Cracking The Code Ep. 19: The CyberHealth™ Platform

Is your Cloud Security Posture Management (CSPM) solution tailored to meet the unique needs of your healthcare organization?

On the latest episode of Cracking the Code, Chris Bowen, ClearDATA’s Founder & CISO, dives into a conversation with Jim Ducharme, ClearDATA’s CTO, about our specialized CSPM software purpose-built for healthcare.

At ClearDATA, we’re dedicated to fostering your business growth while ensuring a secure cloud environment for your healthcare operations. Let us handle the heavy lifting of security and compliance in the cloud, so you can concentrate on expanding your business and driving innovation in healthcare.

Transcript

Cracking the Code Episode 19

0:06
Hello everyone.

0:07
We are here to film another Cracking the Code.

0:10
If you haven’t watched episodes 16 and 18 of Cracking the Code yet, we review a couple of topics there that are really going to be helpful for this one.

0:18
So here with me today I have Jim Ducharme, ClearData’s CTO, and Chris Bowen, ClearData’s Founder and CISO, to discuss the CyberHealth platform.

0:27
The first and only CSPM software purpose-built to help protect PHI and sensitive healthcare data in the three major public clouds.

0:34
So without further ado, I am going to hand it over to Chris and Jim to deep dive into the CyberHealth platform.

0:41
Thank you, Natalie.

0:42
It’s great to be here today and excited to talk a little bit more about our platform.

0:48
Jim, we’ve been working on all kinds of things since the last time we spoke, since the last time we appeared here on Cracking the Code. What’s kind of excited you in the past, you know, four weeks or so in terms of what you’re working on?

1:03
Yeah.

1:04
So we just recently launched our latest version of the CyberHealth platform, and, you know, a bunch of new features around sensitive data governance management, a new resource viewer to help you prioritize some of the risks that appear in your environment, and all new ways to explore our safeguards and use our safeguards in your environment as well.

1:28
So really exciting to launch our latest edition of the CyberHealth platform and watch our customers adopt and get even more value out of our platform and our services.

1:39
You know, speaking about sensitive data governance, it took us a while to name that.

1:43
By the way, that was fun.

1:47
I was talking to a customer just a couple of days ago, and one of the Directors of Governance, Risk and Compliance, when I talked a little bit about sensitive data governance, she kind of got all excited about it, hey, oh my gosh. Jim, tell us a little bit more about sensitive data governance in terms of how a customer can benefit from that.

2:06
Yeah, so, you know, Chris, we have hundreds of healthcare customers, right.

2:09
And our mission for ClearData is to help those healthcare customers protect PHI in the cloud, right.

2:15
So as we were thinking about the evolution of the CyberHealth platform, I said, look, we’ve got to add, we need more cowbell, we need more thought around where PHI exists, where it doesn’t, and really helping make sure that everything that we do at ClearData, from our platform to our services, is focused on protecting PHI.

2:39
It’s one of the things that makes us unique as a compliance and security vendor: we’re hyper-focused on the healthcare market, it’s all we do, and the biggest crown jewel in the healthcare market is that PHI data. It’s why those hundreds of customers rely upon us every day.

2:55
So as we were exploring, you know, PHI, the great thing about working here with our hundreds of healthcare customers is that we engage them, much like you did recently, in these conversations about, you know, what keeps them up at night about protecting PHI.

3:12
And they were actually, many of our customers were very involved in the development of these capabilities, even as a surprise to us, when I first gave the hypothesis of what I thought we should do with, at the time it was called PHI discovery and management. As you said, we went through a number of naming iterations.

3:31
It just rolls off the tongue, doesn’t it?

3:33
It just rolls off the tongue.

3:34
Yes, exactly.

3:35
This is why I’m not in marketing.

3:37
But anyway, the original hypothesis was, you know, making sure that we knew where their crown jewels were.

3:45
And as we went through that sort of thesis with customers, they actually gave us some insight.

3:51
We’re less concerned about where PHI is, because we know where it is and we rely upon ClearData to help us keep that secure.

3:58
What we’re more worried about is where PHI exists where we don’t expect it to.

4:03
And so our sensitive data governance, now that it’s called that, it does a couple of things.

4:09
One, it helps make sure that where PHI is supposed to be, we have all the necessary controls from a compliance and security perspective to keep it safe.

4:21
But the other benefit that our customers really wanted to get out of it is, yeah, it’s where PHI, can you help me spot where PHI found its way into other parts of our infrastructure where I don’t expect it.

4:32
The best example is one of our customers says we have a support channel with our customers where they send us, they deal with sort of radiology and reading test results from that.

4:47
And they said you’d be surprised how many times, like, they’ll call a support organization and say, hey, we’re having a problem with the system, and as part of that they’ll attach artifacts to the support case that have PHI all over them. And so we’ve seen breaches lately, even outside of healthcare, where support channels are seeing either PII or PHI leaked. And that’s where some of the threat actors are going now: not trying to break into the main vault to steal the crown jewels, but looking at all these other places where PHI may be flowing, sometimes inadvertently, and that’s where they’re able to grab some of this incredibly valuable data.

5:28
So anyway, sensitive data governance evolved to not just make sure that we keep PHI safe where it’s supposed to be, but how do we watch for PHI appearing where it’s not supposed to be.

5:41
Support channels, development systems, test systems, that was a big use case our customers gave us.

5:50
They said we found in our QA department that our engineering team had taken production data full of PHI and is using it in test environments.

5:58
We’re like, so anyway, that was the evolution of sensitive data governance and how our customers continue to play a key role in its development.

6:07
Jim, I hate to, I can’t skip this note.

6:11
As we were developing this algorithm, as we were working on this together, you used a metaphor, and you’re great with metaphors.

6:20
The Geiger counter.

6:22
Tell us about the Geiger counter.

6:24
Yeah.

6:24
So I use a lot of metaphors to help simplify things sometimes.

6:28
And the Geiger counter: when we think about sensitive data governance, there’s one part, which is the Geiger counter, that is how do I detect where PHI exists, right.

6:39
So that to me is where is the radioactive material that we should all be afraid of, right.

6:44
That’s where the Geiger counter came from.

6:46
But what I said to our customers, I said, look, there are a bunch of different ways we can build a counter.

6:53
They exist out there.

6:54
We’re going to rely upon that, and the part that we’re focused on for our intellectual property, the value that we’re trying to bring, is once we can detect it, how do we govern it, how do we manage it, what do we do about it.

7:07
And that’s really been our focus: not building the world’s best Geiger counter.

7:11
Yes, we need a Geiger counter, but it’s the governance processes, it’s the controls that we put on top of those things, whether it’s where PHI is supposed to be or where PHI is not supposed to be.

7:22
So it’s that governance part that we spent a lot of time developing, and leveraging a lot of best-of-breed Geiger counters out there that give us the signal that this smells like PHI, or, you know, beep beep beep, there’s radioactive material here.

7:38
So all of this is great.

7:41
I’m excited about that.

7:42
We, especially as the founding father, if you will, of this company protecting patient data, this is the best thing that we could think of.

7:54
We’re going to expand the capabilities of it to different clouds, you know, where else can we find data.

8:00
You know, all that’s coming, but there were some other things that we talked about earlier. You briefly mentioned resource viewer; we talked about actionability.

8:11
Tell us about that.

8:12
Sure.

8:14
As I talk about some of those, you know, first let’s take a step back to our previous episodes where we talked about CRAs and Safeguards.

8:20
And just for a very quick recap, right, you know, CRAs are our compliance reference architectures.

8:25
They’re basically the blueprints for our customers to help them understand how to best leverage these cloud services that are available to them, how to deploy them and leverage them in their environment in a compliant, secure way.

8:37
That’s our reference architecture work. The safeguards come in after that. Safeguards are a wonderful mapping of either a risk posture or a compliance framework, so, you know, HITRUST, chapter and verse, that translates down into the appropriate technical controls to protect against that.

8:57
And the safeguards really are our way to check for adherence to these best practices, compliance regulations, or, you know, that you don’t have this risk vector.

9:08
Safeguards also provide prescriptive and sometimes automated ways to resolve those issues if we encounter them.

9:17
So when the platform comes in, and now our new features like the resource viewer, etcetera, our focus isn’t like other tools where, you know, look, I’ve talked to our customers and looked at so many of the other tools on the market that just overwhelm them with scary information.

9:33
You know, you have thousands and thousands of vulnerabilities on this one virtual machine and you’re all going to die, is the summation of it.

9:43
And I think they perceive the value of their tools as how many scary data points they can put in front of you.

9:51
And look, there’s no shortage of scary data points in the universe.

9:56
I think everybody is well aware of that at this point.

9:58
So our focus with the tool is, there’s no sense showing you 1000 scary data points.

10:05
Our point of view, through the resource viewer, through the technology that we’re doing with the platform, is giving you an action plan of, here’s what you should be doing to best mitigate your security and compliance posture, that we built up based upon those thousands of scary data points.

10:26
But most of the scary data points aren’t being presented at human scale, what I call human scale anyway.

10:31
In other words, it’s way too much stimulation for you to be able to manage.

10:35
So our focus is on how do we take all of that?

10:38
Through the resource viewer, we can actually show you a prioritized view as well as action plans, right?

10:45
Prescriptive and sometimes automated remediation plans of, here are the best things you can do to have the most impact in improving your compliance and security posture.

10:57
So that’s the nature of resource viewer: very simple to consume, to read, to see, and again, the goal of it is to not be like other tools and overstimulate you with thousands of data points.

11:13
Jim, I would add, I mean, that’s well said.

11:16
I would add that, you know, this whole platform is built specifically for healthcare, right.

11:22
And healthcare is different.

11:24
Healthcare is different than you’d have with a financial industry company or a bank or, you know, a critical infrastructure environment like manufacturing, all that stuff.

11:37
And so when we build these safeguards, when we build these countermeasures, if you will, and these sets of instructions, we actually take into account the lessons learned from those who have failed before us, not us, but those who have failed in their journey.

11:56
For example, there are prescriptive ways that we advise our customers to harden their environments, whether that’s a CIS hardening standard or whether that’s something else.

12:10
There are ways that we actually get into discussions around how to leverage your services together so that you’re not making them weaker together, making them accretive, if you will.

12:24
What are your thoughts on how we’re doing that and why that’s important to our customers?

12:29
Yes, so, you know, well said, and there are not only the failures of the past, right.

12:35
And that has led us to things like, you know, our CRAs are based upon best practices, based on lessons learned, and providing a blueprint for, you know, much like if you were building a house, right, they learn how to build a house.

12:53
Yeah, exactly.

12:54
So, CRAs help with that.

12:57
The platform’s reinforcing that.

13:00
But more importantly, you know, at ClearData we not only have the platform, but we have other services like our MDR service, which does threat management, threat response.

13:10
So we’re not just seeing the lessons learned, which are very important, but we’re actually seeing the active threats every day that are happening in healthcare, how our healthcare customers, how that industry is under attack.

13:25
And like you said, every industry is a little bit different in how the threat actors are trying to steal the crown jewels, right, and the crown jewels are different.

13:35
So that’s another thing that we’re doing in terms of how we fold that into the safeguards.

13:40
I was just talking to the head of our managed services MDR practice this morning, and these are the discussions we have, which is, you know, he puts out a regular report internally as well as to our customers about, look, here’s what the threat actors are doing now, right, and what we’re doing to help protect you.

14:00
And my job on the platform side is, how do we make sure that those active threats turn into active safeguards, that we make sure that we’ve got all the locks on all the right doors when we see a new attack path coming.

14:17
Are our CRAs resilient to the new attack paths?

14:21
Do our safeguards provide that early warning detection and preventative approach to making sure that if that attack path hits our customers, it’s sufficient, right.

14:33
Our whole job is to lower the risk of those threat actors with those methods compromising our customers.

14:42
And so I think that whole feedback loop and our maniacal focus on protecting healthcare, and the series of threat actors and their tactics of how they go after healthcare, really refines us to a better solution than just a generic security solution, for example.

Jim, I love that.

15:06
I think another area for us where we learn is where our customers may, maybe they have something in their own area of responsibility that they’re doing poorly.

15:18
And we were just talking about that this morning, actually, talking about how do we protect our customers from things that they’re supposed to be handling, even if we’re not handling it directly ourselves.

15:28
What are your thoughts on, you know, those kinds of safeguards that we’re building, what’s coming down the pipe on the safeguard front?

15:37
Yeah, sure.

15:38
So, yeah, you and I were talking about, you know, this is what we do every day, right?

15:42
We look at what are the risks and threats to our customers’ environments, how are things evolving, and then what do we do about it, right: do we put it in our response teams and MDR, how do we build it into the platform, how do we build new safeguards, how does it affect our CRAs, how does it affect our communications to our customers.

16:02
But like you said, we don’t run our customers’ entire company or infrastructure, every aspect of it.

16:09
So we’re always working with them to understand the bigger picture of what operates their business.

16:17
And so I guess what I would say to that is, what keeps me up at night is always making sure we understand all of the risk, as many of the risks as possible, to how we protect our customers.

16:34
And there are new ones every day, there are pieces that we don’t control.

16:37
But what we talked about this morning, for example, is there may be things that they manage that we may not manage, but we can still provide them those safeguards to clue them in on what they might be doing differently.

16:49
Even one that I didn’t talk to you about, but I’ve been talking to, again, another person in our managed services organization, is even some of the non-security and non-compliance related things, around things like their operational teams dealing with the risks around resiliency, disaster recovery.

17:08
You know, to protect against things like, even threats like DDoS attacks, right?

17:14
You know, that aren’t necessarily caused by a vulnerability or a compliance failure, but somebody could just overwhelm an infrastructure to bring a company down, right?

17:25
And so there are operational aspects to how you deploy your applications to be resilient to load and resilient to DDoS that we have to take into account as well.

17:36
So those are the discussions we’re having every day.

17:39
And so how does that relate to safeguards, right?

17:41
When I look at that, one is understanding the threat, the risks and the threats that can cause our customers to have issues.

17:50
And then how do we evolve our safeguards and our CRAs to help our customers protect against that, build a more resilient, more secure, more compliant infrastructure for their operations.

18:03
Love it Jim.

18:04
I think we’ve probably exceeded our time.

18:08
Great conversation as usual there.

18:11
There’s one thing I did want to add before we jump, and that is, we talked a little bit in one of our last episodes.

18:17
We went from 16 to 18.

18:18
I’m still trying to figure out where 7.

18:19
Still figuring out what happened to 17.

18:21
It’s like 13 in a, yeah, is 17 the new unlucky number?

18:25
I don’t know.

18:26
I’m going to go find episode 17.

18:28
It’s been incredible.

18:30
Somebody hit it on purpose.

18:32
Teeth probably were, lettuce in them. Anyway, we talked about a well-architected framework review.

18:40
You know, we’re giving that out to our customers.

18:43
They don’t have to pay for it.

18:45
What value do you see in that, based on what you just talked about?

18:49
You know, so much like I talked about the tools that overwhelm you with stimulation, you know, that scare the crap out of you.

18:55
Even this podcast, you know, for some folks, they may go, I heard everything they said, but how does that relate to me?

19:01
How, you know, am I at risk?

19:04
Should I be afraid? That’s what our, you know, our assessment, our cloud risk assessment process does for our customers: let us come in and sort of just show you a picture of what we see in your environment.

19:18
And again, more importantly, what we think you should be doing, right.

19:22
What we think is the best response you can have to, you know, that data that we see in your environment.

19:29
So we offer the cloud risk assessment for free. We can come in very simply, do that assessment, show you our results from the platform, show you, you know, not just what we see as a problem, but more importantly what we see as the prescription for you to be more secure and compliant.

19:47
And I had, that’s more cowbell, right? That’s more cowbell, yeah, exactly.

19:51
Yeah.

19:51
So that’s the cloud risk assessment that you can ask us for through the website, and I think there’ll be a QR code, like here, put it right here or something, I don’t know.

20:03
But that’s the cloud risk assessment.

20:05
And you also mentioned WAFRs, right.

20:07
You know, WAFRs are another great tool that we have that we use with our customers. Again, think about our CRAs as the best practices.

20:16
The well-architected framework review is that sort of assessment where we can come in and do an assessment to ensure that you’re actually adhering to those, right.

20:27
So again, analogy #75 for me today, right, it’s the, we gave you the recipe for the chocolate chip cookies.

20:36
I’m more than happy to come in and taste them and see if you made them right.

20:39
And that’s what we’ll do, is we’ll actually come in. We’ve given you the recipes, we’ve given you the CRAs, we’ve given you the safeguards, we’ve given you the platform.

20:48
Let’s come in and test it to see, you know, are we missing anything from a well-architected perspective, and give you that guidance.

20:57
Again, these are just ways that, just trust and verify, provide that perspective and, most importantly, give you the prescription for better security and compliance in your environment.

21:06
Love the white-glove approach.

21:08
Jim, thank you again for joining us today, and by the way, for all of you listening and watching, give us a call, let us give you that taste test, if you will.

21:19
Yeah.

21:20
And I’d love to hear from folks, customers or not, what’s chasing you in your nightmares in your cloud environment, you know, and how can ClearData help?

21:29
How can we open up our aperture of risk to help you understand, to manage that monster chasing you in your cloud nightmare.

21:36
So I’d love to have those conversations, and maybe we can talk about that in episode 23.

21:41
Is that the next one?

21:42
I don’t know.

21:43
I mean, I don’t know how we’re numbering these things anymore.

21:45
Maybe they’re just five numbers or something.

21:47
Who knows?

21:49
All right.

21:49
Well, thanks a lot, everybody.

21:50
We’ll talk soon.

21:51
Thanks.