How to work in cloud security

On today's podcast, Menachem Shafran of XM Cyber talks about cloud security. Menachem tells us about the work of project manager and product manager, how the haste to migrate to the cloud can unnecessarily leave vulnerabilities wide open and why a cloud security expert also needs to be a good storyteller. 

  • 0:00 - Intro
  • 2:40 - Getting into cybersecurity
  • 5:47 - Project manager in cybersecurity
  • 9:12 - Identifying pain points
  • 10:24 - Working as a VP of product
  • 14:09 - Data breaches
  • 16:30 - Critical versus non-critical data breaches
  • 18:19 - Attacker's market
  • 19:38 - How do we secure the cloud?
  • 22:45 - A safer cycle of teams
  • 24:40 - How to implement cybersecurity changes
  • 28:50 - How to work in cloud security
  • 30:48 - A good cloud security resume
  • 33:02 - Work from home and cloud security
  • 34:30 - XM Cyber's services
  • 37:21 - Learn more about Menachem
  • 38:00 - Outro

[00:00:01] Chris Sienko: Today on Cyber Work, I speak with XM Cyber’s Menachem Shafran about cloud security. Menachem tells us about the work of project manager and product manager within a cybersecurity space, how the haste to migrate to the cloud can unnecessarily leave vulnerabilities wide open and why a cloud security expert also needs to be a good storyteller. That’s all on today’s episode of Cyber Work.

[00:00:28] CS: Welcome to this week’s episode of the Cyber Work with InfoSec podcast. Each week, we talk with a different industry thought leader about cybersecurity trends, the way those trends affect the work of InfoSec professionals and offer tips for breaking in or moving up the ladder in the cybersecurity industry. Menachem Shafran is VP of Product for XM Cyber, the multi award-winning leader in cyber-attack path management. He has more than 15 years of experience in product management and cybersecurity, and has managed complex products ranging from cybersecurity and homeland security to DevOps automation and mobile applications. Prior to his roles in product management, Menachem served for five years in the IDF’s Elite Intelligence Unit 8200, where he served both as a researcher and as a team leader.

Today, our main topic is we’re going to talk about the cloud, specifically securing the right parts of the cloud and even more specifically, the fact that there isn’t much consensus on how to secure the cloud. I’m sure we will solve it all at the end of this hour. Menachem, thank you for joining us. Welcome to Cyber Work.

[00:01:33] Menachem Shafran: Thank you. Thank you for having me.

[00:01:36] CS: I always like to get a sense of our guest’s passion. I would like to ask, where did you get first interested in computers and tech? When did you also get first interested in cybersecurity? What was the initial attraction? I know, your college degrees were in mathematics and music, but were you also working with computers and such at the time?

[00:01:56] MS: Actually, the beginning of my interest in computers, and networks actually came as a child. I think that was seventh grade or so. My dad was also a computer geek. We had internet at home, we had dial ups and he used to talk to me and explain about when he was younger, there was the blue box, and phone, and hacking phone systems and things of that nature that used to be in the past. I don’t know if any of the listeners still know what we’re talking about.

[00:02:36] CS: The time of phone phreaking or?

[00:02:38] MS: Yep.

[00:02:39] CS: Okay. Yeah. I read about it, yeah.

[00:02:40] MS: That’s old.

[00:02:42] CS: That’s old school, yeah.

[00:02:45] MS: He used to talk about that and I used to be excited. We had a computer at home, and we started to – and I was starting to play around and see what I can do. I remember that when I was in around seventh grade, my mother used to work in the NIH, the National Institute of Health. When she was there, I remember that during the weekends, my dad used to say, “We can go to mom’s office. There is a T3 connection over there.” Basically, that’s 34 megabits. That sounds so –

[00:03:21] CS: As fast as it – yeah. Oh, yeah. At that time, that was lightning quick.

[00:03:25] MS: That was lightning and I was like excited. I can go and I can browse the internet. You click on a page and it actually loads. That was –

[00:03:33] CS: I remember that, yeah. When you have dial ups, that’s super exciting. Really, I think on those days, I really started to get into computers, and into networking, and working with my dad setting up their home network, and things of that nature, which was really, really cool. All the way until I actually reached the age of 18 when I finished high school, and then I went to the military service now. In the military service, they’re coming in and actually giving you different types of exams and trying to figure out where they’re going to place you, if you’re going to be in a combat unit or if you’re going to be in a tech unit. I came in and they started asking me and I said, “Oh, yeah. I know I’m using –” [inaudible 00:04:14] and different types. I understand you know a little bit about networking and so forth. That’s how eventually I rolled up into 8200, where I really got into different types of advanced networking and what today we call cybersecurity. Really, that’s kind of how I started in cybersecurity and in tech way before my college degree, which came up only later.

[00:04:44] CS: Yeah. I believe you’re not our first guest that got their start in tech through their military service in Israel. That’s pretty cool. That seems to be a very common pathway and a very good one for that matter. One of the things that I mentioned or that I noted in your education and so forth when you were with the Israeli Defense Force is that, you did work as a project manager. Project manager is one of those within a cybersecurity sphere, is one of those career paths that not every cybersecurity aspiring thinks of, but can you talk about your work as a PM at this time and how it fed into the type of security and product management work you did in future positions?

[00:05:25] MS: So yeah, I’ll separate it into two parts. In the military, some of the stuff that we did, I was doing different types of project management. Really, project management is trying to figure out how you actually create, sometimes it’s a product, sometimes it’s trying to adopt a new platform, a new system. It’s really a great way to actually learn about both – seeing the technology part, but also working on how you actually create it into process in the organization. I think it’s really a good and great way, because you can – when you’re looking at how you start in cybersecurity, so many people start as SOC analyst and things of that nature. But really, coming and saying, “I’m going to help adopt new EDR in the company” and it’s a process. You both need to understand very well how the EDR is working. You need to understand how to orchestrate the different phases in the company, and really create a process that will drive that.

Definitely, project management is a great way to expand, and learn and get into various places in cybersecurity and in tech in general. I think that from that, I’ve actually pivoted into product management, which, in those days, product management was a bit more vague than it is today. Today, a lot of the people I speak to are, “I’m a product manager” or “I want to be a product manager.” I remember when I came out of the military, I said, “Well, the specific type of security things that I’ve done in the military are not things that I think exist in the civilian world.” Then I was trying to figure out. Okay. I don’t want to be a developer. I’m not a QA person. I’m not a sales person. What else is there in the industry to do? Then I got offered – I got approached by a company through a friend, and they said, “You want to be a product manager?” I’ve asked, “What is a product manager? What do you do?” I figured out, it’s similar to a bit of project management, but a lot more about understanding customer needs, and connecting them and really taking and connecting the technology part to the business or to the customer needs.

That’s really interesting, because that’s something that really, I think, in the core of almost every position in cybersecurity, that what helps you drive excellence. I mean, if you’re coming and not just looking at it from a technology perspective, but also understanding the people in the processes in the organization. Kind of like a weird way to get product management and –

[00:08:08] CS: Yeah. That’s good. I was going to ask you about the distinction. I’m glad you jumped right into it. You’re saying basically like you’ll have this product that you are sort of overseeing, that you know inside and out, backwards and forwards, and then you talk with clients and they said, “Well, how do we integrate it in this way?” or “How do we make it work for this specialized department that doesn’t necessarily use it in a conventional way?” and you sort of find solutions for them? Am I on the right track?

[00:08:35] MS: You’re basically trying to find solutions, but really, in many cases, it starts from identifying the real pain points. Now, in many cases, people are coming and telling you, “Well, I need the product to also do A, B, and C.” One of the key things that a product manager is doing is trying to understand okay, so what are you actually trying to solve? I mean, it’s not necessarily –

[00:09:00] CS: Just plug it in and it tells you what you need to know, right?

[00:09:03] MS: That’s the idea. That’s what product managers do, is they try to understand the pain points of the customers, and really direct the development of the product, so that you will be able to fulfill those to the best way.

[00:09:20] CS: Okay. To that end, what is your average workday like as VP of Product for XM Cyber? Are there certain tasks that you’re always working on? How much time is split between working with clients and working with tech and teams?

[00:09:33] MS: So really, I would say that as a VP of Product today, I’m working a lot more with the customers. But not just with the actual customers, we’re also speaking with the customer success team, with the sales dealing, with different prospects with industry analysts, speaking with Gartner. I think that would basically consume, I would say, 60% of my time today. The rest of the time is actually speaking either with my team members that are – making sure that we’re all aligned, and we understand and we agree to the vision of where we want to take the product. With the technology folks with the R&D in order to make sure that they’re actually building it in the right way. Or sometimes they’ll come and tell you, “Well, I can’t do it this way. But perhaps, you know, we can do it a little bit different.” R&D folks are usually very, very smart guys. If you actually help them understand what is the problem that they’re trying to solve, sometimes they’ll surprise you with ideas of how to actually solve it in a way, in a smarter way.

It’s great to also listen, and not just trying to explain to them, “Okay. This is what the customer needs,” but listening to them and feeling what they actually – what are their ideas of how to solve the problems.

[00:10:49] CS: Okay. You’re still doing a little bit of project management in that regard? Like you’re still sort of organizing the process of updating and improving and so forth? Is that right?

[00:11:02] MS: Yeah.

[00:11:02] CS: It takes a [inaudible 00:11:02].

[00:11:03] MS: Obviously, it’s less and less that I’m actually writing specs, and designing and stuff like that. But I’m always trying to make sure that I’m still both doing that at least a little bit, that some of the features are more than designing them, and that I’ll actually do the full process in order to not lose the touch. But yeah, but more and more, you’re speaking with the customers, with the customer success team and trying to understand the pain points that they’re having.

[00:11:35] CS: Yeah. Now, do you feel that you have to keep up with the technology, just in the greater world to sort of make sure that you’re – that you guys are implementing the correct solutions to whatever products that you’re working in?

[00:11:52] MS: I’m wondering if it’s a question that if you ask someone that is passionate about tech and cybersecurity does not tell you, part of what I do all the time is making sure that I’m keeping up to date.

[00:12:05] CS: Learning more, yeah.

[00:12:06] MS: And learning more. Really, I think that’s the essence of – one of the nice things that I like about this industry, about the tech industry in general and cybersecurity is the fact that it’s always changing, and you always need to learn and understand to make sure that you’re up to date. As a product manager for cybersecurity, you need to – I read all the time blogs, and things about attack techniques, about different – what was released in the latest Black Hat, different vulnerabilities, incidents that are happening. But also, what’s in the market, what are the solutions there are reading reports by analysts in the industry, keeping a track what are the different solutions that customers have. So you won’t be surprised by understanding, “Oh! There is a new company that is doing something that can solve and help. Maybe we can collaborate, maybe we can do something together.” Definitely, all the time, reading and learning is a major process that we do.

[00:13:05] CS: Absolutely. I just want to make sure. I figured as much, but I wanted to hear it from you. As I said at the top of the show, our main topic today is cloud security. Some supplemental research you sent along, June 2021 study by the International Data Corporation or IDC, noted that of the companies they surveyed, a whopping 98% had been hit by a data breach. I mean, this is a staggering number. Can you help break down what this actually means in a practical way?

[00:13:32] MS: I’ll separate that into two parts. First, we’re always seeing reports in the industry coming out about different types of statistics and what they’re actually seeing. This is great because it helps us share knowledge and learn, but you always need to actually look and try to understand how to actually interpret the data, where the data is actually coming from. It’s important to look if that survey is a questionnaire that someone that you’ve asked 200, 300, 400, 500 CISOs that are super busy, and are basically trying to, “Okay. Let’s answer this question A, B, C. Yeah.” Then you need to understand, obviously, they’re not lying, but they’re – but you need to understand that there –

[00:14:22] CS: But there’s nuance, yeah.

[00:14:22] MS: They’re interpreting questions, and there is nuances and they’re trying to figure out. Versus places that are putting up a research, or a report that is coming out based on incident response statistic that they’re doing. If we take for example, the Verizon data breach investigation report, they’re actually documenting how many incidents we got reported from such and such that happened. Trying to work more. Now, both have places in the industry and both bring value, but you need to understand the nuances in order to understand how to interpret the data. If I’m not mistaken, that IDC survey is a questionnaire that they’ve sent to 200 leading CISOs. Then, I’m trying to think about it and feeling – obviously, no one is actually – if 98% of those CISOs had a major cloud data breach, that’s probably what we’re going to hear out in the news all day long. This company was breached. This company was breached.

[00:15:28] CS: If 98% of companies suffered a critical data breach, I think the entire industry would be in freefall. Can you explain a bit about the difference between these critical and non-critical data breaches? I mean, what are they reporting that is not – we got completely ransomware, and completely hacked, completely invaded, whatever. What are these lower-level ones like? What are they seeing?

[00:15:54] MS: Basically, we need to understand that attackers are constantly attacking organizations. In many cases, it’s even automated processes that are trying to gain initial foothold. There is a continuous process of cleaning out your environment from all of those different incidents. My assumption, because obviously, I’m – I don’t know what went in the head of someone that chose that answer, is that they’re referring to the fact that they had different incidents of someone getting some foothold into their cloud environment, which makes sense, because there’s so many places to make mistakes. But it doesn’t mean that that someone was able to actually get to the critical assets, to the PCI data, to personal health data or whatever. Steal that, or damage that or whatever.

We need to make a difference between incidents that are happening every day. We need to agree that that’s part of life. It’s always happening. Obviously, we need to try and make sure that they’re less and less, but that’s part of life. Critical data breaches, that are basically an attacker being able to reach the PCI data and steal credit card numbers. That’s the thing.

[00:17:16] CS: Yeah. We had a previous guest talk about how there are certain sort of attack groups that don’t even actively exploit vulnerabilities, but they’ll just compile vulnerabilities in major companies, and then sort of sell the list on the dark web and say, if you’re interested in going after this company, or that company, we found this, this and this or whatever. I think there’s so many things. I mean, just because someone got in there doesn’t mean anyone can actually do anything with it, right?

[00:17:44] MS: Yep. It’s really – it’s interesting to see how the market, the attackers market is evolving in that aspect. You can see ransom, if you’re looking at ransomware. We have ransomware as a service. People are telling you, you will give us the initial foothold. We are going to outsource. They’re getting the initial foothold. We’ll do the entire operation, finding new path and getting to the critical assets, and encrypting and demanding the ransom. And we’ll give you a revenue share because you gave us the initial foothold. They’re understanding that that’s something that happens. The main capability is actually the insight, pivoting, and reaching and finding the critical assets in that part.

[00:18:30] CS: Escalating, yeah. In our introduction to this episode, when we were talking beforehand, your colleague at XM Cyber, [inaudible 00:18:39] said that this problem will only increase because, “Nobody is completely sure how to secure the cloud.” Can you talk more about this? What are some of the major mistakes you see with companies who are trying to secure their assets on the cloud? What in your mind is a more secure way to do things that’s not being done now?

[00:18:57] MS: I think, when we’re talking and saying that people are not sure how to secure the cloud, I think the first thing is a knowledge gap. Both about how the cloud actually works. For many people, that’s – it’s so new. They don’t understand what’s the differences? Are those just servers in the cloud or what else is –

[00:19:16] CS: Yeah. Difference from our backup tapes in our office and things like that. Yeah.

[00:19:20] MS: Which they’re not. There’s a lot more possibilities. Both make things more secure, but also to make more mistakes. Also, the flexibility and the ease that the cloud is actually bringing is creating a situation that in many cases, security folks just don’t know exactly what are they trying to protect. We’re not trying to protect everything in the cloud. It’s not – it’s not all the same. In many cases, the security team are coming late to the game, where the R&D are moving things to the cloud, moving things fast. In many cases, when you’re moving things fast, what do you want to do? You want to make sure that it works. You want to make sure that it works. How do you make sure that it works? You give it just more permissions.

[00:20:04] CS: Yep. More accessible to everybody. Yeah.

[00:20:07] MS: If we’ll just give right access to everyone on that, it will work. I’m sure that you remember installing, I don’t know, some solution with a database in the ‘90s or in the early 2000. You were like, figuring out what permissions do they need to do? Does the program need to? Does the web server need to damage the SQL database? Maybe I’ll just give it everything.

[00:20:33] CS: You just throw [inaudible 00:20:33]. Right.

[00:20:35] MS: That’s exactly what’s happening. Again, now, in the cloud, people want to move services quickly to the cloud. They want to do a lift and shift. Then they’re giving excessive permissions. In the cloud, everything is identities basically. You give – there is a [inaudible 00:20:54], it’s attached to a role. What are the permissions? If you give it permission to do pretty much everything, then the risk from that machine is also escalating. That’s one of the things. Basically, I think that people, the security people, they either – they don’t know what they want to secure. Then they’re coming and facing with the situation where the R&D are already moving things to the cloud. Now, they need to chase and try to say, “Okay. Do you actually need those permissions? Is it something that is needed?” Obviously, the answer will be, “Yeah. Of course, they need that permission.” It needed to work. I was trying to make sure that things work and that’s how it works.

[00:21:39] CS: It seems like a good first step would be to just sort of – sort of flip the roles and start with security, sort of doing a check of what’s going to be migrated to the cloud, and then making sort of recommendations to R&D before they even begin. I mean, obviously, not everyone’s like super stoked on that. But can sort of walk me through like a flowchart of what you think would be like a safer sort of cycle of teams?

[00:22:08] MS: Yeah. Ideally, you have the security people and you decide who are the people that are going to work on cloud security and you’re going to give them a little bit of training. Then they’re going to create guidance, and they’re going to work with people. I think it is not an ideal world, and in many cases, R&D are going to run and IT are going to start moving things to the cloud. For that, we need to understand that there are tools that the cloud providers are creating in order to help us identify and make sure that we’re trying to make things more secure. Obviously, ideally, you first come to the security, they will tell you exactly what you need to know, you’ll build it securely. It’s actually happening. I’ve spoken with a customer of ours a few weeks ago, he mentioned that they had a messy cloud account, that basically worked the way R&D were moving things to the cloud. They decided, “You know what, we’re going to do it fresh, we’re going to do new. We’re opening a new account, open everything you want to move, we’re going to make sure that you’re doing it correctly.” Now, they’re in the process of remigrating to the cloud, basically. Those things happen, but obviously, that’s a lot of effort. In many places, you got to need to chase the R&D and see how you identify and fix things afterwards.

[00:23:35] CS: Yeah, that leads nicely into my next question, which, I think one of the things, R&D and others are going to push back on is that, making changes like these probably require a significant amount of resources, and money, time, and intention, and maybe even downtime of your system. What kind of downtime can one expect when making these kinds of security changes? How do you make the board or C-suite understand the future benefits of sort of being safe up front, even if it means a little more hassle, or a little more resources, or a little more work, or even a little less value?

[00:24:08] MS: I’m not sure that necessarily you’re going to have no downtime, systems not working. Do things correctly, you can migrate. They’re wonderful technologies today. You have blue-green deployments. You can make sure that you move things slowly. But it is definitely a lot of effort that you need to invest in order to actually analyze and do things correctly. Now, I would separate it into two parts. First, you want to make sure what you’re protecting are the important stuff, and not just everything that you can. Not everything is created equal in our IT infrastructure. You want to focus on how to make sure that the critical aspects are more secure. Obviously, there is an entire process of how do you go about identifying what’s important for the business.

Once you have that and you’re working in a more focused manner, then it is easier to actually help by explaining what are the implications of the changes that you want to make. Why do you want to make those changes? You mentioned explaining to the C-suite, and selling it to the C level. Basically, if you’re coming and giving them numbers, I’ve seen CISOs that present to management and they’re saying, “Yeah, we have a dashboard showing how many vulnerabilities, critical vulnerabilities we have, and how wide is the EDR deployed” and things of that nature. Really, that’s data.

If you’re starting and telling them, we actually want to invest and make those changes, because we’ve seen that it’s not that hard to actually – if someone gain access to whatever, it’s not hard for an attacker to pivot and get to the credit card data, or to our manufacturing platform, or something that they care about from the business. The more you turn it into something that they can relate to, and they can understand and you create a story around it, the easier it is to sell. It’s not just for the C level. Even if you’re coming to IT and telling them, “I need you to apply a patch” and they’ll tell you, “Yeah. We’ll do it when we get the time.”

But if you actually explain that you need to understand that, that patch will basically make sure that that server will not be able – you won’t be able to exploit and from that server, there are very strong credentials that would pivot the way to someone to compromise the entire network. Now they realize and they say, “Oh! That is important. I am going to do it.”

[00:26:42] CS: Priority. Yeah.

[00:26:43] MS: Exactly. Really talking, and explaining, and not just giving – this is the things that needs to happen really helps promote those things.

[00:26:53] CS: Yeah. Well, also, it comes down to sort of taking a breath rather than going for speed. I mean, we had cloud people in past saying, “If you’re not migrated to the cloud, or migrating to the cloud, now you’re 10 steps behind.” I think there’s a lot of that sort of ingrained fear of being left behind and getting things going too quickly. I guess, rather than downtime, it sounds like more – rather than everyone saying, “Okay. We got to do this right now, right now, right now.” Then just take a deep breath and sort of start your plan a little quicker, rather than worry about, “We have to have it done by X date.” Maybe push that a week ahead and say, “If we front load this a week early, it’s going to be a lot safer in the end.”

[00:27:43] MS: Definitely.

[00:27:44] CS: Okay. Now, this is obviously the Cyber Work podcast. We like to whatever we’re talking about, we also want to talk about the business value of it. For our listeners who are currently on their cybersecurity journeys early on, building their skills for future career, what types of activities, accomplishments, reading education do they need to work in cloud security in 2021 and beyond?

[00:28:09] MS: I think first thing is, they need to learn and try to understand about the cloud and how it works. Generally, you’re not just learning about security, you’re learning about IT. Think about it. If we compare it to 20 years ago, people used to learn about networking, and then they learn about security. It goes hand in hand. You need to learn about all the benefits and different offerings and how the cloud is behaving differently. Then you really need to start following what’s happening in the industry. Following what’s happening in industry is listening to podcasts such as Cyber Work. It is about reading blogs, going on Twitter. It’s amazing how much talks the security industry is doing on Twitter and how much you can actually learn and follow and really be passionate about, about learning the skills, the capabilities, the attack techniques that are happening.

Now, it’s not necessarily that you need to do that. Everyone that wants to go into cloud security needs to actually be a reverse engineering that understand exactly all the bits and pieces of every attack. But you can understand the story, you can understand what is happening, the different techniques, what attackers are actually targeting and how it relates to the technology and differences in the cloud. That’s I think one thing that people need to understand, the continuous learning that they need to do in educating themselves. That’s what I would say.

[00:29:45] CS: Speaking as someone who – I’m assuming hires people to do this sort of work. If you wanted to hire someone to work alongside you or beneath you, what would you absolutely need to see in their cover letter, on their resume, in their CV, whatever that sort of showed off the things they could do or the interest subsections that drive them?

[00:30:07] MS: Obviously, it depends to what position I’m recruiting. But definitely, you want people that have passionate, that are passionate about what they do. You want people that they can learn, and they can be flexible. You need people and it’s something that we don’t put enough emphasis upon, can try to actually understand that, in the end, it’s people that we’re working with, not just technology. You might be the most educated person about cybersecurity or be the best, whatever. The best product – well, the product manager, it’s going to be hard if you don’t understand how to work with people.

Be technically very, very strong, but you need to understand that you need to actually create processes. You speak with CISOs, and they tell you, “Well, obviously, I can try to fight my way” and say, “Well, we need to do A, B and C and change.” But if you come in and understand that you’re working with people, and you understand how to create the process and build, build the credit, and the credibility so that people will want to work and want to make the changes, just like what we mentioned about the vulnerability and asking the IT to patch it. If you’re coming and telling, those are the list of vulnerabilities you need to patch. That’s not going to work. I’m going to look for someone that can actually work and understand and relate to people. Those soft skills are I think, very, very centralized when looking into hiring.

[00:31:36] CS: Yeah. I hear that a lot that the importance of storytelling, and I think you’ve illustrated that really well. I’m not just telling you to download this critical patch. I’m saying, by doing this, you shut down these particular threat areas and so forth. Not everyone has that, but everyone could strengthen that aspect of their work.

[00:31:57] MS: Yeah. It’s a skill.

[00:32:00] CS: Looking towards the future, how if at all has cloud security changed with the increasing factorization of the workspace due to what is looking to be at least a measure of permanent work from home going forward in the future?

[00:32:13] MS: I think that work from home – I’m not sure that, for the cloud, it didn’t really change significantly the way that people are working in the cloud. Because, again, if you’re working from the office or if you’re working from home, the cloud is not even –

[00:32:31] CS: The cloud is there either way, yeah.

[00:32:32] MS: It’s there either way.

[00:32:34] CS: There’s more input though, right?

[00:32:37] MS: There is an acceleration of moving to the cloud. People are saying, “Okay. I’m already working from home.” Instead of investing in more VPNs, and in my data center and things, we’ll just shift things to the cloud faster. I think that’s really what we’ve seen that work from home, it helped create more – help people – they needed to choose. Do I want to invest more in VPNs or do I want to accelerate my moving to the cloud? Obviously, they’re looking forward. They said, “Let’s accelerate my moving to the cloud,” and now we have more SaaS products, you have more cloud capabilities that you’re using. Really, I think that’s how we’ve seen that work from home accelerated the digital transformation of the moving to the cloud.

[00:33:25] CS: Okay. That’s a great answer. I want to wrap up today, thank you again, for your time. As we wrap up, tell us about XM Cyber and what services you offer to your customer.

[00:33:36] MS: Okay. Excellent. XM Cyber is an attack path management platform. So basically, what it means is that we actually build. You can think about it as, we generate this big graph of potential attack of how an attacker can pivot from different initial footholds that we talked about that exist all the time, towards the critical assets. In that way, you can actually start measuring and doing this storytelling that we talked about of, okay, how can an attacker and how hard it will be for him to reach the SAP servers or to reach the personal data that we have and things of that nature.

Then we’re doing it both in on-prem and enterprise environments, but also in cloud environments. Also, which is quite interesting in between, in the hybrid place, so we can actually – it’s really interesting to see how you can actually see an attack path going from a random workstation, pivoting in the enterprise in the on-prem network until they found access keys to AWS. Then pivoting to the cloud and so forth. Really, I think that, in many cases, attacks on cloud environments are actually starting from the on-prem, starting from – phishing is still the number one way that people get into organizations, and then they work their way until they reach someone from DevOps, got access keys.

Now, they’re entering the cloud and trying to escalate their privileges. Really, that’s what XM Cyber is actually bringing to the table, looking at it from the attacker’s perspective, building this graph of how the attacker can feel it. With that, you can both estimate the risk, but also prioritize your remediation efforts and making sure that you are continuously improving your security posture.

[00:35:25] CS: Yeah. I’m imagining it in my head. I’m seeing something like a ventilation system or something. It’s like, if the attacker comes in here, they can only get so far before they hit a dead end or something.

[00:35:35] MS: Yeah. Really, that’s one of the – it’s interesting, because you can actually try to see how in many cases, sometimes there is something that would look like a very, very critical risk. But in the end, there’s a critical vulnerability and everybody’s talking about – I don’t know, PrintNightmare. But on a specific machine, PrintNightmare, not necessarily might actually be able to allow to help the attacker pivot towards the critical assets. That’s important in that case. On the other hand, you might see another issue that will give you a root user, or domain admin or whatever. It’s very interesting to see how – when you’re looking at it in a bigger picture, you can understand priorities better.

[00:36:18] CS: Interesting. All right. One last question. If our listeners want to learn more about Menachem Shafran or XM Cyber, where can they go online?

[00:36:26] MS: Obviously, XM Cyber, there’s a website and there’s a newsletter that we’re sending out about new blogs that our research teams is publishing and things of that nature. Me personally, I have a Twitter account that I need to be more active. I’m usually reading a lot and less writing, but definitely my Twitter or LinkedIn. I’ll be happy to discuss with people about cybersecurity issues and their challenges.

[00:36:58] CS: Awesome. Well, Menachem, thank you for joining us today. I really appreciate talking to you.

[00:37:02] MS: Thank you.

[00:37:04] CS: As always, thank you to everyone who is listening, watching and supporting the show. New episodes of the Cyber Work podcast are available every Monday at 1:00 PM Central both on video at our YouTube page, and on audio wherever you find podcasts are downloaded.

I’m excited to announce that our Infosec Skills platform will be releasing a new challenge every month with three hands-on labs to put your cyber skills to the test. Each month, you’ll build new skills ranging from secure coding, to penetration testing, to advanced persistent threats and everything in between. Plus, we’re giving away more than $1,000 worth of prizes each month. Go to and get started right now.

Thank you once again to Menachem Shafran and thank you all so much for watching and listening. We will speak to you next week.
