Reactive to Proactive Risk Reduction with Automox's Director of Solutions Engineering

Summary

In this episode of Product Talk, Steph Rizzuto and Katherine Chipdey discuss how Automox is leading the industry shift from reactive to proactive risk reduction. They highlight the importance of proactive risk reduction and how Automox's solutions, such as Worklets and Automated Vulnerability Remediation (AVR), are helping customers in this shift. They also mention the introduction of AskOtto, a generative AI tool, and its impact on automating tasks. The conversation emphasizes the need for better communication and collaboration between IT and security teams to improve security posture.

Episode Transcript

Steph Rizzuto: Hi guys, welcome to another episode of Product Talk. I am your host, Steph Rizutto. I'm on the Product Management team here at Automox, and I am joined today by Katherine Chipdey. She is my partner in crime with AVR amongst other things. Katherine, why don't you go ahead and introduce

Katherine Chipdey: Yeah. So Steph, Partner in Crime. My name is Katherine. You know, I've been at Automox for about three and a half years now. So it feels like 15 years in the old startup world, which is exciting, but it's been really fun, right? I head up solutions engineering now in alliances. So a lot of what Steph and I go through is the actual conversations we have with these prospects and customers, like what's their pain, what are they going through and how can we ideally help in the best and most efficient way possible? So yeah, it's been a good time.

Steph Rizzuto: So we're recording this on the day of the big Microsoft outage and it feels like we should just say something about it. Like in solidarity, this kind of crazy thing has happened. This single point of failure that that's happened that has just kind of crippled things globally, know, like flights, flights landed, hospital operations, just all kinds of things. You know, when

Katherine Chipdey: massive scale.

Steph Rizzuto: It first broke, I was on Slack and I saw a bunch of team members talking about like, Hey, what can we do? know, like we could blog post up that will help people. Is it something we could like put into a Worklet? And I mean, unfortunately this isn't anything that can be really solved programmatically. Like these companies are going to have to go in intervene manually on all the endpoints. which is just, I don't know. It's crazy. It's a scary day for, I think the industry as a whole.

Katherine Chipdey: Yeah, yeah, it's definitely eye opening, right? It's it's tough to say more about it besides, know, give yourselves some grace, look after each other. You know, it's going to be a tough few hours or days for a lot of these companies. So, you know, any type of moral, physical support you can you can provide for each other, I think is the best way to go about this. And you can keep talking, right? A lot of what I've seen as far as some of the help with like BitLocker key recovery, which has been an extra layer of frustration for teams, fixes and solutions are coming from IT and security managers talking to each other forums. So we'll keep you all in the loop too, as Steph mentioned and get through this one.

Steph Rizzuto: Yep, definitely. Okay. To our regularly scheduled program today, Katherine and I are going to talk about how Automox is leading kind of the industry shift from reactive to proactive risk reduction. it's something that like I hear Katherine talk about frequently and often, it's exciting. Let's do it. Let's talk about it. Go ahead, Katherine jump right in.

Katherine Chipdey (03:15.682) I mean, I do love this topic. Anyone that's anyone that talks to me has probably heard about this, but I think it's interesting because like you don't often get a shift that big in a product vertical or in a space, right? Like we saw it with, you know, the firewalls and EDR tools, the whole cloud native autonomous zero trust shift,

That was like 10 years ago at this point, right? Maybe even longer. And so I think the fact that the remediation or action engine side of the house, now we know too well what's going wrong. How are we fixing that? The attention that side is getting is really exciting and specific to what you mentioned, Steph, like that proactive risk reduction piece is one of my favorite ways that I see people utilizing Automox to implement, right? Cause if you just take a step back and you look at that story, hey, the security detection, know, attack surface management, vulnerability prioritization, like all those tools have increased speed alert volume, right? Like we know what's wrong. And so past few years it's been, okay, well now how do I fix that? And you're kind of taking that list of problems and you're trying to fix it

You know, maybe you're trying to use better tools. Maybe you're trying to use some automation to fix it. But like that big shift we saw when Automox came to the space as that first cloud native tool, you know, with the automated policies was how do I set like a baseline of compliance that I feel comfortable with to proactively reduce that. Right. And so, that's a pretty massive shift. If you look at that versus people being like, I don't want to patch because I'm worried it's going break my machines or something's going to happen.

Steph Rizzuto: reboot and stuff like that. What do you think, what do you see as one of like our biggest besides obviously are the automated patching piece, but beyond that, what are some tools that you see that we offer that customers are using that are helping to like drive that shift and really kind of change the landscape?

Katherine Chipdey: Yeah. Yeah, I mean, I think from an Automox specific standpoint, like Worklets, obviously, which we've talked about a lot in our forums and to customers Worklets which is that configuration management piece is incredibly powerful just because to your point, right, everything that's not patchable is still a massive issue for customers and all these tools they've typically had like a group policy or, you know, specific expensive config management tools are super inconsistent and very, very hard to implement and use. And so when you kind of take that aspect of, here's how we're proactively reducing risk with our patch policies and the SLAs we're putting in place. How can I also do that with certain security settings on my device? Right? Like a great example being password complexity or account lockout settings, or, you know, on my corporate devices, I don't want people to be able to use their USB. So it's all these types of like configuration changes folks can do.

And if you look at vulnerability scanners as well, and a lot of the main issues they're showing, like I always talk about flash, right? Because anytime a customer like they grunt and they're like, yeah, I can't get this thing out. And it's giving me like 10,000 vulnerabilities just by having it in the environment. So it's not just patching, but remove that and keep it out of my environment, right? That's kind of the important thing.

like that proactive risk reduction has allowed for, I'm not just like remediating a ton of stuff. And then it goes back up when patch Tuesday happens. And then, you know, it goes back up if there's a zero day or it goes back up. If, know, somebody changes a config on their device, I'm keeping it at that baseline because I'm always keeping flash out of the environment. I have registries edited to where they need to be. I'm remediating zero days with the click of a button because those fixes are created by this platform.

So I think Worklets is a massive piece. And then what you and I work on a lot too, right? AVR, that (Automated Vulnerability Remediation) is kind of like that process shift between, like even when we started here three and a half years ago, the sentiment was IT security teams, very different. And I have always, I've always been a little grumpy about that statement because like, okay, maybe, right? It tends to be that way historically.

Katherine Chipdey: But I don't think it should be right. And I think a lot of teams are in agreement of how do we start like proactively talking between those teams? How do we shift from that security team reactively passes a list of issues to IT and how do we work together to set policies that make both lives easier, right? Communication seamless.

Steph Rizzuto: how do we bridge the gap between IT and security? That's definitely one of the aims when we set out to do AVR, one of the key outcomes that we wanted to address. Here's what's wrong. Now fix it, fix it in an automated fashion and be able to communicate that back to the security team that, you know, this is what the steps that you've taken to do those kinds of things.

Katherine Chipdey: Because like when you interview those customers, what's the process that they typically told you they're doing today? It's kind of funny,

Steph Rizzuto: Yeah, it's super, it's super all over the place too. Super manual. And I feel like this helps them communicate better. And I don't want to say get along better, but kind of, you know, it kind of helps them get along better. Maybe two, two segments that don't always, you know, see eye to eye or get along super well. And now we have this tool in place that can kind of automate some of that. And the security folks can see how much

Katherine Chipdey: Yeah, there's an aspect of it.

Steph Rizzuto: the IT team is doing and how they're reducing the risk. So I think that's really important and really powerful part of the integration that we have with Rapid7.

Katherine Chipdey: Yeah. Cause think about it, right? It's like these teams and the way that this process was set up was like kind of a losing battle from the beginning, right? You've got teams putting a ton of time and resources and effort into finding these. And then they're like, why is my risk not going down? Right? Like this is a, this is a bad look. They don't feel like they're improving their security posture, but on the flip side of it, you know, you've got these IT teams that have been given like maybe this is too aggressive to say, but like truly miserable tools to use to do that, right? It's just a losing battle as far as volume. It's physically impossible for humans to take care of that number of volume themselves. And so, you know, they feel super overwhelmed, underappreciated as well. You know, so it's not even really the team's issues. They've kind of just, it was set up that

Steph Rizzuto: Yeah, inherently the hamster on the wheel feeling. Another thing that we've kind of implemented semi recently, I guess, really it was like nine or 10 months ago is we introduced AskOtto into the workload process, kind of our first dive into, you know, generative AI and trying to, to help users. remember when we first launched it,

Katherine Chipdey: Yeah, yeah, boulder up the hill.

Steph Rizzuto: I did like a series of interviews after with people who were kind of early adopters and it was so interesting to see the feedback there. had people who use AI all the time to never use it, but like consistently what we heard is you're taking something that took me an hour before to do. And now it takes me, you know, 10 minutes. I'm able to people who maybe weren't so strong in scripting. I'm able to like automate these tasks. Oh yeah. Same.

So I just feel like we're just consistently delivering things that are trying to go to this core problem. And like you said, the shift that we're having and it's pretty, it's cool to be a part of that. It really

Katherine Chipdey: Yeah, 100%. Right. doesn't it doesn't happen every year. Right. Or with a product by far. And so, you know, this is especially a space that I feel like hasn't been given a lot of grace, right. As far as that remediation goes. And it makes sense. Like visibility comes first. You don't know what you don't know. But

The onus is on executives and boards and the CISO is becoming a lot more business oriented and finance oriented, right? Which is an interesting shift. And so to your point, like watching how folks adopt that I mean, can you like AI in patching and configuration? Like we were still setting up servers to patch our servers, right? And that endless cycle. and you know, the VPN dependency with this, this vertical in this, you know, product segment. you know, the point of being able to go plain text, Hey, I need to do something, having script and being able to automate that across thousands of devices, safely is, is pretty incredible.

Steph Rizzuto: Well, Katherine, you have any final thoughts that you want to share with our Product Talk viewers?

Katherine Chipdey: You know, I think just going back to that premise of like really interesting ways the industry is shifting that Automox is leading and like how our customers are a big part of that, right? You're the adopters and you're the ones steering that ship. I would just say like keep communicating with us, right? Step to your point. You've talked to a ton of people, ton of customers. My team talks to everybody looking at making that shift. Like I can't stress how open and excited everybody is to keep innovating, right? And I would hate to such big changes and leaps being made and that like slowed down at all. Like let's keep going after that, right? Keep letting us know where your businesses are trying to go, where you're feeling pain. And let's do the thing together, you know?

Steph Rizzuto: Yeah, I like it. Katherine bringing the energy this morning. All right, guys. Well, thank you for tuning in and I will see you next month. Bye, Katherine. Bye.

Katherine Chipdey: Thanks everyone. Thanks for having me, Steph.