June 12, 2025

#482 The Browser Is the New Battleground: John Carse on Securing the Modern Endpoint

In this episode of The CTO Show with Mehmet, we’re joined by John Carse, Field CISO at SquareX, to explore a fast-emerging shift in cybersecurity: the browser as the new endpoint. John shares why traditional tools like EDR and CASB are no longer sufficient, how modern threats are bypassing enterprise defenses, and what CISOs need to prioritize in a SaaS-first, GenAI-driven world.

With decades of leadership across Dyson, Rakuten, Expedia, and the U.S. Navy, John brings both a practitioner’s lens and a future-forward vision to security.

💡 What You’ll Learn

• Why the browser is now the most targeted endpoint

• How unsanctioned SaaS apps increase attack surface

• The growing importance of browser-based detection and response

• Where AI is accelerating both attackers and defenders

• Practical advice for CISOs prioritizing browser security today

🔑 Key Takeaways

• Roughly 60% of the successful attacks in the Mandiant report John cites traversed the browser at some point in the attack chain.

• Legacy tools like EDR, CASB, and DLP often miss context at the browser layer (for example, enterprise vs. personal instances of the same SaaS app).

• Browser extensions can now enforce enterprise-grade policies with minimal user friction.

• AI is a double-edged sword, accelerating threats but also helping defenders respond faster.

• SquareX helps convert any browser into a secure enterprise environment with deep visibility, policy control, and threat mitigation.

👤 About the Guest

John Carse is Field CISO at SquareX, a browser security company redefining how enterprises protect their workforce. He previously served as Global CISO at Dyson and Rakuten, and led security operations at JP Morgan Chase and Expedia. John blends deep hands-on expertise with strategic insight into emerging threat landscapes and CISO priorities.

https://www.linkedin.com/in/johncarse/

https://www.securityweek.com/industry-moves/feb-24-2025/

https://sqrx.com/

Episode Highlights

[00:03:00] – What is a Field CISO and John’s role

[00:06:00] – Why the browser has quietly become the new endpoint

[00:10:00] – How detection and response works inside the browser

[00:18:00] – The real threats: browser-based social engineering, sync jacking, and polymorphic extensions

[00:24:00] – Why EDR and SASE tools are not enough

[00:32:00] – Balancing security and user experience in browser-based defense

[00:40:00] – What excites John about the future of browser security and GenAI

Episode 482

[00:00:00] 

Mehmet: Hello, and welcome back to a new episode of The CTO Show with Mehmet. Today I'm very pleased to have joining me from the US John Carse. He's the Field CISO for SquareX. By the way, just for the audience, a hint: I had, you know, Vivek [00:01:00] Ramachandran previously. He's the CEO of SquareX, and today I'm humbled to have someone also from the team again joining me.

John, thank you very much for being here with me today. Traditional question: tell me a little more about you, you know, your journey, where you have been before SquareX, and then we can start the discussion from there. So the floor is yours.

John: Sure. I mean, I think that I've been in IT for a long time.

I got my first computer in 1982 or so. And then I did a lot of work in the commercial space at the beginning of my career. But in 2003 I started getting involved with cybersecurity, working with the US Navy, and I really didn't have any background in cybersecurity. It really came as part of a network and system management role that I had.

And what came out of it was I needed to secure the system that I was handing over to the Navy, and that's where I started working on cybersecurity and security engineering in particular. [00:02:00] Before coming to SquareX I was at Dyson as their Global CISO. I was there for a couple of years, and before that I was a CISO for a couple of Rakuten companies, both Rakuten Mobile, a mobile network operator based out of Japan, and their product company, Rakuten Symphony.

And before that I was at Expedia, where I worked as an interim CISO as well for a few years. And then some other places I've worked at, like JP Morgan Chase, where I ran their security operations and their global vulnerability management. So I kind of have a long history of cyber and IT work.

Mehmet: Great. Thank you again, John, for being here with me today. Now a question. By the way, I know the answer because I've worked with cybersecurity companies and global companies, but some people might ask, hey, we know what a CISO is, but what is a Field CISO?

John: Well, you know, I'm still trying to work out what a Field CISO is as well.

[00:03:00] I think that for me, my career somewhat spans innovation, leadership, and cybersecurity, of course. Whether that was building defense-in-depth strategies for the US Navy or leading programs in regulated environments, I gathered a lot of experience. And what I feel like my role as Field CISO is, is to kind of bridge the gap between internal security research and the real-world problems that CISOs are having and trying to solve.

Or maybe may not know that they have yet. And that's where I think the browser security part kind of comes into play. My experience there shows that there are some gaps. So in my role, I bring information and try to engage with CISOs [00:04:00] using my experience to do a couple of things.

One, help them along their journey, and then two, if there's any kind of feedback or things that we need to cover gaps on on the product side, I bring that back to engineering as well. I do a lot of evangelism, a lot of podcasts, webinars, and that kind of stuff as well.

Mehmet: Yeah, absolutely. So again, this is from my own experience.

So you are in a place which I admire, honestly, because you are doing, as you mentioned, both things: being the evangelist for the technology, you know, for customers and prospects, and at the same time you are the voice of them to engineering. You know, like, hey, this is what the community...

Think about that. Like, you know, we need to put something together. So I'm biased, so this is why I'm a little bit excited today to speak to you here, John. [00:05:00] So, as I mentioned, maybe I'm repeating myself, Vivek was on with me on the show. He's the CEO and we talked about it, but...

Let's hear it from someone who's been in the field also as a practitioner for a long time, and, you know, mentioning that the browser is the new endpoint. So let's try to dig a little bit more into the kind of history, how things have shifted, and why you think that the browser is the new endpoint.

John: Yeah, I think that I was a little surprised by that as well. I think in my previous role I had an intellectual property protection program that we were rolling out, and we had maybe 144 different items that we were trying to cover off [00:06:00] in this intellectual property protection program. Right. And what I learned was a couple of things.

One, that we had way more SaaS apps in our environment than I thought we had. I mean, I thought we had like 200, you know, I didn't really have a number, but when we did the audit, we had 230 applications that were part of our SSO and MFA and part of our conditional access policies, that were sanctioned apps that IT had delivered to the organization.

What was surprising to me is that we had over 600 apps that were SaaS apps that were not integrated into our SSO and our MFA capabilities. And they were not sanctioned apps. So we had a large number of unsanctioned apps that were there. And as I kind of started to think about, like, how is this happening, [00:07:00]

I started to see this trend, right? And the trend was that SaaS apps somewhat predominate in enterprise IT from a rollout perspective, because there's a lot of intrinsic value that we get from SaaS apps that makes it easier for IT to deliver capabilities at a really good price point to the organization.

But inherent to that is that we're not always in the loop when people are adding additional SaaS apps. One of the reasons that's the case is because the browser has become a great place to deploy software. You know, websites are a great way to deliver value, but that wouldn't have happened if the browser didn't become a more powerful tool.

And as part of that power, you know, the architecture behind a browser allows us to have very efficient memory management, render things through the extension [00:08:00] architecture and HTML5 into the browser much more effectively and much more efficiently, and gives a really good user experience.

And in layman's terms, what I mean by the browser becoming the new endpoint is that the inherent capabilities, the technology behind it, allow for really robust applications to be deployed in the browser, which is great for IT, because it's one less application that needs to be delivered to the endpoint so that it can deliver value to the organization. And as I was saying earlier, the SaaS applications are creating a lot of value for IT, because it allows IT to both bring new capabilities to the user, but also reduces our operating costs [00:09:00] for doing that work.

So there are fewer engineers that we have to have in place, but that wouldn't have been possible if the browser didn't become a more powerful system that we could, you know, have efficient memory management in. We have different protocols that are running inside of it, like WebRTC, gRPC, et cetera, and it allows for a really robust, rich environment.

And if you just kind of look at it, even in, you know, storing data and everything, the browser is where we're interacting with OneDrive or Google Workspace, and that's where our disk is. We have efficient memory management that's happening inside there, but there's not a lot of visibility into what's going on in there in the browser, like we have on the endpoints.

And a lot of that has to do with how we used to deploy software, which were fat apps that were being deployed to endpoints that were inside private data centers, or accessing systems in private data centers that were inside a closed [00:10:00] environment in our corporate offices. That's not really how we work today.

Right? And so, as a result, we have way more data and a lot more places that we need to be controlling.

Mehmet: Absolutely, I can relate, you know, even from my own behavior. Like, probably I spend, I can say safely, 90% of my time in one of the browsers, right? So, yeah.

Because compared to maybe, let's say, five, six years ago, there were a couple of applications, of course, the office applications and so on. But even those today, I try to access them from the web, because it's easy for me to find the file. So really I can relate to this. Now,

we understand that anything which is open widely, I would say, to the internet [00:11:00] has risks, right? And when we talk about risk in traditional cybersecurity terms, we talk about detection and response, right? So how can we bring this concept to the browser? So how, again, can we explain to someone, maybe

again in layman's terms, that might not be very familiar with all the bells and whistles, as we say, when we talk about EDR solutions and so on, how can we tell them that there's something called browser detection and response?

John: Sure. I think that what's really changed in the last 10 years or so is,

again, we used to have corporate offices that we worked in. We had our own private data [00:12:00] centers, or data centers that we, you know, might have had, and we had our apps that worked inside this very controlled environment. Let me say, so over that time, right,

over the last few years, as you know, cloud computing started really kind of growing in, like, the mid-2000s to 2006 kind of timeframe. Applications started being delivered on the web. The browser got more powerful. What we've also seen is that people started being concerned about security, but most of the time when they're thinking about security, they're thinking about confidentiality, which started pushing folks into end-to-end encryption and other kinds of technologies to secure those communications between our users using browser-based apps and the SaaS apps that are providing those [00:13:00] capabilities.

What that did for us, in this change from private data centers and corporate offices to SaaS apps that are running end-to-end encryption protocols, that change made a lot of what we do to inspect and identify malicious or not-sanctioned kinds of activities, whether that's insider threats or whatever, that made it harder for us to see what was going on in the environment.

Well, that kind of takes all of our IDS and IPS kinds of capabilities and our proxy kinds of capabilities to steer traffic, kind of started taking that away from us, with respect to how well we can steer traffic in the environment and then see [00:14:00] threats. One of the nice things about the browser is that everything that happens in the browser, before it goes into an encrypted tunnel or when it comes back out of an encrypted tunnel, everything that's in the browser is somewhat in the clear.

So that gives us an incredible way to see what's happening as information traverses the browser, right? So whether that's a new protocol or someone's downloading a file, we can see all of that activity. We can see what context they're running in, whether they're running in enterprise OneDrive or they're running in personal OneDrive.

All that information is now available to us in the browser. And then based on that, we can use our detection and response capabilities, whether that's identifying phishing attacks that are being rendered in the browser, whether that's getting someone to download something, or trying to take over your rights in another application.

You know, you sign in with [00:15:00] Google, then you have OAuth scopes that are being asked for to get access to your Gmail account or whatever you're accessing. Those things are now visible in the browser and we can take an action on it. We can also see what extensions are being run and what those extension properties are, what the extension's asking for with respect to permissions and rights.

And we can also control what software is running in that space. So it's very much like whitelisting or blacklisting, like we used to do on the endpoint. Now we have capabilities inside the browser to see communications. We can see OAuth scopes, we can see whether someone's logging in with SSO versus their local credentials, doing password reuse.

Anything that's happening on the wire or inside the browser, we can see.

Mehmet: Right. John, I'm gonna ask the question [00:16:00] that probably, even if people tell me, "are you putting your sales hat on now?" But if I'm on a discovery call, right, the thing that I need to uncover with anyone, and I do this not just from a sales perspective,

I do it as a consultant as well. So I need to shed some light on what's going on in the broader space. So we said, yeah, we know there are some attacks. Some of them have been with us for a while, like JavaScript injections and such things. And I know that SquareX, you know, has published some security research, and there are some new attacks.

So if I think about the endpoint, I'm doing this because probably people will be able to relate. So if I think about the endpoint, I think about, yeah, traditionally, what happens? [00:17:00] Phishing email, someone clicks, you have a payload, it comes onto the operating system and it starts to do encryption and so on and so forth.

What's happening? What are the major threats you've uncovered in that research when it comes to the browser?

John: Yeah, I think that, again, I was looking at the Mandiant report last year and this year, and they were identifying what the key reasons are for attacks to actually be successful.

And when I look at their reasons and I start adding it up, I think about 59%, 60% of the attacks that are successful, that Mandiant's responding to, actually traverse the browser for them to start. So there's a user component to it that's required, right? And again, if 80% of your time is being spent in the [00:18:00] browser, you're gonna have lots of opportunities to attack a user, right?

And continue your attack chain to hit whatever objective you have as a hacker. Now, what's interesting is that there are two kinds of things that are going on. One of those things that's going on, or some of the research that we're seeing that is interesting, is how well we can hide our social engineering attacks.

Right? And how is it that we can get control over a user's profile and make it our own profile, so that when they're syncing their passwords back into Google Chrome, we can take those passwords from them, and we can gather that information so that we can kind of expand our attack into other places.

We can also do something that we call polymorphic extensions, where [00:19:00] we can disable an extension. For example, 1Password is the example. You know, we have some videos on this on our website, but we can disable 1Password, impersonate a login for 1Password, re-enable 1Password and let the login continue, and we can do all that using the extension architecture.

Even with MV3, the new manifest requirements that Google put out, we can still take over profiles and everything, just from inside the browser. We can also do what we call browser sync jacking, which is using extensions to download malicious code that we can then run locally.

We can change the DOM so that something that looks like it's actually Google's website, we're rewriting their support message so that we're trying to get folks [00:20:00] to click a sync action so that we can get this attack to continue. There's so much stuff that's going on inside the browser, and

we can change how the user's experiencing whatever pages they're downloading by just controlling different aspects of it. So I think that social engineering attacks are gonna get way more sophisticated, and they're going to be able to trick users into giving up their credentials, giving up OAuth scopes, giving up control of their local host, just by

manipulating what's happening in the browser.

Mehmet: Right. How much is AI playing a role here, John, in this?

John: Well, I think that AI is playing a role in multiple ways, right? For example, with AI, we're seeing that getting from an exploit to a [00:21:00] POC is happening faster. We're seeing that phishing attacks and other social engineering content are getting more personalized.

Right. And then on the response side, or on the research side, we're using AI defensively. We're trying to identify, write new apps to kind of test our theories on how attacks occur. So it's helping us in threat research, but we're also seeing people using AI to help them understand what's going on in their environments and taking action to respond better.

Mehmet: Right. Now let's talk a little bit about SquareX. Again, it's a reminder for the folks. So what exactly do you do at SquareX? I mean, people know that SquareX is the browser security company, but can you elaborate more on this?

John: Yeah, so what we do at SquareX is that we have an extension that runs in the browser that takes whatever browser you woke up today to use, your favorite, you know, Chromium on Linux, or maybe your favorite Safari on a Mac, whatever your preferences are.

You know, this morning you woke up with a regular browser that you were using every single day, and what we can do by adding an extension into the environment is we can make that an enterprise secure browser just by deploying an extension, which gives you an incredible amount of visibility and policy and capabilities inside your browser that secure your experience on the web.

Mehmet: Cool. So a question again, John, and we've done this also before. CISOs, I'm talking about CISOs who are on the customer side, they have a lot on their plate [00:23:00] when it comes to prioritizing the next thing that they should focus on. Why, I would say, is now the time to really consider browser security as a priority for them?

I'm not saying that because they have to drop everything else, but this is something they should put on their radar because of all the threats that you just mentioned. So why should it be something they have to prioritize, I would say?

John: Well, I think the reason why they want to prioritize it is just that, you know, as we mature in our security, right, we add additional capabilities to help us defend our environments better. I think that

the ground has somewhat shifted under a CISO, meaning [00:24:00] that, you know, pre-COVID, people spent time in offices and we had way more data centers. I think that some research I saw said that here in 2025 we're actually going to shift from less than half of our IT spend being inside of our own technology, our own data centers, et cetera, to, I think, 51% of our spend being in cloud, and most of it in buying applications and SaaS applications that we're using inside our environments.

That shift has happened. It's been happening, but what folks haven't realized is that relying on the technology that you use for your traditional data center, whether that's traditional corporate offices, whether that's DLP on the endpoint, EDR on the endpoint, SWG, because of how we operate today, most of those [00:25:00] interactions are happening in the browser.

And there is definitely this idea that EDR is gonna protect me. And by no means am I saying rip out your EDR and replace it. Don't rip out SWG and replace it with a browser extension, because you still are gonna have attacks that happen from other places that are going to get to your endpoint.

And you want to be able to detect and respond to what's happening on your endpoint. But if we can reduce the efficacy of an attack that's progressing through the browser to the user by the threat detection and response capabilities that we have in our product, if we can increase the DLP capability so that we can stop people from copying and pasting out of an enterprise context, mm-hmm,

you know, SharePoint, into personal ChatGPT or payin or some other nefarious website, and have those DLP [00:26:00] capabilities that are just happening inside the browser. And then we can also do private app access, where we control who has access to what apps as long as they're in a protected browser.

Because we're delivering a lot more capabilities on websites today than we had before, that's giving you another layer of control, another layer of visibility that you didn't have before. You know, I even remember doing incident responses where we're trying to gather the web browsing history from the endpoint so that we can kind of reconstruct how things happened in a particular attack.

With the visibility and granularity that you see in our product, you can see exactly the attack chain, what happened. You can see what was in the clipboard when they pasted it in there. You can see lots and lots of capability. And the best part about it is it just happens on the browser, right?

[00:27:00] So you don't have any kind of latency involved with going through a network choke point before you get access to the internet. It's all happening in the browser. The policies are all right there. So you can protect whether they're online or offline, on the internet or, you know, just in a private network as well.

So, not sure I'm answering the question, but yeah. You know, from a priority perspective, working in a remote world, we have way more attack surface that we have to work through. And these SaaS apps are not gonna diminish in numbers. They're gonna continue to escalate.

The browser's gonna continue to grow into our use cases, and we're gonna have more and more capabilities that are being delivered to us through the browser.

Mehmet: Absolutely. You answered the question. John, just also one thing, because you mentioned the EDR tools, you mentioned the DLP tools.

Now some folks might say, hey, like, yeah, [00:28:00] but because we are using SaaS applications and the cloud, we have implemented also the SASE solutions. So, again, I like to take a little bit the devil's advocate role on it. Sure, sure. Here, yeah. But again, it's of course for educational purposes. So what's your take, or what can you tell them?

John: Yeah. I think architecturally, again, those SASE kinds of capabilities, those CASB capabilities, they do play a role in helping us protect our environments. I think that most of them are working inside contexts where they're steering traffic, which is very traditional thinking, when, again, we had private data centers, our corporate offices, and that's where most people were working and that's where our application was deployed.

But what we've seen is that when you're using these capabilities, there's a lot of context that's missed. [00:29:00] Architecturally, they're built for a different kind of problem, and they are good at controlling what's going in and out of a network choke point, but they're not really good at determining what exactly is happening, what context you're in.

Like I said, it doesn't know if you're in an enterprise app or a personal version of an app. Like, if you have an enterprise agreement with OpenAI for your ChatGPT work, great, you're on the right path. However, you need to be able to tell whether they're using a personal version of that context as well, so that you're not taking your confidential documents and sticking them into a personal version of ChatGPT, right?

Where you don't have the same kind of protections from OpenAI or Microsoft or Google that you would have inside an enterprise agreement. So that [00:30:00] context matters, and that context is somewhat not visible to those traditional solutions. We have a great website, browser security, and you can go test a number of different kinds of attacks, like, you know, how do you move files from

outside your environment to inside your environment and then back out, you know? So we had this last mile disassembly or reassembly attack that we had at DEF CON last year on the main stage. And in that article, it's like, how do you get files into your environment? Like, if you're a hacker, how do you get them into your environment?

But we've also had, at BSides in San Francisco a few weeks ago, we also did a disassembly where we were able to exfiltrate data out using those same techniques. But that browser security site is a great website to go test your security posture and see if your tools are working like you expect them to work. You know, are [00:31:00] they really going to block the delivery of malicious software through the browser?

I think you'll find that they don't, right? So having a little bit more capability in your browser will be helpful to you.

Mehmet: Absolutely, good to know. Again, I'll make sure that these links will be available for the audience. One thing, John, and this is, you know, usually in cybersecurity, something common.

When you implement a lot of security, you take a little bit from the convenience. Now people get used to, you know, a small icon in the tray, which is the EDR or something. Not much. It pops up sometimes. So we learned how to survive with it. Now, in the browser, an extension, and if it's, I would say, trying to restrict you a lot, it might give the user a feeling which is not very comfortable.

So, like, [00:32:00] I'm sure you have done a good job on this, I mean, as SquareX, but what kind of balance, I would say, is needed for this convenience, between keeping the productivity but at the same time making sure that we are accessing in a safe and secure manner?

John: Yeah, I think there's two parts of the questions for me. One is user experience, right? I think that one of the, one of the things that always, um, uh, yeah, so there's two things, right? There's user experience, right? And, uh, how does this new tool impact the perceived? How does it impact the perceived usability of your device?

Right? Is it gonna take, uh, CPU time away or is it gonna take memory away and your system is gonna perform worse than it did before you added the security [00:33:00] component? And two, you know, how does it impact, you know, the actual usability of the product? Like, you know, are we blocking sites and stuff that you would wanna use, right.

Um, in, in some ways. So let's talk about the first part first, which is, you know, performance. Again, since we're not going back through a network checkpoint, we network choke point where we're evaluating everything out in the cloud, all the evaluations happening inside of the browser. So the, the. The user experience has impacted almost nbe.

The user will not even be able to tell that the, that a browser extension's there. Right. And a lot of that has to do with how well browsers work today. You know, 'cause I don't know if you know this, but you know, in Chrome, if you go from a, from one tab to another tab or you have a third tab in a fourth tab, it starts putting the other tabs of sleep and releasing memory and not having CPU kind of run it 'cause no one's looking at it.

But the active tab actually has work in it. And our extension [00:34:00] takes advantage of those kinds of memory and CPU capabilities so that we're protecting right, what's there, you know, what's right in front of you. And again, since it's running locally, um, you know, there's no network latency or any other kind of latency that happens on the wire that allows us to protect the envir, the environment.

So it's a good user experience. And again, as I was saying, you're using the browser that you wanna use, whether that's Chrome or Firefox or Safari, on a Mac or Linux or Windows, it doesn't really matter. So the user experience is just the same user experience that they had earlier that day. Uh, so there's that, that part of it, right?

The second part is that, you know, it all depends on how you deploy everything. Whether you deployed a firewall or you deployed an IPS or you deployed an, uh, EDR solution. It, it doesn't really, you know, if you start applying policies that you haven't tested, you're gonna have an impact. And for me, as a CISO, as a practicing [00:35:00] CISO, one of the,

one of the things that I've run across many times is every time that I apply a policy and it breaks something or it stops something from working, the first thing they ask me to do is turn off firewall rules, turn off the IPS, turn off EDR so that they can test to see if it's working or not, and then I'm waiting for them to turn it back on, which might be days, weeks, or months, while they, uh,

you know, figure out what to do about the problem, right? So what my suggestion would be, if you're going to, uh, you know, uh, increase your security in the browser, is take a, take a monitor-and-then-block approach, right? So take a look at what's actually happening in your environment. I think you'll find that there's a lot more activity happening in your environment than you actually realized was happening.

And we have a number of monitoring policies that come out of the box that allow you to get a good feel, like what extensions are being used, what OAuth scopes are happening, whether people are using SSO or not, or if they're using MFA or not, or if they're using, [00:36:00] uh, their own, you know, they might be using corporate credentials,

but not part of your SSO. You can see a lot of activity that's happening, where they're going, what ChatGPT, what gen AI tools that they're using. Um. And what SaaS apps are being used in your environment. You'll get lots and lots, lots of visibility. And then as a security practitioner, you're gonna have to start prioritizing what work you're going to, uh, allow and disallow and talk to those user communities about why they're using X and not Y.

Uh, and then, you know, start to shift behavior patterns by applying policies that mitigate or block. There's also, uh, activities like KYC activities in banks, or know-your-customer activities in, in banks, uh, that, you know, you're going to want to see a website that's new, and we have browser isolation built in so that if you go to a new website, but you really wanna get to it,

we can allow that to happen, but happen off of your network, right? So remote browser [00:37:00] isolation activities. If there are people that are sending you files, um, you could turn on a policy that, that says it's okay for you to download an Excel file, but it can't have any macros. Well, we can disarm those things.

We can rip the macros out so you can see the, the, uh, disarmed version of that PDF or Excel spreadsheet that you downloaded. Or we could even just, uh, show you that Excel spreadsheet in a, in a browser tab, so that you can see that, that, uh, that, uh, isolated Excel file inside of a tab, not downloaded into your OneDrive or not downloaded into your, into, onto your endpoint and stuff.

So we have a lot of different ways of kind of mitigating. Some of them allow you to continue working, meaning they allow you to continue to access websites. Um. And by the way, in our remote browser isolation, our policies flow with that. So our policies are already, you know, the extension's already installed in the browser that we bring up for you in that remote browser isolation.

And then we can do [00:38:00] additional kind of controls inside that, that are even different from what you have on your endpoint. So it's a very, very, uh, very, very long-winded answer, but one, you're probably not gonna see a performance hit. You're not gonna, nothing, nothing that's, uh, perce, perceivable to the user.

There is a performance hit, 'cause it's compute that's happening there. Right. But you know, it's really about how you, how you deliver those controls that are gonna cause you help desk calls and, you know, cause you angst inside your security team. It is by, you know, taking a good approach to how it is that you want to roll out your policies that mitigate the activity that you see once you understand it.

Mehmet: Yeah, so, so the nice thing about, uh, extensions, you know, you don't get the question asked by people usually. Hack. Yeah. Like, because when you, you talk about any agent that needs to be, or any piece of software that needs to be installed, the question is usually how much CPU, how [00:39:00] much memory. So extensions, they run within the browser, so

you know, you, you, you're saved on that side. Now, as, as we are almost close to, to the end, uh, with this discussion with you today, John, um, by the way, I, I, I need to like divide this question. So SquareX, you know, and I've, I think I talked, you know, with Vivic less than a year ago and a lot changed, like,

what are you enjoying so far with this, you know, fast-paced innovation, and other than, you know, uh, what's happening with, with SquareX, what also is, like, also, you know, I would say, uh, exciting you?

John: So what's exciting me? Um, at SquareX, or what's excited me just in general, or, sorry, both. Well, I think what's exciting me at SquareX is, and one of the reasons I joined the company is that, [00:40:00] is that I was,

as a practicing CISO, I was actually running into problems with how to secure, the browser. You know, how do I secure access to, um, you know, and particularly, uh, DLP use cases and, uh, how to handle gen AI. I, I really felt I didn't have the tools. Even though I had EDR, even though I had, uh, CASB and SWG tools, and even though I had DLP tools available to me, I really wasn't, I really wasn't able to control the environment the way that I think it needed to be controlled.

Whether people were working remotely or working in the office. How did that work? Um. Some of it involved just doing things like just changing the network configuration so that the conditional access policies would work better. But what was happening in the browser was a really big gap for me that I [00:41:00] didn't realize was there.

So I think one of the things that excited me about, about SquareX is, you know, being a practitioner and seeing, seeing the gaps that were part of my intellectual protection program that I was running, um, seeing a product that was actually addressing it was, is exciting to me. You know, I feel like, um, that I felt like I was, um, at a loss.

I had an information gap. I had been told by vendors that this was, uh, gonna work. And then what I also found was that, um, even though I was identifying gaps and I think I had a really good relationship with my vendors, I was seeing that, that, that, that their, I, not their ability to address the gaps, but their, you know, where it was on their prioritization just wasn't there.

So, you know, working with, working with SquareX I was able to see how those were, those gaps that I had were gonna be [00:42:00] closed, and that excited me. And I felt like that, what's exciting to me about, about working with SquareX is just the part where I get to tell other CISOs and other security practitioners about a gap they may not be seeing today,

but I think that is a meaningful gap that we need to control. So talking to other CISOs and educating them, uh, doing webinars and those kinds of things are actually a new skill for me. But it's, but it's been a lot of fun, you know, engaging with, you know, more CISOs and more security practitioners on, on this problem.

Mehmet: Cool. And in general, anything in cybersecurity exciting you, John, these days?

John: You know what, what I seem to spend my own time with is, uh, you know, playing around with gen AI. I mean, as, as, as trite as that sounds, I mean, you can't get out of any phone call or any, anything without talking about gen AI. But absolutely.

But the truth is that I, [00:43:00] you know, we're at the beginning of this journey with gen AI, and it seems like a lot of stuff's going on, and it's almost like, um, you know, PCs in the eighties where you had five-and-a-quarter-inch disks and three-and-a-half-inch disks, and you had eight-inch disks, and you had all these little form factors for how computers were gonna run, and, and there's like, there's all this spread of stuff that's happening right now as people try to figure out like what the right, mm-hmm,

what the right, uh, approach is gonna be, before it starts consolidating on something that's meaningful. I think there's lots of explosion right now and, and lots of, uh, lots of stuff to learn, right? From both, like from both a, hey, as a practitioner, how do I use this in everyday life? But then how do you protect it as well?

You know, I think that, uh, uh, so, you know, so gen AI is somewhat exciting to me in a number of different ways. Usually, uh, usually I'm trying to figure out like how, how do I, how do I make, um, something that's repetitive that needs [00:44:00] to be done at a, doesn't need to, you know, you don't need a PhD. I'm not trying to do PhD work.

I'm probably, probably trying to do eighth-grader, you know, kind of work in the US. I mean, a 12-year-old, 15-year-old kind of timeframe. Something that they can do. Uh, that's the kind of work that I'm trying to automate, but that, that, that work is, uh, you know, um, you know, we spend a lot of time inside of it, inside of cyber, inside the business, doing a lot of repetitive work.

How can we use gen AI to reduce that workload so that we can use our brains for higher-level kinds of activities? So I think gen AI is, you know, really exciting.

Mehmet: To this point, you know, when, when I start to figure out the power of gen AI, I start to remember, like, if gen AI had been around in my time when I was still, like, fresh, uh, out of college, I wouldn't have found a job, because I figured out, like, all the tasks, you know, because, you know, uh, let's say,

creating users on [00:45:00] Active Directory and then, you know, once you do this, do that, and now you can, you can automate a bunch of this stuff that we used to do at that time. Right? Yeah.

John: I used to say the best, the best administrators are the laziest administrators, the ones that, like, do something and it happens and then they automate it.

Those are the best administrators, 'cause then it's, it's a repeatable, repeatable, quality kind of work. You know? And if, the great thing about code and automation is that you set it up, and if you don't get the outcome you want, you can change the code and you can, you know, increase or decrease your, your efficacy, uh, as you change the code.

And I, and I agree with you. I think that some of, a lot of stuff that we do, uh, today that we're, we're throwing humans at is actually interpreting what a human had written, you know, what, what a human had written in a ServiceNow ticket, for example. If we can have something that can take that away so that we don't have humans doing it, but we can, you know, break it [00:46:00] down into the right steps so that we can automate the request that's being asked of us, we're going to, we're going to make a much, uh, more responsive environment

to our customers. And then also reduce the headaches that, you know, IT people have with, you know, with, or that's the, the rote work that we're asking people to do every day. Or, um, you know, the inconsistency in the quality of that work. If we can do that, we're gonna, we're gonna just have better outcomes.

So I think there's lots and lots of opportunities, um, for automation and AI and everything today that we just did not have when I was growing up. And when you were growing up, probably, right?

Mehmet: Yeah, yeah. Absolutely. You know, like, uh, because as, as someone new, I mean, and we did it even with, with, uh, newcomers.

We used to give them this kind of task, which for me it was torturing, you know, like repetitive tasks. Tasks that actually [00:47:00] can be automated. Yeah. And I was blamed because I was always on the hunt for how I can make this automated. I don't like to do repetitive tasks, but the world has changed a lot and, you know, it's good where we are today now.

Um, John, really, I, I enjoyed the conversation. Like, time really passed very, very fast. So, but thank you for, you know, the detailed, um, you know, explanations about, you know, the importance of browser security in general, detection and response and, you know, the cool stuff also, because, you know, things changed a lot since, uh, last year.

And you know, when, when people go and check the website, I think they're gonna see a lot of new products that they came with, within SquareX Web, like related to, you know, access security. I've seen, like, the thing you just talked about, you know, getting things in and out and, you know, trying to make sure that

you have the proper security for that, especially in the age of gen AI. So thank you [00:48:00] very much, John. John, just a final thing: where can people get in touch, and, you know, if they want to learn more?

John: Well, if they wanna learn more about SquareX, I mean, obviously you can go to www.sqrx.com. You know, uh, if you wanna get in touch with me, you can hit me up at john@sqrx.com, j-o-h-n@sqrx.com.

You can find me on Twitter at johnst, or X or whatever we call it today. Um. You know, and yeah, just reach out and, uh, happy to, happy to help you on your journey.

Mehmet: Cool. Great. Thank you so much, John. So I will make sure all the links, even the ones we, we were, uh, talking about before, they are in the show notes.

If you're listening on your favorite podcasting app, if you're watching on YouTube, you will find that on, uh, in the description. And this is for the audience. This is how usually I end my episodes. So if you just, you know, discovered this podcast by luck, I hope you enjoyed it. Uh, if you did, so do me a favor, share it with your friends and colleagues, and if you're [00:49:00] one of the people who keep coming again and again, thank you for doing so.

You're doing fantastic for me this year, like by pushing the podcast into the top 200 charts across multiple countries. I'm so humbled and so grateful for all the support I'm getting from the audience. And as I always say, stay tuned for new work very soon. Thank you.