April 3, 2024
EP 49 – Secure Browsing and Session-Based Threats
In this episode of Trust Issues, David welcomes back Shay Nahari, VP of CyberArk Red Team Services, to discuss the topic of secure browsing and session-based threats. They delve into the dangers of cookie theft, the expanding attack surface, and the importance of identity security. Shay explains how cookies sit post-authentication and how attackers can bypass the entire authentication process by stealing them. He also discusses how browsers have been designed for consumers, not for the enterprise, and how this creates a fundamental problem in the way we treat and design identities around the usage of browsers… until now. Shay introduces CyberArk Secure Browser, which eliminates cookies from the disk completely and provides an end-to-end control of the flow of identity. The conversation also touches on the expanding attack surface, new identities, and how organizations can protect themselves from session-based attacks. Shay emphasizes the importance of least privilege, monitoring, and an assume breach mindset.
[00:00:25] David Puner: Over 30 years ago, we were introduced to the first web browser and, for the first time, “worldwide” was at our fingertips and seemingly our every whim on demand. Fast forward to the past few years where we’ve witnessed a significant shift in the attack landscape. From stealing clear text credentials to targeting session based authentication.
[00:00:49] David Puner: This trend’s been driven by the widespread adoption of multi-factor authentication, making it harder for attackers to compromise accounts with just passwords, but MFA isn’t a silver bullet. And despite it, session tokens like cookies, API keys and machine certificates can still be exploited to bypass authentication
[00:01:10] David Puner: and gain access to sensitive systems and data. And when it comes to web browsing, an inherent security issue lies in the reality that the browser you’re using at an enterprise level is the same browser that was designed for consumers, which creates a fundamental problem in how we treat and design identities around browser usage.
[00:01:33] David Puner: That is, until now. In today’s episode, we welcome back Shay Nahari, CyberArk VP of Red Team Services for a discussion that spans secure web browsing and session-based threats and the dangers of cookie theft, the expanding attack surface and the importance of identity security as it pertains to information flow and control.
[00:01:55] David Puner: He also covers how organizations can help protect themselves from session-based attacks. Spoiler alert, one of these “can helps” is the newly released CyberArk Secure Browser. We don’t typically talk product here on the podcast, but this one’s kind of a big deal – a game changer, as some in the biz might say.
[00:02:15] David Puner: Google it. Here’s my conversation with Shay Nahari.
[00:02:24] David Puner: Shay Nahari, VP of CyberArk Red Team Services. Welcome back to Trust Issues.
[00:02:26] Shay Nahari: Good to be back here again, David.
[00:02:28] David Puner: Well, thanks for coming back on. We’ve got a lot to talk about today. And we’ll try not to stray too far. But I think for the sake of just warming things up, in one of your previous appearances here, we focused on cookie theft or cookie hijacking, and maybe to set up today’s session-based attack conversation, it makes sense to do a little bit of a recap if you wouldn’t mind. So, what is cookie theft, and how does it enable attackers to bypass authentication methods like passwords, MFA and passkeys?
[00:03:00] Shay Nahari: When you look at authentication, there is really two phases of it, right? There’s the pre-authentication.
[00:03:05] Shay Nahari: What we all know is before the user even authenticate to a service, that usually involve things like passwords, multi-factor authentication, passkeys, everything that we have to validate the authentication permission or the user when, before he logs in. The other side of this is what we call “post authentication,” is what happened after the user logged in.
[00:03:29] Shay Nahari: And that involves things like what happened, where did the user go to, what did he do after you got authenticated. Now, cookies are unique in that they seek post authentication. Cookies are something browser will give you after you validated your identity. So, you’ve given your password, your multi factor authentication, your passkey.
[00:03:50] Shay Nahari: You prove that you are who you say you are. And then you’ve given a cookie, which is another sort of authentication that would stay with you throughout the lifecycle of the session to the website you’re going to. What makes it very attractive for attackers is that that cookie, because it happens after the user already authenticated, if attackers can get a hold of that, they in fact bypass the entire authentication process.
[00:04:18] Shay Nahari: So we, simulating attackers, we’ve kind of shifted to attack those post authentication cookies and other forms of authentication about three or four years ago. Today, when we look at, you know, what threat actors are doing in the wild, we see them heavily focused on those types of authentication – could be cookies, could be other things that I’m sure we’ll talk about later – but that’s where it stands today.
[00:04:41] David Puner: So, it might be worth pointing out that at this point, or at least traditionally, browsers have been designed for consumers, not for the enterprise. Yet, consumers and enterprise users are using these same browsers. Is that the case? And if so, why is that?
[00:04:56] Shay Nahari: That’s exactly the case.
[00:04:57] Shay Nahari: If you think about browsers, not to offend anyone, but you and your mother or even grandmother are using the same piece of software to do different, very different things, right? And it’s a piece of software that was designed for general purpose software, right? It’s supposed to get us access to the internet, to the humans.
[00:05:16] Shay Nahari: And if you think about it, there is no really fundamental security controls in the way it’s designed to handle different users. And that’s always been the case. So, whether you go to watch your kids’ basketball or replays or NBA or any sports activity through browser – whether you connect to top secret system or power utility or anything – you’re still doing it with the same piece of software.
[00:05:40] Shay Nahari: Hence, there is a fundamental problem or fundamental issue with the way we kind of treat and design identities around, again, around the usage of browsers.
[00:05:54] David Puner: So, what does identity have to do with browsers and what does identity have to do with [00:06:00] them being so vulnerable?
[00:06:02] Shay Nahari: Browsers are the interface between the user and whatever target system.
[00:06:06] Shay Nahari: And that system, as I mentioned, could be watching an NBA game, or it could be top secret web application that handles military or power or utility or banking or whatnot. Because the browsers are the interface, they actually handle a lot of the authentication and authorization of the user. So, a lot of, you know, we’re talking about application, they handle all of the identity base, interfacing.
[00:06:32] Shay Nahari: Because of that and because the point we’ve mentioned before that they fundamentally are the same and they, they like a lot of basic security controls, those are prime target for attacks, and there’s a big ecosystem that is around handling browsers and what happened during the authentication process. Just one example of that.
[00:06:52] Shay Nahari: Even if we look back at the latest Okta breach from last year, I’m sure you’ve discussed it in different episodes. I’m not going to repeat that. But even if we look at that, you can see that in that specific case, there were browser recording that contained cookies and sessions that were stored in a Help Desk system.
[00:07:11] Shay Nahari: And those are basically browser recording that allows developer to kind of debug issues. And that resulted, obviously, in the leak of that result in the ability to take over full blown infrastructure of the largest organizations on earth. And again, all steam from browsers, the way they’re handling traffic and what attackers can do when they get ahold of that, whether it’s on the end point, support cases, HR or other methods
[00:07:38] David Puner: As you mentioned, we did have Andy Thompson on beginning of November last year to talk about Okta and really interesting case there. And so, this all sounds like with browsers, there is a glaring Achilles heel to say the least. And we’ll go back to that a little bit later in the conversation, but I wanted to get out to the practical matters here and your team, CyberArk Red Team, conducts adversarial simulations.
[00:08:04] David Puner: And the team’s uncovered some novel ways to abuse browsers. What have they found and what’s resulted from that research?
[00:08:13] Shay Nahari: So again, we’re not the only one looking at browsers. We’ve started seeing shift by out of threat actors looking to exploit browsers because of everything we’ve spoke about before, plus the idea that browsers are designed to run by users.
[00:08:27] Shay Nahari: So, they don’t even require privileges to handle the user identity because they’re designed to be run by regular users. So, we’ve started looking at that and we’ve actually incorporated different type of browser attacks, almost on every engagement that we do. Now, we kind of look at it at different layers, right?
[00:08:47] Shay Nahari: The first one is what do, um, let’s call it “commoditized actors” do? So, how do they handle this? And the idea is to kind of allow organization to test themselves against what I wouldn’t say every actor, but. A lot of the threat actors that they’re facing would probably do a, uh, facing their browser.
[00:09:05] David Puner: By commoditized actors, what do you mean by that?
[00:09:08] Shay Nahari: So a lot of commoditized actors, they try to create general tools that would do that at scale, right? So, if you think of a threat actor that is financially motivated, right? Their goal is to achieve effectiveness by targeting as many targets as they can in a short amount of time that would give them the biggest value.
[00:09:30] Shay Nahari: So, in order to do that, they’re looking in ways to automating – a lot of it is automation. And they found out that they, again, cookies are prime target. So they’ve incorporated a lot of cookie stealing techniques into their malware. And that involves, you know, things like InfoStealer, banking that steal your recession cookies and give attackers access directly to financial institution to allow transaction.
[00:09:52] Shay Nahari: It even talks about ransomware gaining access to cloud consoles. Again, for threat actors, at least the commoditized one, to try to do that at scale and at a certain effectiveness that would give them their ROI. So that’s one aspect of it, to try to emulate commoditized attackers. And what we’ve seen there is a lot of attackers there use, at least in the corporate world, something called DPAPI, which is an encryption mechanism in Windows and Active Directory that handles
[00:10:23] Shay Nahari: and encrypts all those cookies. A lot of the malware today attack browsers by retrieving the DPAPI keys and decrypting the cookies on disk at scale. All right. So that’s type of attack number one that we see, we see a lot.
[00:10:39] David Puner: Okay.
[00:10:41] Shay Nahari: At CyberArk, we also looked at ways to extract or look at cookies at a different place in the browser memory.
Why there? Because of a couple of reasons. Some of the SSL vendors and the identity vendors, they know about those attacks and they don’t write the cookies into disk. What they do, is they keep cookies in memory. They call it ephemeral cookies. So the cookies are valid only during the lifetime of the session.
[00:11:07] Shay Nahari: And as soon as the user closes the browser, that goes away. So, we’ve looked to ways to try to extract that in memory. And we’ve actually developed certain capabilities and tooling around that. Just as a, as an FYI, we’ve actually disclosed that to Google, uh, maintainer of Chrome, Google looked at that and rightfully said, well, it’s not our problem because browsers, again, as we said, are designed to be an interface to the world, but they’re not designed to protect against attacker having access to the box.
[00:11:38] Shay Nahari: So, absolutely agree. This is one fix by Google, but the problem is still there.
[00:11:43] David Puner: Isn’t Google starting to do away with cookies?
[00:11:46] Shay Nahari: Cookies is a general terms to a lot of data that browser stores for persistent data, I should say, that out of stores within the users, what Google and other vendors are looking into mostly coming from privacy concerns.
[00:12:02] Shay Nahari: So, putting security aside for a second, a lot of what are the things that cookies do is they provide ways to track users, obviously to generate revenue from ads. So, Google are fighting that section hard. They’re trying to block what they call third party cookies. So if you’re visiting a site, usually you’re getting cookies that allows other sites to track you.
[00:12:24] Shay Nahari: Imagine you go to watch an NBA game. While you’re going there, the sites might actually give you a cookie saying this guy actually watched a basketball game. That puts you potentially into a certain demographic. sex and other characteristics that even if you now go back to Facebook or Twitter, now you have a cookie that was set from a different thing that you have done that now identifies you and allows you to be targeted very specifically by other, um, other companies.
[00:12:54] David Puner: I certainly know that. I had a broken toilet seat once and I kept seeing those ads for like the next year.
[00:12:59] Shay Nahari: Exactly. By the way, I’ll give you a quick trick unrelated to this. When you search for flights, what you can do is search them in incognito mode. That way incognito, what it does, it doesn’t save cookies to disk.
[00: 13: 11] David Puner: Oh, all right.
[00:13:13] Shay Nahari: This way, you’re getting different prices and the way they’re targeting you is different. Do it a test. Just try to search for solo flights in incognito mode and then in your regular browser and see the differences with and without cookies. You’d be surprised.
[00:13:26] David Puner: Let’s call it a tip. Thank you.
[00:13:27] David Puner: Appreciate that.
[00:13:29] Shay Nahari: So, go back to the Google third party thing. So Google are fighting very hard to block that usage of third party. And that really comes from the privacy concerns. It doesn’t really affect the security aspect. Because we’re talking about different type of cookies, cookies that are fundamental to the way our browsers and our web work.
[00:13:48] Shay Nahari: And those are not going away any time soon. So, separation between tracking protection, talks about privacy, versus fundamental security and functionality that are usually what attackers are going after. And those are your standard post authentication cookies.
[00:14:05] David Puner: It’s a good foundation for session-based threats.
[00:14:08] David Puner: And I think, I want to get back to the browserin a bit, but, how has the expanding attack surface influenced session-based threats in general over the last few years, two years, whatever timeframe you think makes sense here?
[00:14:24] Shay Nahari: So, first, we need to define: What is the expanding attack surface, right? The expanding attack surface really results from a couple of things.
[00:14:32] Shay Nahari: First of all, new identities, as well as new attack surface.
[00:14:36] David Puner: Uh huh.
[00:14:37] Shay Nahari: New identities are things that we either haven’t seen before or haven’t seen the scale of them before. Imagine machine identities. Things that we haven’t even considered. A few years ago, we used to talk to customers, and I’m talking five, six years ago, and then we asked them, you know, how many servers do you have?
[00:14:55] Shay Nahari: What’s your attack surface? How many servers? How many workstations? Today, if you talk to a customer and you ask them, how many servers do they have? They would ask you, you mean right now? Because that will change in five minutes. So, moving away to ephemeral identities that are machine identities that exist for a few minutes.
[00:15:15] Shay Nahari: they do certain tasks and then they go away. But those, within the duration of their lifetime, they still have identities. So that expansion of new identity, the thing that we haven’t thought about, is one thing. The other thing is, again, with the explosion to cloud, there is a lot more machines, a lot of systems that the organization may not have full control of.
[00:15:36] Shay Nahari: Now, you don’t actually host all your systems. You’re very likely not even hosting the majority of your systems. So that, you know, comes with a different type of attack chain, right? Now you also need to worry about, you know, your cloud providers. That’s your responsibility. They give you the, you know, they host your system, but now you’re basically partnering in the security of your systems as well as other vendors that now are joining this, and those two things together kind of expand the attack surface.
[00:16:04] Shay Nahari: With that in mind, new identities and new attack surface brings a lot of new things for an attacker to go after. In fact, I don’t want to make up statistics at the top of my head right now, but I was saying the majority of engagement right now, we find assets and go off assets organizations don’t even know they have.
[00:16:22] David Puner: What’s an example of that?
[00: 16: 24] Shay Nahari: Um, an example to that is maybe a pipeline or a system that was generated as a side effect from other activities they’ve done, right? Let’s say they, they run some sort of a pipeline that builds a system, a femoral system that does something. Part of that, the cloud might generate or bring up other nodes again, without going too much into the weeds, other nodes that are ephemeral to the process that exists only for that duration. And they do things that are part of that pipeline, but the organization didn’t really knew about it, didn’t really provision them and really didn’t intend to secure them.
[00:16:58] Shay Nahari: So for the lifetime of that femoral node, they might have bigger attack surface that they even knew about. And another thing that we, we’ve seen in engagement is customer provision, a domain or provision a system and that subdomain expired. And now you have a subdomain that is attached to your organization that you didn’t even know about or didn’t secure.
[00:17:20] Shay Nahari: So that expansion of attack surface of environments that you may or may not even be aware of as an organization is something you also need to stick to plan for as a CISO, if that makes sense.
[00:17:34] David Puner: Yeah, it just sounds like with all the new identities and all the new attack methods that the ripples get bigger as they go out.
[00:17:42] David Puner: How can organizations help protect themselves from session based attacks?
[00:17:47] Shay Nahari: Yeah, so that’s a big question, so let’s try to break it down. I think a lot of it, without too much of it as a cliche, but a lot of it does come down to least privilege. Those ephemeral identities are created in your environment and make sure that they’re getting the least amount of privileges for the shortest amount of time of their lifespan.
[00:18:07] Shay Nahari: And that allows you to say, you know what, I might not have full control of all of my identities at any given time, but I have a process to ensure that within the lifetime of those identities, they are limited in what they can do. And their lifespan is extremely short. So, even if there is a compromise, then I know that there is a very limited damage that can be done with that.
[00:18:32] Shay Nahari: And the last thing in regarding to general advice is,make that assumption. Make the assumption that something is already compromised. We talked about it, I think in previous episodes, that assume breach mindset and – do security layers – or what happened if a certain identity is compromised at my cloud?
[00:18:48] Shay Nahari: What does it mean for me? Is it a game over? What is the impact of that? And kind of plan the security architect to be built around the assumption that some identity can be compromised. But, you know, if I limit the scope of it, if I limit the lifespan of it, and if I have other controls to ensure that damage is not spread, that’s a good place to be.
[00:19:08] David Puner: Really interesting and also interesting that you use the phrase there, “game over.”
[00:19:13] David Puner: So, if these layers are in place in the right fashion, there hypothetically is, is no game over. Is that right? Or am I overextending myself there?
[00:19:23] Shay Nahari: That’s exactly right. Imagine you have a workload in the cloud that exists for a few minutes. If you design your architect saying, you know, what can that workload do?
[00:19:32] Shay Nahari: I might not be able always to control it. I might not even know that it exists for those duration of time that is getting spawned. What can I do to make sure that even if it’s compromised, it doesn’t really propagate behind what I limit? And that really is the way to go. Obviously on top of that, monitoring and do as much as you can to kind of control those identities, but even monitoring the identities, more than the usage of those identities can bring a lot of value.
[00:19:57] David Puner: To bring the conversation here back to the web browser – and I’ll be transparent here – by the time this episode goes out, the CyberArk Secure Browser will have launched. Typically on the podcast, it’s not about necessarily plugging CyberArk products or capabilities. That being said, this particular solution is kind of central to what we’re talking about here.
[00:20:26] David Puner: Why don’t we start there with…what is secure browsing and how is it an extension of identity security?
[00:20:34] Shay Nahari: When we looked at that, and that’s something that we as, as directing within CyberArk, always kind of take feedback of things that we do and see other actors do, try to feed it back to our product and ask us a few questions.
[00:20:46] Shay Nahari: First of all, is it something that kind of lies in our own mandate, right? Is it our swimming lane? Are we doing something that we’re supposed to be doing? And the answer is yes, because everything we talked about, because it deals with identities. The first answer [00:21:00] was yes, it’s something that we are probably interested in solving.
[00:21:04] Shay Nahari: The second thing is, what can we actually do? And the first thing that comes to mind is again, the cookies, everything we talked about the cookies, we talked about that being a prime target for actors. We talked about that being identity stack surface. And we said, can we eliminate those cookies – as exactly as you ask?
[00:21:23] Shay Nahari: And we figured out the only way to do that is to build our own browser from the ground up. And it’s based on Chromium, but that’s exactly it. And a couple of things that we’ve done there is we’ve eliminated the cookies from the disk completely. Again, I won’t go into details right now. But we’ve kind of eliminated the cookies and made sure that surface is, is no longer exist.
[00:21:44] Shay Nahari: But then we also looked at it from other perspective, from the operational aspect, right? Not just security. How can we, because it’s the interface to the world, because we, everyone are using it for, to access almost every system that we can think of, we also want to incorporate other aspect of identity management to the browser.
[00:22:00] Shay Nahari: So, it’s the ability to allow you secure connection to the cloud, allow you to record a session, to monitor the session, but kind of do it in the way that users are doing it today, which is through the browsers. So, it started from a security discussion, but also kind of naturally evolved into operational value from things that we’ve heard from our customers throughout the years.
[00:22:22] David Puner: How does cookie-less browsing affect the functionality of a web browser – as we understand that functionality from our day to day personal lives and work lives and everything in between?
[00:22:35] Shay Nahari: There’s two answers. From the user perspective, it doesn’t. The user is not even aware that is, there’s no cookies. What the CyberArk Secure Browser does is it eliminates the writing the cookies to disk so that it doesn’t write the cookies in the end.
[00:22:52] Shay Nahari: Because we build the browser from the ground up, we have a way to control and handle the cookies in a much more secure way. As we mentioned at the beginning, we’re addressing browsers for general audience. So, what we’re doing in Secure Browser, we’re kind of addressing or making the browser align to the security boundaries that we have for the enterprise. And even within that, it could be different layers and different policies involved. But one of the major distinction is that we’re taking away the cookies from this. We’re not writing cookies to disk. Therefore, there’s no cookies for attackers to steal.
[00:23:30] Shay Nahari: We’re handling in a different way. We apply Encryption in a different way. We handle it between client and server in a different way, but you can only do that really if you have full control over, over the stack right, over the browser from the operating system. Now, add to add, add to add to it other controls that we may have on the endpoint, like our endpoint privilege management or EPM.
[00:23:54] Shay Nahari: You now have potentially kernel level protection to those things. So really just your way to control the flow of identity, right? We already today control the flow of identity security. When you go to the cloud, that gives you the ability to control the flow of identity end to end all the way from the lowest level of the endpoint kernel through the browser to the transmission of it to the, the identity management and log in and rotating those credentials all the way to the cloud, how that identity is actually being used by the user at the cloud console. So, that gives us really an end to end control of the flow of identity.
[00:24:33] David Puner: So, does secure browsing as you’ve just outlined it … how does it have any similarities or does it have any similarities to Google’s tracking protection?
[00:24:41] Shay Nahari: We’re not really dealing with the same thing because we’re dealing with core security functionality.
[00:24:48] Shay Nahari: A side effect of that is because secure browser eliminates cookies for as a security mechanism, at least eliminates them to the way that we can actually control them, the side effect of that is that a lot of those third party cookies might not be there in the first place for tracking perspective. So, privacy is a great value as well.
[00:25:09] Shay Nahari: But again, the core functionality is to take your enterprise browsing and apply the same control that you would apply to other enterprise grade controls. And you take it to, you know, what potentially is a consumer base software and kind of bring it to apply the same controls that you want to apply on other enterprises, great controls.
[00:25:30] David Puner: Not that I would do this, but if I was to use the secure browser on my work laptop and start doing some flight searches, what kind of prices am I going to get for flights there?
[00:25:39] Shay Nahari: I haven’t tried that. I should try that, but the idea is you can actually, as an enterprise, you can control and create some policies to what you want your users to do to that enterprise browser.
[00:25:51] Shay Nahari: So if you don’t want your users to search for flights to the Bahamas to your secure browsers because you don’t want to limit the attack surface, then you can absolutely do that, which is again, it’s very hard to do at the browser level in other browsers. You can do that. Maybe the firewall level, but again, that gives you an ability to control the identity end to end, not just at the network level, but much, much sooner than that.
[00:26:15] David Puner: So, I should say that if listeners want to learn more about the CyberArk Secure Browser, they can of course go to cyberark.com. How was your team involved in the creation, evolution, ideation, launch, whatever you want to call it with this solution?
[00:26:31] Shay Nahari: First of all, we started back in maybe four or five years ago to even bring that problem to the team. We’ve kind of pointed out this is something we’ve started looking because all the advantage for an attacker perspective, but that brings us, and this is what we foresee other actors to do as well. The idea, or even the brainstorming on what we can do about it was something that my team was involved very early on.
[00:26:54] Shay Nahari: And then throughout the lifecycle and development, we used to kind of get different versions that we say, you know what, we want to take a look at what attackers can do, because I said, cookies are really a big terminology. So, we want to try different attacks. And we, throughout the development of the product, we kind of had a feedback loop where we get it, we try different attacks.
[00:27:14] Shay Nahari: Again, we focus on the security aspect. There’s other teams that are focusing on the operation, on the other value. But we kind of fed back errors and new attacks that we see out there or we think we can do. And we also think, again, the two questions we mentioned, we think it’s something that falls within the boundaries of what CyberArk is here to do.
[00:27:32] Shay Nahari: And we also think there might be a way of doing that if you control the browser. So, we had a constant feedback loop that we saw what attackers are doing and can do. And we fed it back to the product and say, here’s a problem. How can we fix it? And that created a lot of back and forth iterations where we improve the secure browser throughout the eyes of the attackers.
[00:27:54] David Puner: So, other than just straight up security with the secure browser, are there any other benefits for workforce?
[00:28:02] Shay Nahari: Absolutely. So again, this is, I’m wearing the attacker hats. I’m talking security. But as a user hat, I’ve seen some of the operational thing that just, when I looked at it, I said, that’s what identity security or PAM in 2024 should be for, just for an example, you want to kind of manage your cloud session.
[00:28:19] Shay Nahari: You want to connect to everything you’ve traditionally been doing with PAM, but now you’re doing it with browser. So that gives you the ability to integrate to all those systems in a very easy way from within the browser, without going back to legacy protocols and legacy systems. So, there’s a lot of value from, from operational aspects.
[00:28:37] Shay Nahari: And again, by the time this episode air, I think you can probably see demos out there and the browser is launched. So, you can –encourage you to go to cyberark.com and see some demos. Even if you don’t really interested in the security aspect, just from operational aspect, go, go take a look at that.
[00:28:53] David Puner: Is this potentially something that consumers would be able to get their hands on at some point?
[00:28:58] Shay Nahari: That is a great question. And something we’ve been talking a lot internally.
[00:29:04] David Puner: Okay.
[00:29:05] Shay Nahari: I will leave that question open for now. But suffice to say, we’ve been talking about it for a very long time and thinking what would make sense in the broader scope of things.
[00:29:16] David Puner: Excellent. Shay Nahari, VP of CyberArk Red Team Services.
[00:29:20] David Puner: Great to have you on the podcast as always. I’m sure we’ll see you again soon.
[00:29:25] Shay Nahari: Always a pleasure, David.
[00:29:35] David Puner: Thanks for listening to Trust Issues. If you liked this episode, please check out our back catalog for more conversations with cyber defenders and protectors. And don’t miss new episodes. Make sure you’re following us wherever you get your podcasts. And, let’s see. Oh, oh yeah. Drop us a line if you feel so inclined.
[00:29:53] David Puner: Questions, comments, suggestions – which, come to think of it, are kind of like comments. Our [00:30:00] email address is trustissues, all one word, at cyberark.com. See you next time.