GISGID – Episode 18 – Dave Raphael

Speaker 1:
Hello and welcome to Get It Started, get It Done, the Banyan Security Podcast, covering the security industry and beyond. In this episode, our host and Banyan’s Chief Security Officer, Den Jones, speaks with Dave Raphael, Chief Operating Officer at DNSFilter. Dave has more than 20 years experience at tech firm’s, large and small, and is an expert in application security and author of the 2009 book, Security on Rails. We hope you enjoy Den’s discussion with Dave Raphael.

Den Jones:
Welcome folks, to another episode of Get It Started, Get It Done with your host, Den Jones, Banyan’s lame attempt at podcasting and if we’re shit at making software, then I guess, we can fall back to this. So I’m just glad our products actually don’t suck. Got a great guest with us today. So Dave, and I don’t want to butcher your last name, so Dave Raphael or-

Dave Raphael:
That’s it.

Den Jones:
… And are you a ninja mutant turtle fella or…

Dave Raphael:
Yeah, yeah, I lived… I grew up with that as the fun thing. So yeah, that was my era as a kid.

Den Jones:
Well let’s… rather than that being your introduction, why don’t you do a better job and introduce yourselves to the audience?

Dave Raphael:
Yeah, absolutely. So Dave Raphael, I currently work as a Chief Operating Officer at DNSFilter, been there for about 16 months and just recently took this role. Prior to that, I was chief product officer and ran all of R&D and everything from threat research to product development to product management, etc. I’ll actually continue down that path and we’re embracing product led growth is the model and therefore this role’s an extension of that, etc. And yeah, I’ve been doing cyber for, gosh, about 20 years and a few more years beyond that, I’d been doing software development in general and I’ve worked across the gamut of big companies, small companies, seen a little bit of it all and I definitely love this SASE space where we’re in the scaling up phase with a great product market fit, etc. where we are today at DNSFilter. So yeah, just been doing the same stuff for a while now though.

Den Jones:
Oh, so I was… yeah, I was just going to say, so for people who don’t know what DNSFilter is, can you describe what the company is, what the product is, and the vision for the future?

Dave Raphael:
Absolutely, absolutely. And actually what brought me to DNSFilter was the simplicity of our product and that product is providing protective DNS. So for those that aren’t familiar, that’s ultimately ensuring that at the very basic level of DNS queries, those queries are all being run through a system that ensures that they are not malicious, phishing, malware, etc., etc. and beyond that, we also provide content filtering for businesses as needed, whether that’s for corporate policies or even regulatory compliance, such as protecting kids in the educational environment, etc. And so we see that all as a continuum of the security value, etc.
Beyond just providing that as a service, we provide that to the OEM markets as well. So we sell direct to businesses, we sell a lot through MSPs, we have distribution in the US and internationally, we actually provide coverage for a whole country, actually a fourth of filtering, and last but not least, we’re embedded in some very, very large products in the order of millions and millions of users. So our product’s pretty ubiquitous and in terms of the number of users we protect, it’s probably somewhere in the 30 million total users range when you actually extrapolate it out. As far as the core offering goes, that protection and where we’re going with it all, we can expand into that a bit. So feel free to just ask away and we’ll journey through it.

Den Jones:
Yeah, no, that is awesome, awesome. Well, yeah, we’ll probably circle back a little bit ’cause I’ve got a few fun questions for you along today’s episode. So we’ll definitely come back into where the product fits, but I want to play a little buzzword bingo. I don’t know, so Banyan buzzword bingo and we’re going to start off with zero trust. So what’s your take on zero trust? Where do you guys see that with regards to DNSFilter?

Dave Raphael:
Yeah, no, I mean I think first I’ll speak generally to zero trust and then tie that back into DNSFilter. Zero trust really reminds me a lot of when people started referring to the cloud and so it really captures a lot of the, I don’t want to call it quite final state, but as we started migrating from the traditional corporate intranet with big walls and VPN only access or physical only access and then we started seeing more and more of this hybrid, etc., the zero trust term made a lot of sense around how do you approach the problems that come with not having control of the network topology, etc. that you’re dealing with and it’s like if you take the approach that well, don’t trust anything, we can just simply create an incredibly strong security posture by needing that, and that’s a pretty tall order. How do you go about doing that? And so it’s not a single thing. It’s a layered approach and it’s a Tetris problem, if you will, of products really to put together depending on your needs.
DNSFilter fills a couple little areas there and when I say little, not so little in the sense that we are at the foundation of it all. So if it starts with saying, are you locking down the very basics such as the question about what does this domain resolve to and what’s its reputation and other things that we can find out about, that is a basic building block that I often refer to as, it’s like fluoride in tap water. I don’t know if a lot of people realize, but there’s literally fluoride in modern water supplies, it’s one of the reasons why we have better dental health. It’s not just because of dentistry and stuff, it’s actually because this fluoride in the tap water helps solve some very large percentage of the general issues, and that’s true for what we do in the zero trust world is we provide that basic substrate around how we protect the resolution itself.

Den Jones:
Awesome, awesome. So next buzzword bingo, SSE, or maybe it’s acronym bingo really, something like that. What’s your take on SSE and where do you guys play in that arena?

Dave Raphael:
Huh. Well, you may have to filter some of this out ’cause I have some strong opinions and there may be some swearing, but SSE is the one half of a coin called SASE-

Den Jones:
Yeah.

Dave Raphael:
… And SASE to me is a bit like… it reminds me of the SOA stuff back in the 2000s, the service oriented architecture where it was all this rage and we’re going to build a ton of products around how to broker and control and all of this, these services that we’re going to tie together through these amazing protocols and nobody ever has to write code again and with SASE, if you deploy all this, you never have to worry about a zero trust type environment because this takes you from soup to nuts, from your actual basic network access all the way through your authentication, you’re brokering around access, you’re CASB, etc. So ultimately protective DNS is one of the pieces of that puzzle. Every solution that finds itself in that magic quadrant or that category of products must provide protective DNS. Additionally, you’ve got securing down the web part of it, the URLs, etc., etc., and we can talk a little bit more about how DNSFilter plans on playing in some of those other areas too.

Den Jones:
Yeah, yeah. I was just so, my other buzzword bullshit bingo one was going to be SASE, but you covered that a little bit. What do you see is a key difference between SASE, so S-A-S-E and S-S-E.

Dave Raphael:
I may need to pull the reference book out. If I remember correctly, the A part of it’s the Access control, is that right, and Secure Services Edge versus whatever it is, Secure Access and blah-blah-blah.

Den Jones:
I-

Dave Raphael:
Real quick, I will say about SASE is it’s an all-encompassing Gartner invented thing that I think is useful for framing certain conversations.

Den Jones:
Yeah, I was just going to say this. Is it analyst led growth as opposed to product led growth?

Dave Raphael:
It is, it absolutely… I don’t know if the A stands for Analyst or something else, but it’s definitely not product led and it’s not market driven really. It’s more of a how do we bundle all these things to rationalize a complex cycle for some of the other incumbents frankly that have been around a while so that they can sound fresh and really be able to target a zero trust world.

Den Jones:
And it’s funny you say that because I was at a conference, I think it was Dallas, and the speaker before me was wrapping up his talk and the audience questions, one of the questions was all about are you guys in the magic quadrant of nonsense? And his answer was brilliant ’cause he was like hey, those are pay to play. He went you have to meet certain criteria, you have to be best friends, you have to give them money and he just let loose and he was really eye-opening conversation that [inaudible 00:11:09] on the whole analyst market and how you get those things. And it actually reminded me of the awards market as well. If you want to get the project of the year award with blah, blah, blah company, then quite often it refers back to yeah, how much did you spend with that company over the last year? Were they involved? And so there’s a whole bullshit thing that, I think, as a practitioner you don’t really get great awareness or insight into.
As I transitioned over into my role at Banyan, then all of a sudden I started to learn these terms pay to play, which I had never even heard of before. I didn’t even know that thing existed really. So for me when I now get into buzzword bullshit bingo and I try and tell, even our marketing team at Banyan, I roll my eyes every time I see another bloody acronym coming out, but I get… and you hit the nail on the head, it’s how Gartner and other analysts really want companies to be able to frame the conversation more than anything else and for them to say we fit neatly into the bucket of X, Y and Z.
So I understand why companies like us and other companies go down the path of saying oh, we are a zero trust company or we are this company or we are that company. SSE is the new fancy thing for us right now, and I totally understand why we’re on that bandwagon, but at the end of the day, as a practitioner problem solving and reducing risk, I want to know hey, my employees don’t need to use usernames and passwords any longer, how do I achieve that outcome? I don’t want to use VPN any longer, how do I achieve that outcome? I don’t want that my employees click a link that they go to that malicious website, how do I achieve that outcome? So I think the reality is it’s how do you get these products to work together in order to reduce your risk and achieve specific goals.
Now on that topic, I’d love your take on what do you see, how important is collaboration between different companies ’cause we don’t do all things zero trust and we don’t do all things SSE. So I learned in 2017 at Adobe, we needed partners to integrate their solutions in a way that derive these outcomes that I just spoke of. So how important do you see that?

Dave Raphael:
Oh, I think it’s paramount. I mean in some ways it’s like, I’m probably going to answer this a few different ways. Number one, I think that the whole cycle of security products has some interesting patterns where you’ve got the paradigm shifts, some new acronym when we went from antivirus to endpoint to EDR, XDR, blah-blah-blah-blah-blah. You have these evolutions of paradigm, and then there’s the best in class versus best in breed and what ultimately happens is you get acquisitions that occur with some of these best of breed to be combined into a solution and I think you’ve got a few years where you’ve got a leader that can check a number of boxes and solve those problems in a super effective way. As we know, as companies get bigger and accumulate more weight, I’ll say, they slow down their ability to innovate and they really generally are going to struggle to have any sort of paradigm shifting roadmap, etc.
So it’s really important that there’s a continuum of companies out there pushing the boundaries and in order to push the boundaries the best, the focus that comes with being, a laser focus, whether it’s a Banyan or a DNSFilter, to focus on a certain area and being the best in that area and to your point about being integretable and being able to work together, it’s really important for the best of breed companies to understand that we have to be integretable in order for us to sell into, whether it’s the CISO or CIO office whatever, in a way that doesn’t cause their implementation budgets to go wonky, etc. So I think… and I can continue to go… and then I think you also have to look at some of this starts to become a natural bundle for these acquisitions where you can actually put together some pretty compelling stories around hey, such and such, I’ll leave names of companies out for a second, let’s bring these three things together and it can be an in-between the best of breed and best in class. So that’s why that inter-op is so important.

Den Jones:
Yeah, absolutely and I’ve done several implementations of what some people will call zero trust, but I remember at Adobe we basically had to strong-arm three companies and say hey, you will work together or you will not be part of this solution and it was hard. We at least had power and name brand behind us, but I can’t imagine how some like City of San Jose is going to turn around and get the same success or the same leverage. It’s really tricky. So it really is upon us as organizations to try and look at companies that we can partner with.
Now AI, AI is all over the news, Dave. So let’s talk about some AI and machine learning and all that stuff. Specifically with DNSFilter, how valuable is things like machine learning and AI to you guys?

Dave Raphael:
It’s beyond valuable. If you look at what differentiates us, it is the use of machine learning extensively. It is baked into our DNA at this point since 2018. That’s literally been a linchpin of our convergence of all of the threat research. We bring in close to a hundred data feeds, both open source, and we pay for a lot of the high-end players that people have heard of, but we also have extensive amounts of machine learning techniques, whether it’s statistical models or recurrent neural networks, etc. We’re applying a litany of techniques to categorize things and to ensure that our true false-positive rates stay where they need to ’cause the last thing we’re going to do is bot the wrong things. And we’re about a seven-day average ahead of the competition in data feeds in terms of identifying zero-day URLs for zero data malware. I’ll let the cat out of the bag little. Our labs team is always working and improving that and we’ve got some new technologies that are more like 500 to 1000 hours ahead of anything out there. And so-

Den Jones:
Wow.

Dave Raphael:
… The name of our game is machine learning and how we’ve managed to productionize that and put that into the market.

Den Jones:
Awesome. Now, from an AI perspective, what do you see… so how do you see AI benefiting the attackers and then how do you see AI benefiting the defenders?

Dave Raphael:
Huh, boy, that’s actually something I’ve been exploring for months now. There’s a couple different ways I’m looking at that one. One is obviously from a social engineering perspective, the ability to craft contextual messaging to folks becomes not free but very low cost, relatively speaking. So whether that’s targeted or even just looking at not having grammar problems and spelling issues that come with a lot of these attacks in the past that we’re part of how we helped recognize them to begin with. I think that’s just one simple example. I think that we’re going to see a lot more. Even outside of the commercial GPT offerings, I think even we’re going to see some of the large syndicates investing their own time in training the GPT-4 type of things for their own purposes because they’re very sophisticated and for every dollar we spend on security, I believe, in IT budgets, they’re spending $90 something. They outspend us like crazy. [inaudible 00:20:19] that.

Den Jones:
Yeah.

Dave Raphael:
On the defense side, I think there’s… this one’s tricky. One of the things that makes our technology work is that it’s fast at scale. So you can answer lots of questions very quickly and in the compute world, we’re always trading electrical costs essentially for answers. And one of the challenges I see currently with any mass scale application with something like a ChatGPT, is you’re spending a lot of pennies, so to speak, for every question that you ask and so that makes it pretty tough to create anything that’s market viable from a cost perspective. On little proof of concepts, you can do some pretty cool stuff today with hey, what do you think about this domain? And you know you can say can you give me a dossier of the people that might be connected to it? It’s cool. So that angle, from a research perspective and having almost like an army of minions to be able to go gather information, pretty powerful. So I currently see it as much more favoring the attacker side than the defender side at the moment.

Den Jones:
Yeah, yeah, unfortunately. I was reading how script kiddies are using this stuff to really build some serious malware and then they don’t have to be as skilled. And I think it’s interesting in the industry the level of skill required for an attacker to get into the market of whether they’re doing ransomware or other stuff, is they don’t have to be as skilled as they used to be. So you’re getting more people joining the market as attackers and unfortunately as defenders, we still have a skills gap like we have to be more skilled than ever before.
And then the other thing is there’s way more tools than ever before and I think a trap that CISOs fall into quite often is they’ll go through the whole, say the SANS book of How to Build a Security Program and they’ll be okay, what tools have I got for vulnerability management, what tools have I got for this, what tools? And eventually they end up buying more tools than they have staff and you deploy your tools and you leverage 5% of their capability and you don’t get the value out of it. Your budget’s crazy, your staff are overworked, and then, like you say, the bad guys, there’s so many of them, they just need to get it right 1% and they’re in, and we got to get it right almost all the time to keep them out.

Dave Raphael:
Well, I’ll tell you one area I haven’t thought of yet, but you just made me think of, when I was thinking about the whole SOC staffing problem, etc., I haven’t read much, but I’d be curious to pull on that thread a little to see how the ChatGPT type approaches are working for SOAR and how we could potentially do some work there. So that one’s pretty interesting ’cause one of the biggest… as you know, whether you staff or partially outsource a SOC, there’s the whole SIEM-SOAR dilemma and do you staff more coder types or do you go with more GRC type? It’s almost like a spectrum, in which you can product skew accordingly. So that could be an interesting application to be fair, that I haven’t thought of yet.

Den Jones:
Yeah, it’s funny. I think a lot of us are still jumping in to figure out how and where AI is going to benefit the defenders, especially given staffing constraints and budget constraints and all those things. You’re trying to get an advantage that we’ve not had before and it is tricky. Now, so on that topic, so what do you think, we went through Covid, work from home, we’re still doing a lot of remote work, what do you think has risen to the top of concern for most cyber professionals?

Dave Raphael:
I think a massive acceleration in what we thought was going to be the transition to zero trust. I think it’s kind of like I go back to the cloud analogy. It’s taken us a long time to go from heavy on-prem to on-prem’s almost like oh wow, you do on-prem? And I think that… imagine if you just cut three years and pick an arbitrary number out of that cycle, I think that pain has been the solutions and the combinations of the solutions and the inter-op and all the things we talked about. I just don’t think we’re where they needed to be to fully support those transitions, so I think it’s a scramble in a lot of things. So I could put a lot of pressure on the actual implementation pace of how all of that was evolving. That being said, I still think most of it is natural course otherwise.

Den Jones:
Yeah, it’s funny. The whole remote access business, I think, was interesting because people ran to their existing vendors and basically doubled down on that investment that they already had, even if that wasn’t in their best interest because they had no choice. So I’m hoping, I say from a Banyan perspective, we are hoping as people get to the third year of any of those renewals that they’re beginning to look at what’s the smarter way to do this. Wide open VPNs and enabling that because people are working from home doesn’t necessarily, it’s not their smartest play from a security perspective.
Now, I was going to ask you, the move to the cloud has been huge for most companies, what would you say is DNSFilter’s strongest offering from a cloud perspective? So people have moved to the cloud. DNSFilter helps them in what kind of ways?

Dave Raphael:
I would actually say that we have been not immune, but there’s not a ton of correlation to be fair. We do have some customers that are using us for serverless protects and putting DNS protection in between their services architectures and whatnot, but outside of that, there’s not a lot of… DNS is so universal and hasn’t shifted a lot to be fair that it’s fit naturally wherever people are moving from, on-prem to cloud, they just lift and shift, whether it’s our relay or running roaming client, etc. It certainly pushed our roadmap a bit on supporting things like hypervisor and those sort of things for the people that are doing thin client style IT work.
So we’ve had to do a little bit of work there, but for the most part we’ve been… we were born during the cloud era to begin with. We actually operate a ton of on-prem, by the way, because in order to support a very fast anycast network, you have to be everywhere and to do that, that means you’re living on data centers, so we’re like 80 data centers around the world. So we have a mix of cloud and lots of on-prem.

Den Jones:
Awesome. And so some generic questions I was thinking of as you were talking there. One would be, what advancements within the cyberspace have you been keeping an eye on other than the AI, other than zero trust, is there anything else that you’re paying attention to that you think is exciting?

Dave Raphael:
Yeah, I’ve got a particular fascination at the moment with privacy in terms of what we’ve seen on the consumer side and how that’s going to manifest in the corporate side. I’m not seeing a lot of people talking about it so much, but what I’m measuring is sentiment and reactions around that. The fact that we’re creating this situation where we’re being more and more careful with our home deployments and making sure we have the right postures for our personal world and becoming aware of what all the big players have done with our information, but I think there’s just a whole another surface around the corporate mass, if you will, that takes a fairly promiscuous approach when it comes to security inside of a certain trust zone, even if it’s zero trust, there’s an overlay and I’m very interested to see how that evolves ’cause I think we’re going to see a similar revolution that is somewhat bottoms-up where we saw in the iPhone back in, what was it, 2009, somewhere around there.

Den Jones:
Yeah.

Dave Raphael:
All of a sudden, all the executives started showing up with iPhones and said I need this and everyone goes no, no, there’s no hardware encryption like the Blackberry, you can’t use this on the network, and then enough execs got angry and hence now we have the iPhone or Android as the total dominant-

Den Jones:
Corporate devices.

Dave Raphael:
… Yeah, so I think there’s going to be similar things with privacy.

Den Jones:
Yeah and it’s funny because I kept thinking years ago, ’cause I used to run identity and access management in Adobe long time ago, going back to 2004, I remember talking to people about biometric authentication and I remember years before then, mid ’90s, I was working with Novelle in little Compaq fingerprint readers as a way to log in and people were totally against it and they’re all like, “Oh, you can’t use fingerprint, you can’t use finger.” Eventually what happens, that consumerization caught up, got ahead and then really forced enterprises to say oh, wait a minute, this is valid, we can use this. So Windows Hello for Business, biometrics on my Apple devices.
It seems to me that the consumerization of something really pushes the conversation forward within a lot of enterprises. And the privacy thing, I think it’s only getting worse and more alarming as more companies get involved. And even, you’ve got the big social media companies and stuff, but I think the reality is because we are working from home more, that means enterprises have way more information about the location of their employees than they ever had before and how they handle that, I think is something people need to be thoughtful about and I’m-

Dave Raphael:
Yeah, I’ll just build one quick thing on there. So the consumerization part, one of our strategies is we have a consumer offering. We acquired a company Guardian that actually powers the Brave web browser and we’ve been integrating that technology into our business offering and part of that’s going to empower URL filtering. In the enterprise world, URL filtering means breaking open the SSL chain and getting in there. As a security person, I don’t know about you but it makes me sick, that we’ll crack open SSL, right, like come on. This is just counterintuitive that we’re trying to provide more security and there is no argument that that means to tell you that improves security by cracking it up.

Den Jones:
Yeah.

Dave Raphael:
And so one of the things we’re working on extensively is how do we do the same types of protections without cracking it open? And so I think that’s an example of the consumers are going to be all over this and it will matriculate its way back over to the business side.

Den Jones:
Yeah, that’s the same argument with packet inspection in general. The reality is backhauling traffic, inspecting traffic, for me, the value adds to your security risk, isn’t that significant for the cost of what the thing is? The cost, anything from performance to just the operational cost of the equipment you need to go and do that, it’s crazy. So I’ve dodged that bullet as often as I could, I always try to avoid getting into the packet inspection business. I don’t think it really is that valuable in the end.
So as we wrap up, Dave, a couple of things. One is I want you to give one piece of advice up and coming new security professional, you’ve been in the security game for quite a while, what one piece of advice would you give someone who’s just getting started in their career?

Dave Raphael:
It’s generic to not just security, I would say that, the patterns that exist in terms of the principles and foundational theory of operation, learn those. They haven’t changed. They’re just in different shapes. It’s like that old expression around everything becomes a poor imitation of the UNIX. The reality is we stand on the shoulders of giants, go find out what the history behind it all is and understand those pieces of how we got here and how it’s really a natural repetition. So cycles repeat, don’t skip the steps of learning the fundamentals, they’re still important and they really actually haven’t changed.

Den Jones:
Yeah. No, that’s awesome, that is awesome. And just for clarification, everyone, when Dave said was giants not giant who happens to be our CEO, ’cause if you stood on his shoulders, you’d probably break his bloody back ’cause he’s not that strong a fella to be fair.
Now, I would say one thing, I was pondering on this quite a bit. We go through your employee reviews and you talk about accomplishments and stuff a lot, but the one bit of advice I always think about when I certainly go through a review cycle is not just what you do is important, but how you go about your business is really, really important. And I think especially in this world where we’re under pressure a lot, I think for me I’m a bit of a class clown, I like to joke around a lot, I like to work hard and play hard, but the one thing for me is that how do we go about our business is fewer times I might’ve seen people being rewarded in enterprises for being assholes and idiots to other people, so how we do our business, I think, is important.
So if I was a new kid starting my career all over again, I think I’d probably take that on board and say, “Yeah, I’m going to be inquisitive, I’m going to learn, I’m going to work my ass off, but I’m also going to be collaborative. I’m going to leave my ego at the door and a lot of those lessons.” If I could grab the 20-year-old Den Jones again, I’d smack him in the face twice and tell him to pay attention to how he behaves. Obviously, now I’m older, I’m an older guy now, so I’m obviously very well-behaved and I’m totally, totally responsible, don’t let anyone else tell you otherwise, so yeah.
So hey, Dave, thank you very much. It’s been a pleasure having you on the show. Just I want to end with where can people go and learn more about DNSFilter?

Dave Raphael:
Oh, DNSFilter.com. Yeah.

Den Jones:
God, that was too simple, huh?

Dave Raphael:
Yeah.

Den Jones:
Geez. You know you could have been like, Banyan-

Dave Raphael:
Go into our resources. We’ve got loads of blogs, we have a lot of great stuff on there. Strongly recommend it.

Den Jones:
Awesome, and people who want to learn more about Banyan go to Banyan Vines. Oh no, wait, fuck, that’s the other team. Don’t go to Banyan Vines. If you search and you see Banyan Vines, skip past all of them, go about 30 clicks down, you’ll see banyansecurity.io. Made it simple, just like Dave. Dave, thank you very much, it’s a pleasure. Take care.

Dave Raphael:
Thank you, Dan. Appreciate it. Thank you so much.

Speaker 1:
Thanks for listening. To learn more about Banyan Security and find future episodes of the podcast, please visit us at banyansecurity.io. Special thanks to Urban Punks for providing the music for this episode. You can find their track, Summer Silk, and all their music at urbanpunks.com.

 

Close Transcript