Interview – Jeremy Snyder – Rapid7
NICKY PENNYCOOK [00:00:02] Hello and welcome back, everyone. I’m just going to dive straight in with our next guest who is Jeremy Snyder. Hi, Jeremy.
JEREMY SNYDER [00:00:10] Good morning. Good afternoon. Good evening. Wherever in the world you are joining us from today. Pleasure to be here.
NICKY PENNYCOOK [00:00:16] That’s great, Jeremy. Thank you so much for joining us. So, like everyone else, I’m just going to start with, can you tell us a little bit about yourself and a little bit about the business that you work for?
JEREMY SNYDER [00:00:27] Yeah, absolutely. So I work for a company called Rapid7. Rapid7 is a global leader in cybersecurity with a range of products across many different aspects of cybersecurity. I joined Rapid7 about two months ago as part of the Divvy Cloud acquisition. Divvy Cloud was specifically focussed on public Cloud security, helping customers stay secure on platforms like Amazon Web Services, Microsoft Azure, Google Cloud Platform, et cetera. And now we’re a part of the Rapid7 family and very happy to be here.
NICKY PENNYCOOK [00:00:54] That’s great, thank you. So again we are going to dive into some over questions here. How often do companies or how often do you think companies are updating their security measures?
JEREMY SNYDER [00:01:08] Yeah, not as often as they should. Is the short answer to that. But, you know, the reality is what we see. Depending on the size of the organisation within larger enterprises, which is where our focus is, what we tend to see is kind of an annual assessment of what their security posture and what their security standards are. And what to me is, let’s say slightly concerning about that is back to what I said, it’s not as often as it should be. You know, I think the last speaker said it well, like, these threats are evolving very, very rapidly. And you have no idea what the next attack vector is going to be. And so to that end, I think, you know, this is something that people need to be able to change on a very regular basis. It’s not that they must, but it’s something that they need to be able to change pretty rapidly. Maybe more like once a month, maybe even, you know, ad hoc, if there’s something urgent or pressing that arises. And public Cloud is one of those areas where things are changing so quickly that it’s especially important to be able to revisit that on a regular basis in a public Cloud environment.
NICKY PENNYCOOK [00:02:14] Absolutely, that leads really nicely into my next question for you actually. Are there different types of security situations that different types of Cloud or does one solution cover it all.
JEREMY SNYDER [00:02:29] Yeah. Well, it’s a great question. And I would say, sure, there are different solutions for different Clouds but what I think we’ve seen over the last 7 years of working with large scale enterprises, with massive Cloud footprints is that while there are different solutions for different Clouds. More important is different solutions for different pieces of the security stack, if you will. So when we look at that, what we see is that, you know, there are many different layers. There’s, you know, from the identity layer through, let’s say, the access layer, through the infrastructure into the application to the network traffic, et cetera. Our focus has been on the infrastructure layer and what we’ve seen there is actually a set of commonalities, common patterns and common use cases that our customers are looking to solve for. And it’s primarily around visibility, knowing what we actually have running in the public Cloud, which I think there may be two speakers back, was mentioning this. Right now, this global crisis has been probably the largest single event shift into public Cloud over the last well since the public Cloud came to be a thing. And so to that end, we’re seeing a lot of companies move very rapidly into public Cloud environments and a lot of them don’t necessarily know what all they have. The thing is, these public Cloud environments are globally distributed. They have, you know, dozens of locations around the world that people can be launching applications and infrastructure into. And so it needs to start from a basis of global visibility and then apply on top of that, a set of security standards in line with what the company needs. And those two things on their own are common no matter what public Cloud platform you’re using.
NICKY PENNYCOOK [00:04:09] Thank you for that Jeremy, that was very helpful. And so, obviously, things are changing rapidly at the moment. A months ago, no one could have imagined the situation that we are in now. We talk about moving to the Cloud. Do you think people have perhaps had to rush that along or perhaps have made decisions that aren’t quite right with the way that we’ve had to change and adapt so quickly?
JEREMY SNYDER [00:04:34] Yeah, yeah. It’s a great question and it really raises a very interesting piece of data. So over the last several years, we’ve been surveying companies, whether our customers or just any companies that we meet through a series of Cloud focussed events worldwide. Now, we’ve run this survey to ask people where their primary areas of concern are. And one of the things that we identified is that I think it’s generally acknowledged that there is a skills gap around public Cloud. Not everybody has all of the right people or people with the right set of skills to make this move in kind of a measured way. And so to your question, yeah, I definitely think companies have had to rush things along and rush things along knowing that they don’t know everything they need to account for in making that move. So it’s a time of heightened risk. And I’d say certainly the media has shown that over the last three, four months of lockdown, the number of of attempted attacks has risen dramatically with particular focus on some areas that are perceived to be particularly vulnerable. Things like government services and health care services know telemedicine. That’s had to really rapidly move to online delivery.
NICKY PENNYCOOK [00:05:46] Absolutely. I think for some people, it’s quite scary how quickly they have to move at the moment. So coming on from that point, someone comes to you and asks you, how are you gonna keep my data safe? What would your answer be to that?
JEREMY SNYDER [00:06:03] Yeah. So the way that we think about it is first thing you need to do is take care of the basics that you can take care of from your side and that’s going to cover against more than about 75, 80% of the data breaches on public Cloud platforms over the last several years. And so those basics that I would talk about again, those first two things that I mentioned, visibility and then applying a security standard to it. Inside that security standard, there are some really helpful sets of best practises. You may need something kind of, you know, geographically or industry-specific to your company, but outside of those specific needs, there’s a set of best practises that you can find out there and you can find any number of flavours, things like, you know, top 10 list of what to do to keep your public Cloud secure. But one of the things that I would actually point customers to is like just go grab something as simple as the CIS benchmark, the Centre for Internet Security benchmark. It’s a 40 item checklist or maybe slightly longer on different Cloud platforms. But, you know, it’s about a 40 item checklist of very basic things that you could actually audit your own Cloud environments for in less than a couple of hours. If you did it manually or in a matter of minutes if you did it through an automated system. And that’s where I would really recommend people start cover those basics and it’ll include things like making sure you’re not accidentally exposing assets publicly, making sure you’ve got logging and auditing turned on and making sure that you’ve got, you know, basics around password policies, multifactor authentication and some access controls. All of those types of things are included in those benchmarks and those best practise guidelines. That’s where I would really recommend people start.
NICKY PENNYCOOK [00:07:40] Thanks, Jeremy and we’re nearly out of time but I’ve got one more question here for you and I really want to ask you it. Public Cloud infrastructure is obviously always changing. Can businesses keep up with that change?
JEREMY SNYDER [00:07:53] This is a really classic question and a little bit of a chicken or mouse question. It’s actually something that cybersecurity has been answering this question for decades now. If you think back to it, original viruses and things like that that were sent around an email, it was always can your antivirus scanner keep up with the evolution of viruses. And look what I would say there is. The leading vendors in this space. This is what they specialise in, companies like ourselves, companies like our competitors. It’s our job to keep our tools up to date with what the public Cloud vendors are doing and that’s all we focus on day to day. Our engineering teams are on top of it and hopefully, you know, if we’re not delivering value then customers shouldn’t use us. But this is what we have to do to keep up and keep our customer secure.
NICKY PENNYCOOK [00:08:40] That’s great. Jeremy, thank you so much for joining us today. It’s been really lovely talking to you and hearing a little bit about yourself and what you do and hopefully, we speak again soon.
JEREMY SNYDER [00:08:49] Sounds great. Thank you so much, Nicky. It’s been a pleasure.
NICKY PENNYCOOK [00:08:52] Thank you, Jeremy. Great and so we’ll be back soon with our next guest.