to buy this solution? 
 

How did they raise money? How did they hire people? How did they build a culture? And how does it work with stress? How does it work with tasks? How does a black day look like? How do they come back from a stress black day? So it's a very different segment and a very different paint on people. And, uh, it's interesting.
 

I enjoyed the conversation and I think it's a must if you want to start a company, go listen to these people. I pick up so much that I didn't think about it. So many, I mean, good, good, good, good tips from different people.  
 

[00:32:21] Sean Martin: Lessons learned through others.  
 

[00:32:24] Evgeniy Kharam: Yes. Yeah. I did a marathon in April. I interviewed seven... Not marathon, probably sprint.
 

I interviewed seven of the RSA finalists. RSA Conference finalists for the Sandbox. It was a lot of fun, and then of course one of them won. But it was very interesting to understand their stories. Fresh companies, relatively new companies as well. I love it.
 

[00:32:48] Sean Martin: And I find, uh, having those conversations, uh, we get to have some with vendors as well. 
 

Kind of to your point earlier of staying up to date on everything. I mean, there's so much change, so much, uh, innovation. Um, staying connected to the community and the vendors and the practitioners and the security leaders keeps, at least for me, keeps my brain fresh with some of the latest stuff going on. 
 

Um, I can't always dig as deep as I'd like. So, I don't feed the pure geek in me as much as... maybe I, I'd like to, but, uh, and have a nice broad view of a lot of things going on. And I think that's important in this space for sure.
 

[00:33:31] Evgeniy Kharam: It is time consuming and yet this is not my main job. My main job, I do in consulting right now to Fars, MSSPs and some vendors. 
 

So it's happened to connect to cool people and learn what they do as well to figure out if there's synergy between us.  
 

[00:33:48] Sean Martin: Perfect. Well, Jenny, it's been, uh, it's been great chatting with you. I'm glad we finally got to meet after all this time. Who knows where we were hanging out and hiding out from each other. 
 

But, uh, here we are, we made it tonight. I suspect we'll connect again on another episode. I have a feeling as well. In the meantime, uh, Wednesday, October 25th, 2015. SecTor in Toronto. Black Hat Events. Informa. Go check it out. Connect with Jenny there, and, uh, learn about browser isolation. Dig deeper than we did today.
 

But I appreciate you sharing what you did today. And my main objective is to get people to learn and think. I'm sure we did that today. So thanks a million. Thank you everyone. And be sure to check the show notes. We'll connect you to Jenny there. And any resources you think are, uh, useful for this conversation.
 

Of course, the link to a session. I just lost my video. So I'm going to keep talking. Uh, thanks everybody for listening. Be sure to share, subscribe, and we'll catch you on the next one.