July 17, 2024

In this episode of The Virtual CISO Podcast, your host, John Verry, engages in a conversation with Aviv Grafi, CTO and founder of Votiro, as they discuss innovative solutions to combat business email compromise. Join us as we discuss:

  • The mechanisms of business email compromise
  • How malicious files are used in cyberattacks
  • The limitations of traditional security methods
  • The benefits of malicious file reconstruction technology

 

John Verry (00:00.542)
not hit record. So the good news is that it’s now recording. With your blessing, we’ll kick this off. Hey there and welcome to yet another episode of the Virtual CISO Podcast. With you as always, John Verry, your host and with me today, Aviv Grafi and I hopefully said that right. Hey, Aviv.

Aviv Grafi (00:07.42)
Great. Yeah.

Aviv Grafi (00:22.62)
Hey John, it’s great to be here.

John Verry (00:24.762)
Thanks for coming on. Did I get that right? Aviv, is that the right pronunciation? Excellent. Excellent. So I always like to start the conversation simple. Tell us a little bit about who you are and what is it that you do every day.

Aviv Grafi (00:29.788)
Yes, correct.

Aviv Grafi (00:42.14)
Great. So I’m Aviv Grafi. I’m the CTO and founder of Votiro. I’m in the cyber security industry for almost two decades, actually. You know, before it was called a cyber security, it was called IT security. And before that, it was just network security. So I’m about 20 years in the industry and I founded Votiro several years ago in order to combat a very special type of attacks. In terms of my background, as I’m based in Tel Aviv, Israel,

I was a high school kind of security geek. And then I went to IDF and worked in intelligence first for several years. Then of course, as you know, as everyone here, I worked for a couple of startups and then I founded what now it’s been called Votiro.

John Verry (01:30.014)
Excellent. What’s your drink of choice?

Aviv Grafi (01:35.836)
So actually my drink of choice is called Arak. I’m not sure if you’re familiar with that. That’s a local Anise kind of drink, which is very unique to the Mediterranean kind of area. So it’s very special here. Usually I’m drinking that either with lemonade or with grapefruits.

John Verry (01:54.972)
All right, so you’re the first person who’s given me that answer in 140 episodes. And now I want to go out and buy a bottle of Arak. Is it like a, is it more like a digestive, you know, more in that Campari, Ouzo, Sambuca, Fernet-Branca kind of space? All right.

Aviv Grafi (02:08.666)
Exactly.

Yeah, it’s very similar to Ouzo, I would say, yeah.

John Verry (02:14.94)
Alright, so now I have to find Arak, A-R-A-K.

Aviv Grafi (02:19.964)
Exactly.

John Verry (02:21.372)
All right, well, it’s now on my shopping list because I love digestives, you know, the Camparis and Amaros and the things of that nature of the world. So I’ll be looking for that. Thank you. So I think it would be fair to say that, you know, files are foundational to not only computing, but of course, hence for running a business. I think it’s also fair to say that files are unfortunately foundational to any cyber attack. So let’s start pretty simple.

How does a malicious individual use different types of files, both to incent behavior and or take malicious action in an environment?

Aviv Grafi (03:03.612)
So John, as you mentioned, files are the fundamentals of most of the businesses today. And as of that, we are exchanging tons of documents, I mean, between companies. Now, as the bad guy, if I could just control the content and the structure of the document and send that, for example, to my insurance company.

I can do that, right? I can send that to a colleague. I can send that to my doctor. I can send that to my car dealer as like a driver license copy. In fact, as a bad guy, you can see tons of opportunities of injecting malicious files into almost every organization. Now, if you think about what malicious files can do, right, it’s starting from the most simple kind of thing, like convincing someone to do something.

But the more sophisticated attacks actually, in that document, it’s actually embedding a malicious code that in that case, once it’s being opened, the bad guy can execute whatever he wants to do on the target machines.

John Verry (04:13.086)
Yeah, so I think we know that email these days, social engineering is a predominant vector of attack. People don’t think of emails as being files, but they are effectively files, right? So that first file that they send you is an email which then sends you to open up a document or to navigate to a website that’s going to download a document, correct?

Aviv Grafi (04:37.436)
Right, even the email content and attachment like a Word document or Excel spreadsheet, and that can be actually introduce a malicious code, not necessarily just the body of the email, which of course, that’s a file. So that’s for sure. And so we’re talking about either files being downloaded off the web, like, you know, browse to website, but not just email and downloads. If you think about sharing like Box and Dropbox and OneDrive, those…

file sharing and collaboration platforms are being used now to exchange documents. So maybe we started like, you know, 10, 15, 20 years ago with the security for those primary channels or vectors like email and web downloads. But today we have tons of other document exchange platforms and tools that we probably overlooking it.

John Verry (05:30.43)
Yeah, so good. Let’s talk about that. So we know attacks are file-centric. We know that incidents and cyberattacks are just perpetually going up. So we can reason that the things that we’ve been doing to this point haven’t worked all that well. So I’m going to oversimplify this here, and I’ll focus a little bit on social engineering attacks being that they’re the predominant vehicle.

We’ve traditionally used a handful of different techniques to prevent these files from creating problems. So let’s talk about each a little bit and you can tell us what works well and maybe what works not so well. So first thing, like if we’re talking about something coming in through mail, we’ve traditionally tried to do some level of mail filtering. We’re trying to, let’s say, prevent the file from getting to somebody. Where are we at with mail filtering? Does that work, not work? What’s the good and bad?

Aviv Grafi (06:27.26)
You know, so actually you mentioned two things that I want to address. One is that mail filtering should detect the malicious file. We know that in reality, the bad guys can generate tons of malicious documents in minutes. So while the mail filtering should be able to block and to detect and block, they just cannot keep up with the rate of the malicious documents. So it’s not like a feasible thing to find all those new variants.

And that’s why they miss quite a lot. So this is one. The second thing is that email filtering introduce some productivity issue, which we all call it like quarantine or junk folder. Right. I mean, all of us, we got emails and we got phone calls. Hey, sent you something. I’m sure I sent you the, but say, yeah, I didn’t get it. And then you’re trying to find it on the quarantine. Maybe it was falsely labeled as malicious. And then you went to ask the IT.

Hey, I need to get that file. So email filtering doesn’t work both for security, but also to do some productivity issues for a lot of businesses. Even if you think about the simplest method of blinding email filtering, it just lets password protected the attachment. If you password protect the attachment, the email filtering can do nothing, cannot really look into that document and then it just go through.

So, email filtering doesn’t really work, eventually, what we’re seeing these days.

John Verry (07:59.39)
Yeah, I think what you’re implying with the with the mail filtering is that most of the mail filtering uses like antivirus, you know, recognized files, right? So they’ve got a hash of a file. So that’s what you’re saying that it’s hard to keep up with the variance of these files, because if the hashes don’t match much like an AV, then hey, we don’t think this is a malicious file.

Aviv Grafi (08:23.708)
Correct, yeah. And even introducing like a more kind of advanced technique like sandboxing, sandboxing is actually the same thing, is try to detect a bad behavior, a malicious behavior of a document. This also takes time and we know that it can be evaded. And also if you’re taking the AI approach saying, okay, I can detect it by saying this is similar to something we know, yet new stuff can easily come through as I mentioned like.

password protect the malicious payload or just a new variant that the AI hasn’t been learned at yet.

John Verry (09:00.574)
Gotcha. So the next thing that we typically try to do is we try to educate you, right? So the mail filter didn’t catch it, it gets through. So what we’re trying to do at that point is prevent that from being opened and downloading something onto the desktop. Security awareness, education and phishing. Yeah, I think they have limited value, right?

Aviv Grafi (09:27.292)
Yeah, I think the awareness campaigns that we all, you know, we went through those and especially in medium and big organizations. In fact, the idea is we cannot have the technology to stop those malicious documents. So let’s have our users try to detect and stop those malicious attacks. And the poor user cannot really find those things. I mean, definitely within the AI era,

There are no more grammatical grammar mistakes and things that actually you can suspect. And on top of that, even a day or an hour after a successful phishing awareness campaign, just send an email to the organization, say, Hey, there was a problem wiring a paycheck. You need to fill in that form, right? or, Hey, this is your new floor sitting plan starting from next week. I want to know where I’m going to sit. Right.

So eventually you can be tricked. So that’s why, you know, because of detection technology has failed. Now at some point we said, okay, let’s, let’s have the user that maybe they’re more intelligent to play that spot the phishing game.

John Verry (10:44.542)
Yeah, you know, I would say, look, you need a layered approach to security fundamentally. And I think, you know, I’m not suggesting that cyber awareness education or social engineering, excuse me, phishing exercise, you shouldn’t be done. But even in the best run organizations, you know, we typically see phish rates of, you know, three, 4% is kind of the lowest that you’re going to see, which means that, you 4% of the malicious emails hitting someone’s desktop, somebody’s going to click on.

So we know we need to go beyond that. So the next thing we typically do, right, is focus around something on the desktop, like antivirus or endpoint protection of something, which is, okay, well, someone did click on an email and now we have a bad file on our desktop, let’s block it, let’s disable it. What works, what doesn’t work there?

Aviv Grafi (11:35.196)
Yeah, so that work for quite some time. I think that it is definitely a best practice to have an endpoint protection service like either, you know, AV, EDR. I think the issue is that usually it generates tons, tons of false positives and alerts. We see a lot of organizations, the prospects that we’re talking with, said, look, we cannot cope with the number of alerts and they cannot really apply a real…

you know, remediation or response activities because they cannot really just, you know, plug that endpoint from the network because of the high false positives rate. And then they’re trying to fix it after the fact, after they actually already infected the machine, which at this point it’s possible. But if we can find a solution that we can actually avoid infecting the machine and potentially stealing some data, you should actually go for it. And with the

EDR and definitely with antiviruses, this wasn’t the case because of the high rate of alerts and the inability to really remediate in real time.

John Verry (12:44.862)
Yeah, and then last of course is we need good vulnerability and configuration management. So everything failed to that point. The AV didn’t detect the file. The file is loose. The file is actually on the desktop. But if we have the desktop properly configured, we can and we have all of our applications patched. And maybe it’s a malicious PDF file. And maybe we’ve got the most recent version of Adobe that’s not vulnerable to it. And perhaps we’re not running as local admin. Thoughts there?

Aviv Grafi (13:14.012)
So that’s definitely one of the, I think, the best practices I could also recommend. Definitely work with the up-to-date machine and up-to-date applications, and definitely with the least privileged kind of approach whenever possible. Nevertheless, we know how difficult it is to really release patches and deploy patches on time.

And there are all, there’s always a window. Sometimes it’s days, sometimes weeks, sometimes months until the patch getting really pushed. And we know that the bad guys are, you know, they’re faster than us. So they’re actually generating those malicious documents, you know, hours after the vulnerability, you know, get published. So while this is the best approach is this is really, I think the most kind of a complex to manage. And as the organization get bigger.

It’s even getting more complex because no one wants to be blamed for patch that was pushed that took down the IT. No one wants to do that, right? They will lose their job in a second.

John Verry (14:18.942)
Yeah, and then we can continue on, right? And then there’s network segregation so that if something does start propagating, we’re minimizing the scope of it. So it’s interesting to me. We started under the premise that malicious activity is often file-based, but yet we’ve kind of talked through a typical stack, and very little of that focus is actually on files. So I get the feeling you’re going to tell me that’s why Votiro is a file-focused company.

Aviv Grafi (14:47.26)
Right. So before I started Votiro, I was doing pen testing. I was actually doing audits and security audits, and I was traveling around the world and interviewing IT staff and checking system configuration. And after three or four or five days of doing those interviews, usually I was showing the report and also demonstrating how it could hack my client. And usually there was one technique, as we talked earlier, is just sending

a weaponized resume to the HR recruiting department saying, Hey, I want to apply to a position in your company. I know John Verry, and I would love to, to work for you guys. And, you know, on the other side, there is a guy or lady that needs to do their job. They need to scan hundreds of resumes sometimes every day or week, and they need to open those. So when we cannot tell them, you know, think twice, maybe that’s a malicious actor.

And I think that’s the fundamental of where the problem with the security solutions today, because there is a fine balance between security and productivity. As I mentioned, try to push patch too early. Maybe that’s risky. Let your user spot the phishing, but maybe you will get their work even more complicated and lengthy. So that’s where we all started that I saw that.

You can actually using a malicious document, you can hack almost every organization because they need those documents for the day to day job. And, and we described, you know, that security stack with tons of things. And there was, there was one thing that I thought that worth solving, which is allowing organization to be productive while keeping them safe. And this actually can be achieved through protecting from malicious documents.

John Verry (16:39.07)
So you’ve been doing this a long time. I’ve been doing this a long time. And, you to me, cybersecurity is sort of an endless game of cops and robbers, right? You know, as a new technology emerges and we’re looking at how we’re going to use this technology on a positive way, you know, the bad guys are saying, okay, how can we use this in a malicious way? You know, and as we get better at protecting one type of attack, so back in the day, most attacks were network based. And then we got better at patch and configuration management.

vulnerability management. So then they went to the applications and then we got better at application security and then they went to social engineering and we’re still not good enough at social engineering that they haven’t gone away from that yet. So I think the one constant through this is this concept of a malicious file. So what types of, you know, let’s talk about the types of attacks, right? We have, I think the traditional malicious file attacks, which are the, you know, the word docs, you know, I’ll call them office docs, right? And, and,

PDFs, I think, and script files and things of that nature. I don’t think most people are aware of how many different file types can cause a problem. So talk a little bit about that. And then beyond that, let’s talk about what are some of the emerging attack vectors that you’re seeing.

Aviv Grafi (17:51.164)
Great. So, so first thing, yeah, there are tons of file types. In fact, we in Votiro, we understood the problem of that endless game of cops and robbers. And that’s why we’re taking a different approach of how to protect from malicious documents. And remember that HR guy or lady that need to, you know, scan resumes over there. Instead of, I mean, they interested in the content, right? They want to see Aviv’s resume, his job experience, what he wanted to do and stuff like that, his qualifications.

And not necessarily in the actual bits of the document where this is actually the vulnerability resides. So the idea behind Votiro, and we call it content disarmament reconstruction technology, is that by taking that PDF resume and regenerating a safe version of that PDF, by taking all the well-known elements like text, like pages, paragraphs, picture, and just regenerating that on a safe template of a PDF.

We could actually, we can deliver a safe version, 100 % safe, right? Because we just regenerated it to the user in real time. And then we can tell, we’re actually telling our customers and we’re telling the end users, open any document you receive because that’s a regenerated document, which actually resolve that problem of cops and robbers, because we’re not trying to chase the bad thing. We know what are the good things in the document. And then we regenerate a safe version of that document.

And this is the idea in terms of how we actually break that game. So this is of course, I think what stands behind Votiro, and then we apply that for all those kind of channels or vectors that you’ve mentioned like email, web downloads. And of course, also we integrated with Teams and Slack and Box and Dropbox. So every document an organization receive actually goes through that technology that generate a safe version of the document.

which looks and feel exactly the same delivered to the user in real time as opposed to sandbox or some other technologies that takes time. And of course that’s close to 100 % because we’re just generating replicas of the document. And we could achieve that by leveraging multiple technologies. You’ve mentioned like social engineering. So of course you can actually lure the user to open a document, but it’s not like.

Aviv Grafi (20:16.124)
the same original document because it does not contain the malicious macro, does not contain the malicious script because we already took care of that. So that’s the idea behind Votiro. That’s how we’re actually breaking that game.

John Verry (20:30.374)
Interesting, a very different approach. A couple questions for you. So,

Does that mean that there is a defined group of file types that you’re working with? So as an example, we talked about Word documents, we talked about Excel documents, we talked about PDFs. What about batch files or text files or SCR script files? Is there a defined list of things that you guys can look at and…

And as I understand it, which it’s almost like an ETL process, right? What you’re actually doing is you’re opening up the document, you’re analyzing its components, and what you’re doing is then only translating that to a second document with the known good components, right? The safe components in it. So from my perspective, I see the same document that I would have seen, but anything that…

could have been bad in the document can no longer be in there, correct?

Aviv Grafi (21:35.132)
Correct, exactly, you described that correctly. And that’s what we do for tons of file types. I mean, we mapped all file types used in business today. Like we talk about the Office files, like Word, Excel, PowerPoints, Visio, images files, PDFs, RDFs, also embedded objects. If you think about embedding Visio within Word document, we’re doing that for archives. We’re doing that for even planning like CAD files, AutoCAD files. So almost every…

file types being used, like almost the 180 file types we support today. And for those, if there is a file that we do not support, of course we have a policy to address that in the product. But basically more than 99 % of the documents used in business today, we know how to process those exactly as I mentioned, because we know how they built, we know how the specification defined the structure, and that’s how we actually learned about how to solve that problem.

John Verry (22:36.158)
Gotcha. So you use the term, so just to differentiate, use the term documents as opposed to using the term files, right? So I would assume that means that something which is intended to be human readable, you know, would be a quote unquote a document. Something which is machine readable, quote unquote, would not be a document. So as an example, an executable file, a binary, a DLL, those types of files would not be files that Votiro would be processing. Is that correct?

Aviv Grafi (23:06.3)
Correct. Content disarmament reconstruction focusing on human readable content, but also in some ways, some machine readable content like XML files and stuff like that.

John Verry (23:15.166)
Okay, yeah, JSON, XML, yeah. They’re sort of, they kind of cross over between machine, yeah, I gotcha.

Aviv Grafi (23:17.434)
Yeah, yeah.

Yeah. Yeah. But to be honest, when we talk about that with the customers and prospects, they saying, yeah, but I don’t want to have DLLs or executables in my, you know, transferred in my teams or Slack channel anyway. So we allowing them to block it or to integrate with their existing security stack for executables if they want to do that for certain users. But most of them saying, you know, I’m not expecting to get any executables on Slack. So if it can just block it, the executable, that will be fine. Allowing all the.

documents, human readable content to be secured and transferred safely, I’m fine.

John Verry (23:57.662)
Gotcha. And where do you sit? So are you sitting on desktops? Are you sitting on servers? Where is your software sitting and how does it get triggered when a file is being uploaded, downloaded, accessed, whatever the trigger events are?

Aviv Grafi (24:15.196)
Yeah. So Votiro is a cloud-based solution. So we have our cloud, Votiro cloud, which all our processing is being done. And then we connect using a native API to, for example, Office 365 or Teams API or Slack API. We connect that cloud to cloud integration. So we triggered whenever a new document or file is being sent to you or being sent by you, that’s the trigger for us. And then we process that in real time.

Of course, we do have a flavor for desktop, so in the form of a browser plugin. So if you want to protect, for example, downloads that actually gets before they get to the browser, we do support that as well. So it’s either cloud or endpoint in the form of a browser plugin.

John Verry (25:04.574)
Gotcha. And then I would assume you have the same challenge that most tools do that. Like you mentioned, a password protected and encrypted file, you know, unless you have the decryption key, you know, that you really can’t, I would assume you can’t view and or reconstruct, you know, a document. Do you support any type of way where as an option, someone would be able to transfer you that password you, and then you would be able to do the same thing and then.

would you be able to re-protect it with the same password?

Aviv Grafi (25:35.196)
Yeah, exactly that. Actually, one of the things we introduce as part of the product, that’s a workflow. So once we find a password protected document or archive, we then notify the user saying, hey, if you’re expecting one, just type in the password here, and then we decrypt it. We’re doing all that magic of reconstructing and regenerating the document and then sharing it with the user in the same way. For example, that email, it gets a password protected email, but just the safe version of that email.

with exact same look and feel. So yeah, I think, we have one of the first solutions actually to introduce workflow for pass protected encrypted content. as we saw that, as, as we mentioned, traditional security system are just being, you know, just blind because they cannot treat any, encrypted content. And usually the IT security, they have two options either to allow all the encrypted, you know, content, you know, just get to the end point. and then they have.

security risk or just to block everything and then they have a productivity risk because eventually as we see a lot of documents being encrypted, especially PDFs. You know, now I’m getting, now my PDF got blocked so I need to call the IT help desk. Hey, I need to have my encrypted PDF. With Votiro, we introduced that automatic and self-service workflow to support those kind of use cases.

John Verry (26:57.31)
Interesting, interesting. So I’m assuming you’re one of those rare companies that probably doesn’t have to promote the fact that they’re using AI in any way, because it would seem to me that you don’t need AI. All you really need to do is know what is, you need to have a definition of a file structure from the vendor of that file format. And then really what you’re just doing is stripping out anything which,

according to that file structure doesn’t belong there.

Aviv Grafi (27:29.404)
Yeah, so when we started, that’s for sure. We didn’t use AI. It was mainly we followed the specifications, and that’s how we generated the saved documents. But on the last 18 months, we introduced AI. And for those areas that we can’t…

John Verry (27:45.406)
You just did it from marketing. Come on Aviv, you’re just doing that from marketing.

Aviv Grafi (27:49.404)
Yeah, actually, yeah, marketing asks, we have to get AI in their products. Of course, of course. But the way actually the way we use AI is to distinguish between in that specific problem of office macros. Office macros, that’s actually a code. It’s not a structure of a document, right? So the alternative was just to strip off all those macros out of the documents.

John Verry (27:53.71)
Yeah, exactly.

John Verry (28:07.55)
that’s true.

Aviv Grafi (28:17.404)
And when we got to a financial organization, it told us, look guys, that’s really cute, but you cannot really strip out all those macros. We need to have them for our work. So, and that’s where we thought how we could solve it. And AI actually was very handy there because with AI, we could really analyze the macro code and say, yes, this is a legit macro. As we trained a model and say, yes, that’s how you can actually recognize.

a macro that interacts with the disk or network or just a macro that manipulates tables or maybe formulas and charts in Excel spreadsheet. So in fact, AI was helping us tremendously in solving the office macros challenge, which turned to be a big thing when we started to work with big financial organizations.

John Verry (29:04.51)
Yeah, if you think about how much it’s remarkable how much financial analysis takes place in spreadsheets and organizations, it’s nuts. So that’s actually interesting. So, you know, from a machine learning perspective, right, you give it thousands, tens of thousands, hundreds of thousands of files with macros embedded in them. We identify which of those macros, you know, the AI is able to determine which of those macros are.

taking an action that we’ve defined as being potentially risky. Like you said, interacting with the disk, interacting with the network, things of that nature. And as long as, I would assume as long as a macro is focused on just manipulating data within a worksheet, you’re looking at that and going, okay, that should be safe.

Aviv Grafi (29:50.3)
Yeah, in fact, we trained our model to detect benign macros, not necessarily just malicious macros. I think that’s the whole concept about Votiro’s technology, that we’re trying to look on the good stuff, not the bad stuff in the document. So by training the model how a legitimate macro and benign macro looks like, we were able to really expedite and really boost the work of detecting…

John Verry (29:58.876)
Mm-hmm.

Aviv Grafi (30:18.04)
good and benign macros. So that’s what we say, okay, yeah, it’s high confident that this is a benign macros and then we keep that macro attached to the Excel spreadsheet. And of course, as I mentioned, as you described, yeah, we could also say, yeah, this is not a legit macro because you see it does something with a disk. It’s more intelligent than that because thanks to the AI, it’s not just a binary decision. So it’s not like a static analysis that used to be like five years ago.

John Verry (30:44.958)
Right, yeah, so a macro that’s simply saving a copy of the data, you know, it is interacting with the disk, but that’s likely a benign file where a macro that would be doing something else with the network stack is probably not. OK, makes complete sense. Anything else in terms of like sort of evolving? Like I’m amazed. The cleverness of the bad guys and like you said, like these.

Aviv Grafi (30:51.118)
Exactly.

John Verry (31:12.062)
using box, using SharePoint, using Dropbox. I the variations are endless, right?

Aviv Grafi (31:22.012)
Yeah, that’s for sure. Because the number of channels and the way to the communication platforms increased dramatically over the last five, 10 years, definitely post COVID area. So we got used to share things like, you know, virtually. So we got tons of new platforms and, you know, talking and sharing documents via Box, Dropbox, Slack, Teams, SharePoint, it’s just got the way easier.

so we saw an increase, significant increase and a number of attacks being carried by those kind of what was previously as a niche platforms. Yeah.

John Verry (32:01.342)
Yeah, what about other attack vectors? I’m just thinking about places where I’m exchanging files with people today that I wasn’t even thinking about three years ago, five years ago. So project management tools. We use a project management tool called Wrike. Wrike has the ability to exchange files through Wrike. What about things like Jira and Confluence? All of these are…

applications that you might be helping organizations validate that those files that are being shared are secure?

Aviv Grafi (32:36.06)
Yeah, actually, if you think about any application that you can actually share documents, usually they have an API. So we have for those who we do not support yet, like, you know, an official connector, we have a Votiro API. So you can integrate almost any platform with Votiro protection. And on top of that, if you think about large companies that are going digital, they allowing their customers to do some stuff online, right? Upload their…

It’s part of a know your customer process upload documents, right? Asking for a loan. Do some stuff online which involve uploading documents to a client facing portal. We see a lot of use cases where companies saying, you know, we’re allowing clients to upload stuff. We have no clue what they upload and then we store it on our S3 bucket in AWS. So we actually helping customers to integrate Votiro API with their applications.

And on top of that, we’re also providing native security for AWS S3 buckets for every file that lands there. So the number of possible integrations is endless. I haven’t talked yet about Salesforce and some other integrations that we integrated with almost every application that involves files, but here actually is there to make sure that it’s being sanitized before it reaches the end user.

John Verry (33:54.334)
Okay, so at the end of the day, if an application has an API that generates an event that’s associated with a file being placed somewhere, you have the ability that can be programmatically set up to communicate that file to your cloud, and your cloud will reconstruct the document and put it back in place for you.

Aviv Grafi (34:15.886)
Exactly. And that process takes milliseconds. I haven’t mentioned that, but because it’s a deterministic process, not trying to wait for the file to do something, not trying to query the huge AI model, that takes milliseconds. And that, I think, is the benefit of using such an approach, which is fast and deterministic, so you can get a safe file within 200 milliseconds for a typical document. And you can have actually your employees and users do whatever they want and work.

and not necessarily deal with the security constraints.

John Verry (34:48.318)
Gotcha, have you guys dealt with the issue? Is there a workaround to, like, legal issues with documents? Typically a document’s hashed and we know that’s the exact copy and I’m signing that exact copy. Obviously a legal document can have something malicious in it. Has there been a mechanism by which can somebody, that would be an actually interesting question. Can someone rather than when I get the file,

right, you’re reconstructing it. Could I upload a file to you and then have it be, quote unquote, Votiro validated so that when someone downloaded it, they would know that it’s gone through your engine, but yet the hashes would match so that from a legal perspective, I’d still have what we need.

Aviv Grafi (35:31.868)
Yeah. So the way that we cope with the legal question is that we’re storing the original documents for an amount of time that can be configurable, obviously, but more than a year. So you can always fetch the original. If for any reason you want to fetch the original, you can always fetch it. And if you talk about digitally signed documents, we know how to reconstruct a digital signature and say, yeah, this was originally signed by John. It was re-signed by Votiro after we validated John’s signature.

So in fact, we can actually help users to double check that it was actually being signed originally by John and then reconstruct.

John Verry (36:10.206)
Okay, so I still think my approach is better and I just expect like a 10% tithing from this point forward. No, all kidding aside though.

Aviv Grafi (36:12.602)
Yeah.

Aviv Grafi (36:16.028)
Yeah, you may join our product team and…

John Verry (36:20.926)
No, no, no, actually, but I do really like that idea, right? Can you imagine that I could upload a file to your engine, you would translate that back down and then I could send that to somebody saying, hey, it’s Votiro validated, right? So even if the person receiving it doesn’t have Votiro, they still get that validation that this document is clean.

Aviv Grafi (36:45.916)
Yeah, so like a watermark or we’ll be able to check it against, yeah. Yeah. Yeah.

John Verry (36:50.11)
Yes. Yeah. Yeah. I mean, like, you know, it would be like, it would be cool to cut sort of become the Xerox of the validated documents. You know what I mean? All right. Like I said, like, you know, don’t look, look, you should end up in a three, 400 foot yacht at some point based on that idea. I’m not going to ask for a lot, maybe 30, 40 foot, you know, something.

Aviv Grafi (37:00.796)
Nice. Yeah. I like that term, the Xerox of the room, literally.

Aviv Grafi (37:14.812)
Yeah. And don’t forget, don’t forget the bottle of Arak.

John Verry (37:18.59)
A bottle? Are you that cheap? Ideas of that nature, I mean those are cases. That’s a case idea. That’s not a bottle idea, Aviv.

Aviv Grafi (37:22.62)
A bottle? A bottle?

I’m gonna, yeah. You’re gonna get a distillery, yeah, no problem. Yeah.

John Verry (37:31.142)
I want a distillery.

Aviv Grafi (37:34.236)
Okay.

John Verry (37:36.094)
All right, I think we beat this up pretty good. Any last thoughts? Anything we missed?

Aviv Grafi (37:42.552)
No, one last thing. I mean, one of the things that we launched just recently is another addition to the product. So we’re not just generating threat-free documents. Now we also know how to look into documents and tell the users and the CISO if they have PII or PCI or PHI in those documents. So not just that we’re delivering threat-free, but also PII-free because we now know how to mask and redact private information.

So actually the organization gets two protections. One is the malware protection. The second is the legal kind of thing if they’re getting private information leaked or getting into the organization.

John Verry (38:17.852)
Okay.

Instead of just masking it or redacting it, can you leave it in there but just let me know so that my data classification mechanisms work?

Aviv Grafi (38:31.644)
Of course, of course, this is an option in the product. Usually we start from detect only and then the customers say, that works. Okay, now I want to redact for certain users, for example.

John Verry (38:42.782)
Yeah, that’s pretty cool. That’s pretty cool. That’s got a lot of value. I mean, especially as you know, we move into the world of, you know, GDPR, CCPA, and now 15 state standards in the US and how many across the globe. I mean, we have one client that deals with this issue and I think we’re up to like 61 different standards in their privacy program. We help them support, which is just, yeah, it’s just nuts. All right, man, this has been fun. I appreciate it.

If somebody listening thought, hey, this is pretty cool stuff, how would they get in touch with you and Votiro?

Aviv Grafi (39:16.252)
So Votiro.com, that’s the easiest way to schedule a meeting with one of our specialists. And of course, feel free to reach out to me on LinkedIn, Aviv Grafi. And I would love to hear your feedback, love to hear your thoughts. I think that’s at least my primary way to learn the market. I want to have feedback and feel users just sharing their thoughts. That’s the best way to do that.

John Verry (39:39.806)
Sounds cool, man. Thank you again. I appreciate it. And I appreciate you jumping on. It’s, what, six hours’ difference or something like that.

Aviv Grafi (39:45.788)
Yeah, now it’s 6 p.m. in Tel Aviv.

John Verry (39:47.646)
Alright, well, go have some dinner.

Aviv Grafi (39:49.724)
Yeah, well, thank you very much, John. It was really fun. Thank you. Bye-bye.

John Verry (39:52.316)
Thanks, Aviv. Same here.