Etay Nir is a cybersecurity expert with experience across R&D, threat intelligence, malware reverse engineering, OSINT, vulnerability and exploit development, and operations management. For eight years he worked at Palo Alto Networks, on the advanced technologies R&D team alongside John Kindervag, the security analyst who coined the term “Zero Trust.”
In February ‘22, Nir joined Axonius, a cybersecurity asset management provider and one of the fastest growing start-ups in the cybersecurity space, with a $200M Series E run earlier this year. In this role, he is focussed on scaling the Axonius engineering team and streamlining their development processes.
We spoke to Nir ahead of Black Hat 2022, where he presented on how organizations can implement an effective Zero Trust strategy. Our interview covered the Axonius platform, the importance of visibility in the cybersecurity strategy, and the first steps organizations should take on their Zero Trust journey.
Can you give us an overview of the Axonius platform, what you deliver, who your customers are, and the big pain points they are facing today?
Axonius is a cybersecurity asset management platform. What we do is take all of the information that you already have in your infrastructure—we support over 450 IT tools—and do deduplication, we do correlation, we do all these processes to give you a simple, unified picture of what assets you actually have. Because you need to start defending these things, and if you don’t know anything about what you have, how can you defend the network?
The challenge is, up until the pandemic, organizations were slowly moving into the cloud. It was a very orchestrated and organized process of moving into cloud services. And then the pandemic hit. And all those people, policies, and devices started working from home. All of a sudden, the perimeter became very atomized and very different.
So, the rate of the transitions to the cloud from on-prem became very challenging. And this is, I think, one of the major challenges, just the speed in which everything is happening. And at the same time, you have these different IT tools—you have scanners, you have network sniffers, you have firewalls—and everything resides on the cloud, not on-prem, so there is no way to get a sense of it.
So, the way that we’re solving it, rather than installing another endpoint, is to leverage everything that you have. From that, we give you a normalized picture of your assets, of your devices, and of the locations of your data. And then we make determinations and ask smart questions about those devices that you have. This will then enable you to build policies around your Zero Trust posture.
We’re hearing a lot about this concept of Zero Trust—but where many organizations we talk to are struggling is what the concept should really mean for them. How does Axonius define Zero Trust, what is its importance beyond the buzzword, and how does asset management fit into the Zero Trust framework?
It’s never trust and always verify. That is always the basic tenet of Zero Trust. What it tells you is, don’t trust anything, and verify everything. Don’t make assumptions that, because something is in your network, because it has passed through all the controls and all the policies, that it is okay. Don’t assume, never trust, and always verify.
How different organizations and how different platforms implement Zero Trust varies. You have encryption companies that look at data encryption and data in motion, like Palo Alto. And you have the whole Zero Trust Network Access architecture. But when you go beyond that, and you start thinking as a defender on your network, as a CISO or a CIO, you start thinking, “How am I going to go about this?” Then it becomes the nitty gritty of things and it’s a different perspective.
Now, where Axonius comes into play, I call it stage zero. You cannot protect what you cannot see. We enable you to see those devices, those users’ assets and data, and make determinations based on a few criteria that we will look at, such as location, etc. Based on that, we can find untrusted users, applications or devices, and we can then determine access controls by users, devices, locations, etc.
There’s also a decoupling when you’re looking at those types of things from the perimeter.
If you’re looking at things from the vanishing perimeter, it’s even more pronounced. Because if you’re a user and you go to Starbucks with your laptop, you may not connect to your VPN. So, then you go into your network on public Wi-Fi, as opposed to being in your office, and you’re accessing those assets within your protected network. This is a problem.
This is where you need to start building policies, if users are outside the network using a VPN. We give users those controls based on the applications and the infrastructure and the platforms that you have in house—your network scanners, firewalls, north of 450 adapters—and we take all that data and crunch it. And then we’ll give you an answer, or at least give you the ability then to ask those smart questions.
Let’s go to the next phase: where are all my endpoints, which of my endpoints have protection there? Is there any McAfee or Symantec installed? If I have protection, when was the last time I checked into those devices? So instead of looking at the perimeter view, I’m going into the user view. And not only that, but into the application, the location. And based on that, I can tweak my policies or actually enforce those policies.
This is where we come into play. I call it stage zero. Before we even start talking about the nitty gritty of Zero Trust, you need to know you need to have a list of the things that you then defend. If you can’t see it, how can you defend it?
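The “stage zero” workflow Nir describes in his two answers above (take what the scanners, the endpoint protection console and the CMDB already know, deduplicate and correlate it into one asset list, then ask which endpoints have no protection and which agents have not checked in recently) is shown below as an added Python example. It is not Axonius code and not part of the interview; the three source feeds, their field names, the MAC-then-hostname correlation rule and the 14-day staleness threshold are all constructed assumptions for illustration.

```python
"""Correlate asset records from several sources into one inventory, then
ask the Zero Trust "stage zero" questions: which endpoints lack an
endpoint-protection agent, and which agents have gone quiet.

Added example, not a vendor's code. All feeds below are constructed."""
from datetime import datetime, timedelta, timezone

# Constructed sample feeds. Field names are assumptions, not any product's schema.
NETWORK_SCANNER = [
    {"hostname": "lap-01", "mac": "aa:bb:cc:00:00:01", "ip": "10.0.1.10"},
    {"hostname": "LAP-02", "mac": "aa:bb:cc:00:00:02", "ip": "10.0.1.11"},
    {"hostname": "srv-db", "mac": "aa:bb:cc:00:00:03", "ip": "10.0.2.5"},
    {"hostname": None,     "mac": "aa:bb:cc:00:00:04", "ip": "10.0.3.7"},  # no name resolved
]
EDR_CONSOLE = [  # note the uppercase MAC: sources rarely agree on formatting
    {"hostname": "lap-01", "mac": "AA:BB:CC:00:00:01", "last_seen": "2022-07-30T09:00:00Z"},
    {"hostname": "lap-02", "mac": "aa:bb:cc:00:00:02", "last_seen": "2022-06-01T12:00:00Z"},
]
CMDB = [  # the CMDB knows owners and locations but carries no MAC
    {"hostname": "srv-db", "owner": "dba-team", "location": "dc-east"},
    {"hostname": "lap-01", "owner": "alice", "location": "remote"},
]

NOW = datetime(2022, 8, 1, tzinfo=timezone.utc)  # fixed clock so results are reproducible


def asset_key(record):
    """Correlation key: a normalized MAC if present, else a lowercase hostname."""
    mac = record.get("mac")
    if mac:
        return "mac:" + mac.lower()
    host = record.get("hostname")
    if host:
        return "host:" + host.lower()
    return None


def build_inventory(sources):
    """Merge records from all sources into one record per physical asset.

    sources: dict of source_name -> list of records.
    Pass 1 handles records that carry a MAC (the strongest identifier we have);
    pass 2 joins MAC-less records (e.g. CMDB rows) to an existing asset by hostname.
    """
    inventory = {}
    host_to_key = {}
    ordered = [(name, rec) for name, recs in sources.items() for rec in recs]
    for with_mac in (True, False):
        for name, rec in ordered:
            if bool(rec.get("mac")) != with_mac:
                continue
            host = (rec.get("hostname") or "").lower()
            key = asset_key(rec)
            if not with_mac:
                key = host_to_key.get(host, key)
            if key is None:
                continue  # nothing to correlate on; in practice, a data-quality finding
            asset = inventory.setdefault(key, {"sources": set(), "hostname": None})
            asset["sources"].add(name)
            if host:
                asset["hostname"] = host
                host_to_key[host] = key
            for field, value in rec.items():
                if field not in ("hostname", "mac") and value is not None:
                    asset[field] = value
    return inventory


def unprotected_endpoints(inventory, edr_source="edr"):
    """Assets seen by some source but never reported by the protection console."""
    return sorted(k for k, a in inventory.items() if edr_source not in a["sources"])


def stale_agents(inventory, max_age_days=14, now=NOW):
    """Assets whose agent last checked in more than max_age_days ago (assumed threshold)."""
    stale = []
    for key, asset in inventory.items():
        seen = asset.get("last_seen")
        if seen is None:
            continue
        seen_at = datetime.fromisoformat(seen.replace("Z", "+00:00"))
        if now - seen_at > timedelta(days=max_age_days):
            stale.append(key)
    return sorted(stale)


if __name__ == "__main__":
    inv = build_inventory({"scanner": NETWORK_SCANNER, "edr": EDR_CONSOLE, "cmdb": CMDB})
    for key, asset in inv.items():
        print(key, asset.get("hostname"), sorted(asset["sources"]))
    print("no protection agent:", unprotected_endpoints(inv))
    print("agent quiet > 14 days:", stale_agents(inv))
```

Each finding maps back to a policy decision the interview alludes to: an asset with no agent is a gap to close before it gets network access, and a quiet agent on a remote laptop is exactly the “went to Starbucks without the VPN” case that a perimeter-only view never surfaces.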
Finally, what advice would you give to organizations who are at that foundational stage, but are looking to improve asset management and take advantage of that Zero Trust framework?
Again, you have to gain visibility. You have to find those gaps in your security.
I always say that the adversary lives in the gaps. This is where the things are that you don’t see—the things that you didn’t think about, but which someone else has already discovered. They’ve figured it out and are exploiting it.
It’s like the whole world of exploitation and vulnerability exploitation. You use these tools to find problems within your software and solve them. There is this whole litany of solutions that try to exploit a platform or exploit a vulnerability.
It’s the same thing with the process of discovering what you have. What are the areas that are protected? What are the areas that are not protected? Identify those gaps as soon as possible, and then patch those. And I think that’s one of the most important things that Axonius is providing: vulnerability gap identification.
Learn more about Axonius: https://www.axonius.com