Black Hat: Amer Deeba, Normalyze.ai

Alan Shimel: Hi everyone. We’re back here on Thursday in Las Vegas for Black Hat. Thursday of Black Hat week is always an interesting day because a lot of the people are transitioning to DEFCON.
Amer Deeba: Yes. And they’re tired.
Alan Shimel: Right. And the rest of them are heading home.
Amer Deeba: Yeah, they are leaving.
Alan Shimel: They’ve been here all week. So it’s always a fun day like that. Of course, my friend sitting here with me, he’s seen his share of Black Hats over the years. I’m happy to introduce you to Amer Deeba. Amer’s been a fixture in cybersecurity for as long as I’ve been in cybersecurity. Hard to believe, but it’s probably 25 years.
Amer Deeba: Yeah, it is.
Alan Shimel: And it’s a pleasure to have him on here. Amer is the CEO and co-founder of a company called Normalyze. And that’s N-O-R-M-A-L-Y-Z-E, correct?
Amer Deeba: Correct. Yes.
Alan Shimel: Right?
Amer Deeba: Correct.
Alan Shimel: It’s normalyze.com.
Amer Deeba: .ai.
Alan Shimel: .ai, excuse me.
They didn’t have .ai 25 years ago.
Amer Deeba: .com works-
Alan Shimel: Yes, but it’s normalyze.ai. And look, we could sit and reminisce about old times all day, but we’re not going to do that to you. We’re going to talk about Normalyze. But just before we do, Amer, as I mentioned, you’re in Cyber InfoSec 25 years. What got you excited about Normalyze? Because every entrepreneur I know, and you’re an entrepreneur, we can’t just… Look, starting a company, you put your guts into it. It’s not something you do because I’ll take a shot, right?
Amer Deeba: Yeah.
Alan Shimel: You do it because you feel it.
Amer Deeba: Correct. Yes. Yeah.
Alan Shimel: Tell us about it.
Amer Deeba: I mean, a lot of people, I was at Qualys for 18 years almost, and we had the great product there. A lot of the focus was on infrastructure security mainly. And after Qualys and doing some soul searching, talking to customers, and of course interacting with my co-founder, right now Ravi Ithal. The focus around data kept coming up again, again, and again. Each time we talk to a customer, to a Chief Security Officer. And it felt like it’s really the right problem that needs to be solved now considering all the changes that are happening in customers’ environments, moving from on-prem to the cloud and all that transformation that’s happening, data is becoming a big focus for many, many reasons that we can talk about today.
And that’s really what got me excited. It’s a big problem that needs to be solved. That requires a lot of innovation and a lot of new ways to address it because the old ways, the way we were doing DLP before, just do not work. It has a lot of efficacy issues and costs and deployment and all of that. So as an entrepreneur and someone, a cybersecurity lover, aficionado, whatever you want to call me, it felt really this is the next problem that I wanted to tackle.
Alan Shimel: Absolutely. So I look at it, there’s two big drivers for this, to me anyway. Number one, I would say for the last, let’s say 12 years, 15 years even, there was a big shift. And it’s funny, we’re here at Black Hat. Black Hat’s the recipient of it. When you and I first came in, it was network security.
Amer Deeba: Yes.
Alan Shimel: That was where security was. We moved to application security. AppSec became king. Black Hat is the-
Amer Deeba: Big part.
Alan Shimel: … prime example of it. And we focused on the application. Was the application coded correctly? Was it deployed on the right infrastructure? Were there buffer overflows? Were there back doors? It was all about the application.
At the same time with the cloud storage, data storage blew up. I mean, I know we’re a nothing company here, but the amount of video data we store is mind boggling. So you had this huge amount of data that a lot of people couldn’t even wrap their head around and all of a sudden someone’s at some point, and it happened during COVID, people started realizing it’s about the data, stupid. The app is good. You need a secure app. But it’s the data that are the crown jewels. The app is a means to an end. It’s the data.
Amer Deeba: And basically the understanding or the preface that we had was, okay, if we secure the infrastructure or we secure the application and we secure where we think the data is, then we secure the data. As you know, breaches continue to happen and more and more breaches are happening. And fundamentally that model where, okay, if we secure where the data is then that means it’s secure, is no longer valid, especially in cloud environments. Why? Because the data is moving everywhere. You have now engineering teams and development teams, they’re in control of just pushing more and more workloads and more applications and doing updates twice, three times, four times a day. And with all of that, new data comes, new sensitive data comes and it moves around within the cloud environments and a multi-cloud environment at a very fast speed.
So that model where, okay, I’m going to secure that infrastructure where the data is or the app itself is going to secure me from breaches, it will help of course and it needs to be done. But also understanding where your data is, where your crown jewels are, what’s in them, who has access to them, and the content and the environment that they’re in, and connecting all these dots together in an intelligent way to give you that notion where the risks are around your sensitive data is really a very important aspect right now to protect yourself and secure yourself from breaches.
Alan Shimel: Sounds like a great reason to start a company.
Amer Deeba: Exactly. And that’s what Normalyze focus is. When we started, we call it Data-First Cloud Security, data security for the cloud. And really it’s now evolving. Gartner calls it Data Security Posture Management, which is a new category, very much focused on understanding the security posture around the data.
Alan Shimel: DSPM.
Amer Deeba: DSPM. Yes.
Alan Shimel: So that’s a new term for guys out there to focus in on DSPM, Data Security Posture Management.
Amer Deeba: Posture Management. Yeah.
Alan Shimel: God bless Gartner when they come up with these names.
Amer Deeba: A complicated name maybe, but it captures the essence of what we’re trying to do and it’s good to have a category and analysts now are all rallying behind it, which is very helpful.
Alan Shimel: Excellent. And that does. Look, I saw it when we did NAC. We had some silly name for it. They named it Network Access Control. We said, “Okay, go with it.”
Amer Deeba: “Okay, that makes sense. Just go for it.”
Alan Shimel: So DSPM it is exactly. So I think we’ve set that table. Let’s now talk about what Normalyze does to help with DSPM, what people need to know.
Amer Deeba: So the other thing also, big requirement and shift that we’ve seen is when you’re looking at data, you can’t just look at it in one place. You have to look at data everywhere. You have to understand data across IaaS, across your PaaS environment, across SaaS, across on-prem. So you really need to have that vision that really allows you to get visibility of your data everywhere. And fundamentally at Normalyze, our mission is to really help you understand where all your data is, what’s in your data, where are the risks around your data, where are the privacy gaps and compliance issues around your data. And then build this dashboard where everything that you need to know about your data is in one place that can give you that ongoing continuous visibility and ability to proactively know where the risks are and address them around your data.
We started of course focusing on cloud environments at when we did, when we launched the company, but now we’re expanding our presence specifically on-prem also and hybrid cloud environments because this is where customers are. We need to know everywhere where our data is.
Alan Shimel: Sure. You got to go where the data is, wherever it is.
Amer Deeba: Correct. So the first thing we do, which is the use cases we help customers with, first of all getting discovery; discover where your data stores are, structured and unstructured. And then understand what’s in them, what’s the sensitive data they contain, what’s the monetary value of that data. So you understand data store A has maybe $300,000 worth of sensitive information. And-
Alan Shimel: How do you put a price on that?
Amer Deeba: Very good question. So we have a research team. So as we identify the different sensitive data within these data stores, we assign a monetary value to each of these entities based on research and various approaches that our research team has gathered from public sources and data breaches and other reports, third party reports. So we can assign a specific value, a dollar value for each sensitive data that we identify. And then you combine it all together per data store to give you what is the actual monetary value within that data store. It’s an indication of course, that doesn’t mean it’s worth that. But it really helps and customers love the fact that they have associated a monetary value for their sensitive data and then they can use it to prioritize and drive remediation when needed. And of course we let customers customize it based on their own environment and how they want to value the data within their environment. But it’s a great start for [inaudible 00:10:38]
Alan Shimel: Absolutely. I mean, it kind of reminds me of CVE, CVSS scoring.
Amer Deeba: In a way. Exactly.
Alan Shimel: Right. But also, again, give the customers a chance to up or downgrade-
Amer Deeba: Up or down and say, “Yes, it has that value, but this data store,” for example, “it’s not in my production environment, so I can reduce that amount.” So the first use case again is discovery, and then we take it into classification to understand where the sensitive data is and what type of data, PII, HIPAA. You name it. GDPR. We have hundreds of these sensitive entities and we connect them together via proximity to show… For example, your name and social security number and credit card number are within the same proximity. So it’s definitely considered PII data. So it really helps increase accuracy of these results as well as the reduction of false positives, which can be very problematic.
Alan Shimel: Let me ask a question a little bit on the discovery phase. There’s the old saying you don’t know what you don’t know. How do you find data that you may not know about that’s there?
Amer Deeba: Now with the beauty in cloud and using the cloud APIs, it helps you in looking into logs and understanding. You can interrogate the entire environment very easily and grab a lot of telemetry and information from the cloud environment that allows you to really identify in a very accurate way where your data stores are, what type of data stores they are, structured and unstructured. And then from there we connect to these data stores in a very transparent way through IAM roles in order to scan that data and to classify it. And the scanners are orchestrated in a way where they come to you where the data is; we don’t take any data out, we don’t copy it out, we don’t transport it out of the environment. So they come to you where the data is, perform the classification and disappear. And all of that is done in a very cost effective, efficient way to help customers really scan the data quickly and get the information they need.
Alan Shimel: What about scale? Because that, as I mentioned earlier, that’s the second part of this conundrum is there’s so much data. How do you scale?
Amer Deeba: There’s a lot of mechanisms that you have to think about when you’re thinking about data and scanning data and scaling for data, which is… Again, and cloud really helps you, which is… From the ground up when we built the platform, scale was a big part of our mission because we want to do it everywhere for small, medium, large customers across all the clouds and wherever their data is. So we’ve built the backend, it’s a graph based backend to house all that information. And that can scale very, very well as customers add more data and more information. And it allows us also to share the results very quickly and to provide the information… You can go in and find… Show me all my data stores that have this type of information, that have this type of risk associated with them or this privacy issue. And the graph gives you the information pretty much momentarily on a real time basis.
And everything is kind of built at the scale of the cloud to allow us to discover quickly, scan quickly. And when you’re scanning the data, we have a lot of techniques that we use like data sampling. For example, if it’s a data store that has a lot of machine generated data, you really don’t need to do a hundred percent scan, but you can do a 10, or even 5, percent scan. It gives you very good understanding of what the data is in it. However, if it’s a very custom type of an S3 Bucket that’s collecting a lot of information from individual users and many, many sources, then you might want to do a more extensive scan on that. And all of that, we do a one pass scan through the file where we collect all the information in one pass. We don’t do a pass for PII data and another that-
Alan Shimel: It’s in a layered. Right. That would…
Amer Deeba: Exactly. So one time it goes through the file one quickly. We read it, we understand the sensitive entities and we classify it and all that information is processed in our backend. So the results come up very quickly and customers can start seeing it and interacting with it and deciding how to take actions on the risks that were identified and drive remediation.
Alan Shimel: Got it. So we discover, we categorize, if you will-
Amer Deeba: Classify category.
Alan Shimel: Classify better. Yes.
Next step is protect?
Amer Deeba: It’s risk, understanding the risks. So you need to understand where that data is, the context it’s in, and who has access to that data, which is a huge risk factor around it. If Alan has access to a data store, for example, that contains sensitive information and HIPAA data, PII data, but you haven’t accessed that data for six months, eight months, why do you need to have access to it? Removing that access immediately helps eliminate risks associated with that access that you have.
So understanding access to the data and applying least privileged access to it is a big use case that comes in that phase followed by understanding all the risks around it. In other words, are there any vulnerabilities, configurations, misconfigurations or any attack paths by connecting all these dots around it that could lead to a data compromise? So we immediately present all these risks to the customer and prioritize based on the type of risk, the impact of the risk, and the monetary value associated with the data. It comes with it. And we provide all the remediation actions that you need to do in order to resolve that issue or to resolve that risk and help you drive remediation.
Alan Shimel: Let me stop you here. When you say you provide all the remediation actions… Again, I’m going back to our old vulnerability management taste… you’re telling them these are the actions you could take, but you’re not proactively doing the remediation?
Amer Deeba: So we connect with SOAR workflows, with SIEMs, with ticketing, with Jira, ServiceNow, Slack. We help basically take that intelligence and help drive DevSecOps to remediate the problem. There are certain actions that we can help with from within the product to remediate. For example, removing access. You can remove that from within, if you have the right access of course to do it. But fundamentally, when you’re in production environments to do remediation and automated remediation-
Alan Shimel: Scary.
Amer Deeba: … it’s a process that you have to orchestrate with your change management and DevOps team. So we want to integrate into that and facilitate it as much as possible. And of course talking with customers and discussing with customers, remediation will become a big part of the platform as we grow the product. [inaudible 00:17:47]
Alan Shimel: It was the same thing in vulnerability management. It wasn’t enough anymore just to find the vulnerabilities or to tell you what to do.
Amer Deeba: Get a patch and apply.
Alan Shimel: There were so many vulnerabilities. Right. You had a patch and you had to start automating. Again, it goes back to scale.
Amer Deeba: Exactly. So that’s an area that we will work with customers to mature it. For example, if a recurring issue keeps coming up again and again and each time you apply a certain automation to do it, why can’t you just apply that automatically and fix the problem? But this has to be of course, designed and orchestrated the right way and we will. It’ll become a big part of what we do also in the future.
Alan Shimel: I get it. If you don’t mind, I wanted a Black Hat specific question. So here we are in the kingdom of AppSec. The capital of application security. You’re here all week. You and the whole Normalyze team are here all week. Do the AppSec people get it? Are they understanding that data is king and they got to protect the data? They’ve got to recognize data, protect data?
Amer Deeba: It’s a big focus. So I think just walking through the hall and seeing some of the sessions here and all of that, there’s a big focus on API security or data security. App security of course is a big thing. And for all of cloud centric, with that in mind. And also orchestration and workflow and remediation and all of that, I saw a lot of innovation in this space. And just getting the vibe of the show, I feel like… Same at RSA, by the way this year. We thought it’s all going to be about AI and all of that. And there was so much focus on data and data security.
Alan Shimel: Excellent. So you mentioned the AI word. Now you mentioned it, we got to talk about it.
Amer Deeba: Of course. Yeah, let’s do it.
Alan Shimel: There’s got to be a role here for AI.
Amer Deeba: Absolutely. I mean, we already use it as part of the platform to help provide better remediation and guided remediation for customers on problems. We use it a little bit in our scanning engine also. And then we are going to use it more in the future to better understand similarity of objects. And so for example, if you’re looking for a specific type of an agreement or type of document, we can use AI to really help us immediately understand when we scan the data and identify it in a faster way.
So it’s going to play a big role I think in data security when it help in driving guided remediation and also making sure that data that’s going into your models, in and out of your models, and what’s in your models, that if you contain sensitive data, that this data is not going to come to bite you in the future.
Alan Shimel: So I think that right there could be a product in and of itself. Everyone I speak to, whether it’s in the media business that we’re in or in other businesses, they all want to create their own LLMs. Taking their data, putting it into a vector database, dumping it into an LLM, they put a chat bot in front of it, and now voila, I have my own custom dataset. Understanding what data got in there and what privacy issues we have, what-
Amer Deeba: Of course that comes with it. Yeah, it’s very important.
Alan Shimel: I don’t know if people are thinking about that yet.
Amer Deeba: Customers are definitely thinking about it and we hear it quite often coming from customers. But the way they’re approaching it also, it’s like if we have the right visibility and we know where our sensitive data is and what’s going in and out of these data stores and are they being used in data modeling and big LLMs, then that’s a great start to get started. And again, with old customers, when… I think the most important things when you start with trying to understand your data security landscape, you can’t boil the ocean. You have to focus on what’s important first and get that visibility, the number one thing because that helps you put the blueprint for how you want to address it and what controls you should put in place and how you manage the entire process in a way that makes you achieve success one step at a time and reaching your final destination.
Alan Shimel: And look, this is best practices in security. You mentioned API security. We saw this with API security. Two years ago, all of the API security vendors were talking about, do you know what APIs you’re even using? Because we can’t secure what you don’t know you even have. So it was about discovery of API security. Attack Surface Management is another big area. It’s the same thing. If you don’t know your surface, how could you manage it?
Amer Deeba: How could you secure that? Yes.
Alan Shimel: And so it is the same thing with data. We only have a few minutes left. If you don’t mind, look in the camera. For people who are out there saying, “Yeah, it’s time. We got to get serious about data.” What’s the on-ramp? How do they engage with Normalyze and get started here?
Amer Deeba: Very good questions. And it’s a discussion I have with CISOs all the time. First of all, there’s a lot of innovation in this space. So there’s a lot of new ideas and great tech coming out to help solve this problem. So the CISOs now, especially if they have a bad experience from before on DLP, I think they really need to stop and consider and listen to us, and of course at Normalyze, we are at the forefront of it and we are having these discussions all the time. And it’s easy to get started, especially in cloud environments. It makes it much easier to get. It’s always, of course, it’s never easy, but it’s much easier to get started and to have a small POC in an environment that you have good control on to start testing these technologies and see the output and the value that it provides to you and to your organization. And the good thing, if you engage with us, that’s not months. It could be days if not weeks, for you to get started and see value right away.
Alan Shimel: What’s involved? Is it I put a couple agents on my system, let them run or?
Amer Deeba: No agents. We’re a hundred percent agentless. Basically you connect your cloud accounts into our back, into our platform and we deploy within their environment in a very special secure way. Very similar to CSPM tools, SM tools and all of that. And that deployment can be literally, sometimes we do it over Zoom,-
Alan Shimel: Really?
Amer Deeba: … if you have the right access and you have the right people on the call. And then from there it’s the scans are happening-
Alan Shimel: It’s off and running.
Amer Deeba: … and off and running. And then you can start tuning it a little bit more, understanding the results a little bit more and then making changes and then connecting it, for example, to your values in Jira accounts. If you want to orchestrate [inaudible 00:25:10]-
Alan Shimel: Integrating.
Amer Deeba: … and integration or integrating it to a SIEM or in order to-
Alan Shimel: Or SOAR or something.
Amer Deeba: Or SOAR from there. But it’s a pretty frictionless process. And it all happens where the data is. We don’t take any data out, we don’t transport it, we don’t address it, none of that. So it’s-
Alan Shimel: They call that liability.
Amer Deeba: Yeah, I mean some approaches before, that’s how we address it. The problem [inaudible 00:25:40]
Alan Shimel: Yeah. No, it was. In the end, it was a liability.
Amer Deeba: And it didn’t help also with certain customers.
So that’s how we do it. And we encourage you come to our website, join our freemium, which is you can get started on your own or we can help you get it started.
Alan Shimel: On that note, so there might be people out here who say, “Look, I’m not a large enterprise. I don’t have petabytes of data. We have gigabytes, we’re not even terabytes-
Amer Deeba: Gigabytes, terabytes, yeah, I mean we see it across. But they all say that. Oh, we only think we have that. And they got started, and oh, we didn’t know about this and that data store and someone added that somewhere else within Azure and I didn’t know about it. And then a new project popped in a GCP.
Alan Shimel: That would actually be an interesting survey. The before and after. The new customer says… Approximately, how much data do you have? And then how much data do you really have?
Amer Deeba: And the beauty is that, that’s again, getting that visibility really immediately gives you that ability to understand better what you have. And from there you can decide if you want to tackle it all or tackle part of it or how you… And we help. Our licensing model is very simple. It’s all like you start small, you start large, whatever you want, and then you can grow with us.
Alan Shimel: All right, so you’re not too big or too small to use Normalyze.
Amer Deeba: Everyone has good sensitive data. Everyone wants to protect their crown jewels and the data. In fact, we have a campaign here at the Black Hat with track what matters most for you. And if you come to our booth, we give you an AirTag so you can use it to…
Alan Shimel: Really?
Amer Deeba: Yes.
Alan Shimel: That’s great. It is a good one.
Amer Deeba: So come get a demo and you’ll get a nice beautifully branded AirTag, so you can be part of that campaign to track really what’s important and what matters to you, your data.
Alan Shimel: Fantastic. All right. Here was Amer Deeba, Normalyze. That’s normalyze.io. Though .com will work. But it’s normalyze-
Amer Deeba: .ai.
Alan Shimel: .ai.
Amer Deeba: All of these.
Alan Shimel: The app is .io. The website is .ai.
Amer Deeba: But .com-
Alan Shimel: Yeah, it works too.
… works as well. But most importantly, your data is important and you need to use a tool like Normalyze to get your arms around that. We’re going to take a break. We’re live here on Thursday, wrapping up Black Hat Week. We’ll be back in a little bit.
Amer Deeba: Thank you.
Alan Shimel: Thank you, Amer.

Alan Shimel

Throughout his career spanning over 25 years in the IT industry, Alan Shimel has been at the forefront of leading technology change. From hosting and infrastructure, to security and now DevOps, Shimel is an industry leader whose opinions and views are widely sought after.

Alan’s entrepreneurial ventures have seen him found or co-found several technology related companies including TriStar Web, StillSecure, The CISO Group, MediaOps, Inc., DevOps.com and the DevOps Institute. He has also helped several companies grow from startup to public entities and beyond. He has held a variety of executive roles around Business and Corporate Development, Sales, Marketing, Product and Strategy.

Alan is also the founder of the Security Bloggers Network, the Security Bloggers Meetups and awards which run at various Security conferences and Security Boulevard.

Most recently Shimel saw the impact that DevOps and related technologies were going to have on the Software Development Lifecycle and the entire IT stack. He founded DevOps.com and then the DevOps Institute. DevOps.com is the leading destination for all things DevOps, as well as the producers of multiple DevOps events called DevOps Connect. DevOps Connect produces DevSecOps and Rugged DevOps tracks and events at leading security conferences such as RSA Conference, InfoSec Europe and InfoSec World. The DevOps Institute is the leading provider of DevOps education, training and certification.

Alan has a BA in Government and Politics from St Johns University, a JD from New York Law School and a lifetime of business experience. His legal education, long experience in the field, and New York street smarts combine to form a unique personality that is always in demand to appear at conferences and events.
