Workshop | From Asset Management to Asset Intelligence: Crossing the CAASM

You come here in Berlin, but I'm covering a call leadership Summit workshop talk. He comments on he from I computer state us, Susie, in vie we are Martin and workshop from TEMA Asset Management.

Alin, I'm going to, I'm gonna repeat this in English. One, one second. I'm just trying to, trying to make this so I can actually, I can switch to English directly so I repeat myself. Good morning everyone. Welcome to Berlin to the cuffing called Leadership Event. And we are glad that we, that you all made it to here. And we are also glad that you at home are watching your computer screens. Now we are doing a three hour workshop about asset management. Now that sounds a little bit boring, does it?

And we've been making up our minds about what to do to entertain you within three hours so that no one really runs away. And you all have a proper takeaway from, from our efforts here. So I'm giving you a rundown of what's gonna happen in the next couple of hours. First of all, we have brought some very interesting colleagues of mine from Israel because a is a company been founded in Israel, and we have three gentlemen sitting over there that can tell you much more about a's than I can. Who am I? I am Christoff Kupa.

I am running a's business here in the German speaking part of Europe, in in Switzerland, Austria, and, and also in Germany. And alongside with me is Aor ov, who is one of the co-founders of Aons.

Now, AOR is here to not only present the technology to you on a high level in a not so long presentation, but he's also gonna weave in a lot of the why and how Aons was actually founded. And that's gonna be very interesting because as good morning, because asset management can be highly exciting if you're in a hurry. If you really need to find that asset for a specific reason and you don't know what it, where it is, then you start asking yourself the question, How can I optimize this?

So this was actually a little bit of a spoiler for what's gonna happen next, but about the founding and about the idea of Aons. Avedo is gonna tell you a little bit. And then after this, we have two gentlemen with us who are experts in the two different aspects of our platform, which is cyber asset management and SARS management.

Now cyber, let's leave the cyber aside. Asset management is pretty obvious. We talk about devices, we talk about users, and we talk about maybe access rights of those. But if it comes to SaaS, there's no device anymore. And users also are kind of blurry because there's a lot of automated users. There's a lot of things going on in the background that we don't understand because it's partially handled by the SaaS provider. So it's very difficult. And on the other hand, SaaS is proliferating quite a bit in the last couple of years. Who does not use Zoom? Who does not use Salesforce?

Who does not use Microsoft Office 365? This is the stuff we're gonna talk about in the second part of our workshop. And it's not that we are only talking and this is what I wanna make super clear. Anyone in the audience, please, please raise the hands, throw in a question, throw in a use case.

Hey, can you do this? Hey, how would you do that? We want to answer those questions together with you. We wanna make use of this time that we have as good as we can so that you all not only understand why is this company been founded? What was the, the initiating event? How does this, how did this all go? But also that you really in depth understand what is this all about and how do those guys do this so that you can take this away and can say, Okay, we like this, and maybe tell it other people. If you like it, please tell it other people.

If you don't like it, please come to us and tell it to us. Now after that, having said, I think, is there any questions in the audience for now? Is there any, any suggestions how to go? Is there anyone who would say, Could you please tell me this in the course of the next three hours? If not now, please.

I want, I want to explicitly say this, and I will say this again and again and I will look at you and I will ask you if I can see there's potentially a question, I will come to you, I will annoy you to please help us to make the best out of your time. Okay? Having that said, I'll hand this over to Mr.

Aov, who is gonna tell us what sucks on yours and, and why and how and a bunch of other things. Thanks much.

Hello, everyone. Okay, so we're gonna talk today a bit about, about Exus, about the platform, what it does. And I'll start with just, you know, a quick explanation. What we do, I'll continue to the story of how it was found, how it was founded, and you know, just what we can do with this to, to make asset management an easier thing for your security teams. So this is me, one of the co-founders and the chief architect. What I do in the company is more mostly the technological stuff.

I, I'm into the architecture of the product. So if you have into, you know, any questions about how it works behind the screen or, you know, behind the scenes and things like this, that's absolutely okay to ask. So here's the agenda and you know, what do we even do? So we are exons basically what we do is we do, as I mentioned, we are saying you've got a lot of assets in your organization. Many of them are coming from different sources, right? They're coming from, some of them would manage your Windows devices. Some of them would be endpoint protection that you are protecting.

Some of them would be just vulnerabilities, scanners. They are seeing a lot of, you know, in your network. And there are many, many, a lot of information coming from different parts of your network. And you know, it's very fragmented when you, when you're trying to ask a question like, you know, what is this device? There are many, many different answers to such a question. It could be information that's coming from, you know, your domain that's saying, Hey, this is a device which is coming from this.

It's, it's in this group. It could be from your end print protection, which is saying, I've got this policy on it. It could be saying it's in your cloud, right? So the context that you have for every device is spread across so many different products. And that's actually some of the things that trying to solve.

So, you know, those are the founders. Basically we're all ex a 200, which is the cybersecurity unit of, of the, the Israeli military. I've done their five and a half years of service as an officer. And so this is where my background is coming from and a bit about the company before I deep dive into, you know, what is this story? We are one of the fastest growing cybersecurity companies that in history, basically we, we have a couple of funding rounds, and right now we're valued over 2 billion in valuation.

And we have, we have won a couple of the biggest, you know, awards in the, in the industry. And, and, and we have couple of the biggest logos that there are. Those are just the public ones that we can just tell you. But we have a couple of other very big ones that are using our solution. And so I wanna deep dive into what we do. And this is, I think one of, it's one of my favorite photos of, you know, understanding the problem right here is a would a tweet that was done by one of the, the security, some security guy advocate on, on Twitter, which is a demonstrated problem, right?

The CSO is asking how many Windows hosts do we have? And then each team is going to say something else. The end print protection guy is going to say, you know, VIRs guy is going to say, we've got this number. And then the desktop management is going to say, we've got this number. DDR team is going to say, we've got this number, right? Because everyone sees the problem in its own eyes. Everyone has different pieces of information. And with this in mind, I wanna go to the story of how it was founded, right? Because you're thinking about the ideas on how they come.

I think many people will think, you know, how do you, how do you think when you start a new business where, where it would come from? I think, you know, in the movies what you see is that a couple of people are sitting in some room and are thinking, you know, what would be the best, the next idea? This wasn't the story for us, For us, it was a story that came directly with interaction from the field, interaction with the cybersecurity industry. So our CEO Dean, he founded another company before, which was around Deception, and he was the CTO in that company.

What he was doing, he was flying to many prospects and installing the solution that is a different company, a previous company, not exons. And what he would do, he would install that deception solution, deception solution. What it basically does, it's kind of like a honey pad. You put it in a network, you put some host that is talking, they're exactly like other hosts. I imagine you have, let's say 10,000 devices in your network. It understands how those devices are talking between each other. And then it would install a lot more that are talking exactly the same.

But if you interact with them, then we will, you know, then the solution would know that something is wrong, right? This is not Exon, this is the previous company that our CEO has founded and it's no longer what we do. But when he did this, he went into some prospect in the United States, a very, very big company, one of the large enterprises in the United States, and he installed a solution. And then a couple of days after, suddenly there is something interacting with it, right?

It's a, it's a deception tool. No, nothing should interact with it. It's there so that someone will interact with it. If there is something going on and it happened, you know, and at this point he's thinking, Hey, you know, we've got something here we should understand because it's very, very suspicious. You could imagine in your organization, you know, what, what, what would you do at this point? And he was thinking, Wait, there's an ip. By the way, a couple of months later, they did understand it was a real attack. That's not a, you know, it's a real story what I'm telling.

It's also, we've published this on our blog and he asked the security person there, you know, here's an ip we need to understand what is this IP I'm asking you right now, you know, here's an IP in your network. What is this? What can you tell me about this ip? It's such a simple question, right?

I mean, it should be a simple question. You, you are in charge, you know, after all on the security of the network. And then the answer that that person told was absolutely, you know, amazing in the way that it's unaccepted.

It'll, you know, in order for me, for me to understand what is this device, I have to open an IT ticket so that my different solutions would tell me what is this? Right? Because if it's a Windows device, it might be, you know, it might be managed in active directory because Active directory manages my Windows devices, so it knows when was the last check-in. It knows what groups it's part of, it knows such things. But if it's on my cloud, then AWS would say, you know, here, here is the, the instance, here's the account it's on, here's the name of it.

If it's critical, if it's production, if it's development, if it's going to be a user that is, that was connected, then my VPN solution would know this, or you know, whoever the, the users are connecting. But then it must have, you know, we hope it has an endpoint protection. So the endpoint protection would say, here's the last ip, you know, the public I to was on, we, we, you know, here's the policy. It's on. If a vulnerability scanner saw it, then the vulnerability scanner would see, you know, here's the, the vulnerabilities on it.

So, so many different teams and don't, you know, so the, our CEO asked him what, I mean, this is what you have to do in order to ask, you know, answer such a simple question, you have to talk to so different, so many different teams. And he said, Yes. So how do you, you know, even correlate between information. And then he answered using basically Excel spreadsheets, right?

It's, and we founded this in 2017 Excel spreadsheets in 2017. We've got the cloud, we've got continuation going on, but still teams are using Excel spreadsheets, right? Because the VIRs got, you know, team will say, here's, here are all my endpoints, here's the last thing that we've got from them, the policies. And every team is going to say something else.

So, you know, how do you even understand basic things? And so you got the next day and he asked, you know, do you even know how many devices you have in your network? How many devices, right? A simple should be a simple question as well. And that person said, we've got between a million and a half and two, Okay? Which is an amazing range. Like that practically means that you don't know how many devices you have.

You know, we, we want to make this, you know, not, not a boring presentation, but, and so if you've got questions, if you've got thoughts, because I'm sure that problem exists in every company, you know, please feel free to, to say them, but basically, you know, this point, there was like a aha moment that said, you know, there's something really, really wrong here going on. And so you, you're starting to think why, I mean, why is this happening right now?

If it, if it, if it's a problem that exists for a lot of years, why isn't this solved already? What is it like, why is it new? And this was 2017, what is the big difference that happened? And then you, you're thinking just a couple of years ago, you know, the way that I look at it, you know, if you, if we look at 2012, 2011, I'm thinking about, you know, those movies where you're seeing some, you know, corporate building, you're going into a building, you're seeing people working, Everything looks the same, the monitor is the same, the operating system is the same.

They all got Windows or you know, whatever that would be. Everything is the same. There are only like three or four antivirus solutions in the world, which are dominating the, the market. And then something happened between that year, you know, 2010, let's say.

And two, 2017, there was a huge, like, advancement in it, in it mostly, right? Cloud suddenly became something beginner. That wasn't a big thing then containerization, that didn't exist there, right? Operating systems, most companies would have just one, right? Right.

Now, if you're going to, you know, different companies, you know, they have different operating systems. They have Linux for their service, but they've got users who have max users, who have Windows PCs working from home. That wasn't a thing, right? People would go to the office, personal phones and bring your own device. That wasn't a thing. So many new things, So many new things emerged.

And yet, you know, when we were thinking about this, we thought this is actually like, like the Cambrian explosion. The Cambrian explosion is a piece in history, the history of earth where a lot of new species were suddenly created, you know, species were created along history, you know, all the time. But there was a specific period, which is called crime explosion, where, you know, a lot more were created in this period. So something happened, and security, just the security space did not make it in in time, right?

So it was kind of like a very, very fast car, but a breaks were in developed in order to protect it. And so this is how, why, you know, how we were thinking about it. So something happened until that, that place where many different solutions were developed, the information was fragmented. So you go into an organization, so many different solutions, so many different things, each one of them has a different part of your network, and there is no solution to this.

And so, you know, when you're thinking, what would people do? How would they know what they, you know, what, what are all, where all my agents things like, they would use Excel spreadsheets, which is, you know, just not working well. So this is how started, we didn't, you know, even know how we would solve this thing. But this is the problem. It's a big problem. This is what we were thinking too, for instance, 17. And we said, we gotta solve this because, you know, the life of security teams right now is just not good with this. Any questions by now, before I continue to do more things?

Question? Yeah. C is less than others. It's not a good C otherwise, people, The question I, I can repeat.

How come, how come the CMDB is, is less than others? I think it wouldn't be a surprise if I tell you that CMDB are, you know, lacking a lot of, you know, the real estate of the right of your network.

It's, it's a problem in the entire industry. Cmdb. That's why we are not a cmdb. If some people would say our US mdb, we're not a cmdp. A CMDB is something that you have to manually go to. You have to edit the records and, and you know, not being in a healthy state, not being in a, you know, kind of a hygiene state, that's an industry problem. We are seeing in our customers a lot of old records, a lot of records which are not updated, a lot of artifacts.

So, you know, it's for sure like this. But you know what, to your question, it could be even a lot higher because you would have devices there which do not exist anymore, right? That could be an another option.

Any other, Yeah. Okay. So you're not a CMD Bay, Yes. But in 10 seconds, what are you? So what we are doing is we are going in into all of the existing solutions that you have in your network by api. We're talking active directory with api, we're talking to the end protection and api. We get all of the information into the, into one place. We normalize it, be correlated, that'll show you demo in a moment. And then we show you everything in your network in one place. We do asset management by talking to each one of your existing solutions in your network by api.

So does that answer your question? Yep. Great. Thank you. It was a kind of a leading question, I guess. Thank you.

All right, so I'll continue with this. So why is it so difficult?

Wait, Wait, wait. I would have, I would have a thought in in mind at that point. I'm listening to this presentation and this content quite some time. And whenever I'm at this point, I think to myself, if I would be an attacker, if attacker, if I would be someone who wants to take out information out of a given system, I would be really happy about the fact that, you know, systems are proliferating. Is anyone of you in that state of mind?

Is, is, is anyone of you thinking that way? Or are we all trying to only protect and protect and, and not think about what the other side of the game would really do? I don't expect an answer here at that point.

Also, there's people on, on, on, on, on the hybrid side of, on the video side of, of the presentation. But I want you to think about this a little bit as the presentation goes on, because it's, it's exactly the mindset that, that, that led to the founding and building of what's gonna come next about the technology that you're gonna see in the next couple of minutes. And please ask questions about this. Try to be a hacker in the next couple of of hours. Try to think with a mindset, how can you crack this? How can you circumvent this?

If, if someone would have a think like this in place, how could you potentially, I think you are on the right track here with the question, how could you potentially still, you know, circumvent this Eva, this I stop here and I'm sorry for Interrupting. No, please continue. Yes. So we're, wait, wait, wait, excuse me. So is everything around on premise when you say this count, right? The premise, No, Could be, could be on SAS as well.

Yeah, you could, you know, you could have active directory on your premise, but in Azure, in your cloud, you could have, if you're using an protection like CrowdStrike or you're using Sentinel one, you're using cyber reason, they're all cloud. But in on-prem, you would have sccm, for example, to managing your software in patches, right? That's also part of the problem.

So, yeah. So I got a question around called OT devices. Generally most of it runs off legacy and maybe they don't have APIs. How would you hook into those kind of systems that don't support APIs? Great question. What whatever you're not managing, First of all, some other solutions would see it like your dhcp, you know, networking tools would see it. So one of the most important things you could do is first of all, just categorize them. You'll see a lot of assets in your network. Just first of all, understand what they are, right?

If something is unmanaged, it could be something that is not manage because it, it's a problem. It could be something that's not managed because it's an iot device. You could take a look at the MAC address, for example, to understand the manufacturer, to understand it's an iot device. You can see what, you know, VLAN or sab, this is connected to because your wifi, you know, software would see it. And then you will connect to a DCP connector would connect to your, any networking tool. Mostly if you have checkpoint, if you've got Palo Alto, if you've got 4k, they will see that thing.

They will even probably understand kind of what is that thing roughly, right? And so you cannot manage it, but you can see it and understand exactly what it is and see weird things in it. For example, you could say, I wanna see all of my IOT devices, those devices where, which are coming from those manufacturers. They do not, they are not known in any other information source, which is, by the way, another something very simple that should be asked with a very complicated answer. How do you answer, you know, what is the question?

What is, where is all my devices? Where the networking tool knows them, but the input protection does not know them. That's exactly what is going, I'm going to show you that we can do in one click, right? And you would know this is an IT device and understand that maybe it's like it's not in the right network or things like this, right? More questions. All right, great. So I'll pass through all of those slides fast and just, let's just go to the, to the product.

You know, we used to have this and now we started to have so many different other solutions. Think about your own companies. You probably, you know, try to count how many logos do you have here, right? I'm guessing each, each one of you will have many of those, because otherwise you can't operate the network in other ways, right?

So many, you know, things to manage your, your just devices in general. I mean, look, look at all of those solutions, right? This is just, and that's just small part of it because there are hundreds of them that, that you have in your existing solution. Each one of them has different types of assets and fragmented information about each one of them. Each one of them sees a different part of the network, and some of them do not see the same things, right? So some of my, of the use cases that we have is my agent, everything everywhere it should be. How do you know that, right?

Because the agent would know everywhere where it's installed, it's not going to know where it's not installed. If you go into the console and look for, so, you know, how do, how, what do my users have access to in other use cases, use case, we can have, you gotta talk to each one of those solutions to understand what users they have, which permissions they have, and to find anomalies with this.

So we, we wanna answer basically six essential questions about every asset. Every asset that you have in your network is this known and managed, which is, by the way, exactly what you asked. If it's unknown like or it's not managed, you can try to understand if it's not managed for the right reasons, because it's an IOT device, and at least categorize it and say, this is an IOT device, it's owned by this team, this is what it's doing, it has to be in this or whatever that would be, right? If it's managed, is it managed correctly? Is it in the right policy?

Is it, you know, does it have the right policy? Everyone have, you know, have assets which are not managed the right way. But it's very hard to understand. It's for one console, you gotta have the entire context of everything.

Where, where is it? What is it? Who has access to it? Is it configured correctly? What software is in, you know, software is installed on that device? Does it adhere to my policies? Right? Those are questions which are by the way, fundamental by the CIS controls, right? CIS controls, if you look at the compliance controls, some of them would say that the basic things, the fundamental things about every, every, in every security team, in every compliance, it's first of all just have inventory. Just understand what you have. You cannot protect something you don't know about.

You cannot protect something you do not see. So that's the basic thing that every cis and many compliance, I basically just, you know, required to do, just continuously have an inventory of everything that, that you have in your network, because that's the basic that you have to have in order to protect the assets.

Otherwise, you would not even know, you know, what to protect. Okay? So I think we'll just go to them right now and start a couple of, a couple of use cases. And this is the product that I'm demoing right now. So before I start, questions by now about everything, about the story, about the use cases, about the problem space, anything that, that you have to ask?

Yeah, I have a question. You said you want to answer all these questions, but if you have a million of things on your network, how do you group them into things and how do I get the right persons to answer? That's a very, So you're asking two things, right? Basically categorization of devices. What is this device? Is this a laptop, is this a server? Is this and my production account, is this a development thing? Is this what project it's part of just tagging those devices. And the second thing is ownership, by the way, another very large use case.

Okay, we, here's an asset, I know everything about it. It's a server, it's public, it's managing some software, you know, that is critical to my business and I have a vulnerability in it.

Now what, who is owning it? Who should I contact so that, you know, they will fix the issue? That's a big issue.

And I'm, I'm sure that, you know, you're, you're spending your time way too much on, on those questions where you shouldn't, does that answer the, the question? I'll show you exactly how to do so, but I want everyone to connect to the problem first of all, because if I'm talking things that you do not relate to, then please let me know. I'm pretty sure, you know, we, we do have hundreds of customers. We're seeing this at every single customer. And you know, I'm pretty sure that this is a wide industry problem. Yeah.

It's because I'm from a company where we have a lot of OT and that sort of, you know, evolved over yeah. 60 years and so on. So there's a lot of old stuff on it and new stuff and, and they buying stuff to support the production and the ownership.

Yeah, somewhere. But, but getting all this information correlated into your system, then we need to figure out who, who's owning these and, and, and that's gonna be a huge task unless we can group them into, Yes. Yeah. So unless we can automate basically filters, we call this queries. Unless we can say this device is owned by this team, if the following, you know, conditions happen, and then if it's done automatically, you would automatically know. And by the way, you would only know this if you have context about this device from different information sources.

If you just talked to the AWS or the Azure, the GCP cloud, it would not give you all the information that you need. If you just talked to DC mdb, it would not give you all the information. If you have answers from all of this or what I'm, you know, what we call the context. If you have the context of the entire asset only then you will be able to understand these critical questions. So let me start with the adapter page. The adapter page One second one. Yes.

Sorry, that's another question. Oh, I'm Sorry, Yes. One question regarding the shadow it because how we can make sure with this tool that we didn't have such blind spots. That's an interesting point for me to See.

So, so we are aiming to see every assets because it will connect to your wifi or it will connect to your ANet connection. It will be, someone will see it, maybe not the, the adapters, which we, we call adapters integrations. That's what I'll show in a moment.

Not, maybe not the solutions that you currently have for managing the IOT devices, but someone will see it if it's interacting with your network, it has to be somewhere in the network. It has to talk to the wifi, has to talk to the internet, it has to get an IP address from somewhere. It has to be on some switch.

You will, you will see it and you will be able to say, you know, this is not, this is not adhering to my policies. And then investigate this from, you know, more so, so this is, you know, how we would do this. This is how we would, we would not be able to see information that manages it, but we would be able to see that exists there. The last time it was, it was connected.

For example, if you have an issue in your network, you wanna see, you know, here's an ip, what was this IP a week ago like or what is this I device where what IP it had a week ago, you would be able to do so because we recorded this state of your network every day. And before you get into the demonstration of Iora, let, let me please interrupt your thinking process and the flow of information that goes towards you.

Again, I know this is kind of annoying, but I'm doing this on purpose to keep this a workshop. And not only a play out in broadcast, A said something interesting a couple of minutes ago.

He said, you can only protect what you can see. And we all know this, we heard this before from many, many other aspects of it and also from technology that helps us with that. But I want you again, to think rogue. And I want you again to think about the question. I can only find someone bad if I know about him and how would I know about him if I would not use any single source of information that's out there. And assets, asset databases are great sources of information.

So if I collect anything about who's connecting to my network and if I collect everything about who is dialing into my VP and concentrator and if I collect everything about who is leaving traces somewhere in my IT then and only then the cyber aspect of asset management really comes into play because managing asset on a proper basis and you know, knowing a hundred percent who's what and what's what, This is only half side of the story obviously. And please keep this in mind. The other side of the story is how could I find something that I don't want? And I make a quick example here.

If, if, if I'm at home, I know every asset there because it's my wife's PC and it's my PC and the kids, they have their PlayStation thing and then we have a printer and then we have one or two wifi hotspots and I'm a IT geek, so I have quite a bit of stuff sitting at home, but I know each and every one of those and if there's something's going wrong, then my wife calls me and said, eh, this is not working. I go there and I fix it because I know where it is.

But if you are in a company like yours with a multitude of assets, and if you in a company like yours with a multitude of OT assets, which don't even fit into categories quite well, this is where the power of aggregation of information about asset information comes into play. Aggregation, we are aggregating asset information. We're not collecting it, others are collecting it. All your databases, all your systems, all your management platforms, they are collecting information.

We are aggregating information and we are trying to give a single source of truth, not only to know where's the printer sitting and who is administering it and who's paying for that potentially. Yeah, but also what's that? What can I ask the question please? What's that thing here? What's that mega address and where does it sit? What's that mega address and where on my network does it sit? And where's the switch physically? Is it in Germany, Is it in Poland? Is it in the us When I need to go for, Those are questions I want you to think about in the next couple of minutes.

Sorry for interrupting your thought process again, please. A question, Yes. When I'm thinking with this mindset, I am sometimes lost in between two layers. The first layer is the collecting the information, which might be a huge and humongous that I cannot take from it any insight. This is the first layer and the other layer is a very highs eye layer when I see all the organization assets as one complete set where all the information is hidden. So on this layer, I don't see on this layer, I'm lost in the details.

So when I'm thinking about security, I just, I believe I'm searching for something in between that can help me analyze the data and get some insights on these insights. I'll work and I will investigate and I'll try to do my best later. Go Ahead. Great question. I'll answer it in just one moment when I show you the demo and then we can understand because that's really, really true. If you talk to the IT solutions, you'll see, you know, you'll have to first of all talk with their language, each one with this api, so many problems about the api.

Some have frt links, some have some, some, so many issues that you have to, you know, do or you know, work with. Why would you spend so much time in order just to talk to those things?

You know, it's like, I'm thinking to myself, it's like answering a question where you have to go into your browser, into Google Chrome and open seven to different, you know, tabs. Everything is there, but you have to go into each one of the tabs, which talk an entirely different language and has the information somewhere else. A simple question can take a lot of time, right? And the other thing is that, you know, where you say the high level, I've got so many things, how do you even understand what you know, the insights out of it? So I'll start with the adapter's page.

The adapter's page is basically our integration page we call an adapter. It's basically integration that we have within the product to talk to the different solutions. So we can connect, for example, to active directory, right? This is a demo environment obviously. So you know, if we go active directory, here is one instance. You could have many domains, by the way, many domain controllers, there are many advanced options here. But basically what you really need is just the address, the username, the password for a read only access.

And then what we'll do is we'll go talk directory, we'll talk in its api, which is lep, right? And we'll say every couple of hours, hey, active directory, can you give me everything that you know about all of your devices? Every couple of hours will get this in question. We'll get it into exons. And then we'll do the same thing for, you know, your protection. For example, it could be cross strike, it could be aff, it could be anything, you know, it could be a lot of solutions. We do the same thing for your cloud. Could be aws, could be, you know, gcp, any, any cloud that you have.

We'll do this for the virtualization like, you know, your VMware or your HyperV or any other virtualization solution that you have. We are supporting the biggest here. And we always keep adding. We'll do it for the vulnerability scanner, whether it's Rapid seven or whether it's an extendable and or whether it's qs. We'll do this for your networking tools, for example, like Cisco or for, or you know, your, for the gates or your Palo ALS or whatever that would be. We'll do this for random SQL databases because we know that exists, right?

Sometimes you have automations, some something is running in some random SQL server and has information that no other tool has because there's a team that's automating something. We'll pull that information as well. We'll even take CSVs that you have somewhere which are not automated. So if you wanna upload a CSV that has information, we'll do this, this as well. And we'll do each one of those things every few hours. Or to be honest, how much you configure. So what are we doing with this? So let's talk, let's take, you know, a random device. I'm going here to the devices stable.

This, this is a table that shows all of the devices that you have in your network that we understand that, you know, from, from the different solutions that you have, the more solutions that you connect, we will see more, more of your network and eventually see everything. Now notice there's no endpoint or there's no agent installation anywhere.

We do not, we just talk api. We do not install anything. There's no scanning that's done. We're not scanning at any point. We're just talking to existing solutions that you have. This is why if you have read only credentials to them and you're, you know, you can get the value very, very fast because the deployment is not hard. So what do you do with this? The first thing is context. Let's go into a random device here. You can see in this random device a couple of things, right? I'm gonna click view advance for a moment. This is what we got from Cisco Meraki, for example.

Now here, this is a demo environment, so I'm not sure exactly it's going to, oh, it's actually, it's looking quite almost the same in active directory. It would talk in LEP in its own language, right? Because l d is one language that it knows. It would say, this is the hosting of this device, this is the domain. Those are those things. This is the raw information. How we get this, you know how we read this, And this is by the way, how the existing teams, the directory team, they know very well this language because this is what they talk, right?

But then if you talk, if you look at your AFF, for example, that knows something else entirely. It's like, you know, one is talking in French and the other one is talking Italian, and they, they have different languages. So the first thing that we do is we're saying, okay, let's just translate it into one. We're taking, we're doing the hard like, you know, boring work to be honest, right? We're talking to their api, we integrate with the, you know, with APA Nation, with their fring, with the, you know, the different endpoints.

We, if, if there is any new feature, we'll we'll do the, the thing that you don't want to do. And then the first thing that we'll do is normalize information. Take the language that they're talking and translate it into one. So whatever, no, however you get host name or however you get the last time it was signed into this solution or however you get, any field that you have on this will first of all translate it and see. And so you can see it in a very well organized thing. So we can see here in aff McCaffey says, you know, the last time I've seen this asset was four days ago, right?

I've seen it on November 4th. And then, you know, this is the IP that I'm seeing. And I understand that this is a Windows 10 Pro device, and this is the hardest because knows all of those things. And then if you take a look at active directory, that would say something else that would say, you know, I'm also seeing it's a Windows 10, but the last time I seen it was on November 6th, because this is what active directory sees, right? But then it also sees things that doesn't even have a clue on this is, again, this is a demo environment. In a real environment you'll see hundreds of fields.

That's the object class. This is the, you know, the account name, this, those are the me object, like the membership groups. This is the policy of the password that's attached to it. Only things that active directory knows about because AFF doesn't have the context. And then you can take a look at sccn, which is managing those Windows devices and you can see that thing knows other things that Hack directory doesn't know and doesn't know, for example, your installed software on it and the security patches that you have.

So the first thing that we'll do is just give you context about everything. You have an ip, Okay?

Here, here, here, you know, you can see everything here. And I want to connect it quickly with a story that we have from one of our customers. We have a customer that was examining a solution for public IP scanning. So you give public ips some solutions, scans them, and you know, it's, it's, you know, there are many solutions to this and chose, here's an ip, here's, here's the vulnerability. And that customer said, you know, it was checking a couple of different vendors that would give that value.

And it said to that vendors, you know, we want you to integrate with Exons because we do not want yet another console where I'm seeing IP vulnerability, IP vulnerability. That's not going to help me.

I mean, you know, I can work with that. But again, Excel spread says it's not going to be automated. I don't have the context. If I have an IP and a vulnerability, that doesn't tell me the entire story. But if you have that solution, you need that solution. But it integrates within exons. You can see here's an ip, it's on aws, it's a Windows device. We know it's owned by this team. The CMDB is saying this thing, you have the entire context. It's part of this application. It's in production use, you know it, the unprinted protection says it has seen it, you know, yesterday.

So I know that, or today. So I know it's protected. So I can lower the priority on that vulnerability, right? And you have the entire context. So the first thing that we want to say is, here's a device, here's an ip, here's an O name. Here's the entire context on it so that you can understand everything that you need to understand, especially when you know you, you need, you need it fast. And we can see this in an aggregated view as well. And you know, we can, we can just do a lot of things on it. And now I'm getting to the biggest feature, and that's maybe the most important feature.

That's also going to answer your question about, you know, where is the medium ground? Like where is not the high, no, the low, how, you know, And I think that's the most important feature that we have in Exon, and it's called the Query Wizard. The Query Wizard is the ability to ask questions that are coming from different information sources in a very simple way. And notice this is not like, you know, a Splunk language or anything that your people have to learn. It's a very graphical, intuitive ui. And I can ask a question.

Let's say I have a policy, and that's mostly for understanding because your question is about, you know, you, you can't investigate every asset that you have in your network. You need to ask questions, right? And the questions are mostly about the policies that you want to enforce. So the basic policy that you want to enforce is that, you know, let's say if, if it's a Windows device, it has to be in my domain, right? A very basic policy. Another policy would be, you know, if it's, if it's a personal device, it has to have an an endpoint protection solution that those are the policies.

Everything that doesn't fit in that policy you need to know about because that's a security issue in your eyes, right? So I'm gonna ask you a question. Show me all of the devices where someone said some solution said it's a Windows device. Now notice I start here with 40,000 devices. We've got a customers who have millions of them, right? So that's a relatively low number. Show me everything that is a Windows device. I'm gonna, you know, show you the query.

Again, everything, everything that someone said when I'm saying, you know, when I'm using this icon, which is the aggregated view, it could be the active directory that said it, it could be the Cisco Meraki, it could be the Forest Scale, it could be the aff, it could be the ESX platform. Someone said it's a Windows device, and then I get this list, I can export it at any stage. By the way, here, that's a very, you know, simple question that is not so, so simple to answer, right? And then I can add another statement here.

And it's, you know, it's a Windows device, but actually directory does not know about the existence of it, right? We'll do this and then we can find out 125 devices. That's an immediate value, by the way, an immediate value, right? Everything that's a Windows doesn't, doesn't is not known by active. How do we know that? Because we went into every solution. We went into directory.

We said, give me everything that you know about. We went to the endpoint protection, give me everything that you know about. We asked everyone, we normalize information and we correlated information.

We said, if it has the same ip, if it has the same Mac, it's probably the same device. That's by the way of not true.

Like, you know, it's not simple. Some solutions would tell you different ips because they're seeing it in different times of the, of, you know, of the day. Some would see different network interfaces, some would say false information. We're seeing it a lot, especially about vulnerability scanners and anything that guesses, whenever you have a guess, it's not running an agent or something like this. It would mostly guess, right? It would have contradicting information. Some would just not know about the map because they don't have this information coming.

They would only know about the hosting will correlate those things. Would serial numbers. We host names with ips with, with every information we have with idea on aws. Anything that we have to say, those are the same devices. And when we have this information, we can, you know, pretty quickly tell you, here are all of my Windows devices, which not have active directory. So let's continue to another statement here and say, you know, there's 125 of those, but I wanna see, you know, those which were interacting in the last three days.

Because many of them, you know, it could be a decommissioned computer, there could be a decommissioned server. I want to know something which is active. So we'll do last scene equals three. And in this, okay, so we've got 115 instead of 125. If we'll take a look at those things, right? Open this thing. For example, Windows, you know, this thing.

We'll see, here's the IP as it was reported. And those are the times where each solution saw it. ESX saw it two days ago. Tenable saw it a couple of days ago because it's a scanner, right? It makes sense that AFF also saw it two days ago. So you know, this device, maybe it shut down for, because it wasn't distracted two days ago, but it was interacting and active direction did not see it, right?

So look at, you know, how, how what you can do basically when you just talk to different solutions and you, you know, norm normalize it into one language correlated, and then you can ask pretty advanced questions. Now on top of it, those are the most basic questions that we have. But you know, what we could do is basically throw that, those solutions at you and you know, just not let you do the query wizard because we just know the questions to ask. But here's the interesting part, right? Every organization has things which are very custom to that organization.

We have customers where they want to know about devices which are not connected to their directory with a specific subnet or where the CMDB is saying it's part of this project because then the criticality goes above some level and they want to know about this things which are custom to your organization. This is how, by the way, we can also do the ownership problem, right? If you wanna know where is this, you know, who is owning this device?

It's you, you have, you, you, you can ask a question like, you know, is it part of this network? Is it part of this subnet? Is it in in those AWS accounts? So you can have a question of, show me all of the devices where they're part of this account or they're part of this data center, or the CMDB is saying it's part of this application.

Or in my, you know, every solution that supports tagging the tag that says solution equals this is is indeed saying it. Or, or, or, right? A different, different things. This is how you can do ownership. This is how we can do custom things to you. Before I continue, please, you know, would love to hear your questions about the solution, how it works. Use cases that you're thinking of, you know, everything in your mind.

Yeah, I got a question around, so your API obviously picks up and aggregates the data. What happens when there's a conflict in terms of, so you get one thing, it's Windows 10 and the other says, you know, Windows seven. And which takes precedence Then in that great, great question.

It's, you know, it's part of the things that we're trying to solve all the time for our customers. We'll see, it's mostly happening there. There are many cases where this can happen. It can happen when a vulnerability scanner is saying something which is wrong.

Or a cmdb, which we all know is not every CMDB has hygiene problems, right? The operating system got upgraded, no one updated the cmdb or it takes time to upgrade the cmdb. So it would say Windows 10, but its actually Windows 11. It could happen when you re re-image a laptop or a device, you know, an employee left, you took the device, you re-image it, but the Mac stayed the same, right? And the serial numbers stayed the same. So some systems would say, Hey, it's this device, but it's actually owned by someone else right now contradicting information is always happening. It's always there.

The first thing that we can just tell you is that it's happening. We will correlate it with protection mechanisms.

We'll say, you know, if it has the same ip, that doesn't necessarily mean it's the same device, but if it has the same IP in the same Mac and maybe we are seeing the same cereal, or at least we're not seeing contradicting cereal, if we even have this information or if the host name and the, you know, net bias name where you know how it comes from other solution fits, then it might be the same device, right? We have a lot of, and that's, that's mostly, by the way, that's not, that's really one of our deep patents, you know, the correlation engine.

Because the correlation engine, it's, it doesn't just have one logic. It's things that we are seeing in so many different networks. We have organizations which have subsidiaries. So you've got an organization, that organization acquired a different organization. They have conflicting sub IP spaces. So if you see two different devices with the same IP space, it's correct. It's not even like, it's not an issue.

It's so, you know, so many issues that you're seeing because you know it is complicated and the life of it and security people, it's complicated because of it. The first thing we'll do, we'll correlate it with protection mechanisms. And that's, you know, why we are leading this market. We started with a solution. We created that category in Gartner Chasm. We were the leading, we are the leading ones, but we were the one who created that solution where the first ones, So now we have other competitors, but we have the most knowledge about the correlation engine because we've seen so many cases.

We've seen so many types of information, different parts of, in different customers that we have. But I wanna show you another thing. You can click edit columns here and see that table in a different view. So I'm gonna just, you know, remove a couple of things here.

Let's say, you know, remove the Mac, it's not interesting at this context and remove the type. Yeah, I'm doing it with my left hand. I'm not left hand person. And then we have something that's called preferred. So if you have a value, like, whoops, I removed this in the wrong thing, but let's do just preferred host name, right? And it could be also the preferred IP here. Those are basically fields that are saying I got a lot of information coming from different sources. Some of it would be contradicting in this demo. You will not find it because it's a custom made demo.

But in your network you'll find a lot of contradicting information and you know we And in this demo, Indeed, yeah, it's showing, it's right here. If you have different solutions that are reporting different IP address, we'll pick the one which is mostly, most probably the correct one. Why? Because we have logic that says who is your solution. That would most probably say the right information. For example, agents would be a lot more correct or a lot more accurate than vulner chem, right? That's obvious. Active directory would know more information about from, from networking tools.

Well or, and you know, if you have a couple of agents, one agent is for endpoint protection, the other one is for just managing your patch. The one who told the latest, like their most recent information. If you have one that was reporting today, another one was reporting three days ago. The one who reported today is mostly the, is probably the more accurate. You want a definitive answer. You don't need to take time.

You don't need to even spend time on, you know, correlating this in different CSVs and asking who has the most accurate, And I'm sure you're doing it because everyone is doing it, right? So we'll just give you one thing and we, you know, it's not a magic, it's not like we're doing something special around here. All we do is just talk to different solutions, aggregated and correlate it.

That's, you know, when you have the basics, when you have the fundamentals, you can answer fundamental questions. Does that answer your question? Yeah.

Yes, somewhat. The other question I have is around classification. So do you apply any classification policies or can that be applied to assets? So if you got something maybe on an external IP range, you said automatically make these criticals or so forth something. So you can do it manually, which you don't want to do because you want to enforce it. We'll do it in a moment, but just to show you how you do it manually, you'll select it here, you'll click tag, you'll put some tag here.

Some, you know, this is for example, you know, owned by this team, team one, right? Or it could be an IT device, but this is really not something that, you know, I'll just click an existing one, not the new one. This is really not, if, if you have very, very specific examples, you can do this and then by the way, search for them. But after that, with tax, just, you know, show me everything. It also has this tag, but the main use cases of our customers would be, let's take a category, some something that I would like to classify all of them with, and then apply this thing.

For example, if you have devices that you want to tag as a specific project or our production devices or owned by a specific team. So you can do something like, show me everything that is in this network ip, right? And thats knows it. And it's part of those account names, right? Account names or, Yeah. And in this demo, we don't have it, but you know, the account name, how it's coming from AWS and the seem to be saying this. And once you do this thing, everything here will be part of this, what we call query.

You can save this query, you can give it a name and, and, and after that automate, and we'll show this in a moment. And after we finish this, and that's the second part of the solution, automate actions on it. For example, every time that you get those devices, run this query and tag them, give them this tag that says, this is my tagging. So we have many customers which just have policies that tag according to what they want to say. Some would spread their, their organization into just ownership. This is this subsidiary, this is coming from this by the way.

They have a lot of solutions which are just single tenant. We're seeing this, you know, we have organizations which have sub organizations, but they just acquired one solution that takes everything, that sees everything. But they don't wanna see that way.

They, they want to show to every subsidiary here, all of your devices. They don't want to give everything to everyone, right? So you'll get everything from one solution. You'll segment this because you have the pulses that you know, it's part of the network, the ips, it's maybe some, even the solution itself knows what it's part of. And then you can just apply this filter, AFF says it's part of this site, or CrowdStrike says this policy is on it, Things like this. And then you can, you can basically know for every device what is the category expert, those information.

But you'll do this in an automated way and then your inventory will always be up to date. Speaker 11 01:00:15 Yeah.

I got, I got a question here. So I think, you know, follow on, you know, the classification questions is still, to me, there are still a lot of manual, you know, interaction you need to do in order to enforce the predefined policy, whatever the organization is prescribed to. And I think, you know, like in, in there, I think you did a great job of, you know, collating those informations, having query and things like that. What about, you know, like the actual manual operation aspect of your tool?

Because you know, like is it belongs to a cybersecurity function or is that network management function or somebody in the organization need to say, Yeah, when I found this information, you know, like what does it mean to the organizations and also, you know, how do you actually carry out the true classifications? And that is a manual, very manual intensive kind of things you have to do in order to keep your asset management up to date. I think first of all, we, the, the main function will function, which will operate in system, will usually be in the, in the security teams, right?

In the cyber security teams, not less in the IT teams, but we are seeing users from all types of, like when, when you'll have the, the solution deployed, many different teams will use that thing. But whoever will be managing this or administrating that thing will be a group under this cybersecurity usually about asset management or whoever is answering coverage questions like where am I protection is not installed? Who is owning those device? Things like this. I think a lot of the things that we have to do when you install the solution, we give you predefined things.

We'll immediately give you predefined queries that are interesting. Your public instances, which are in the internet, we know that because they have a public IP or because one of your solutions says it's actually public, like your cloud, which not have any per protection, right? That's an issue for sure. That's an issue. But some things we can't do because it's very, very custom to your network. Like ownership, like, you know, car questions that you have around your network.

I think you will have, and you know, know we, we help with this, but you can do this on your own in the first couple of days. Manual kind of rules or queries that you will define. But after you define them once, it will all automate, you know, it will all be automatic because the assets are keep, you know, getting pulled. They're pulled every couple of hours. The correlation engine is running on its own. And the rules that you define, let's say if this device is part of this query, then it's probably this. They will just run automatically.

So there is an aspect of managing this solution like any other solution. But the vast majority of the work will be just in the first few days of, you know, of, of fine tuning it into your specific organization policies, which, which are not in any other organization, Speaker 11 01:03:10 Right? Just think, you know, like you were difficult to get different kind of stakeholder. Do I agree?

You know, what the classification would be. And that is the challenge.

Let me, let me chime in here and thank you much for that question. Yeah. If I understand that question correct, you're saying it's nice that you're having all of that asset information automatically been generated out of the sources and well prepared and as a single source of truth. And now we use it and, and now we find things, but manually, and this is a bottleneck. How about automating findings and sending out information to the respective owners? You just said this is type of people, this might be it ops, is this more the question you was asking about?

Speaker 11 01:03:55 Yes, because you know, ultimately, you know, like somebody need to pay for this, right? So, you know, like how do you actually get those people to agree who's gonna own what?

And, and, and also, you know, how how do you actually, when this incident occur, who is responsible fix those kind of things. This is about the process, not about the technology layer, the process, how you going make use of this assets management tool, which is I think is great, but you know, like when it come to BAU operation and things like that, it's not that straightforward. Yeah. So we are glad you asked that because there's a piece of technology within our platform called the enforcement center, right?

And I'm sure this enforcement center will be demoed somewhere in the, in the next couple of minutes. This is exactly what you're asking for. So whatever comes up from a set cur from a setup question you are asking to your asset inventory database as an answer might immediately lead to an emergent need of being taken care of.

And then if you want to also integrate administrators by, for instance, excellence into the system and say, this is the guys who manage the switches, this is the guys who manage the endpoints, this is the person who manage exactly the switches in Berlin miter, please send him an email or please send him a ticket through the ticketing system. Those are things we can do based on our enforcement center.

If I'm not totally mistaken, I don't want to interfere here with our Yeah, no, I want, let's just answer a couple of questions about the assets screen and then continue to the, to the enforcement you wanted to ask. Yeah, A couple of questions. You don't have to answer 'em here if they're topics you're gonna cover later. One is security of the data that's collected. The second one is reporting on the outside cuz nobody wants another pane of glass to go to and everyone wants it in a horribly formatted PowerPoint.

So, but can you like push out the power BI or ET or Tableau along the, if we're gonna cover that later, you don't have to answer that. Now The second question, absolutely in a moment when we go to the enforcement tender, that's the way to automate things within the platform, but also outside of the platform, which is, and basically reporting because you don't wanna do this manual things, obviously that's, and if you wanna ask a question right now, you'll do, you'll go into the console, but it's mostly going to send you emails, for example, once a week or show you dashboards.

So we can, we'll see this in a second. That process is not like, it's not, you don't have to go every time and ask those again and again, those questions, it will be result, the result will be reporting that you'll get about the security of the data, you know, behind the screens, behind the scenes.

It's, it can, the solution can be deployed on two in two different ways. The first one is hosted on our SaaS, it will be on our AWS environment. Each customer has a designated place, nothing is shared with anyone else, and it's encrypted with the highest security standards. I can talk about them as well. The second option would be just on premise, if you've got your own private cloud or you've got your VMware, you'll deploy, you know, you'll deploy vm, it will have a database there and you can apply the encryption on the disk. We have also integrations with vaults.

So if you don't want to give you us your password, I don't, you know, I don't want to get your password, you know, just connect me to, to your existing vault that you have in your organization. We'll pull the passwords for the adapters all the time. If in order to automate logins, we obviously support single sign on any SAM mechanism. And that is going to be just with rules. So for example, if you know you can do identity provider give here the exact thing, we are integrated with Okta, and then here you've got also special like automating logins, right?

If you're logging it from Octa and you're part of this group, you'll only get, we'd only view, you will not be able to see everything. You will only be able to do things with the permission that, that we allow you any other, like, you know, you can ask any other question about this or Oh, I have More, but yeah, okay, continue on. The more you speak the more questions I have. So Let's keep it going. It's a good thing I think because we want it to be interactive. Yes.

Yeah, you were talking about that you could have single and on, et cetera. Can you make a role management sort of, the server team can see this part of it and, and network can log in and see whatever they need. So two things. One is that you can automate roles, you add a role, the, you know, and, and this is not just like for different permissions.

There, there are permissions to everything here. You can say, you know, I want this user to be able to run queries and create dashboards, but not run automation and not control my adapters. Certainly not connect or change adapters because they don't need to.

So you create that role and then after that, if you manage users locally, which we do not recommend, we recommend using sso, then you'll just create that user and you know, send him a, like a password generation link, things like this and give the title, the, I'm sorry, the, the role by the way, you can do things like, you know, like a password policy enforcement or you know, you gotta change your password every couple of days. Things, you know, the basic things.

And if, if it's coming from a single sign-on, then you can say, if it's part of this group that's called in our solution role assignment rules. If it's mostly something you do just once and then forget about it and it just works. If the group is ex's admins right in your sso, then the role that you give that user is admin.

If it's, you know, if it's a different thing, it's a different thing, right? And just do it once. And then the entire managing of users is only on your single sign on side. So you can manage this, you know, without, and it can be automated. If someone is leaving the company or something like this, or even leaving a group within the company just joining to a different team, the permission will change. Yeah. There's also auditing about this, every change that you were doing is, is, is reported and you can send it. Yeah. Okay.

So I'll move to a new aspect, a different aspect which we were talking, you know, we were mentioning right now, which is the enforcement screen. So in the devices screen, what we could do is we can create query wizard, we can create queries, you can save those queries. Let's do a valid query here. You can save those queries.

You can say, you know, I'm gonna wanna save this and call it, you know, a, you know, a like my initials just for this demo and just call it, you know, PCs, you know, not, not healthy, I'll do this, but you know, just for this demo and just save this thing by the way, after you save all of those things in the, so, so there is a screen that's called safe queries wizard Safe queries, which is, which is where all of your queries exist and whoever has created them. And you can also organize this in, in folders and you know, make you just organize, right?

And so the next screen is what we call the enforcement center. The enforcement center is when you can take a query and say, I want to do something with this query. Let's take it and create a new enforcement center. I want to notify someone about the results of this query. For example, send a CSV to an don'ts free bucket or send adjacent with the results of the query to an s free bucket. Or you can do things internally like pushing system notification. You can send an email, you can send it to box, you can, you know, do all of those things that, that's most like our integrations.

We've got more than 500 adapters. We built the, the, the platform in a way that's, it's very easy to add more and more adapters we can do. And we have the same thing for enforcements. You mentioned I think Power BI and I am, I think we, we, yeah, send access to Power bi so specifically that we have, but we have other things that we can send it to. We can basically export the assets out into different solutions and, but most people would use email just to do reporting. Other things that we can do.

So one, one aspect of the enforcement center would be take a query and do something with it to, to other people or you know, automate it in some way. Now what does it mean to take a query? You can just do it every hour or every day or every Sunday, right? Take the results. If I have a query that's called and you know, devices which do not have an endpoint protection but should have, or let's make even one interesting devices who do have endpoint protection, but someone has seen those devices in the last three days.

However, my end print protection has not seen them for two weeks. That's even a more, I mean think of it because they all have it. You can find this information, it's just gonna be very, very, you know, hard in a different way. You'll have to talk to a different solutions. You'll have to normalize information, You have to correlate it and then think of this, it's gonna take hours or days or you know, more than that within experience.

You can ask this question and then say, this is the query, we'll call it broken devices and then just send it every Sunday to this email or send it every Sunday to this, you know, place like S3 bucket or send it to a power BI because we want to automate this in our dashboard. We have a dashboard security wide dashboard for all operations and we want to get information from as well in an aggregated mode. We'll do this. Or you can say, I don't want to get this every Sunday.

I want to get, only if this query changes, if I have 100 devices or one 10,000 devices in this query, if that query changes, if it has one more device, if it has one less device, even if it has the same number of devices because one device was removed, the other one was added, there was a change in the query. And only then I want to get a notification about this. This would mostly be about policies that I want to, you know, that it, you're mostly okay about.

And, and, and some, you know, for example, internally we use it, we use it within exon use to find public devices. We know we have public devices, but I want to know immediately of any new public device that I do not, did not approve, right?

So I'll, you know, I'll do a query that says show me all devices where, which have a public IP and then do not have they, they do not have the tag that is called public approved because I did not go and and approve it. And then every change, I'll get an email about that thing. I didn't talk about it before but you know, whatever is coming from adapters can, can, can be queried. So the latest thing that we have done was around software management and vulnerability management, right?

With the open SSL vulnerability in the last a week and a half, everyone has open ssl but it's very hard to answer who has it. Because different solutions again would tell you different things. The vulnerability scanner would say there, SCCM would would say, if you have AWS agent like SSM aws, it would say, it would say you have to talk to so many different solutions just to understand who has the software. But if it has everything aggregated, you can just ask in a simple a question, all of them at once and then get an email. If you've got an open ssl, right?

The everything is about de aggregation of different sources that talk different language normalization and correlation about them. And then when you have everything in one place, you can get the insights very, very easily and automate this. More things that we can do an enforcement center, you, we can actually do update date, update data in different solutions. So we have customers which are actually updating their, their cmdb. That's might be funny. So some of some of you, but you know, we've got different CMDB here.

If ServiceNow for example has an ip, which is outdated, but we know the right IP because we have the preferred IP mechanism because we know that the agent is mostly talking the truth. So let's take everything understand who is the right ip, the most correct ip, the one that's probably right and then go to ServiceNow or go to, you know, order CMD that you have and just update the information because we know that's that, right?

So we, we can help with the hygiene of, of external systems. We can create it, we can create tickets within ServiceNow if you want to. Okay. That's what the, if you want to as well in Jira as well.

Yeah, I can think it's cold here. Here it is. Yeah.

Create, Yeah. And we have a couple of them. So that's managed cmdb. But if I do create incident or ticket, so you've got this, this, those options, right? Got an issue, just create a ticket on it. You don't need to go into exons because you know that some of the policies are already there. They're working, they're getting updated. Every couple of ours.

Let's, let's open it. I, I think I can justify this product just for keeping our security stack on the endpoints up to date at this point, we have a guy in Sydney, Australia that his job is basically to look globally at all of our assets and find out is SCCM not checked in silence?

Tanium, Yeah, you name it. Yeah. And his whole day job is to fix 'em globally. Getting the data together is the Hard part. Yes.

That, and we have many users like this. That's the coverage issue, right? The coverage use case, who has this but doesn't have this or who has this and one reported the other one didn't report things like this.

So yes, it's is the, one of the biggest use cases, you know, of the product. I don't want to, I don't want this to be like a sell pitch, right?

We're, we're talking about the problem that we have in asset management. So please, you know, ask about every problem that you have.

So yeah, I'll give him, I don't suppose to hand this out for free, right? For what? Sorry for free. For free. That's a little fee included, but it's just a little fee. No worries.

You, you can manage that. That's what they all say. Actually the biggest companies pay the most and the small companies pay the least. This is the logic behind it, but it's not a lot. No worries. That wasn't indication on on where how you charging is depend on how many items you collect, number of users. If I Just to get an indication on where we end up because if it cost a fortune then there might be other solutions. But if it's, yeah, No, it doesn't cost a fortune, as I said, it's gonna be very, very affordable. It is basically calculated on the number of assets and that's it.

So if you think you have 5,000 assets, let's do a demo. We find out you have six and a half thousand assets and there's a tier from 5,000 to 9,999 and then you pay this yearly subscription for exactly this tier. If you find out, if you think you have 5,000 assets and we find out you have 15,000, there's another tier in between 10,000 and 14,999 or something like that. And then if it comes to real large enterprises, this is gonna be I would say extrapolated and with a little bit of of discount worked in there. But it's feasible.

I mean the more assets you have, the more you pay and then it's up to you to reduce your number of assets. And this is actually a very interesting question in regards of the second part of our presentation cuz if you come to SARS management there, we involve also information from procurement who pays for SARS applications and from expense reports, who pays on a personal basis on the company for SARS applications. And then you find that you pay for SARS applications that you don't use or you find that you use SAR applications that you don't know of.

So the question, the angle of the cost, the financial cost, the financial angle is ex is is actually very interesting. And I want to remind my team over there about, I will take a note of this sort of that we come back to this later as I'm now speaking, sorry abido for, for breaking into your presentation. It's highly interesting and I'm sure you can go on forever because you've been kind of inventing this, this, this thing here. I want to ask you one thing as we have more or less half of the time over, are we all good with a little break? Do you want to take a little break?

Like five minutes, 10 minutes, go out, have a coffee, whatever. And then also, hello dear visitors on the video screen. I cannot see you answering now nodding or something. Not sure if the team can or if there's any chat channel, but I would strongly suggest to take a short break here. And then after that I would say we finalize the presentation of the product, which actually is already a little bit of a demonstration because you're asking questions and we are going to this.

And then in the second part of the day of the workshop, we would wanna throw out a handful of very, very shallow, easy to understand and easy to implement by the q questions and use cases so that you see, ah, this is what the guy's doing basically, not much more than you're been seeing up to now. But then I want you to challenge us, I want you to come up with what would happen if, and then we will try as we have other people here, then we will try to find out if we can answer very specific questions about potential environments.

And I'll have a few of them in the back of my mind, but you might also be able to bring one, some of them. So if I may, yeah, let's just stop talking here and meet again in what would you say? One question here, Speaker 12 01:22:52 Could we, could we take one question before we're gonna go on the break? Of course. Okay. Any question? Perfect. Speaker 12 01:22:58 I see on the left hand side that you can also track the history of your actions, right?

And yes, I wonder because a bit spontaneously as an attacker, I would go for the actions here. How do you track the security part of it? Especially the one when you are sending out the emails to your teams or on the systems that need an update or not seen on the way as well. You will have to, we'll we'll do a couple of things and the prevention side first of all will, you know, give you all of the options to prevent such a thing with specific role management with, you know, brute force attack, you know, stopping those things.

If it's, if you're not using sso, which you should just giving specific permissions to those things, we highly encourage you not to give us what we don't need. So if we, we need redon credentials or we need a credential just to open a J ticket, don't give us more than that, right?

That's, you know, what we are, we just need what we need basically. And then you have other things. One thing that you have is the audit log, the activity log, everything that you do in the system is here.

You see, I, you can see I created this, you can see I edited the tags, you can even see what queries I ran. So if you go into the safe queries and you're showing the query history, you can see everything that was run in the system. So there's, and those are the things that I, I was running before in, in our presentation, right? So those are the things that you can do and you can send those things as well. So you've got, you know, on the prevention side, knowing that it, trying to understand that it, trying to not make it happen.

And on the auditing side, having everything sent to you and then you can apply logics on whatever seems like an anomaly right to you. Speaker 12 01:24:55 Great. And then I assume that you also track the users who are added to the groups in the same looks, right? Yes. And this one, this thing can be, you know, like something that only admins can see, right? And things like that. You don't have to expose it to everyone, but yes, it's, there is a history to everything that is done in, in the system, right?

So let's, I guess let's take a 10 minute break, right? Wait, Wait, wait. This is interesting.

I, I'm, I'm, I'm trying to be the devil's advocate here. I'm not sure if your question is already fully answered.

I'm, I'm trying to make up a case here. If I would be a hacker, I would try to catch the traffic from the system to the user on the network so that you don't see it in your locks. Yeah. And then I would try to obfuscate the messages or would try to resend something saying, Hey, please disregard the last message. This is already taken care of so that I could, I was asking you to think like this, How could I circumvent a solution like that? We can take this into the second part, but this is exactly what I was looking for in the workshop.

I'm not sure if I'm, if I'm doing you right or not, but probably you have had something in mind like this. Again, let's take the break and then we can probably pick this up after the break. Thanks much. I'm glad that we are not only the same number of people, but by the magic of the break and the conversations, we even got more interested people in here.

Also, we found a little group over there that makes it much, much easier for the questions than for handing over the microphone. Thanks much for joining us. We had been going into the break with a very interesting question about how to secure the solution in itself, how to harden the solution, so to say. We had been talking about how to continue from here on because we, what we feared might be a big problem, how to fill the three hours is now actually another problem. How to get the content put into the hours.

So this, thanks to you because of all the questions and other aspects we were able to discuss about this. Next we will finalize the demonstration of the product itself or the presentation of the product itself. And then we want to give room to the other aspect of our platform, which is task management. And we will really deep dive here into, for another, I would say 30 ish minutes, maybe we can keep it a little bit short or we go into this models of q and a again, so you can ask questions and then we, we, we, we, we test that piece of the solution a little bit.

And then finally I would say if there's still room for more sophist use cases, we can use the rest of the time. So we can build one or two of the use cases you are throwing out on us here on the stage or on the, on the front, on the axon side of, of the presentation. Without further ado, please go ahead and show us more about the beauty of the solution. Thank you for coming back.

Okay, so we, we talked about the devices screen, seeing all of your inventory, being able to ask questions, specific questions, what we call queries on the information that's coming from the various sources. And we talked about how to export this data out, not only export this data out, but be able to tag it internally, be able to, you know, open a ticket, be able to enrich other solutions. I wanna quickly show a couple of other things we can do with the automation and, and then talk about another thing.

So one of the things that we can do, we can interact with active directory in order to do actual, you know, actions which are not just notifying or not just exporting data. For example, add a specific device or add a specific user to groups. So you can do a query, like, you know, if those users are, if there is a, a user that has a specific, or there's a device that has a specific condition, do, you know, add this to, to a group disable this device. Things like this. Same thing about single sign solutions. We have Okta here in place.

We can stop if you have AWS for example, stop ant instance or tag it with a specific way or, or other things. But you know, some people would think, okay, this is all you, you, you know, you know what to do. We built the platform in such a way where the adapters and enforcements, what we call it, each one of those items is an enforcement. The ability to automate, you know, with, with the queries, take the, take the results of the query and do something with it. That is what we call an enforcement.

It's, it's a library. We keep adding this to this library more and more. It's actually, we've built the product in such a way where we can do things in, in one day, right? You ask for something one day to, to implement such things and if it's easy or a couple of days if it's not. So that's about it. A couple of other screens that I would like to show the user screen, we haven't talked about it at all, but it's just like the devices.

But for users, we'll go to active directory, we'll go to Okta, we'll go to your, you know, password management solution like one password or, or the, or you know, last person, whatever. You have any source that has something about your users. In this demo there is only active directory, but we're seeing in our customers, you know, user information coming from different places, coming from the single signon obviously, but coming from G suite and then coming from the HR systems, right?

And we can do the same thing because there is, there are places where a user could be in one group but then have more permission than, than that user, you know, supposed to have. So you can ask a question like, and that's exactly in the query wizard, just like in the devices, right? The query wizard is eventually, if you think of it, it's just the ability to ask a structure question. If you have all of the data normalized and correlated, right? That that's all, it's not like a, you know, a big patent, it's just the ability to ask those questions.

But we deliberately try to do this in a way that doesn't require you to learn a language or anything like this, right? You just need to browse through the different, you know, fields that an adapter can get and that's it. So I can ask questions like I want to see all of the users where the last time the password was set was more than a half a year because the systems know that we can query that information with API or get all of the users that are within a group that contains admins in it, right?

And if it contains admins in it, then I would like to, you know, enforce a specific policy like multifactor authentication. Okta would know which, or any single sign on Azure AD for example, as a popular one as well, has this, you know, if it, if it doesn't have it right, or if that user is actually, you know, if it, if it's a user also an AWS or gcp, then we want to see it. It doesn't have the permission, it, it does not need to have. So everywhere that you can compare the data, that's where we are coming and, and that's what we are doing with a user screen as well.

And it's the same functionality as the devices. And another screen that I would like to show is the vulnerability screen, if we have information about vulnerability is coming from different sources because SCCM knows of them and your any, you know, a lot of solutions know if you have Tenable or Rapid seven or Q each one, you the one of the free popular vulnerability assessment tools will counter tools. They can tell you about vulnerabilities sometimes by the way, they will tell you here is just a CVE ID and not nothing more, sometimes more than that SCCM can know as well.

SSM or Azure, Intune or any, any many different tools will know information. And again, there is a question of aggregation of those tools because again, there is fragmentation of all of this information in different solutions. That's the problem that we have. That's why, you know, we solve this by aggregating information will go to each one of those solutions, will pull the information every couple of hours, aggregating correlate, put it in one place. And then what we can do is just view it in a different way. In this way you're seeing a vulnerability id.

But what we did is we took this vulnerability id this, you can see a different vulnerabilities here, hold on Google Chrome, but we have more than that. And you know, for 1 97 vulnerabilities, we went into nvd, national availability database and we said, okay, let's take, you know, we have the vulnerability id, let's understand if it's critical, if it was the cv, sever was the CVSs score, just enrich the data, just give you the entire context, right? Just aggregating the entire information, showing it in one place, and then the ability to make queries out of it.

Because you know, everyone has many vulnerabilities. What do you do with this right now? You have to somehow prioritize things. You have to ask the questions that will give you vulnerability that you want and not just get it in a huge, you know, table here, here you have, you know, 1000 vulnerabilities or 10,000 abilities just now. You can do whatever you want with this, right? So now you can do, I want to get all the, all of the vulnerabilities which are in this software or have a CVSs core, which is, you know, higher than nine.

And it's also applying on devices which are, you know, production devices or devices which are IAG as critical or devices which are owned by this application, which I deliberately want to protect more because something you know, is important nowadays. So do we have this, this screen as well? Same like the devices and we are planning to have more of those, right? The main concept of exons is aggregation from different existing security solutions, correlation, enrichment on that data and just giving you the entire context in one place.

And the ability to ask questions in a, in a structured way on all of it. It's very flexible and, and you know, we, we want to keep it that way because then you can do the custom use case that you have. And the last screen that I'll show, and we can talk more abouts and the different things after the presentation of this house management software, which is a different solution that we have within the company.

This is, this product is called Cyber Asset Management, right? We, we, that's just the inventory of devices and the users. We'll show you another product in a few minutes, but now I'm talking about the dashboard. So the dashboard contains charts, right? It can contain here, you know, just a general view of everything that you have. By the way, this is very interesting, right? If we are back in the original question of how many devices you have, you can see Mac saying this number, right?

And by the way, this, this number within here, you know the internal number within the parenthesis, you can see it's, it's bigger. That's because we understood that within Macoff there are duplications as well. That's happening a lot, right? You go into a software, you go into vendor, you're seeing the same pc, two different records and the same thing.

Very, very popular in vulnerability scanners but happening in different places as well. Even aws, if you have a device that's, you know, just like a spot instance or something like this, right? It's spinning up and down and up and down.

It's like, you know, it's, it's, it's the same device but it's, it's logically the same device but it's actually a different device because it was spinning up and down. And sometimes you just have mistakes. Vulnerabilities can seize that device by the ip. The IP has changed, it's actually the same device but two different aps, it's gonna be two different records there. So you know, in AFF we've seen in this example that the same devices there a couple of times we, we de-duplicated it and then we correlated it to the other devices.

And so if you scroll down you can see that we actually were seeing so many devices coming from different sources and after correlation it's only 40,000 in the network, right? So that's the question of how many devices do you have? That's the unique device count.

This is, and this is by the way, what we charge on this is like the tiers in terms of how we charge. And so if we go to the dashboards, each dashboard here can have, you know, we call those things spaces and each one of them can have different dashboards. You can just visualize the entire data and that can be sent in reporting as well. So if you want to have a weekly report or something, you can just attach those dashboards. I'm gonna do an example of something interesting. There is a dashboard that I in particular love.

We can have many dashboards here and not gonna go into each one of them because you know them from other solutions. But one of the things that we can do is something that's called field segmentation. Field segmentation is a specific dashboard that I particularly like more because it allows me to get insights from my data. So what I do is I'm saying let's take a query or in this example just query the entire devices because I want on all of them and take a specific field within that device.

For example, I can do, I'll do something else in this demo, which is networking of interfaces Manufacturer. Manufacturer is, we took the Mac address, we looked at the prefix and we just, you know, understood the, the manufacturer out of it. In this example you can see most of them are by Intel Corporation. That's just a demo environment.

But what it's doing is going through all of the devices, it's taking the different values that we have in that field and just showing it to you in a different way, just showing you the information that you have in different ways, in the way that is constantly getting updated and is what makes you move faster, right? That's the, that's the logic. Let's do this for OS type, just understand segmentation of how much we have from each and understand you know, the numbers, right? So you can see that across everything from all information sources, from all devices.

This is the amount of Windows devices, this is the amount of Linux devices and you can do this on every field. You can do this by business units to understand how many devices are owned by each one of your business units. How many devices that have the openness of cell vulnerability are owned by a business unit. You can build a timeline dashboard out of it to the reporting. We have customers which do reporting once a month. They have to have a report sent once a month and they have to show that the numbers decline, right?

So you can do a timeline to understand, you know, at every day how, what was the number and see that something is progressing towards a specific goal that we have. How do you track that goal today? It's hard when you have to operate and correlate the information. Every question that is coming from different solutions. If you don't have an asset asset management solution that take everything, takes everything, it, it's very hard to, to answer it, you have A question? I have two simple questions here. The first one, I don't see any, any network devices in this scope.

However, they have their own operating systems. The second question, what if I have a core switch with multi interface, each one in different vlan, how it is calculated in the unique devices? Is it one device? Is it multiple devices? Some devices are even overloaded with activities.

Yeah, With different scope of the network at all different MAC addresses in some cases also, Yeah, for the first question it's just not in the demo. In a real environment we'll see many operating systems here we'll see a lot of, you know, whatever we can know from different existing solutions or we can know from a manufacturer information we will show you the operating system. So you'll see you know, networking tools as well. That's just not in this demo, which is a custom demo. It's not a real network. And then for the second one, we're not calculating based on IP or in Mac.

It's only based on a logical device. If you have device, doesn't matter if it has, if it has multiple agent, if it has multiple ips, if it has multiple Macs, if it's a device like logically you would think of it as one device, then it would be one device in the system. And this is like the pricing model And let me bargain in here. This also goes back to your question about the assets. So don't fear that we are counting assets and asset and asset and this is gonna be your bill.

No, the idea of aons is to give you one single source of tools, not only about the assets and the cyber aspect but also about the aspect of the licensing. And ato, may I ask a question please as it's only one hour left for Yes the poor colleague to present the SaaS management. I think I finished so whenever questions you have and then we'll pass it to. Perfect. Awesome. So first off, thanks much for presenting the cyber asset management part of the exons platform.

There have been a bunch of questions, I'm sure there's even more of those questions and I would really strongly suggest to take a note of them or throw them over to me. I'll take a note of them. But this is far too interesting to push this only onto the very end of the workshop. Really we are now talking about SAR solutions software as a service. We know them all, we use them all, we all say ah they are bad to our it, we don't know about them but we, every company is forced into this, especially since Coronavirus and all this shift to work from home.

We have been glad that we had solutions like Zoom around so that we could, you know, do our daily meetings and everything. The proliferation to me, since I only work for a couple of weeks at Exons is it is astonishing how fast this really goes. I mean I'm obviously not tracking this because I'm just a user of SaaS applications, but now as we have a part of our platform that really collects exactly the same type of information that we talked about in the chem cyber asset management part of our platform, we also strive to do on the SARS management side of the house.

And here's the interesting one, this product evolves in the same speed, like the proliferation of of SARS happens. So yes we have a super HR team around cyber asset management and only with this HR team it's possible for us as a company to to to serve the needs of our customers and to to build all of those adopters. That was one piece I wanted to reiterate on for the time being in the moment we have 550 adopters out of the box where where you can hook into existing asset management things like your Cisco management platform, like your Dhtp server, like your Microsoft, like whatever.

Yeah this is easy to extend. If you have a special solution we'll build you an adopter within weeks, two weeks. That's the standard lead time. But that was only to close off the piece of cyber asset management. Now we are coming to the SaaS management part of the platform as I just said and I think we are ready to go. I mean this, this play shows something else than that but we can are you, are you able to, to take it over? Start talking? Perfect.

So let me, let me introduce to the audience and also on the video Mr. Yagon Lavi who is a developer and also a director of development in Aons himself. Ya one over to you please. Speaker 13 01:45:18 Thank you. So hello everyone. Well this nice guy helped me connect for all of you to see the demo. Let's just talk a little bit about SaaS management and why it's so important, especially these days. So as Christ just mentioned, we all know that in the last few years we have, we had a big change in our company works before the pandemic, most of the companies had on-prem solutions.

Some of them started using SA applications. But in the recent years, especially because of the pandemic, many many companies start moving their solutions into the cloud and one of the aspect of working the cloud is working with SaaS applications from of course many different vendors from many different countries. The big difference in the SaaS management is that comparing to on-prem solution, your data is actually in the cloud and it's not in like one area that you control. Speaker 13 01:46:26 It depends on what vendor you use for your SaaS solution.

For example, there are some vendors that theyre data data stories in China, some vendors uses Europe servers. Of course there is also compliance issues that some states can't have their data stored in other areas. And this is why it's very important for you to know all this stuff. One aspect of security and SaaS management that is really important is that comparing to devices and like IPS or subnets or the option for all your data and users to be in the same network, all of your users and devices can be whatever you want.

People can work from other states, people can work from their personal devices and usually they need to accept their identity by identity providers or sso. So it's, it's a totally different story than securing the the regular on-prem networks, you don't have firewalls, you don't have endpoint protections regarding SaaS because as we just mentioned all the data is in the cloud itself.

Do you have any question before we have the demo fixed regarding the general identification I just mentioned Speaker 16 01:48:08 So it's more like an sspm solution where it's assess a set inventory to identify what you have, where you have and then Speaker 13 01:48:18 Sure, good question. So actually our solution, our solution, a goal is to be try to be all like ss, p m ca be all the different aspect of SA management. This is why it's so unique because you have some solution to see your users, you have some solution to see whether or not you're in compliance or not.

Like thank you and many different solution comparing to what a video just mentioned before is many different languages and many different APIs and you can go to your Azure for example, which is like the Microsoft solution for a cloud managing of users in your organization in groups and roles. You can go to your Google cloud, you can have a aws, you can have Google drive, like everything is in different places, different vendors, different countries and many different aspects.

As soon as you see the demo, I think it'll ring a bell because you'll understand how many different features build you like the whole, the whole picture of your, the whole image of your, of your SaaS environment because we try to show many different aspects and the perspective regarding SaaS, Did it answer your question? I think Speaker 16 01:49:48 That you want more or less, I understand that you want to build a unicorn, but in reality I probably with with with the demo will be able to see it better. How do you correlate the identities? Sure.

So let me add to this, yes there's different aspects of sales management out there and there's different categories you've been asking for one of them s PPM or something like that. Forgive me, I don't know these acronyms but there is different aspects out there and like Yaron was just trying to explain we are taking them all into respect. We cannot be the check of all trades, we cannot be the solution to do everything of it, but we can clearly understand who has what part of the SaaS management playground so to say.

And we are taking our fair share of this todos which of those todos that that are to cover in in regards of SaaS management. And we are all trying to buy time here because we want to see the demo and everything. That's not only the demo actually it's also the presentation so that this all gets into a better shape and the information is presented in the right way. I'm not sure how long this is gonna take. I'm gonna use that time to apologize to all the people on the video screen that had kindly been asking questions on the chat. We hadn't been aware of this, so sorry about this.

We were trying to catch up after the break once we noticed that yes, there's people on the chat and yes there's people asking questions. However, when we joined the team session after half of the time, obviously there's no history of the questions and then we cannot even see your questions. So please forgive us that that was, that I take totally on myself because I should have known earlier and I can only ask you if there is anything you want to be answered from the aons team. Please either just repost your question in the chat or what would be even better.

Send us an email at in for@aons.com or maybe you send me an email@christof.com ACOM and I can answer those questions or at least find the right people to get you an answer to the question. Yeah, SARS management, we had been leading in now for quite some times I was already talking about the aspect of cybersecurity, also the aspect of cost and then, then there's another aspect within SaaS management to me, which is who's entitled to do what. So this is the question of the, of the level of privileges of the users and here's a little example of why this might be interesting.

So sure enough, your company uses a single sign on to access not only SAR solutions but also other parts of the IT and other, other software solutions in the it. And then within the single sign on, clearly the roles are very, very well moderated and taken care of. But any user of say salesforce.com could also go the direct way and log onto Salesforce with his, with his, let's say local to Salesforce credentials. And in this case, sure enough, Salesforce and the Salesforce administrative needs to take care of, you know, the privileged level or the access level that people have.

But here you can see there's already a crack in the system. If we as an organization think that that single signon does the trick, we need to think twice and there's a lot of ways to get to SARS applications rather than only through single sign on. Now having that said, I'm really handing this over to the specialist. Thanks much and ya on your stage, please show us the product. Speaker 13 01:53:50 So thank you so much Christ for helping me spending some time until we have this and explaining everyone our approach.

So regarding your question, you can see like a briefing of our features here. This is our homepage of our solution. Of course we show the SaaS application, which is like the basic thing you need to know when you managing your SaaS environment. You can see in the demo that we have, like we founded, we discovered 202 applications. And our discovery method is, is special because we not only look at your SSO or at your IDPs or your managed apps, we discover apps that you probably didn't know you have.

And many of our customers, when we go to the next stop where you see more detailed about our findings is are really kind of shocked that they have so many applications they don't know about. Speaker 13 01:54:49 Some of them are only for two or three users because what is so unique about SA application is that anyone can just register by his email or whether it is the company email, whether he is using his IDPs like signing with Google, signing with Microsoft sign with Okta and all those things creates usually automatically users for the use SaaS applications.

And without even IT people have to accept it. It's, it's in the hands of the end users, which is very, very risky. If they can just use arbitrary applications that you didn't even hear about or maybe they are risky, maybe they are keeping data in China and your compliance doesn't allow you to do it. So when we go to the next tab, you you'll see some applications that couldn't be found by only IDPs and sos. Another approach for us to have this discovery about applications is by looking at the budgets application like Expensify or sub concor for example.

Speaker 13 01:56:03 Because usually how team works teams work in a big company is that when they want to use an application, when they struggle a problem and they want to solve it, they usually look for a a solution SA solution. The team member ask for approval from me with this manager and most of the times it doesn't even need to go through it. If it costs money then they have to put its budget in Concor or inify and they get the money to register for this application but it doesn't go through the IT cycle at all. So we also get this information from the budget applications.

We'll see this in a few moments beside application, which is like the mandatory feature for this solution. We show the users that we found, we can see that we found total 1,203 users, but we can see that we group them to different categories like the generic categories are non shadow users and shadow users and in shadow users we have more subcategories that we'll see later.

Speaker 13 01:57:25 But it's really helpful to have this homepage that's showing you like all over what we found regarding your SaaS environment, aggregated data in the top more detailed data here we can like scroll and see most of, most of the application we found how many user we found for them. We can go to policies which is actually a very important aspect when you want to know whether or not you, are you okay with your compliance.

For example, pci, ds A to cas, we can show you aggregated information about your coverage regarding compliance, regarding your settings of those, of those SAS apps. We have analysts that all the time keep this information updated whether what is the right configurations that the SaaS application need to to be in order for the compliance to be fulfilled. Findings is is a very cool task that will go a little bit later.

Speaker 13 01:58:35 Spending and renewals is a feature which is looking in another perspective on your sourcing environment and like Christoff mentioned before, we not only show you security or managing or like shadow users for the it. We also show you spending and we can show you how many, how many application you have. That costs a lot and doesn't have any user maybe or only two users. And maybe there are some duplicates.

Maybe you'll find out for example, that you use sub core, but some kind of team decided they want to use Expensify and they probably pay extra money that they don't need to pay because you have the other solution here. Speaker 13 01:59:19 This is the spending window we can take a look at at it and we can see that for example, LinkedIn is like the most expensive app in this demo environment than Salesforce, than Zendesk. And it's not only of course because it's more expensive, it's also depends how many users this application is using.

Renewals is a feature we want to help our customers to reduce their money to pay on the applications. Usually when you have licenses, just second please, usually when you have licenses you have to renew them and if you don't do it on time, you pay more money. And usually the vendors don't, doesn't don't want to notify you because they want to get more money. So we help you knowing what are your next renewals and to be prepared for it.

Yeah, you got a question? Okay. I'm asking about the information source for the applications and for the spending. How can this information be resourced? Speaker 13 02:00:22 So we have two, two options. The first option is what I mentioned before, we discover applications through expensive five concor, any other solution that is budget wise and by this we can know how how much money you spend on those. But if we have also adapter specific for this SaaS application and maybe it'll be more logic to when we we go to the next steps is that we can get information from the vendor itself.

Because if you go for example to Azure, you can see your office licenses and you know how many user use it, how much it cost. And we also see this from the other perspective of the budget you really paid in Concor or expensive or any other application. And we aggregate this data in order to show you the correct picture, correct information. Eventually Just a little one on top of this one you may have, we have applications where they are sort of shadow it and I've been in a company before where sort of shadow it was travel expenses, travel expenses.

So you don't have a clue about them in any financial systems. Can you do it based on what a, a normal cost for a user in assess application would be and then this information in to get an estimate on the cost or how is it done?

Speaker 13 02:01:59 So currently we don't have this feature but yeah, it's, it's possible of course because we, we can know the average price and we can like multiply it by the number of users, but we prefer to show you a real information and if we don't know how much is spent, so we don't show you this information because you know every company has a different deal, maybe you got a discount, maybe not so, but, but usually we see all this information up to now with customers because as I mentioned, if we don't see it in the, in the budget SaaS application, we see it within the application itself Because usually every SaaS application that you that costs money have a tab that show you how much you pay for it and what is your license.

Let me interrupt you please and get back to this question again because I didn't understand it quite well. So you said can you please repeat that question because that's really interesting. I believe at Least I, I said that that I've been in another company that I'm in right now and some of the shadow, it was actually just travel expenses. So it was hidden what the cost of it was because if you had to go through it, it was a hassle to get these servers and get whatever access you wanted. So you just bought it and swipe the cart and then make the world go round.

And now the question was can we, could this exon SA management solution cover exactly those, I don't know if if somehow could get an estimate because if if management just see okay you have 10 users on this. Yeah, so what see this, But if the cost it huge, if there's an estimated cost of it that's very huge then it really matters anyway. See this is good why I was asking you to reiterate on this question because the answer is yes we do and this is what yaron is, is explaining here we tap into your expensive buy, we tap into your SAP conquer, we tap into any of your expense solutions.

I'm not talking about the procurement, Procurement is a different story. We can also tap into financial information from a procurement perspective and say how much money goes to Microsoft for which leads licenses. Yeah but we can also tap into your expense file or whatever expense solution that is to cover exactly that part of SaaS usage that is not been sanctioned by the company somehow on a program level or even from it's perspective.

So yes, if someone back there in the very end of your organization says I need this SAR solution now and I'm but on purpose not pulling out any department here so that I don't blame anyone but we know those guys who do stuff like this, usually the guys that have the money and they spend the money, then they go to somewhere and they say oh we need to, we need a SA solution to support what we are doing there.

So they screen the market maybe even on Apple's marketplace and they find something there and they buy it and then they say, then this solution says yeah, yeah that's not a problem but just connect us to your ad and then we can work. So they give them reading access through maybe even you know, credentials that they ask at it for and it says what do you need these credentials for, these credentials for? And then they say don't ask those questions, this is our post, give them the great interest and there you go.

This is how this sometimes happens and how would you, how would you be able to cover this if you tap into Expensify and see what expenses are being reimbursed by individuals or organizations and you'll find some second sales force there to make a very, very stupid example because that's not gonna work. But let's just think that someone is buying the exact same SAR solution again, that the company has already sanctioned, that the company has already under their IT management and that the company maybe even has already under their cybersecurity WatchGuard whatever.

I don't know, I don't know how to even say this in English because I'm German, I'm sorry for that. So, so yes we do and this is why it's so important to have a look at it. This is only the dashboard. I think it makes a lot of sense if you now go to the next slide or to the next part of the presentation and all of the things become much clearer than by seeing exactly where Speaker 13 02:06:40 Okay This, Speaker 13 02:06:42 Yeah. So this is one of my favorite tabs actually.

Speaker 17 02:06:49 Impressive, Speaker 13 02:06:50 Very impressive Speaker 17 02:06:52 Said that why it is always a good color. Speaker 13 02:06:58 So this tab show you the interconnectivity between all your SaaS applications and you can see by the size of the application how many user they have. You can see which application connected to which other application. The center is usually the IDP of those applications. For example, you can see that Google workspace, all those little apps using the Google identity of the users in this network. Okta is the sso.

So all of those application using, so login and interesting stuff we can see is there are applications that connected to both because maybe some user did used their Google as the IDP because they did sign in with Google but some people use the app from the Okta dashboard and just push the link and logged in through their sso. And sometimes it's very interesting to see that when you have an application defining Octa and you would expect all the users to be logged in with Octa and be managed with sso.

Apparently there are some users that tend, that are unmanaged because they use their Google identity which can be disconnected from Okta. In this case it's also connected to Okta as we can see. Speaker 13 02:08:22 So Google workspace for example has 653 users but there is only one user using this application called aha. Okay. And it's unmanaged only Robert used this application, we found it through our adapter for Google workspace and you can see that we don't have any sso, again, we don't have any management for this app. This is why it get the tag unmanaged.

If I go to Google itself much more users. So it'll make much more sense and we can see the different tags. SSO tag is because Google is connected to Okta and if we see your application is connected to the SSO and users logged into those applications through sso, we give it the SSO tag so you can know that this user is managed by your sso. Everything is okay, you know about it, you expected it to be this way. Application tag is because we have adapter for Google workspace and I will explain what does it mean We have adapter like the previous presentation of of of our asset management solution.

We also work with adopters concept and we don't need adopters for all those little apps you, you see we usually have adopters for only a few of the IDPs, SSO budget applications as we just mentioned. And we discover ourself all the little apps that you probably didn't know about and you didn't even have the opportunity to give us your API credentials for those because you weren't aware that they are existing.

Let's see, something interesting for for example, let's do the management filter and choose only the managed apps. Speaker 13 02:10:24 So all the unmanaged being grayed out and you can see that all those apps are managed. Okta is managed probably, probably because we have adapter for it and this is why it'll get the application tag as we've seen before, here's the application tag.

But for example if we go to, Speaker 13 02:10:48 If we go to this app we can see it's as SSO tag because it's linked to Okta but this user doesn't have application tag because we don't have the, we didn't see the either we didn't see this user through our adapter to for or this fortunate app doesn't even have an adapter and we just saw it through the S So cool tag cool tags we have here are regarding the shadow user we were talking about before. So shadow users are categorized by a few different subcategories.

Unmanaged is the user we found through either the budget, the IDPs like Google that is not your sso. So it doesn't have to be the main way to log into the Zap so it get the unmanaged tag or find tag is a very important tag that show you that this user is defined to be using this app in Okta. Speaker 13 02:11:57 But we don't see this user when you look on the other side because for example for Google we've seen before we have adapter. So we have the application tag and we also have the SSO tag because some user use the Okta in order to log into Google.

So if we see orphan users in Google, it means that those users have the option to log in through Okta defined in Okta but they didn't use this option and they're only logged into Google. And when looking through the adapter we see that we only see this user from one side, which is weird because if it logged in through sso, we would expect to see this user also in the other side in the adapter for the application using the sso. Any question?

So this would help you identify the users logging into Atlassian with SSO and with the secondary ID or like their personal id cuz they have a separate Speaker 13 02:12:58 Instance. Exactly it It's, I'm looking at this from like a DLP focus. Speaker 13 02:13:02 Exactly because if for example, I have like your example either Jira, Atlassian, whatever and I see that the user have a user defined in sso, but when I connect adapter for atlasian, which we have by the way adapter to atlasian, you won't see this user there.

So this user is orphaned because you, you supposed to see this user also in the other side because when it connects to the application defined in Octa, you should see it as a user account in this application and it should, it should make you a little bit suspicious And we can see in findings tab later all the misconfiguration and weird things we seen in the environment. Speaker 16 02:13:47 And how would you manage the same correlation but withdrawal based identities rather than on time user provision based on the idp.

Because what you're saying it does make sense when you have your Okta and then it provides on time the user on the end application. But when you have just a roll and you push your attributes through your idp, there's no, there's not going to be an A user on the end application. Speaker 13 02:14:16 Why not? Because if I'm using the IDP and I have adapter to this application, I will see it from the adapter side. Speaker 16 02:14:24 You will have a role and the user will push the attribute saying hey, I'm a user belonging to this role.

But for example, if you, if you connect your idp, your Okta with your Amazon account got, you'll never have a user, you will always have just a role saying this per this role can assume x y permissions. Speaker 13 02:14:43 So the way we gather the information from your Okta, from your IDP is not just by looking at the rules. So this makes sense for you to say, oh I don't have a rule for user, I have rules for the groups and roles or or for how to assign application.

We see actually the used tokens we call them, okay because when a user log into an application through sso, idp, no matter how we have either logs or we have tokens of these users because all those apps have through their API or through browsing to their management site information about what was your last using app like how do, when did you do the login? So no matter if the rule is for the role, eventually the user will use the role or the assignment that he got from the role. And we can see this by getting the information. Yes.

So it means if your application is not on board centralizing the Y, you can list these applications which are the centralized right? Is that you are saying Yeah, Speaker 13 02:15:50 I can see them from many different aspects. If not from the SSO then maybe from other IDP like Google or even Slack because Slack also have option to be an idp. There are some SaaS application that has the option login with Slack and then by having an adapter to Slack we can see even more apps that we didn't see through Okta, Google or any other budget application.

There's one more question over there I believe. Not behind you but exactly you.

No, no not yet. Okay, perfect. Let me back in here to the, the time we have 25 more minutes. This is a workshop. I think the last couple of minutes have been very interesting from a information gathering point of view, but if there's anything pressing questions, remarks, doubt, can you do this? How would you do that? Now is the time to speak up.

I mean we can continue to present this beautiful solution to you and show you how this information gathering about SaaS application will help you to look into your SAS environment from different aspects being a cyber aspect, being a cost aspect, being a user and permissions aspect. And that will eat up to 25 minutes or you'll say no stop this now I have this pressing problem I'm thinking of and let's dive into this. Let's just do this.

Yeah, Okay, I have one. Okay, go ahead please. More about SAS discovery. Is this also something you can crawl proxy logs to find, you know, because it's, you know what you know but you don't know what that random business user in Munich signed up for. Speaker 13 02:17:40 Exactly. So as you mentioned, besides That might actually be a free thing. So there's no expense trail. How would make it really difficult? How would we go about that? Speaker 13 02:17:51 So nice catch.

This is also another approach that you use to have discovery because if you have a a DNS for example or any other security application that have logs of connection, maybe firewall in the organization to see all the connections so we can understand by the connection, by the network connection also what user you have. We can also see the the the Chrome extension. For example if a user have a Chrome extension installed for the Slack, so this user uses Slack and we take this information from all those approaches aggregated so we know for sure that he use it.

Something interesting before we move to the next step if there isn't any other question is that you can see that those apps are not connected to any other apps, right? All those apps are make sense, okay some the people use the Google login, all those apps are not connected to Okta and this is why they're actually unmanaged because user just decided they want to log into those apps they just did signing with Google, use their Google account for of their of their company and 45 users use Confluence, two user use supermetrics, all those apps are unmanaged.

Speaker 13 02:19:13 And also the apps here in the right side are unmanaged and those apps are actually the apps that were were discovered by for example DNS records, budget, budget applications and we didn't see them in any other adopters or approach we taken because this is the aggregated information. We know for sure that these apps are not connected to your organization regarding using sso, IDP or anything that is some kind managed by the it. It's just they decided to do it and usually you'll see apps with very little users here as well.

Another thing we use that I didn't mention is thanks to the awesome product that a video showed before he gave you the example of the installed apps that we have information about installed apps and of devices of users. And because we are the same company, we have the privilege to also use the data that the other product have if you have both product installed and we can know by the installed apps also in other discovery of SaaS application you use because we see them installed in your endpoint and we you we see how how much you use them like last access time et cetera.

Speaker 13 02:20:33 If there is no other question, I would like to go wait, Wait, wait. We really need to make sure that there's no other question cause otherwise this is not a workshop. So anything coming up here in those regards, is there anything which comes to your mind? I mean Speaker 16 02:20:49 I have one last question. How do you actually eliminate the false positive that you might have looking into the proxy traffic?

So basically you, I go to my I don't know, newsletter, the, there's an advertisement about, I don't know use one password and suddenly I you you see a network connection or thes request to that, to that application. How do you eliminate the noise to basically give me actual action, actual actionable database on those apps? Speaker 13 02:21:21 So great question because it's actually not that simple, but we have Analyst that know like the URLs that are being used when we actually use the app and not just surfing to the app just to see how it works.

Plus we see how many times you surf to this application, what was the last time, how many times you surf to the application and up to now we didn't see a false positive regarding all those things correlated together because we actually see a URL being accessed that is not accessible when we don't really use the app because it's a post login url.

So if you serve to the, you for sure logged into the SA application and you have a user for the SaaS application, Speaker 16 02:22:11 You're a bit in with with the logging that you do, Speaker 13 02:22:14 Sorry, Speaker 16 02:22:15 You're a bit in immersive with the loggings that you onboard in your platform. What do you mean? If you look at the post request that you have, that's you'll, you'll need to par the, the response either it's a 200, it's a 400, then that means you Speaker 13 02:22:30 Of course, of course.

But if I see, like if I see an URL that is accessed a few times, like not only one url. So it's probably like a real URL surfing and not just a trying to serve to denied access euros. Yeah. This is a more, this is more of a question I've seen. This is for the German market. You're collecting a lot of information here and it goes to user behavior. Have you seen any issues with getting past the patri? We had a huge problem Actually.

This is an interesting topic and as we are talking about cybersecurity here we are talking about tools, we are talking about pii, personal identifiable information. I could give you an answer but I'm not allowed to, right?

So yes, there is information about your question around and yes there is, let me put it more generically. There's always a way to explain people about the good things we are trying to do in cybersecurity in general. Not only with Aon solution but in general. And there's always a downside of it. This gentleman just mentioned, we are very intrusive in trying to find out how you are using your SAR solutions.

Yes, we are intrusive in this case because we have to because SARS is proliferating all across the place and how would you run after it if you follow the rules of engagement? There's no rules of engagement in buying a new SA solution and getting a new access to it. So we have to be as smart, I would say not intrusive, but as smart as possible to go after what's going on in your infrastructure because that you want to know and if you don't know that you can't help it. That we had in the in the beginning. Yeah.

So if it comes to discussions with the German RI art, this usually follows to my understanding and experience. This follows a certain pattern that goes, this is theri art, this is the game beha or the organization and they are enemies. This is the nature of being Ari art. So a Petri art says, hey, there's something going on that has been sanctioned by my enemy and I have to stop this now the enemy is cybersecurity. This could also be the surveillance surveillance camera somewhere in, I don't know, in the locker room or something.

But there's good reasons for this camera because someone has stolen, someone has potentially stolen something there. So both theri, right? And the company wanna know what's going on here because the petri guard will never cover the black sheep in their workers for us. They will always protect their workers for, but if, but if there's a, there's a black sheep in there, the Petri guard wants to know.

So usually this follows the habit or the pattern of finding a cybersecurity agreement between the cybersecurity team and the ri not saying, Hey, you guys can do whatever you want in a black box as long as you don't disclose PII of any of the workers at the point where we get away from c pseudo normalization or anonymization and we really would lift you know, the cover and look who's beneath there.

We want a four I principle, not only cybersecurity looks to this clear text name and pii, but also, but this only happens in a case where the, the discovered behavior may potentially be in conflict with local law and in this case this has to happen anyways. So this is a situation where nobody leaves out and no company has a lot of wiggle room in, in regards of their judgment. But this is a point where the German starts, unright comes into play and says, listen, someone's stealing something, someone is doing this and that.

And then usually if you discuss those, this is very generically, this is not exons alike, but this is very generically if you, if you discuss what cybersecurity does with your ri are they usually understand the only thing they need to make sure is that their enemy is not making use of the information they get to do sidetracking to understand how much are they working and all sorts of things.

The usual battle between companies and Petri that are going, We had a question back there and then I you you Take, I just won't ask about what is meant by Petri route was oh That means the works council, sorry, that's the works council, world Council, like a professional union within an organization representing non-management people. Nobody likes them except of the Germans. Hey I got my like them on occasion because Actually, actually we have this in Egypt and it's very useful for the organizations to change direction and fix what is not being seen as an issue.

It's another perspective. It's a, But what is the role of Petri in this context? Petri or the works council usually takes care that the company and how the company is run are based to the legal local regulations and it is protecting especially the workforce from from being, how do you say this?

From by, from being sped out and trying to avoid those words. Yeah, so this is the company they wanna make the best use of the workforce. This is the workforce they wanna make, make the best use of their life. There's a conflict since a couple of hundred of years since we do in industrialization on this planet.

And the and and the works council takes care for the, for the rights of, of the workforce and the company takes care for the prosperity of the company and there may may be be some gaps as usual and to, so that every single worker has his representative, this is where the works council or the pres comes, comes into play. Speaker 13 02:28:30 It's all clear now. Thank you. Please go ahead. I was thinking all time in this solution, I think it is really potential.

However, how do you protect if you have the attacker inside? I mean if this is really compromised because you have all the information from your organization. We saw accounts, we saw asset, we saw behaviors. So I think it's really interested to also to know how this tool is protector protect in your own company. Speaker 13 02:29:03 So we have a feature called user behavior analysis. Actually I'm, I'm going go through the other types very fast, but I want to show you this feature just for you to understand.

We have a feature called logs analytics and we actually going over logs over operations that user do whatever, they do it from the real device, whether it's the real endpoint user or whether it's like a fake user using the token itself. And we see all the operations being done in a period of time and we have an engine that analyze the, the differentiation in behavior according to time. And we also have rules that catches suspicious behavior like the Okta Bridge for example. Have you all, have you heard about the Octa Bridge? That was very famous few months ago.

So actually it was a a case where a user being compromised and using its real credentials, not any other wrong credentials and the admin created another admin user. Speaker 13 02:30:16 This new user started getting more and more application with admin credentials and it kind of put a back door for him to go back later. So we can catch this scenario and if we see all those logs here, this is a tab called logs in analytics, we can see over time how many events have happened each and every day.

If, if we see a pick, it can be something suspicious by itself because there is suddenly a day where we have a lot of activities. But if we wanna see actually suspicious activity that created findings for them, we can filters those events and now we are gonna see events that created a finding for us, a finding is our mechanism to show you what we have found that this need to be handled. Okay?

Because through the tiles we just see and up until now and through the tiles, we are gonna see in a, in a few seconds we can show you different perspective of your information, whether it's correct or whether it's wrong. Speaker 13 02:31:22 But finding stub have the opportunity to show you like, like a summary of all the things you need to fix in order to be okay, whether it's compromised, it's a suspicious activity, it's a suspicious behavior, whether it's wrong settings that we gonna see very soon, how is the settings are okay with the compliance or not.

Whether it's like a shadow user we just mentioned because if I go to the finding of those logs, I can see what I mentioned, new suspicious Octa admin, the severity is very, is the highest, it's critical. And I can see admin user created and perform login in less than 24 hour window, which is one of our rules to, to catch the Okta bridge. Let me interrupt you. I think this is an excellent feature to make sure that people who use your environment don't go rogue. But your question was going in a different route I assume.

I think if they, if you have, if this tool is compromised, I guess you are getting over it, Right? So we are talking about hardening of the tool and how can we make sure that nobody gets a hold tool. All this relevant information. Let me tell you this, there is a thing out there called SOC and SOC two, it's not helpful. We know this. I mean it's helpful but it's only helpful in showing you how good on a scale from one to 10 you might be. So we are following this path as a company to get certified. I think we are SOC two in the moment and we, yeah, SOC two, type two.

And who knows this game of building mattresses and having 1, 2, 2, 2, 1, 1, 2, 2 knows what I'm talking about. I'm with you. Everybody who tries to collect relevant information regardless if it's about assets or there's other user behavior solutions out there on this planet who do exactly this.

And then you'll find, and then if I was, I was, I was asking you to think rogue and thanks much for doing this, it's very helpful not only in regards of how a tool like this can be helpful but also how important it really is that that the information being collected by a tool like this is also kept as secure as possible. And we all know that no, there's no a hundred percent security if, let me, let me do this and then we come back to the next question. If you are interested in more details then we can do this on a one-to-one basis.

We'll connect you with our senior management who we learned is also the driving force behind the development of the solution. And then we can see how, how much we can disclose about what we are doing about hardening. Sure enough, this is all gonna be encrypted. Sure enough, this is all gonna be made as as vulnerability free as possible, but there's always cracks, cracks everywhere. This is not a good answer, I know this but this is the best answer I can give you for now. There's one question over here again please.

Speaker 16 02:34:25 I do have a possibly I I I'll try to make it the last question. So basically you have the ability to inventory all SAS application that we have where you have the ability to tap into the users and find out what user has access to what, do you also have the ability to actually correlate the database on department? For example, as any other company, you have multiple business units, you have your finance, your HR and so on, et cetera, et cetera.

But imagine that the user has a ped access or I'm a security person and I have access to my CRM or to my HR solution that I should not have or imagine that I do have access to the Salesforce tenant when I should not have access. Do you have the ability to basically display that kind of event?

So for example, users with correct permissions assigned based on the role or the department, they are plus some probably shady, probably way too wide permissions accessing different other SaaS applications that should not be there and that's more aligned with the cleanup with governance and, and make sure that you people, it's actually following your lease privilege. Speaker 13 02:35:37 So you, you are talking about feature of more like an identity manager, right? That like you see that your identity of this department is doing wrong thing with the identity itself.

But actually you can see in the user tab the department of the user and you can see for example if it's add, if it has admin permissions and we don't have the feature of like showing you and create findings for a a person that is like in a HR team and and use SaaS application for developers. But we can show you for example that we have a user in a specific department that has admin permission, which is is wrong, but the admin permission is not, has to be for the entire unique user. Okay?

It can be only in one app for example, you can see that this user have admin permission for Salesforce but it doesn't have admin permission for Google office, Azure or any other stuff. Speaker 13 02:36:37 So you can say okay, why? Why does it need to be admin of the Salesforce? Maybe it's correct and it should be admin of the Salesforce but maybe it's something wrong. And regarding your question, I wanna go to the extension tab and then go back to the user, the extension tab actually show you more details about the connection themselves.

Remember in the inventory page we saw all the application being connected to one another, but we don't know how they are connected and what permission do they ask for for each and every user. And we can see that we can can now take a look from another aspect, not by user view but by the token themselves. And we can see that, for example, Google Workspace has a Adobe token being used by 23 users and they are 23 inactive users because in this case they didn't use it.

Speaker 13 02:37:36 But when I go to the extension page, what is nice that I can see the permission themselves and I can now see exactly what are the permission that's used like the permission by Google and tagged by our tags that currently there is only identity and admin. So you will know if this is like identities for all the read only things you want to do. Like if you just log in with Google, you usually get open id, maybe you see contact, read calendar events, et cetera.

But you don't have to, for example, see a a a Google drive access and if you see Google Drive access for an application, that's supposed to be like for hr, this is weird either for the application or for this specific user that maybe has been compromised. But so we can, you can investigate it and see it but we don't have a finding for it to show you. But we can create a rules because our finding tabs is also things we create and also we have the option to ask for new rules to be added that create automatically findings.

Speaker 16 02:38:51 Can can a user of that of this platform create his own rules basically because I see that you probably in the background you're using some K QL or something like that, that would allow me to create my own correlation rules to say, hey, applications of Salesforce should be accessed only by finance department, rest should not be. And if if there's something then give me a finding that I can act on it. Speaker 13 02:39:17 So currently we don't have the the the UI option to do it. This product is actually is kind of new.

We started it like one year ago and it became official only a few months ago. But currently we give the option for customer to ask for rules that we add behind the the curtains. But in the future, yeah, we want to have the option for the customer to do its own rules and create its own findings and then with all the information just for you, you can have this finding. So sales management is an interesting topic to discuss about, to look into. It's growing very, very fast.

So does the market around it sold us the types and vendors and specific of of free letter or four letter acronyms been covering this problem. This is all a highly dynamical place and like Yvan just said, also our product is trying to run after this, this explosion of IT usage out of our hands so to say.

Yeah, if you look at this to a very traditional compared to a very traditional approach like we headed a couple of years ago, like where, where we talked about in the earlier session where you had just one type of operating system and you just one type of network and one type of agent. This is not the case anymore. We could talk on for HS, but it's only one minute left if my watch goes right. I wanted to use a little bit of the time today, today to say thank you to the people here in the audience.

Again, thanks for for making your way to here for involving into the discussion here for throwing in some very, very interesting questions. But I also wanted to say bye bye to the people on the video screen and I wanted to apologize again. Unfortunately we were still not able to get a hold on that stream of questions that have been placed in the team session.

I again, want to encourage you if there's anything you wanna know about a's technology, the licensing, the ups and downs and maybe future and past or whatever, please feel free to drop a mail to in for@aons.com. Mention you had been on a a CSLs event and post the question again, this will sure enough than be forwarded to me or anyone here over here in the European team. And then we will take the questions from there. If you need more pressing contact information, feel free to reach out to me on, sorry to say one of the SaaS applications on LinkedIn.

That's always a nice thing to do or take down from my speaker information, maybe my email address and then you can address me directly having that all said again, thanks much for being here. We will be here in the afternoon to set up our booth. We'll be here tomorrow whilst you are in the sessions and we will answer your questions, give you a quick demo.

My, my colleague Orhan will be with me. The other two gentlemen are actually going back home to Israel. Thank you also to you. I'll probably stay as well. Are you gonna stay even better? So we have a SaaS management expert here as well for, for your questions. Thanks much to AOR who took the time out of his calendar. You can imagine that he has a lot of things to do coming to Germany and to present here to the cupping call audience, which I understand is a broader than only German audience. We have people from, from all across Europe here. So thanks.

Thanks and thanks and thanks and having that set. It's exactly one minute after 12 o'clock. See you in a bit. Bye bye.