Welcome to The Core Strength Podcast, a place for network security professionals who care about getting the basics right. Each episode brings together experienced practitioners to share insights, stories, and practical lessons from the field.
Welcome to the Core Strength podcast. Every piece of data you create, every system you rely on, and now every AI agent you deploy, it all runs through one place, the network. The network is the foundation. On Core Strength, we bring together people who actually secure modern networks. Security engineers, network architects, leaders, and builders.
Richie Hartnett:Together, we break down how it really works. The decisions, the trade offs, and the lessons learned from operating at scale in the real world. Let's get into it.
Ross Haleliuk:Assaf, welcome to the podcast. Super happy to have you.
Assaf Keren:Happy to be here. How are you doing?
Ross Haleliuk:Doing fantastic. I'm really excited about this conversation. There aren't many conversations happening about network security, and it's definitely something that's very much needed. So as a way to kick this off, let's start by talking about how we got where we are today. I think several weeks ago when we talked, you mentioned Han Solo, and I was able to look up the quote you've referenced when in Star Wars, Han Solo talks about forces, hokey religions, and ancient weapons.
Ross Haleliuk:And it surely feels like what people think network is today as well. How did we end up here? Why do people say that network security is outdated? And when they say that, what do they actually mean?
Assaf Keren:So I think that there has been I wouldn't call it a dumbing down of network and network security, but there's definitely been a shift in the in the knowledge that is needed to to get into the security world and and to do security work. And when I started doing security work, I'm I'm not gonna date myself here, but let's say it was more than twenty years ago, you got into security through either through network or through programming or risk governance policy, those kinds of things. And a lot of what you needed to know was how the network is gonna behave. Like, a lot of us got started by deploying IDSs. And to deploy an IDS, you need to understand what network looks like, and you need to understand the OSI model, and you need to write rules and send different protocols, etcetera.
Assaf Keren:And somewhere along the line of modernization, as we've had more and more tools do this for us and we've had more and more companies shift to the cloud, we lost that knowledge and the appreciation of that knowledge. And because of that, when you step into a modern security operations center, the level of know how on network and how the network works and how to configure things is almost nonexistent. They know a lot more about containers. They know a lot more about cloud infrastructure, which is great, but we kinda lost the muscle as an industry on this very important piece of how we manage data transmission and entry into our product, etcetera. And some would say that's a good thing because there is such a good abstraction there right now in the cloud environment, in other places that you don't need to know as much in the cloud or the SaaS providers are doing it for you.
Assaf Keren:There is something to be said about understanding the basics.
Richie Hartnett:If we were to look at where companies are today, and I know you've worked across a number of different companies, and if we're kind of being brutally honest about across these different companies, what does the average network security maturity look like today? You know, what comes to mind for you? What have you seen?
Assaf Keren:I think that, again, brutally honest, the level of network security this day and age is more dependent on the maturity of the network team than it is on the maturity of the security team. When it comes to security, a lot of the security teams have relegated the network the NetSec work to checkbox compliance. So I need to do this thing. I need to review a rule. I need to do this thing.
Assaf Keren:I need to make sure that things are okay in my management portal rather than a deep understanding. There are really strong network teams out there, and there are amazing concepts that have creeped into our life with the advent of cloud computing, where you can do more strict network management, crosses from the third layer to the seventh layer with stuff like Istio and Envoy proxy at the seventh layer, but also GLBs and routers and cloud routers that are more application context based. If I need to count the number of truly modern, inspiring network and network security implementations I've seen, it's a small number of companies that actually get there.
Ross Haleliuk:And why is that?
Assaf Keren:Because it's hard. Because network is one of those things that either works or doesn't work. And when it doesn't work, everything breaks down. When it works, then nobody thinks about it. Because you need to at least the security team, need to prioritize where you're going to put your your buck.
Assaf Keren:Look. Even in this space, okay, let's take even something that is a bit more modern. And then let's say firewalls. Okay? Firewalls have been with us for a long long time, and there have been a bunch of companies that made a lot of money on next gen firewalls.
Assaf Keren:Next gen firewalls are what? 20 years old now? Fifteen, twenty years old now? So, like, maybe it's time to to for next gen next gen firewall, which was like the next gen firewall is an application aware firewall. Like, that that's what we we deployed.
Assaf Keren:The but let's say something a bit more modern. Let's take web application firewalls, for example. Even there, most security teams have offloaded the management of their web application firewalls to their SaaS vendors. And where you had and I'm not gonna name specific vendors here because I don't wanna get in trouble, but where you've had bespoke WAF companies that were selling WAF solutions and appliances. If you remember, we used to have these things that came in pizzas or in two, three U's, and you put them in a data center.
Assaf Keren:Like, that's the olden days, and connect them to stuff. So we you would sell appliances that have a web application firewall on it, you have to understand the topography of the environment, the web application firewalls are almost all of them has been relegated into a checkbox feature in the CDN. And the CDN vendors are running most of the web application firewall. Now that is that a bad thing? No.
Assaf Keren:They probably have more understanding of network, and they probably have more understanding of attacks than most companies out there. But is it okay for security teams not to understand their web application protection stance because somebody else is doing it for them? Probably not. And but when you think about all of the things that security teams need to deal with and the growing apparatus that security teams need to deal with. Because if you would go to fifteen years ago, network and web application firewall was a big, big thing because it was one of the five things that security team had to do.
Assaf Keren:And now you have CSPMs and SSPMs and ASPMs and, like, an explosion in business apps and this explosion of things. And so it's easy to go and say, okay. Network, somebody else is doing it, and they're doing it okay because it's up and running, and I'm not seeing a ton of attacks. And even denial of service attacks, which is something that we've seen a lot of, let's say, five years ago, are less prevailing today because of the fact that we do have good content distribution networks, and we all do have cloud vendors that are managing that and kind of subsidizing that for security teams.
Ross Haleliuk:So it sounds like network is a solved problem then.
Assaf Keren:No. It's not. I wish it was. The much like driving, which is gonna be something that none of us do in ten years because our cars will drive for us, we still need to be able to take the wheel in our hands and be able to drive. And the end and transparent truth is that the easiest way to get into an environment is through the network.
Assaf Keren:And not having the understanding of how your network is built and what protections you have and what are the right protections in place, etcetera, is I wouldn't say a dereliction of duty, but it is a risk factor that a lot of people are not taking into account when they are building their security programs right now.
Ross Haleliuk:It's interesting because when you're talking about networks, you're primarily talking about cloud and the modern environment. But the reality is that probably 95% of the enterprises I don't know what the exact number is, but the vast majority of the enterprises are hybrid. Barely anyone, unless you've started over the past, like, five to seven years, is going to be cloud only.
Assaf Keren:I yes. And and the the seam there is not a is not a good seam. Like, those are a lot a lot of the the risks that we have is in the the traverse between on prem switches to cloud switches and how you deploy. And and even more than that, like, one of the things that have been really interesting to see when when you look at cloud migrations, the cloud and and I told you, like, I've there there is a lot to do with modern network implementation and and security for modern network implementations where they are cloud native. Most companies don't do that because they they are bound to their on prem network architecture.
Assaf Keren:So what they're creating is actually a copy of their on prem network architecture in the cloud, and that's suboptimal. And that becomes very, very complicated very, very fast. I'm not gonna share too much detail because, you know, confidentiality and stuff like that. But the places where I've seen the biggest impact to companies is where they had a network configuration that bit them in the ass during an incident. And they didn't know about it.
Assaf Keren:Didn't know anything about it. They didn't know it was there even. But bad network configuration can be detrimental to the level of extinction for for companies, And this shift into the cloud is a dangerous shift because you're either creating two different network architectures that need to talk to each other, or you're creating a non optimal network on the cloud because you're beholden to a hybrid system and you wanna keep things the same way. Does that make sense? Or am I talking nonsense?
Richie Hartnett:No. It does make sense. And I think when people talk about network security and talk about some of the challenges there, they often talk about implementing, like, the fundamentals. Right? And I think as you look at network security, there's so many different layers, so many different tools, so many different ways to implement those fundamentals.
Richie Hartnett:So you as a security leader, as you're thinking about the best implementation for your network security, what are some of those fundamentals that you touch on?
Assaf Keren:One, I think it's important that we understand the basics. I've had an argument once. Almost 10 years ago, I had an argument with somebody, and we were talking about hiring a SOC analyst. And I wouldn't hire a SOC analyst that didn't understand the OSI seven layer model. Because in my mind, that's part of the basic knowledge of a SOC analyst is to understand the layers, even though some of them are pretty obtuse these days, but fine.
Assaf Keren:The I think understanding the basics, I think understanding what connectivity goes, what are the bulkhead patterns that we're creating in the environment to prevent a cascading failure. If something happens in one environment and we wanna keep other environments safe, how do you build speed bumps into the network environment to prevent something from being able to traverse your entire like, east to west traverse really, really quickly. The whole conversation around east to west, north south, defense in depth, how are you generally speaking, and this is not a network security statement, this is a security statement, but I think it ties into network security as well. In my mind, security is a problem of coverage and efficiency. So the question is, how are you covering all of the risks within the network environment, and how efficient is the tooling that you have in place to combat the threats that you've defined that you wanna fight?
Assaf Keren:And that can be done through different measures. It can be done through if you're really afraid of denial of service attacks. Do you have a scrubbing center? Do you not have a scrubbing center? Do you have a CDN?
Assaf Keren:Do you not have a CDN? Do you have the reaction response mechanisms in place if something happens to do it? If you're interested in web attacks, do you have a web application firewall? Do you have the right rules in the web application firewall? If you are multi cloud or hybrid, how do you create a trusted architecture between different zones and different areas?
Assaf Keren:How do you manage your BGP? How do you manage your DNS? Like, it is so many companies lost parts of their business because they had one DNS provider and no fallback, and that DNS provider went away. Like, what kind of BCP do you have? Do you have excessive routing?
Assaf Keren:Non there there is so much there. I I think the definition is what what are the threats that I'm worried about, and then do I have coverage to understand them, and do I have efficiency? Do I can is is what I have in place efficient in managing that threat or that risk?
Ross Haleliuk:It's interesting because you've stated a few things that sound somehow contradicting to me. You said that people are not paying enough attention to the fundamentals. There is not enough expertise and not enough attention to layers, like, such as network. But then you've also said that we are not seeing that many network layer attacks. And yet you've also said that network is the easiest path to get into the company.
Ross Haleliuk:How can all of those things be true at the same time?
Assaf Keren:Well, I think yeah. I said we're seeing less DDoS attacks, and we're probably not seeing less DDoS attacks. We're just seeing if you go and talk to Cloudflare or Akamai or AGO, whatever CDN company, they'll tell you, or Google or Amazon or Microsoft that are fronting most of the traffic on the Internet, they'll tell you that they're seeing a lot of DDoS attacks. They're just managing them, where this was a much bigger problem five years ago or ten years ago. And I think that that is part of the promise of what a modern architecture can look like if we go down that path.
Assaf Keren:But that is one problem in a set of different problems. I'm not I don't I don't think we're seeing less in other places. Actually, we can't have a conversation now this day and age without discussing AI. Right? Of course.
Assaf Keren:We are on the verge of a world where the biggest defense mechanism in the security world is gonna be non relevant, and that is security by obscurity. Now people will tell you security by obscurity is not good, and you shouldn't count on obscurity, and that's not how things happen, and it's been a really bad practice for a long long time if you do it, and I agree. But still, a lot of companies, knowingly or unknowingly, are being saved by the fact that attackers cannot identify and find and don't have the bandwidth to go and attack everything in the environment. Unlike all of us that work in a corporate governance structure, attackers don't have anybody telling them not to use ChatGPT or agentic models or Grok or a Chinese model or what or DeepSeek or whatever. And they're going to use it for nefarious reasons.
Assaf Keren:And the same way, it's now much easier for me to write a ton of email back to my kid's school because I don't need to think about it, and I'm just operating my agent to go and answer automatically in places. The attackers are going to be able to scan everything and attack everything. And so the while there is archaic or arcane, I don't know, knowledge that's missing, we're sitting in front of a few years where the attackers will have the upper hand when you think about attack financial dynamics of attacks. And financial, not in the sense of how much money it costs, but in the sense of how much bandwidth attacking teams are gonna have versus defending teams. And we're going to need, as an industry, to shift into a much more robust stance in proactively managing the exposure that we have, and that starts with the network.
Assaf Keren:We talk a ton about vulnerability management, but the the first way to remove vulnerability is not to expose something that shouldn't be exposed to the Internet. Like, that's number one. So really the management of of assets and the setting of network topology, understanding what connects to what, what are the paths that we have, do we have the right things in place, that's gonna be so much important so much more important in the next couple of years because it will take time for us as an industry to ramp up and and bring the same technology or similar technology in the hands of defenders. And that's not because there aren't startups or companies or teams are thinking and building those capabilities because it takes us time. It it is we are more reluctant to go and and adopt those technologies.
Assaf Keren:And that will those two years are frightening. Probably the long term is more optimistic, but those two years are frightening. Two, three years are frightening. And as part of that, definitely a conversation around network management and and it's gonna be more important. DDoS probably has a problem right now.
Assaf Keren:Now, I've said this, and two days from after this gets published, we're gonna see a huge DDoS attack that will take half of the East Coast or something like that, but I hope not. But generally speaking, less of a problem now because we've created good structures in place to combat it.
Richie Hartnett:And when you think about from the attacker side, their ability to do more with less, you know, when I think about it, the network layer, what that means for controls, like, first thing that comes to mind is segmentation. Right? Like, making the assumption that someone's in your network and ensuring that they can't traverse through it. What else comes to mind for you? Like, what kind of concepts around the network level become more important when we think about controls in this new era?
Assaf Keren:I'm sorry. I'm repeating myself, but I think going back to first understanding your network stance and how information or how packets flow from one place to another. Understanding your North to south infrastructure and how things get from an untrusted network into a trusted network. Understanding your East West infrastructure and how things traverse across your environment. Segmentation is a path or a way to do that.
Assaf Keren:There are other things that you can do. You can you can go all in Envoy and do app to app. Not even segmentation. Just very, very clear app to app topology that is very strict and structured. That that's something you can do.
Assaf Keren:Understanding where attacks come from and what attackers can attack. So it's both the exposure of your your applications and the application stack on top of the network, but it's also the exposure of the network infrastructure itself. All the way to completely non network stuff, but how are you protecting your admin console on your favorite cloud? Or how are you protecting your admin console on your on prem, which are also going like, if somebody opens up a a backdoor VPN into your environment, you might wanna wanna know about it because somebody just created a way to go into your environment without you knowing. So there is a lot there to to think about.
Assaf Keren:I think it goes back to structural architectural, like, what are we afraid of? And map that out, and then base what what are they talking about? Shut up. And then I got into the business of installing IDSs and and writing IDS rules and and developing stuff and and and sitting down with the network team and learning BGP and and other things. And it was eye opening to me to know how much I didn't know.
Assaf Keren:I created a lot of really good relationship with really good people. Some of the best network engineers I've met in my life worked in that specific unit. We should be friends. We should share knowledge. We security people should should completely admit that there are things that we don't know and that other people know better than us.
Assaf Keren:And I think most people this this is gonna be a spicy sadly, this is gonna be a spicy comment. Most people, network engineers and developers, would want to do the right thing given the opportunity to do the right thing. We need to create space, time, and support for them to do that. And the baseline, oh, they don't wanna do the right thing because they're lazy, or they don't wanna do the right thing because they don't care about security, or they don't wanna do the it's not true. But usually, it is because they are overworked, underinvested in, and we have not built the right visibility, tooling, and capability for them to do the right thing.
Assaf Keren:And they will gladly build the best network out there that is the most secure network out there, given the chance. I might not be able to go to RSA after this conversation because I'll be burned at the stake.
Richie Hartnett:That was good. We needed a spicy Assaf take there on the podcast.
Assaf Keren:I have more spicy takes, but I'm not sure now, like
Ross Haleliuk:Yeah. I mean, like, look, it is it is very interesting. In fact, I I think I've read the comment the other day that in the past, the majority of the network changes were driven by the performance needs. But today, in a lot of the environments, it's the security needs and security policies that are driving network changes in network management. To what degree do you think that's actually the case?
Assaf Keren:No. I think it's a mix. I think and also depending on the organization. There is also a lot of times, we will do things for the sake of compliance, not for the sake of security. So you'll have compliance check boxes that make you do something that isn't certainly the right thing to do, but because the certification you're going after or the regulation that you're being imposed was written 15 years ago and not updated since, then you're doing things that you shouldn't be doing.
Assaf Keren:But I I think that it's a fifty fifty mix between performance, uptime, reliability, and security. It can be a bit different in different places, in different organizations, different zones. Like for us, for example, our our gov environment is probably more skewed towards security requirements than our commercial environment because there are higher there is a higher level of scrutiny and higher level of architectural changes that need to happen for governments to live because that's part of the the certification. That's the right thing to do. But the but different businesses, different requirements, I think.
Ross Haleliuk:Assaf, as we are moving towards the close of the conversation, the one last topic I would really like to deep dive into is the question of security maturity as it relates to the network. And specifically, in practical terms, what does a company that is looking to get more mature, that is looking to improve their state of security on the network layer, what does that company need to do? You know, there is obviously a lot of talk about investing into fundamentals and and and AI and and so on and so forth. But what does that journey look like? Where do they start?
Ross Haleliuk:What are maybe different stages or different levels that they should be thinking about as they're going through them?
Assaf Keren:I'm gonna sound like a broken record, but that's okay. That means that I'm keeping the same line here. It's really like the phase the baseline is understanding what you have, understanding where it is, and seeing what are the key role rules that pertain to that place and or that network and build the threat model and look at the efficiency and coverage of the controls that you have versus that threat model. That's the baseline. The more you're able to start thinking about how do I create this efficiency for coverage for efficiency.
Assaf Keren:Because like I said, security by obscurity is not gonna work anymore. And we start pretty proactive on these things that a lot of us know are in the environment, but we don't have time or muscle to go and fix. Now, we're not none of us are gonna get a lot more budget because attackers now are able to go and utilize AI models. We need to start using AI models as well in order to free up our people to really tackle the important things.
Ross Haleliuk:One last question for you, Assaf. As we are talking about network security, and it's 2026, What are you excited about as it relates to network, as it relates to the fundamentals, as it relates to really companies focusing on the basics and the controls that they should be focusing on?
Assaf Keren:I'm excited about asset management. I'm excited about really doing the basics well and and driving that efficiency up. I think there is way too much sparkling things that let's fix the core problems, the core big problems that we have as an industry and do it in a way that is cost efficient and the time to value is is fast.