The Security Podcast of Silicon Valley

Episodes

About

Blog

Subscribe

The Security Podcast of Silicon Valley

The Security Podcast of Silicon Valley

Episodes

About

Blog

Subscribe

The Security Podcast of Silicon Valley

Episodes

About

Blog

Subscribe

35. Aviv Grafi, Founder and Innovator at Votiro: from IDF 8200 to Cybersecurity Visionary

Welcome everyone to another episode of the security podcast in Silicon Valley. I'm here today with a very respectful guest, Aviv Agrafi, the founder and CTO of Votero. Welcome to the show. Hey, John, thank you very much for having me here.

It's a great pleasure to have you. You've been in security for a very long time. Before you were founder and CTO of Votero, you did some research in very low level security space. You also have experience as part of the IDF 8200 unit.

That's right. Would you like to share with our listeners who maybe are less familiar with that, what that was? Yeah, so actually, let's start, you know, slightly before that, but I'm based in Tel Aviv, Israel. And one of the things that I was doing probably since I was kind of a teenager in high school, probably, is I really, you know, have kind of a hobby to tear things apart.

And when, you know, when internet came out, it was 19 something, 19 something, and I was trying to do that stuff online. And I mean, one thing they do another, and I was really interested in security, in some way in hacking and in software. And I got to the point where I was a teenager in high school. And before graduating, there is, you know, kind of thing here in Israel, you need to do your three years military service.

And I was recruited. Yeah, I was recruited by the intelligence forces to do some stuff with the license as part of the intelligence forces, mostly defense and offense security operations. So that's mainly what a unit AT200 is doing actually since then, on the last probably years. Amazing.

So it's really difficult to get into the specifics, but it sounds like you were reverse engineering. Yeah. So I was doing a lot of reverse engineering when I was also in high school. And then it was kind of a natural thing for me to do, right, during my time in the military service.

And actually, that's interesting. A bit after I graduated from the Army service, I was continuing to do some pen testing work, like services work for a lot of companies. I worked for two companies, and then I did my own kind of services firm. And that was a really fun job for 20-something years old.

You know, I was 24 years old, and I was traveling around the world, meeting clients and interviewing their IT teams. And practically, that was a hacking with a license, showing them how vulnerable they are. And for me, that was a pretty fun job. I think that was the point where I think I started to really form it, what today actually is called Votero.

That's spectacular. You know, as a pen tester, you never really have the same day twice. It's to think on your feet and creativity is front and center. I feel the passion and the love.

Yeah. So as I mentioned, when I started to really get into, understand how things are really, you know, works under the hood, usually in computers, I had my own. Back then, I had my own. Before, it's called, maybe I sound a bit old, but we used to have a Palm Pilot.

Remember those things? I do remember those things. You're not old. We're not old yet.

Okay, okay. There may be a few listeners that are Googling what a Palm Pilot is. Yeah, so I had to pump out when I was a teenager, and I was starting to see how I can really, you know, use that hardware and software, and I installed some additional software that's not meant to be installed on those devices. That was purely kind of curiosity game.

And really, I started to invest my time in doing some stuff, understanding how things are working. And that obviously led to security kind of research. How do I get more stuff out of something? Learning new stuff on my own, online, on the first days of the internet.

Being kind of, I was the one at helping my friends, and not just with, you know, with a computer, but also how to get things done. So I think that's where it all started. I think the curiosity thing, that's in the creativity that you mentioned, I think that that's the catalyst. For a lot of the security research, at least I experienced, and that's actually what drives my passion.

So this is a really good point. And today you're broadcasting from Tel Aviv as the founder and CTO of Votero. And I'm really interested to learn more about Votero, but I'm also kind of curious, did you grow up in that area? Yeah, I was born in Israel.

I grew up around the Tel Aviv area. I spent most of my life here. Married with three kids. So we all live around here, yeah.

And I know security is always front and center, maybe top of mind because of the unfortunate situation that we're in, and sort of that part of the world. But I'm really interested. Tell me, what does Votero do exactly? And what is the one thing or the couple of things that it does better than anyone else in the world?

Yeah. So I think that in terms of the story, maybe just to share the background, how I founded Votero, and to understand what we're doing and why we're doing what we're doing. So when I was a pantherster, there was kind of a few techniques that I developed in order to get into a new organization, you know, interview the IT team, and then showing them what are the vulnerability points they have in the network. And usually I was demonstrating to them how I could hack them.

And there was one thing that just worked for me 100% of the times. It was just logging to the website of that client. It can be a law firm. It can be an insurance company.

It can be a utilities company. And seeing what the open positions are. And then I see, for example, they're recruiting for a position in the marketing department. So we're just sending a PDF, something that looks like a resume, but actually that's a weaponized PDF, sending that to the recruiting department.

Say, hey, I want to apply to position your company. I know John. And actually, if you want some references, I'd be happy to share that with you. And on the other side, there is a guy or lady that needs to do their job, right?

And in order to do their job well, they need to screen hundreds of those resumes a week. So when someone was opening that PDF, I was able to screen capture the screen. And that's it. I was able to demonstrate that it's really easy to hack those organizations.

And there's one thing that I realized. It's that easy because there is really fine balance between security and productivity. Because we're trying to tell our employees and our colleagues, you need to spot the fishing while you're doing your job, which is sometimes it's just impossible. And I think that was the moment where I realized that even 20, 30 years after we invented all those technologies that, you know, supposed to block all those malicious attachments, it still fails.

And we need to do our job. And that's the point where I understood that there is a room for a new thing. This is where what now is known. And now it's called Votero started to form.

And the idea is instead of letting that recruiter try to find whether this is a suspicious PDF or suspicious email, we cannot really let him do that, right? So instead of looking at that PDF and saying, yeah, this is a bad PDF, we know that recruiter is interested in the content of that document. He's interested in the title of a graphy, my contact details. He's interested in the experience in the text.

Maybe the links. And practically that's about it. So if I'm taking all that content and just move that to a safe template of the exact same file type and delivering that, he will get the exact same experience without anything that may be malicious in it. It will just be kept outside.

And that idea of flipping the problem on its head, saying, let's not try to find the bad stuff because that's impossible. Let's deliver always good known content. I think that's what we do better than anyone else in the industry because they're all relying on the same thing. We know the history.

Let's try to predict the future. And we're not trying to do that. Just delivering good known content always, all the time. I love how simple it is.

You're just going to take the good stuff and leave everything else. And you don't have to worry about identifying specific patterns of malicious behavior or code or snippets or meta splites or whatever. Exactly. You're just scraping what you need from the document and rewriting it.

And of course, when we started, most of the content was, you know, moved over emails and web downloads. But now, you know, you have Slack and Box and Dropbox and OneDrive and SharePoint. So we had inventory to support all those kind of sources of documents and content. So we're allowing our customers just to consume any document without the need to think twice.

We're telling, in fact, I'm telling my employees and colleagues, open any document you'll get from outside. Just open it. Even if you think that it's malicious, just open it because it's completely safe. And in that way, we're really, you know, avoiding what we used to do, like saying, you as a poor employee, you would spot that phishing scheme, you would spot that attack, and which is obviously cannot really work.

And I'm always giving that example that probably you, John, you're also doing those phishing campaigns training kind of thing. Oh, yeah. Yeah. Yeah.

So probably you receive those emails saying, oh, you clicked the wrong link. Now you need to do kind of a crash course on something. Yeah. It killed me to blame the victim.

But yeah. Exactly. Actually, that's blaming, that's blaming the victim. Exactly that.

So, so we understand that we cannot really, you know, throw all that responsibility on the victim. And to be honest, if someone would send me an email saying, hey, there was a problem worrying your paycheck this month, and you need to fill the attached form, I would feel, I would open and fill the attached form because I want to have my paycheck. You want to get paid. Right.

Of course. So, so that's the problem. We cannot really, you know, tell our employees, think twice before you do the job. but I think that's the idea and I think that's what I would like to see more in the world, like more proactive protection rather than reactive.

I love being proactive and I love scraping what you need and ignoring the rest and assuming that the rest is potentially malicious because it's, it doesn't matter than what the next exploit is going to be in a document or, you know, a remote code execution and some random PDF viewer. There's just, that's right, a very rich ecosystem of things that interpret documents. An entire economy are built around just documents. So, it's a nice way to cover all of that ground in one swoop.

Yeah, and you know, the interesting part when we started, we didn't think about all those new sources of documents. If you think about even, I mean, today, I wanted to say post-COVID era, we see a lot of companies going digital even more than before. So, if now I want to file, for example, health insurance claim, okay, they would ask me to upload tons of documents online. We didn't have that probably 10 years ago, 15 years ago.

But now, a lot of companies also now, you know, they might be attacked by those upload portals. So, and even small companies, they want to be, you know, on the front line of the digital area, right? So, they opening their system for uploads from clients. And all those are new way to get stuff into organization.

And I was talking with pentesters, they said they love it because that's the easiest way to get in. Just send something through that upload portal of a company and bam, you're in because no one suspects that. I mean, we're all being told don't open emails from someone you don't know. But no one told us don't open attachments or documents from the system that you're working on every day, which doesn't look like email.

No, thank you for sharing. I have a good understanding then of why you started Botero. Like, you saw the opportunity, you used it firsthand as a pen tester, and it's almost like you felt an obligation to build this and solve this problem for everybody. Look, I couldn't really find any decent solution because most of the solutions that exist today, they're all trying to, you know, to see, okay, what happened in the history and let's try to predict the future.

Like, anti-Mauer, anti-virus. Like, they all, you know, rely on signatures. What they know, that's what they can detect. Even the machine learning kind of driven next-gen AVs, they're just as good as the model that machine learning is trained on with the data that they fed into that.

So, they all try to get some historical data and predict the future and I think that's a problem because, you know, the bad guys would always be one step ahead so let's not try to, you know, to participate in that cat and mouse game. Let's just, be proactive and say, okay, let's turn the problem on its head. I want to get the good stuff. I don't care about anything that is not really useful for that employee, that colleague, you know, to open and consume that content.

So here we are. We have Tiro. What's your go-to-market strategy? Is it top-down or maybe bottom-up?

Is it something that I could sign up for and integrate into my ecosystem in one day? So, so that's a good question. When we started, we were mostly like tied to kind of one or two sources of documents like email. But just recently, when we, a couple of years ago, when we moved to offer that as a cloud service, we opened that as an open API approach.

So as long as you can code in any language, you can connect your business application. I know almost any application out there to Votero. so any file can be just, any content can be sent to Votero cloud and you can get the safe version back. So that's pretty easy like in minutes to integrate if using the cloud service.

Of course, we have for those, you know, security savvy organizations that want to have that on-prem, we have that version for them as well. But we see more and more organizations and clients actually moving to consume that API over the cloud. And of course, a lot of, you know, technical teams, architects, they usually found that solution and say, hey, I want to introduce that into in my organization. So usually we see that as a bottom-up kind of approach.

Amazing. Spectacular. So bottom-up and easy to use an API that just does what you need exposed to the world. So maybe you could share with us like what's been the best day you've had so far at your journey with Votero?

Yeah. That's a good question. I think I cannot say that there is the best day. I can say that there are a lot of great days in Votero.

But I think that if you need to outline what is a great day in Votero is a great day that we're getting customer or design partner of ours getting us great feedback or acknowledgement that a certain feature in the direction of the product that they've been using is exactly what they wanted. So getting that kind of feedback that's a great day in Votero at least for me that's actually fulfilled me and acknowledge that what I've been working in Votero in order to help real people is actually the way. Yeah.

I am a firm believer that at the end of the day we can build all of this technology and have all of these products out there and an ecosystem of stuff but unless we're actually improving and changing our fellow humans' lives for the better like what is it what are we doing you know what is it worth and I think the worth and the meaning and the value that comes from having a positive impact on people's lives. Yeah.

And I think that it can be you know you saved me a lot of time you allowed my organization to work that those are really great you know feedback that if I'm getting if I'm hearing that from customers that's a great day in Votero of course if I save money that's that's okay but probably the best kind of feedback is that's exactly what I was looking for and you helped me to do my job even better. Does I'm just being curious now does Votero have a way to detect that yeah actually like this one document had something malicious in it and here's the clean version of it here you go. Yeah.

So actually that's a great question because when we started we didn't have that capability but what we found a lot of customers they're saying okay so all the content and all the documents are now clean they can open all those documents without you know they need to think twice but what we're doing in order to you know to augment that with some more analytics and threat intelligence data we actually scan those documents days a week after they're being you know delivered with some best-in-class detection solutions in the market and which the problem with those detection solutions market takes them days to catch up right but if we deliver the safe content there's no problem to scan those originals days after we deliver that and say oh you know a week ago there was a resume sent out to you don't worry you were safe now we can tell you that those were malicious documents sent out to you and here are the details so yeah we do that retrospectively and a good thing is that we don't need to panic the SOC team we don't need to tell them now you need to run around and find how you know remediate that because it was already delivered safe but probably you need to know you want to know but by the way this one resume was totally malicious exactly and then there was an interesting question of like was that intentional or was there a piece of like malware on that person's machine that injected something that in emails that were sent or something like that right all of that stuff is like an external threat so like external documents coming into your organization super curious I think the same technology lends itself really nicely also to the internal threat yeah I think that we see some use cases of using that for internal threats but less than external threat I think that a lot of the internal threats are mostly someone want to leak some information out not necessarily malicious stuff is being sent internally or getting outside organization it's nice to use the same techniques and products to solve both types of threats I mean if you have the requirement a lot of have regulatory requirements to handle certain types of insider threat insider threats yeah so that's nice it's just a nice option so how about a little bit of a tougher question I'll let you think about it for a second but what was the worst day so far in your journey at Voturo as founder and CTO yeah I think that as entrepreneur that's a rollercoaster I think that over time I cannot really say that this was the worst because you know weeks or months after that what you know it looks like the worst day in Voturo it doesn't look like the worst so so I think that but tough days in Voturo at least for me would say personally for me is that I realized that for example I had the wrong hire or someone that I really thought that would help to do a change doesn't deliver or maybe there is a mismatch of values and for me the realization that I need to part ways with someone that part of that journey I think that's not a great day at least in my perspective yeah those can be challenging moments a little bit of short-term pain and maybe for long-term more happiness on both sides of the equation yeah that's something also I learned exactly that for long-term it's happiness for both sides so I wouldn't say it's not the worst day but it's not challenging it's challenging I think it's challenging I mean customers and crises they're always such things but the things with the human beings I think that's the more challenging part in the future yeah I understand what you mean and I really feel like your value placed on the humans that are around us and it's good to try to make the world a better place and we want to contribute back right and and it sounds like that you and I share this value of focusing on people and so when there's a mismatch and it includes people I definitely understand how that can be yeah a challenging moment short-term but that's okay yeah that's okay and long-term like always I I try to be very intentional and deliberate with my choices and focus on those long-term goals and payoffs and sometimes that requires a short-term not a compromise but just overcoming the challenge so that's right yeah I agree with that yeah it takes time it takes time to develop that but yeah okay so speaking about long-term goals and your vision if we fast-forward into the future and I'll let you decide how fast how much into that future we'd like to fast forward here but what does success look like for Votera what is that north star so I think that that approach of kind of changing that paradigm of how we treat content I think if I would see that kind of widespread in the industry that will be a success obviously Votera would be a significant part of that either part of one of the big vendors or being the player actually designing that approach I think that would be a success for Votera and personally for me because I feel that I really think that this is the right approach and see that happening in the market I think that will be a success yeah it's the success is all about adoption putting everyone in a position where they can realize value based on solving these challenging problems moving forward together so going back to people just for a moment here and interviews and maybe your experiences have led you to change your views on this but do you have a favorite interview question I think that the favorite interview question usually I mean I like your answer is kind of on the key takeaways and one probably tip for CISOs and security architects I think probably that's something that I really want to kind of give my two cents of how I see the industry so that's probably the best or my favorite question usually being asked in interviews my favorite question usually what is the key takeaway that you would like to give the audience and what are the things that you think that CISOs or architects would learn or benefit what do you think that's the one thing that they should know or think about so it's almost like asking what do they think is the most important like the one most important piece yeah and obviously I think usually my answer is that as a CISO you need to be the good guy not the bad cop in the organization and you need to think how you find solutions that enable the business and not kind of being restrictive security I want to have enabling security and not restrictive security I think this is extremely important because for some security folks and I admit that I was part of that kind of approach you know stopping things and policy and you know and making sure that everything is being done according to something that you know is maybe nice in there you know on paper but for business that's sometimes really a pain in the ass that's the truth so thankfully yeah so I think that we need to have more kind of enabling security rather restrictive security yeah you know it's funny you mentioned enabling security I always believe that not only should security be connected to actual human beings and the quality of life you know and not interrupt people's flow of their day like security done right is quiet and it's in the background right but to get there is quite challenging to get that high bar of security you know often requires a lot of time and energy and dedication behind the scenes and to drive that within an organization can be very challenging and I've noticed that there's really there's two types of security people in the world there's the type that will walk into a meeting room and everyone and everyone else in the meeting room will be like oh no it's here they're gonna tell us we can't do this and they're gonna extend the deadline they're gonna put all of these strange like new standards up on the whiteboard and ask us to implement these things and then there's another type of security person they'll walk into that same exactly the same room with exactly the same set of security goals but they'll be perceived as an ally that helped them ship on a tight deadline and contribute towards solving all of these challenging security issues that need to be solved in order to ship a secure product and everyone will feel like they're in the same boat together and supported collaborative instead of prescriptive that's exactly right and you know just being perceived with that collaborative space can make all of the difference for the human beings and the quality of life and then oftentimes I'll find that people will engage you they'll ask they'll want to learn about the security aspects of what's going on and why is that important you know and but not in a challenging sort of way but in a playful learning and collaborative sort of approach so yeah that's exactly that and you know there is a question that I learned that works at least for me and for some organizations that I want to assess whether they what kind of type or personal security kind of approach they are and I usually ask them what is your security policy regarding password protected documents on the way in are you blocking all those password protected documents altogether or are you just allowing them to go in no matter what there is in them and usually I'm learning from the answer about what is the organization or the leader kind of approach what's their approach so so by the prescriptive super strict like maybe a little bit on the combative side like what is a typical answer yeah so so obviously for the guy that said I want to block everything that I cannot really you know be sure for 100% that it's safe he would be blocking all password protected documents coming into for example by email saying okay if I cannot really assess what there is in it I'm not allowing it and of course from business perspective that's horrible because you know today we're all getting a lot of password protected documents even you know for privacy purposes and a lot of customers and clients of ours and say okay that's we need to find a solution for that and of course on the other side there is a guy saying okay if that's possible protected I'll be allowing those documents go in because I didn't realize there is a solution for that and I prefer not to impact the business you know by the name of security and I think that's the answer of the other side at the end of the day a business has to balance its books and enable growth and all of these things I'm 100% a believer that security can be almost positioned as an advocate and a top an enabler of what are we doing you know why I agree I mean having a 100% security just let's disconnect all systems from the internet and from network and that will be 100% security but we'll have no business yeah you might have the CIA but you're not going to have the business exactly okay okay so you bring all of this great experience to the table and you've gone through a lot of challenging moments and you've clearly like overcome them and have achieved a very high bar of success and if you could go back to your younger self and maybe share with your younger self a book or a movie that that really like spoke to you and maybe shared a key insight yeah so do you recommend anything so two things I would say to my younger self first if there is a book that actually influenced me in some way and there is a book called the hard things about the hard things yes so probably the audience heard about that so I think what I liked about that book is that it's really based on real experience it's not a model it's really based on experience and it's really easy to read it because it's like a short usually they're not being described in you know those textbooks so this is one thing that I really liked about that book now if I would need to say something to my younger self I would say don't I mean the highs are not that high and the lows are not that low don't take anything that happened in that roller cluster kind of journey too serious I think that probably what the experience actually teach us and that what I would try to say to my younger self that's amazing I love that advice for your younger self I think all of my life experiences kind of point to the same thing and the there's a quote that really just captures all of that beautifully Oscar Wilde actually said like this far too important thing to be taken so seriously all the time yeah I that's perfect you know that's amazing that's really good no it's just super healthy and we can laugh at ourselves and remind ourselves when we're at those peaks and those mountains well it's like yeah it's temporary and then when we're in those troughs and we're like sludging through like the grits and it feels like everything is collapsed around us yep okay temporary fine yeah exactly it's very Buddhist are you Buddhist nope no okay I mean you could be very easily it doesn't sound like you're too far off of it so yeah all right very nice all right how about a playful question if you fast forward into the future do you just would you like someone out there who is looking for a new idea to just go off and solve a particular problem that you keep bumping into over and over again and you just don't have the time or the bandwidth or the expertise to solve it in the way that it should be solved this is a little bit of a leading question for the entrepreneurs that listen yeah that's a great question so maybe if that interview would be recorded kind of six months ago I would say an AI model that I would chat with and it will spit all the answers but they only invented that okay so let's think about something else so I think maybe something around tapping into reading people's mind that probably would be something very cool that is a lot of things will be easy for us and probably will be creating new kind of reality and situations so that's probably what I would be happy to see the mind reading technology but let's say reading people's minds remotely remotely okay via zoom I would just tap in on the button that's it okay that's a magical technology I have no idea how it might work but maybe something around AI and reading all of our information leakage just like soups right off of our bodies facial expressions and the way that we say things micro gaps between words you could be like there was processing there between those two words I wonder what that was that's the new feature for a chat GPT thing I mean yeah that's I'm joking too I'm but if someone could pull that off you know my hat's off here it would change the world I don't know what that world would look like there must be like a Black Mirror episode on that yeah Aviv thank you so much for joining me on this episode of the security podcast in Silicon Valley I would love it if you would like to leave our guests with any final words of wisdom yes thank you very much John for having me here and inviting me to the podcast it was really fun and pleasure to have that chat with you today and for the audience I think two things one try to find a enabling security and not restrictive security this is one and of course don't take life too seriously I think that's the second one thank you again Avi thank you very much John thank you everyone for tuning in for another episode and stay tuned for the next full take care everyone bye bye bye bye

‹ 36. Feross Aboukhadijeh, Founder and CEO of Socket.dev, a startup improving security and privacy on the web

34. Ganesh Krishnan, Co-Founder and CEO of Anzenna - on Cyber Security Awareness Training ›