theCUBE + NYSE Wired: Zero Trust Cyber Series | Ori Eisen, Trusona

Clips
More from theCUBE + NYSE Wired: Zero Trust Cyber Series

Ori Eisen

CEO & Founder

Trusona

play_circle_outline GenAI Deepfakes vs. KYC: Realistic Fake Passports, Documents and Voice Cloning

play_circle_outline Ori Eisen on AI-Native Security: How Generative Agents Fuel Mass-Scale Social Engineering and Fraud

play_circle_outline Beyond AI-vs-AI: Privacy-First Identity Verification Using Authoritative Data, Phone Checks, and MITM Defenses

play_circle_outline Focus on protecting enterprises, critical infrastructure, and preventing account takeover

play_circle_outline Go-to-market via partners, MSSPs, and enterprise MSAs; licensed per transaction

Info
Transcript

Ori Eisen, Trusona

Ori Eisen

CEO & Founder Trusona

In this interview from theCUBE + NYSE Wired: Cyber Security Leaders, Ori Eisen, founder and chief executive officer of Trusona, joins theCUBE's John Furrier to discuss how physical-world identity anchors can defeat AI-powered impersonation and fraud. Eisen opens with a stark assessment of the threat landscape: GenAI has lowered the barrier to cybercrime so dramatically that scam losses doubled from $10 billion to $20 billion in a single year, with bad actors now deploying armies of autonomous agents around the clock. Rather than fight AI with AI, Trusona step... Read more

explore Keep Exploring

What is your view of the current state of cybersecurity with respect to generative AI, and does it represent a market opportunity for both defenders and attackers? add

How large is the opportunity for attackers to exploit identity and financial systems (for example via outdated passport processes) given advances in automation and AI, and how adequate are the current infrastructure and tools that protect our money? add

How does your identity‑verification solution prevent AI‑enabled impersonation, and why does it rely on real‑world checks (phone/SIM checks, authoritative records like DMVs, physical assets) instead of storing user data or relying solely on AI/biometrics? add

What are your views on the growing cyber threat to critical infrastructure and what should companies and governments do to respond? add

How does the company generate revenue? add

bolt Powered by CUBE AI

Ori Eisen, Trusona

search

>> Hello, I'm John Furrier with theCUBE here at theCUBE's NYSE studio. Of course, we have our Palo Alto studio connecting Silicon Valley and Wall Street. This is our Cyber Security Leaders series. We feature leaders who are making breakthroughs, enabling the security posture to be embedded into the AI native world we're moving into as the AI infrastructure continues to build out. As generative AI and agents proliferate, more and more security threat vectors appear, the surface areas, everything. Ori Eisen's here. He's the founder and CEO of Trusona. I got a demo yesterday here at the NYSE. Ori, great to see you again.

>> Thank you for having me.

>> Welcome to theCUBE. Thanks for coming on.

>> Thank you, John.

>> In the cybersecurity leads, we've been documenting a lot of things, endpoint protection. Obviously we saw, go back two years ago, RSA, Black Hat, pick your event. AI... Oh, AI's never gone security. They're poo-pooing agents.

>> Yes.

>> Last year, we use agents all the time. This year, oh my God, agents are bad. So we were seeing that cycle of evolution of AI now realized it's now part of the fabric. We see the good guys trying to keep up. The bad guys are also leveling up faster. This is a huge issue. And you have a really unique breakthrough. I saw the demo. We're going to get that in a second. But first, share with me and the audience your vision of the current state of cyber with respect to GenAI as a market opportunity for both sides.

>> Yes. I love AI and I love what AI can do for us, but I also know what it can do for the bad guys. 20 years ago, if I needed to know that your passport is real, all I had to do is take a picture of it, check that the font looks okay, and we're good. As of three years ago, I can make your passport without any skill just by asking for it and prompting for it. And the same KYC methods that big banks and every company you know are still the same. They're from 10 years ago, not taking into effect the whole GenAI deepfake. So AI is amazing and it will change the world, but it's also amazing in the wrong hand, unfortunately. We see the numbers of fraud growing year over year like they've never have. And I don't think it's going to change unless we will change as an industry.

>> Yeah. AI has certainly accelerated the bad guy's ability to spoof credentials. We've seen sim hacks. We've seen all kinds of methods. You can stop gap it, put your finger in the dyke and hope it doesn't break. So it's real. There's no debate. I want to get your thoughts and views on the order of magnitude. So scope the fraud, the hacker. Because your career, you've been fighting cyber crime for-

>> For 25 years....

>> 25 years. I was going to say 30 years, but 25. A long time.

>> Yes.

>> But you've seen the infrastructure and the tools and systems in the past. A lot of them still brittle. Some of them antiquated, outdated. You mentioned an example with the passport. Scope the order of magnitude of how big the opportunity is for the bad guys and the state of the infrastructure and tools that are protecting our money.

>> The first five years I was still learning my craft, so that's why I give myself a five-year discount. I'll start with 30 years ago. I befriended people like Kevin Mitnick and Frank Abagnale. Why? Because they're really, really good at what they were doing, being social engineers. And I wanted to learn, how do you do what you do? And at that time, you had to be them to do what they do. To have the mannerism, the ability, the technical skill to print. Today, I can have a million agents working at my behest all night long while I'm sleeping, sending scripts to people. So it went from, you needed a person with special abilities to be there in person, to hackers who could automate some things, but not the documents, because that required finesse, to now, just tell AI what you want. So imagine you have an army of agents that you instruct them, "Go find vulnerabilities in a process." And I'm not going to talk about Mythos. Talk about what we have today. And you can go to sleep and wake up with a lot of money.

>> So the entrepreneurial regime has always been, "Print money while you're sleeping." The bad guys have it now.

>> Absolutely.

>> They have the secret superpower.

>> Absolutely.

>> They got the keys to the kingdom. They're just a matter of time.

>> Yes. So it's already happening. You'll probably start seeing it in large companies reporting at the end of this year. But in some areas like scams, we already see a jump from 10 billion a year to 20 billion in 12 months. And it's just because of automation and ease.

>> It used to be easy if you were in the tech industry or not, you could kind of see the tell signs. "Oh, that Bank of America or Wells Fargo URL is not the fully qualified domain name." Okay. Most people still didn't know, but most people was, "Oh, it's not... Bad URL." Then you got the bad English from the people like-

>> And what did we give them? Perfect English creation.

>> And now we have image, multimodal capability. So now, to the Frank Abagnale example, the tools to produce-

>> Exactly....

>> the kinds of what were thought impenetrable systems, with physical.

>> Yes.

>> So physical goods are here. This is real and we've all experienced it now. I mean, I get text messages, "John, you want to play a round of golf?" Well, at least now I play golf. I get some other ones like, "Hey, I've been seeing you for coffee in a while." "Okay, what's that number?" Okay, so I don't respond, but most people say, "Who's this?"

>> Exactly.

>> "I got somebody." So there are tricks. We're all seeing it.

>> Yes.

>> What should we be doing and how are you doing this venture to protect us? Take us through the thought process, state of the market, obviously huge, checks the box on the total addressable market.

>> Yes.

>> Your new venture is targeting specific use case. Explain.

>> I'll answer your question from the attack surface like you asked before. If you're a CEO listening to this, I'll start with the first thing you should do. There's 10 things you should do, but let's start with one fire. I won't mention name. They're a company who's traded in this building and they're an airline. Imagine their CEO being interviewed on one of the shows, just like this one, so the bad guys have a perfect sense of his voice. With two minutes of his voice, they can now clone the voice, call the IT help desk off this airline and say, "Hi, I'm the CEO. I need to reset my password quick because I'm getting into a board meeting." What do you do now? When the recording of this was played to the CEO, that person said, "I would've not known that this is not me. This is how good it is." So if you're listening to this, think about all the attack vectors of where GenAI, social engineering can hit you. IT Hubdesk is the number one. Think about groups like Scattered Spider, ShinyHunters. They have taken down the largest brands with one phone call and now go department by department. When you interview with HR, how do you know this person is not from North Korea? When you get an email to finance, "Hey, we're your vendor and we changed our bank account, so please pay us over there." How do you know who just sent that? And the last thing is your customers. There's a crime called account takeover. Let's just say you have a million miles in your flyer account. I call in and I redeem half a million of them. How do they really know it's you? Because of username and password? Come on.

>> Okay. So that's the hack. All right. Talk us through the solutions. I saw your demo yesterday, very strong demo. I gave it my best attempt to throw water on it and it was great. So explain your process.

>> The strategy of the solution is this. If we were to say, "Let's fight fire with fire or AI with AI," we would've lost. Why? Because we don't have the same power as OpenAI to go develop models. No single company can do that anymore. So that strategy is just flawed. What we are doing is the equivalent of a touring test. But for you, John, meaning what? I'm taking two steps back from where the race is going, to a place where AI cannot chase us. What does that mean? AI cannot own your phone and your records in your name. It just doesn't have a phone to begin with. So one of our test is, if you claim to be John, I'm going to text you something to make sure that there is an account with that. The second thing is sim swap attacks, as you ... We asked the telephone company, "Is this phone recently sim swapped?" The next attack these guys do is what's called, Man in the Middle. Someone calls you, say, "Hey, I'm from the bank," but they're actually calling the bank on another line and they're just using you in the middle. We check for that. Then we go to authoritative sources. How do I know that this document is real? I can't tell visually anymore. That was robbed, right? So we are the first company that had access to the DMVs to ask, "Is the data that we just presented to you in your official record?" Now you should ask, "So what?" AI can make a beautiful looking document of you with your face, but it doesn't know, what is the expiration date of your real document? So if you don't have that data, your height, your weight, your eye color, it cannot really match to the source. And I'll stop there. The rest you can see in our demo. But we are checking things that AI cannot chase us in, going back in time.

>> So Trusona is the name. T-R-U-S-O-N-A. Why that name?

>> The fusion of true and persona. To really know who's on the other end. Because I think we are now going to be pushed where the perimeter is the identity on the other end. No longer username and password, no longer MFA, no longer biometrics even. All these things now can be copied and now we really need to know, who is the person.

>> So I might say, Ori, that's too good to be true. It must be fake.

>> Yes.

>> How legit is it? You mentioned the DMV. How did you get those records? What if you're hacked?

>> Yes. Very good.

>> These are questions that I would say, "Okay, prove it."

>> Love it. Let's go slow. First of all, we don't store any of your data as opposed to other vendors who want to build a data asset. It's a mistake. Every company can get hacked. There's two kind of companies, those that were hacked and know it and those that were hacked and simply don't know it. We don't store any of it. Took us 10 years to get through the DMVs because it is a very difficult task to integrate. Even my board member that you know him, Ted Schlein, after two years of this work say, "Why are you doing this? It's never going to work because it's so slow." But I don't want to call it our moat because that is a technical business term. I want to call it what needs to be done to fight this. And we are determined as a team, many of us came from fraud fighting careers. And we know what happens when the money gets stolen, so we don't store any of the data. But I'll say, if you look at who our investors are, who our advisors are, including people like Frank Abagnale, Kevin Mitnick was a user of the software before he passed away. You will see that there is something there and we're putting our money behind it. If you can break it, we'll give you 10,000.

>> And a lot of people are interested. I know a lot of whales that have crypto, crypto wallets. There's a lot of money to be had here. Talk about the physical side of this, because I won't say it's physical AI, but you're using the physical assets as an advantage.

>> Correct.

>> It's part of your secret sauce.

>> Correct.

>> Now you kind of grinded it out with the DMV, but people might not have a driver's license.

>> That's right.

>> So what other mechanisms are you using to help me determine that, "Oh, this is a North Korea call," or what if they come through a different thing? What are some of the details? Share.

>> Let's simulate that you are on a Zoom call interviewing somebody and there is video. First of all, if I was a hacker, I would just turn off my video and say, "Sorry, John, for religious regions, I can't show you my face." And there goes the channel by which you are hoping to detect something is fake. So we are not relying on the hacker to do anything that is not adversarial. The checks that we do go back to the real world because that's where AI cannot be. So it cannot have a phone registered to you. It cannot have a driver license that is real, not just an image that is you. We also use GPS. So as I showed you in the demo, I was literally here in this building telling you I'm visiting today at the New York Stock Exchange. And our software said, "Yeah, Ori Eisen lives not here, he's in Arizona. The IP address is coming out of New York. So he's either using a VPN," which by the way would've told you, but it wasn't, "but he's physically here." And you're like, "Yes, he's right next to me." So when you have all those things crisscross, you cannot waltz into people's account.

>> So passports... What are the docs? Name some of that.

>> We have 2,500 documents in the free demo that all your listeners can go try on our website. We have the top 11, so passport from every country, US driver license, UK driver license, India, Singapore, and so forth. But in our software, we are connected to every country that has mechanism to validate. I'll give you the bad news so you don't have to dig for it. In Zambia, for example, there is no DMV. So I don't have an API to verify their passports. It doesn't exist. So I'll take you as far as I can with the technology that exists.

>> So that's a gap in your system?

>> That is the only gap because it doesn't exist. But as soon as new DMVs come up, we connect to them immediately.

>> You got to check on those. You got to do the work. Talk about the momentum. When was the company founded? What's the status of the company? Obviously, it's a killer solution. It solves a multifactor authentication in spades. I'm sure I want to get to know what that means later.

>> Yes.

>> Share some of this...

>> So the company was started 10 years ago, backed by Kleiner Perkins, Microsoft, and Georgian Partners. We do have some very famous individual investors. We spent the first two years in stealth mode, just to go create all the connectivity. And even then we only had about 20 DMVs and that was not good enough for any bank. So we just kept going and going and going. We're now at 80% because the rest of the DMVs just are not connected yet. So as soon as they will be, we will be with them. The company had a 500% year-over-year growth last year. And again, it's a direct result of what's happening in the market. There might be a war out there in the world right now that causes oil and gas companies to come to us. We've just implemented a giant, like a Fortune 100 in less than four days. And that should tell you everything you need to know about-

>> How many employees do you have now?

>> 16.

>> So small still?

>> It will stay small. AI is a beautiful thing, as I said before.

>> What is the growth strategy?

>> Yes. The growth strategy is, we're going through partners like CDW, Guidepoint, Carahsoft to sell through. And this is my fourth and maybe last startup, I'll give your founders who are listening to this the best advice. I wish I knew it 20 years ago. 20 years ago, I did a company called the 41st Parameter that was eventually acquired by Experian. I wanted to own all the MSAs. And it was not because I was wise, it's because I thought that that is the key to things you can control. Yes, it's good, but you're losing time, and time is money. I'd rather give my partners 20% of the deal, but get the MSA today. That's all I'm going to say.

>> Got it.

>> The growth strategy is not... We do sell direct if you're-

>> So you're on a rapid accelerated-

>> Yes. Through partners....

>> grow through partners. They have customers. They can deploy. -

>> They have an MSA that they can just add us to, as opposed to start a whole new vendor relationship.

>> And just for the founders to know, it's like getting a federal grant.

>> Exactly.

>> It's hard. Getting an MSA is very difficult. So good. Good go to market strategy, lean and mean. Products got scaled to, you mentioned four days. Talk about the integration. Okay. Say I'm sold. Okay. Integrator comes in, co-selling or whatever, sell through, you're enabling them. Okay, I want to do this.

>> Yes.

>> What do I do?

>> Here's what you need to do. The demo that you're pointing people to has our domain in the links we sent. Clearly you don't want to use Trusona.com because your employees don't know who Trusona is, but they know who you are. So the only thing you need to do is add what's called the DNS record that allows us to host pages on your behalf, which is the page that people will see with your domain. That takes about 20 to 30 minutes at most, but you need to open a ticket and it could take two days for a large company-

>> Propagate on DNS.

>> Exactly.

>> Especially DNS.

>> Exactly.

>> A DNS entry. So you're in the infrastructure-

>> That's it. We do the rest.

>> Nothing else is done?

>> You can then take our training if you want to, which is offered as part of the service, like tips and tricks. How to listen to a fraudster if they're putting you on mute. Why are you putting me on mute? Because they're puppeteering the customer, right? So we do teach that-

>> The man in the middle attack.

>> Yeah, things like that. Even though the software catches it, but it gives you as the agent some idea of what's happening. You don't have to do it, but that's another one hour course and you're ready to go. Most people do it from the morning to the evening and they could be on the software.

>> All right. So talk about the conversation with customers.

>> Yes.

>> Do you get a lot of this, it's too good to be true?

>> Yes.

>> And what are some of the competitors saying? Are they shaking their boots? What's the vibe there?

>> Let's start with the customers. I usually pitch to CISOs, or CIOs, or people who run very large help desk. When I was working at American Express, I was sitting in call centers with 10,000 people. So I'm very familiar with the mindset and the churn, and what does it take to do operationally this job well. I stopped... And this is again, people like Ted Schlein have taught me over my career, "Don't tell people your software is great. Let them get to that conclusion on their own." So what I do is what I did with you, John. I said, "I don't want to show you any slides or say... I just want you to use the software. It takes seven minutes. If after that you still have questions, I'll answer them. But every word I will say will sound too fantastic, you'll just say, "That can't be." So let me just show you.

>> It's not vaporware. The phrase that's come up here on our Cube Practitioner Series from end users is, in the gen AI areas, "Demo, not a memo."

>> Yeah. Don't send a memo, show a demo.

>> Show them a demo. Because you can create demos and you can also simulate.

>> Yes. So this is live, this is real. About our competitors, I will say this. The good news and bad news is we don't have competition in the sense that most people still do what we were doing 20 years ago. That space is called IDV or identity verification. And it's essentially scanning a document and trying to ascertain, "Does this look legit?" Those days are over the minute GenAI deepfakes came into the world. I'm working to, again, wake up people to say, "That is not a game anymore. We are now in the identity impersonation game." It's not, "Is this document looking legit?" They all do. But, "Is this John on the other end?" And that's what I want our competitors to also realize, you're not competing with me if you are trying to solve this problem.

>> Your breakthrough idea was to go, as you said earlier, go where AI can't go.

>> Can't go. Exactly.

>> And that was fundamental.

>> Correct.

>> And that was because you-

>> Zig when they zag.

>> Yeah. Zig when they zag. Okay. So what's your vision on how this plays out? What are your focus on? What are you optimizing for? What's going to happen next?

>> I'm a big believer in organizations like InfraGard, that are protecting the very fabric of society. I do think that the cyber wars are not really being seen by ordinary people. For example, dams, knobs being twisted over the internet. I want all companies in the United States first, and I'm very clear about that, to wake up and protect themselves. Because when they go down or when they pay ransom money, unfortunately that money is used for very, very-

>> Reinvested into the team.

>> Unfortunately. So that's my first goal. And I'll do whatever it takes. I sometimes give our software for free if I see that somebody's within a budget cycle. You know how... Anyway, this is Wall Street. You know how the quarter runs the show. After that, I do think that-

>> You're thinking about the enterprises who are essentially under attack.

>> Yes. As we speak.

>> If this was physical world and a helicopter dropped on top of the Bank of America building, they slid down their rope and took over the money, the US government would probably roll some tanks in.

>> You got it.

>> But if you come in digitally-

>> But you don't see it, it's coming-

>> If you come in digitally, they have to create their own mercenary army.

>> You're exactly right.

>> And this is on their tax. They're paying for it.

>> That is exactly-

>> And they're paying taxes.

>> And we are paying for it as a society. I'm not an altruistic guy, I'm a capitalistic guy, but I do see the effect on society when... I think it was Jaguar that was taken down for three weeks, their whole manufacturing line. Now you can still tell me it's a cyber attack. This is the real factory that is being shut down. That is real.

>> Yeah. The definition of critical infrastructure used to be regulated to dams, power grids. Now they include hospitals because of ransomware.

>> Exactly.

>> We all live-

>> Financial markets....

>> critical infrastructure. Basic human rights is, "I have money. I earned it. I want to protect it," but yet they're feeling the pain every day.

>> Correct.

>> You're one text away from getting siphoned out of all of your cash.

>> Unfortunately.

>> This is the current state.

>> That is correct.

>> You agree with that?

>> I do agree with that. I see it every single day. Now, people feel ashamed when they get duped, but I would just say, "Stop. That is not the right thing to do." Anybody now could get duped because the fakes are just so good. You need to build your defenses in a way that can cut through GenAI deepfakes as opposed to just feel, "How come I didn't catch it?" That is not a game we can play anymore.

>> Okay. So every successful company that I've interviewed over the years, they all have kind of one pattern. They either have a platform, a moat, technical moat. You have a nice physical AI moat through your process, which creates a high barrier to entry, a lot of DMV to go get and other sources.

>> Yes.

>> And the ones that are successful have an ecosystem. You get a channel, that's your go to-market.

>> Yes, that's my go-to-market.

>> Are there other partner opportunities that you're envisioning that you would see emerge from your evolution and your trajectory?

>> Yeah. It has not come to fruition yet, but I think what's called the MSSP market, the people who manage security for the middle size companies, are where I'm going to see that growth. So if you have a hundred customers-

>> They have low IT budgets. They're vulnerable.

>> They are. So they can buy my software and tell their customers, "You know what? From now on, when you call to reset a password, we're going to do this extra check so I really know it's you." Because companies, it's not their core competency. They're not going to sit there and think, "How am I going to be protected?"

>> By the way, I would say that as validation to that mission, all the successful Gen AI Edge cases, Edge meaning the network Edge, or the new hyper-converged-like solutions that are either different or breakthrough, are all making it in the mid-market. Because one, the sales cycle's harder for the enterprises or the big hyperscalers, but they're most vulnerable and they have a need-

>> Correct....

>> and are willing to switch because they know the downside is a fatal attack and they know that. And as long as the price point is in range, that's great beachhead. Do you agree?

>> I do, but I don't want to become the MSSP for them that is a semi-local business. I'd rather give-

>> Enable someone.

>> Yeah. Enable somebody, "Go make money, we'll do it together." I'd rather sell to the global 2000 because that's what I know from all my past businesses and go enable. Even when I go through a partner like Akamai, I'm enabling them to sell my software on their MSA. I don't mind that they make money, but they have the relationship and relationship is everything.

>> How do you make money?

>> How do I make money? It is licensed per transaction. And of course, the more you buy, the less it is.

>> The more you buy, the more you save.

>> That's right. Absolutely.

>> That's Jensen's law.

>> Hey, it is our law too. I want to be in his business. But let's put it this way, nobody is not buying because it's expensive, but the checks with the DMVs, unfortunately, that's part of the moat, are expensive. The checks with the telephone companies to see if your sim swap, are expensive. So that's our COGS. But the rest is just software hosting and having a great team that cares about customers.

>> I really appreciate what you do and your mission. It's a really great mission because we want to be protected. We don't have an army. The government should take care of it. I'm a hawk when it comes to cyber warfare. I've been calling it for over 15 years, screaming. Now people get it. But hasn't been... A few of us have been. I appreciate you having... And congratulations on a very-

>> Thank you....

>> big breakthrough and success. Maybe finally get some confidence around my crypto wallet. I probably forgot my keys and have to go figure out where they are, but thanks for coming on. Appreciate it.

>> Thank you, John, for having me.

>> All right. Cyber leaders coming into theCUBE here at our NYSE studios. Again, the cyber landscape isn't a sector anymore. Deep tech is replacing all these categories. Deep tech is all AI infused into everything that we do. One of them is, we'll be native, and that is security. That's going to build on top of the hybrid cloud distributed computing world we live in. And all the applications coming will include the bad guys in there too somewhere. So we're going to need more solutions. And of course, the entrepreneurs are out there doing it, doing our part to bring this content to you. I'm John Furrier, the host of theCUBE. Thanks for watching.