RSA Innovation Sandbox Finalist: Bedrock Security with CEO, Pranava Adduri
The Cybersecurity Go-To-Market Podcast | May 05, 2024 | 00:16:19 | 11.26 MB

In this conversation, we discuss:

- 👉 The challenges of scaling enterprise data security effectively.

- 👉 Bedrock Security's innovative AI-driven solutions for cybersecurity.

- 👉 Bedrock's plans for a successful go-to-market year in 2024.

About our guest:

Pranava Adduri is the CEO and Co-Founder of Bedrock Security. With a dynamic background in data protection and storage systems, Pranava brings an innovative edge to tackling today's cybersecurity challenges.

[00:00:00] Hey, it's Andrew. Just quickly before we start this episode, I want to tell you about one of my

[00:00:03] favorite podcasts, the Secure Ventures podcast. The host Kyle McNulty interviews cybersecurity

[00:00:09] founders about what they are building. I enjoy it because Kyle focuses on their technology,

[00:00:14] what it solves, why they build it, where it fits in the market. Also listeners can understand

[00:00:19] the why of these startups. In some ways it's a great complement to my own podcast where I

[00:00:23] focus on the go-to-market side, not the technology side. He's had some great guests on

[00:00:27] recently. For example, the CEO of Reality Defender when they talked about the ins and

[00:00:32] outs of deepfake detection. He's had the co-founder and CEO of Go Security and also

[00:00:37] the co-founder radical Chris Peterson, who was incidentally a founder of LogRhythm.

[00:00:42] They talk about the role of AI in the SOC. This is not a paid promotion. I just simply

[00:00:46] enjoy what Kyle is doing with his interviews and get a lot out of them. Check it out.

[00:00:50] It's the Secure Ventures podcast. Now on with this episode.

[00:00:58] Welcome to the Cybersecurity Go-To-Market podcast for a special showcase episode where we're talking

[00:01:11] to leaders of the companies selected for the 2024 RSA Conference Innovation Sandbox. These are

[00:01:17] the very, very few. In fact, only 10 companies of all the hundreds, if not over a thousand

[00:01:23] judges looked at that have been selected as the most innovative startups in cybersecurity

[00:01:28] today. I am your host, Andrew Monahan. Today we're talking with Pranava Adduri,

[00:01:33] CEO and co-founder of Bedrock Security. Pranava, welcome to the podcast.

[00:01:37] Andrew, thanks for having me. Excited to dive in today.

[00:01:41] Yeah. I love doing these episodes. We get to get these innovative companies and understand

[00:01:46] what you're all about and give you a chance to showcase ahead of next week. We're recording

[00:01:50] the week before RSA. So ahead of next week, showcase what you're up to. For me, it's

[00:01:55] fascinating to hear what's going on in the very cutting edge of cybersecurity these days.

[00:02:00] So first question for you, Pranava though is where in the world did you have your first

[00:02:05] sandbox? Let's see. I was born in India, but I spent my first five years in Libya before

[00:02:11] immigrating to the States. Libya was an interesting upbringing. We were in a colony

[00:02:16] where the company that my dad worked for had brought over a bunch of consultants to help

[00:02:21] the Libyan government build their steel process. So I grew up there,

[00:02:25] immigrated to the States when I was five and then bounced around the Bay Area since.

[00:02:29] Never had Libya as a place that someone grew up. I'm happy to share some of the countries

[00:02:35] I lived in when we get together at some point, but nothing quite as dramatic as Libya though.

[00:02:41] So that's fantastic. It was a last thing I'll say on that. It was a very charmed

[00:02:47] little bubble where I grew up because the company that my dad was working for,

[00:02:54] they'd created a colony of folks. Some of my fondest memories were there.

[00:02:59] I don't know if it's still the case, but when people went to work in Saudi many years ago

[00:03:05] as an expat, you lived in like a compound. It was all walled off and it was all the expats

[00:03:09] in one place. I'm sure it's progressed a lot since those days, but it sounds like

[00:03:13] it's almost her thing. Let's move forward there and partner with you to Bedrock.

[00:03:17] What is the story of the founding of your company?

[00:03:21] Well, here's a fun fact. My co-founder and I actually used to be rivals. He worked at

[00:03:25] a competing company to where I was employed. Both of us worked in the data protection world

[00:03:31] and both of us worked on distributed storage systems because we were building

[00:03:37] durable storage for helping data protection initiatives for companies.

[00:03:41] These would be scale out backup systems. Ganesh is a gifted engineer and whatever we built,

[00:03:49] he actually would reverse engineer on his side and he'd figure out where the file system would

[00:03:53] have faults and he'd engineer scenarios and competitive bake-offs such that our system

[00:03:59] would run into trouble. Imagine trying to compete with someone like that. I'm glad I'm

[00:04:03] not competing with them anymore. Rivals turned co-founders.

[00:04:06] How did you connect though? I get you're competing, but how did you go,

[00:04:10] you're the one that did that against us?

[00:04:13] We didn't know each other. I didn't know him by name. We knew that someone was on the other

[00:04:19] side of figuring things out and we were just like, who is this guy? After the fact,

[00:04:23] we got connected through our investor. After the fact, when we were trading stories about

[00:04:28] going head to head, then we realized that it was actually him.

[00:04:32] I bet there was mixed emotions when you realized it at the start.

[00:04:36] Honestly, it was relief. It was? Okay.

[00:04:38] It was relief that we weren't competing anymore.

[00:04:41] That's great. I love that. That's so funny. The chances of it happening though,

[00:04:45] of actually getting connected realizing that's what you're both doing are pretty slim.

[00:04:49] So that's an interesting little way to get together there.

[00:04:53] Yeah. We got started in 2022 and it's been a really fun journey since.

[00:04:58] All right. What is the problem that you're solving and who cares about it?

[00:05:02] So the problem that we're solving is that in today's enterprises, there's a lot of data.

[00:05:09] In fact, what I like to say is data is growing exponentially. It's the amount of data being

[00:05:14] created. Also the change in that data as well. There's new types of data coming in all the time.

[00:05:19] So data is growing and changing exponentially. The harbinger of that first was cloud.

[00:05:24] It made it really easy to create data and move it around, share it. Now with GenAI,

[00:05:29] we're about to see another uptick in terms of the amount of data being generated and created.

[00:05:33] And so while that curve is exponential, the security teams, the GRC teams,

[00:05:38] the keepers of trust and ensuring that organizations are using this data responsibly

[00:05:42] and keeping them out of the news, those teams grow linearly and that gap is fundamentally

[00:05:47] the risk. The problem has been to date, the way for teams to keep pace with that data,

[00:05:54] these are really built for an era where data was in terabytes. We're in the world of petabytes

[00:05:59] now. So none of these technologies are really scaling for today's environments. And as that

[00:06:03] data is rapidly changing, all of these are rule-based architectures. I like to use the

[00:06:07] analogy of stencils, right? If you have a circle-shaped stencil, a square-shaped stencil,

[00:06:12] and you're trying to use those two shapes to go match all the complicated changing shapes

[00:06:16] that are coming out right now, you're going to have a lot of issues in terms of missing

[00:06:19] things, but also having false positives as well. So there's a lot of burden on these teams

[00:06:23] in terms of keeping up with this data. So the opportunity and where we want to help organizations,

[00:06:29] the problem that we want to take ownership of is helping them keep pace with that data,

[00:06:33] learning that data as it's coming in, understanding what's most important to the

[00:06:37] business, and at the end of the day, really helping prioritize what are the biggest risks

[00:06:42] that a security team needs to be focused on and how do they remediate those risks?

[00:06:46] Not just giving them alerts, but how do you actually get them to a good state where

[00:06:51] they're not carrying that risk anymore? So that's the problem and solution. And a lot of the people

[00:06:56] that we work with are security teams, GRC teams, and data governance teams.

[00:07:01] And these people, as you say, have had tools for many years to help with understanding what

[00:07:05] data they have, understanding how to classify it, and therefore apply policies and rules to them.

[00:07:11] What is the big innovation that you're bringing that the judges would have seen and go,

[00:07:15] this might just be the way to correct this problem?

[00:07:19] Yeah, I like to use an analogy for the core bits of technology that we brought to market.

[00:07:26] We call it Bedrock AIR, AI reasoning. AIR is actually a set of three technologies.

[00:07:30] The first is you can't protect what you can't see. And when it comes to the many petabytes

[00:07:36] of data that other organizations have, being able to even see and get a sketch of what

[00:07:41] we're dealing with, that's a foundational problem. A lot of the technologies that were built

[00:07:45] for yesterday's volumes of data, they can't even keep up with these petabyte scale environments.

[00:07:50] So step one, how do you actually go do the scan without breaking the bank? That's step one.

[00:07:55] I'll give you a point of comparison. We recently onboarded a consumer AI company.

[00:07:59] They had 16 petabytes of data. We onboarded them in four days for less than the cost of

[00:08:04] an RSA ticket, RSA ticket, right? By contrast, some of the, like if you think about some of

[00:08:09] the current vendors and even some of the legacy vendors, we had another prospect. They had a

[00:08:13] 500 terabyte environment. To scan that 500 terabyte environment, they were quoted 75k, right?

[00:08:20] So we scanned an environment that was 32 times larger for 35x less the cost. And so the key

[00:08:27] innovation there is the ability to go across these very large scale environments with a

[00:08:31] highly distributed architecture. And we call that technology adaptive sampling, right?

[00:08:36] The ability to blast across these environments and make sense of what's there.

[00:08:39] Now you've mapped out the environment. The second step is making sense of what's actually

[00:08:44] important to the business. If I came to you with 16 petabytes of data inventory,

[00:08:49] you would not know what to do with that and neither would I. So next step is figuring out

[00:08:53] what's actually important and material to the business. The key innovation there, if you're

[00:08:57] using rules to try and make sense of that, again, you're going to be in a whole lot of

[00:09:01] pain. We're going to be dealing with a lot of false positives. The key, what we want to be

[00:09:05] able to do is use the latest in AI to learn what data is most important to the business.

[00:09:09] And so the example I like to use here, if I told you that W2s were considered restricted

[00:09:15] and offer letters were considered restricted, right? You have those two sample points.

[00:09:19] Then I show you 1099 forms, right? Even though you've never seen a 1099 before,

[00:09:24] by looking at the content, you can reason about the fact that that's probably also restricted.

[00:09:28] So imagine doing, imagine a system that is operating 24/7 across all of your data

[00:09:33] stores and learning globally, doesn't have to sleep and is constantly understanding what

[00:09:39] is important to the business. And that way as data is changing and it's growing,

[00:09:43] this system can actually keep up. So that's the key difference from rules to reasoning.

[00:09:47] And then finally, we've sketched out the environment at these massive scales.

[00:09:51] We've turned it into a heat map that tells you where the most important data is at any

[00:09:55] given point in time. The third step is how do you protect the red hotspots on that heat map?

[00:09:59] How do you figure out what are all the ways an adversary could get to that data?

[00:10:02] What are the internal usages of that data that might be opening up the company to regulatory risk?

[00:10:07] Then not only do we find them, we'll actually give you a containment for it. How do you

[00:10:11] actually remediate that problem? How do you get rid of that risk? So not only visibility,

[00:10:15] but also getting them to remediation. So AIR is actually a combination of all three

[00:10:19] of those technologies. So what I heard, Pranava, to go back just quickly, one was the speed

[00:10:24] to be able to go and assess what people have. If it takes someone to study five days,

[00:10:30] you're painting the bridge, right? It's changed so much in that period of time,

[00:10:33] you might as well just start again. I heard about using reasoning and AI to make sense of

[00:10:39] all the petabytes of data that an organization is going to have and do it so you don't have

[00:10:43] to teach it every last bit of data or documents out there. We'll use reasoning

[00:10:47] to figure that out. And the final one is look at those hotspots and focus on those to say,

[00:10:53] these are the bits that we actually really have to think about and figure out how

[00:10:56] we protect if the attackers are going to get there to different routes.

[00:10:59] That's right. And each of those has a name. The first one is adaptive sampling.

[00:11:04] The second is reasoning instead of using rules. So AI reasoning, AIR. The third,

[00:11:10] the ability to protect that data. The visual you can think about as you find

[00:11:13] the red hotspots on the map. Imagine being able to ring fence that data. We call those

[00:11:18] trust boundaries. And if that data is ever leaving those ring fences or if someone gets

[00:11:23] access to data within those ring fences, that's not supposed to. That's when we notify and also

[00:11:28] help you contain that problem or remediate that violation. So the third one is called trust

[00:11:32] boundaries. I forgot to mention the name. So trust boundaries, let's go a little

[00:11:35] bit deeper on that if you don't mind. I mean, when I hear trust boundaries or boundaries or

[00:11:39] things like that, I go back to good old DLP days of saying, well, something ran out the

[00:11:43] door yesterday. You got to figure out what happened to it. Can you enforce them in real

[00:11:47] time? Do people want to enforce them in real time? How does that work?

[00:11:51] Yeah, so we actually did a lot of surveying with DLP practitioners. As we built up Bedrock,

[00:11:59] what we learned was that blocking in line can be very disruptive to the business.

[00:12:05] So the philosophy that we take is find if, for example, someone did share something sensitive

[00:12:11] external to the business, right? The key is to rapidly detect that, bring that context to

[00:12:16] the data owner that, hey, this file was shared out. It's violating this particular control

[00:12:21] because of the reasoning we can actually tell you why it actually is a violation of that

[00:12:25] control in a much more understandable way. And then we can actually present to them,

[00:12:29] click here to block, to unshare right away or give a justification for why this is required.

[00:12:35] So in that sense, rapid detection and containment is in line with how a lot of

[00:12:40] people are thinking about how they want to protect that data, right? Versus direct

[00:12:44] blocking, it can be seen as a business disruptor. Oh yeah, most DLP deployments are in DLM mode,

[00:12:51] not DLP mode. They're monitoring things that go on. But essentially what you're saying though

[00:12:55] is you're bringing the context and also the speed to understand what's happening

[00:13:00] that perhaps in the old way of doing things, you'd find out a week later,

[00:13:03] a month later that something happened. Right. And another part about this is

[00:13:07] the other issue that we hear with traditional implementations of DLP,

[00:13:11] the burden always falls on the security team to review. Whereas here, we're actually taking it

[00:13:16] to the data owners, right? The people that are actually doing the sharing, they actually have the

[00:13:20] context. Right. And so that workflow tends to actually, that workflow actually tends to get

[00:13:26] better resolutions without burdening the security team as much. Well, they'll be happy with

[00:13:30] that. They don't need more alerts. That's for sure. Amen to that. What are the big

[00:13:35] goals for Bedrock for 2024? Yeah, Andrew, we built tech that we're super excited about.

[00:13:42] And in the field, customers have been thrilled with the results that they've been getting

[00:13:47] and the time to value that they've been seeing. For 2024, we're coming to market

[00:13:51] in a big way. So you'll be seeing us a lot more. You'll be hearing about us a lot more.

[00:13:56] 2024 is our go-to-market year. That's awesome. And at RSA next week,

[00:14:01] except for the wild and exuberant celebration for winning the sandbox,

[00:14:05] what else have you got planned for the rest of that week?

[00:14:08] So for us, we have, there's outside of the innovation sandbox, there's a couple of,

[00:14:16] we'll be doing another, RBC is actually hosting a little bit of an expo as well.

[00:14:21] We'll be showcasing there. And outside of that, lots of coffee meetings with folks.

[00:14:26] So privileged to be meeting these folks and really excited to be sharing Bedrock with them.

[00:14:32] Well, it's certainly an exciting time for you, your co-founders, the company,

[00:14:36] you've got the sandbox, you've got, looks like you're investing, go to market for the

[00:14:40] rest of the year. I really truly wish you every bit of good luck for next week and success

[00:14:44] for the rest of the year and beyond. Thank you, Andrew. And we'd love to have

[00:14:49] folks come out and meet us at the innovation sandbox kiosk as well. So we'd love to show

[00:14:55] people more. And I'll put your LinkedIn into the show notes, Pranava. Is there another way you

[00:15:00] want people to get hold of you? Dropping a LinkedIn connect would be amazing.

[00:15:04] We're responsive there. And my email is also Pranava, first name at bedrock.security. So

[00:15:10] please drop us a line. We'd love to see you at RSA. That's awesome. Look forward to it.

[00:15:13] Thank you, Andrew. Thanks Pranava.

[00:15:27] It will mean a lot to me and to the continued growth of the show if you'd help

[00:15:31] get the word out. So how do you do that easily? There are two ways. Firstly,

[00:15:36] just simply send a link to a friend, send a link to the show, to this episode. You can email it,

[00:15:43] text it, Slack it, whatever works for you and is easy for you. The second way is to leave

[00:15:48] a super quick rating. And sometimes that can seem complicated. So I've made it as easy for

[00:15:53] you as I can. You simply have to go to ratethispodcast.com/cyber. That's

[00:16:01] ratethispodcast.com/cyber, and it explains exactly how to do it. Either of these ways will

[00:16:07] take you less than 30 seconds to do, and it will mean the world to me. So thank you.