How can we get closer to a Zero Trust framework with emerging tech like artificial intelligence

Show video

thank you everybody for joining us my name is aaron mellman director of marketing for aidan technologies before we jump into our discussion today about how organizations can get closer to zero trust using emerging technologies like ai i'd like to tell you a little bit about aiden aidan is automating patch management and software deployment to create better security posture for customers we're focused on helping to bridge the gap between it and cyber security so that people and businesses function flawlessly if you'd like to learn more about aiden and how we can help your organization improve cyber hygiene by decreasing vulnerabilities and allowing it teams to focus on critical projects please visit our website meeting.com or you can reach out to me directly via email at aaron.mailman meadain.com and at the end we'll reserve the last 15 minutes of the discussion for any questions that you might have so please make sure to post those in the chat and i'll make sure to get our speakers to answer them for you with that being said i'm going to hand it off to john kinderbog please go ahead and introduce yourself and tell us why you're here hey thanks uh aaron and uh hey everybody out in tv land uh nice to be here we're gonna be talking today about zero trust ai you may know me um as the guy who created zero trust if if you're here you probably have heard of it and want to know more so i created zero trust when i was at forrester research i did eight and a half years there i just finished a four-year stint at palo alto networks where i was the field cto uh focusing on building xero trust networks for clients and now i'm a senior vice president at a company called onto it and we deliver zero trust as a service so it's a managed service uh it's a dutch company and we're moving into the us and i've known those guys for years and years and years uh and i'm going to turn it over to again scott john thank you and aiden folks thank you for having me on this is such an honor and a privilege so i'm scott shefferman a principal uh strategist at eclipsium which is a firmware slash hardware slash network device appliance level of security company i also have my own llc called amanda intelligence affectionately named after my great grandmother uh great story there sometime over a beer so my background is about 20 years doing cyber security everybody says that when they get on a podcast like these uh webinar like that these days but um 15 of that was spent supporting the war fighter uh through systems like spay war and navy and intelligence communities doing cyber security uh on everything from submarines to satellites and everything in between hospitals you name it and then the last seven years or so i've been in what we call the vendor space working for companies like fireeye silence sentinel one and now eclipseium doing everything from incident response engagements directing those global type of security assessments compromise assessments mergers acquisitions ciso 90-day plans you kind of name it i've been a consultant for most of my career in the cyberspace so i'm really looking forward to being here john it's a pleasure to be with you josh as well uh i think you and i met in las vegas a couple years ago at one of the events that you were at and i was speaking at so it's great to be back thank you scott and thanks john um first let me just say i'm honored to be here with both of you um two industry luminaries that have done so much in the field to help people um when i set out to launch aiden we were really doing it with one big thought in mind which was how can we help cios ctos and csus and their teams across the board to feel safer more secure and be able to have their users be more productive um ai has been so important to that mission and the concept of zero trust has also been so important to that mission a little bit about me my background is predominantly in i.t operations i was a consultant in new york had my own consulting business for over 25 years called business technology partners worked with some of the largest banks and financial services institutions also worked with healthcare legal companies large accounting companies and we had an msp that dealt with small medium-sized businesses for many years so i've seen this these challenges from kind of every angle right large companies then small uh in 2018 i went to work for what i figured to be my last customer helen and friedman and i spent a couple of years as a cto in private equity and i learned a lot there as well particularly because at that time not only were we raising a very large fund uh but we were so we're certainly in the limelight a lot and we're under attack you know from time to time of course like all organizations but we also were seeing that the sec was starting to do major examinations uh on private equity and alternative investment management businesses and so that started to really change the landscape and get that entire industry thinking about concepts like xero trust and how to leverage new technologies like ai to fix some of these problems which is actually where i met my co-founder and then ended up taking this journey to build aiden so it's been a really great experience i'm going to kick things off with you john um you are the father of zero trust and you know we know you created it in 2010 as a concept when you were at forester and you know i i really am fascinated by this notion that you made this huge transition from especially thought leader writer analyst to a practitioner a leading practitioner in the industry both with palo alto and now in your own cyber security consultancy business where you're implementing zero trust can you tell us about the transition and tell us a little bit share with everybody you know what it's like to go into the practitioner world after spending a long time in the thought leadership role well you know i was a practitioner first so i was a security engineer architect consultant pen tester network guy all those kinds of things before i went to forester when i joined forrester they said you want to be an analyst sure what's an analyst right so uh i was always sort of uh you know a real life practitioner masquerading as a an analyst and i think that gave me a huge advantage and all the people that we brought in after me were not you know professional thought leaders the way the analyst business had been they were practitioners applying that and helping explain what's going on and so i really started that trend at fourster i was really proud of what it became uh but what you do is you create an idea but then you have to prove that the idea is is doable and so that's why i went to palo alto networks because well they have great technology but also they were the first company who really understood what i was trying to do and supported me and so i built a lot of stuff originally on their backbone and then at at some point i needed to make it more easy to consume so that's why i went over to onto it to deliver it as a managed service so just yesterday we announced zero trust as a service z-t-a-a-s right so that it's easy to consume so that's part of the journey when you have an idea what is that journey gonna be right because you just i think too many times people have great ideas but they leave the idea on the table and don't take it through its entire life cycle and so that's what i wanted to do and and uh zero trust has become such a big buzzword that you know i've lost i don't have any control over it but at the same time that's incredibly gratifying because you know it's so many people are talking about it so many people are doing things related to it at different levels and then so many people are employed by it i've had people walk up to me on airplanes and go hey thanks i have a job because of you and if nothing else you know that just like sends chills down your spine when somebody tells you something like that so um but but there's still more work to do because there's uh really you know bad attackers out there and and you know you guys in vulnerability management or in patch management i've always said trust is a vulnerability so i'm trying to eliminate that and how do we do that in the most automated way right and that's where these concepts of ai and machine learning although we should have a discussion are they different or are they the same how do we consume all these things because zero trust is a strategy that consumes technologies like yours jonathan so it's it's decoupled from technology and uh and technology is always going to change it's always going to get better but we have to have a strategy moving forward and that's what a lot of people have really gravitated towards zero trust because it gives them a vision or strategy that they can then move towards very interesting and i mean i guess i would bring this over to you scott you know john talked about how xero trust is really abstracted from the technology what does xero trust mean to you scott i mean when you're out there in the front lines working with clients i know you're called in on several of these major ransomware attacks and things like that to consult with and help customers get an understanding of what it is they should be doing what does this really mean to you out there in the field well i'll i'll tell you i won't make any bones about it it's for me it's very personal um so i got into this industry hardcore after 9 11 happened and uh and i stayed in that field supporting government warfighter for 15 16 years and josh you and i talked about that so when i wake up out of the bed every morning i'm here to fight the bad guys whoever they are and protect the homeland if that makes sense right it's a lack of better words so 15 16 years supporting the war fighter but in 2012 something interesting happened when the iranians hacked the nmci that's public knowledge event and it threw me for a loop because as much money hundreds of millions we had spent on security what were considered the least sophisticated apt actors back then the iranians completely compromised a very large network a million devices plus and for me that shocked me so i figured out what they did they they were using callbacks that we couldn't see they had ways to move about the network that we weren't tooled for that our requirements were asking us to do and look for with technology someone to work for fireeye because they could see callback technology and you fast forward that through my career on the vendor side since that moment uh when i found out you know i was we were pregnant with my now daughter my my mission came to protect the homeland so you know fire i hit my c understand call back detection and detonation chambers uh silence helped me see and understand predictive ai the ability to predict malware years before it was even written or conceived by the bad guys which is a mind-blowing concept to this day but the power of a narrow way i and that's when i coined that term temporal predictive advantage to describe the advantage that ai has over the bad guys over an entire economy of thousands of bad guys so i you know continues forward today here i am at eclipsium because why because the bad guys are going down low to the hardware to the device which is the center of crush it's the foundation of trust itself and we're talking about zero trust and automation i think we'd be remiss not to talk about the fact that if you can't trust your device at the hardware firmware layer or supply chain layer you have bigger problems all of a sudden right so um that's a kind of a long way to answer the question but to me zero trust being here um it's it's still personal i still want to win i still want to protect my daughter's future uh and these are great things i mean you and i shared that in comments guy right talking about how we care deeply about protecting our families and the country around us and the people that we work with um you know i think that it's very interesting we have the zero trust framework we have had it for now over a decade since john came up with the concept in 2010 we also have ai tools right of research behind this before you write the paper so these things i mean a lot of people can write a blog post and then i like but when you have rigorous research that's the difference of why zero trust took off because i spent two years making sure that there weren't holes in it and that's what people don't realize you know and so it's been a much longer journey than it looks to other people so right and just but outside the world right and i appreciate that yeah but out in the world we've been talking about it since you launched it in industry right and and i guess what i'm saying is we have all these ai tools out there um one that i'm working with today included right and yet you look in the media and i'm waking up every day and reading the headlines like everybody else right in the last i think less than six weeks colonial pipeline cox media right jbs cna financial all paying large ransoms or talking about paying large ransoms right and we just keep getting hit over and over again so so my question and maybe john you'd like to take this one first is do we think that ai can play a role in predicting not just the next malware but where the next attack is likely to happen and lead us to a solution as practitioners where we can get involved and help those companies faster and john i'd love to know if you've seen anything like this or how and when we think this is going to start to happen if you look at the difference between kinetic warfare and cyber warfare the big difference is accessibility right it's the nature of imminence so in in a you know kinetic war like you you look at the first gulf war we saw that saddam hussein was putting troops on the border of kuwait everybody knew he was going to attack kuwait but you just couldn't unilaterally bomb the heck out of you know the uh the iraqi army just to preempt the war but um in cyber security you're directly you're always directly connected to the world's worst bad guy so they have they have the the connectivity to you they have the accessibility they have the tools and techniques so the only thing that's keeping them from attacking you is the will to attack you so i would argue that it's kind of a schrodinger's cat problem you're going to get attacked by a bad guy uh both you know zero and 100 it could be either either or right uh both states exist always at the same time and you can't control that malicious actor on if and when they're going to attack you what you can control is whether or not the attack is going to be successful so we talk about attacks versus successful attacks i'm i i don't you know we can't worry about all the attacks in the world because there's too many that's why i don't worry about attack surfaces i worry about protect surfaces and invert these things and i want to stop successful attacks not every attack because i can't control those maybe some nation state can do that maybe you know you could have what people call offensive security and attack an attacker before they have the ability to attack and preempt it but for my clients who are primarily uh corporations and in in the private sector they can't do that that would be illegal and so and they shouldn't try to do that so what they should do is stop successful attacks from being successful either being disruptive or especially uh stealing data uh data exfiltration i say is the grand strategy of zero trust you have to have a grand strategic um view of the world and the grand strategy is stopping data breaches and if you can do that then you can stop all this other stuff that's going on because why does ran how why is ransomware successful well you know patching people don't patch right uh people don't do good backups and people allow command and control traffic to leave uh leave their environment and connect to something on the public internet and send a symmetric key back and all those three things are are solvable problems it's just that corporations don't typically have the will to solve them and that's why i worked on xero trust was to get to change the incentives internally so that executives would would incentivize the technical people to do the right thing because the average corporation has the very 20th century view of cyber security and that's the reason they're being hacked right they have very traditional methods very traditional tools very traditional architectures they they have flat networks that give once the attacker has purchased they have access to everything and they get to be on there for a long time right so um but we we want to uh we want to protect we want to prevent this successful attack against a particular resource and so in zero trust that's why i've been focusing so much about the concept of a protect surface invert the attack surface shrink it down really small orders of magnitude to something that is that is tiny and easily knowable i learned how to do this because i i did qsa work so uh all we had to protect in in in a pci domain was the cardholder data the pan once we did that that was the limit of the scope and and that taught me how to protect a single binary data string and so you need to break everything down into small solvable chunks otherwise if you do the i found a problem buy technology uh implement the technology find another problem you do that over and over again you will run out of money before you run out of problems so you have to break this down into manageable chunks and most organizations don't do that that was a great it's a great point john and i i do see how zero trust over the years has absolutely been a framework to help reduce risk uh for organizations and shrink it down as you pointed out and and also how you know you're effectively able to obscure things a little bit better through that but when i think about what's just happened right they've now attacked our energy supply they've brought the fight onto our church they've attacked our media they've attacked our meat and our food supply and they've attacked our financial institutions and i don't care how much you shrink down the corporate network they know what they're after they're after what everybody is now deeming sicky right our systematically important critical infrastructure they are going after us on our truth and so scott with all your work in protecting the warfighter abroad mostly and as john even talked about right these fights kinetic ones versus you know cyber security terrorism right but that was abroad this is a fight on our homeland right it's happening on our country every day and i guess what i would like to know scott is what are you seeing out there when you're working with customers what new tools because john was absolutely right right the average organization is working on 20th century technology so help us understand better what can people be doing because no matter how much they shrink the aperture these attackers know exactly what they're after and those critical infrastructure organizations need to figure out how they're going to use modern technology to protect themselves i'd like to hear your perspective on that what are you seeing every day this is one of those questions it's like if you're in a baseball game and somebody throws you the perfect pitch and you know it's going to be a home run before you even swing the like i'm so amped up or dances questions i don't even know where to begin so let me do my best i'll tell you what i feel like the most important advantage is no matter what in any context when it comes to cyber and it's this thing that's invisible that everybody forgets to measure that nobody actually holds as a benchmark that the attackers take full advantage every time and that is time itself and what when we talk about ai and we talk about things that can actually win this battle on the homeland like you're talking about or in your own enterprise the first thing you have to realize is that it takes an attitude shift i'm not going to spend time here but i i do a lot of talking on leadership and on the idea that if we keep telling ourselves it's a matter of if and when or uh but when we assume the breach too often and when those kind of thoughts start to inform our strategy we start to fail in our strategy and how we spend and how we resource and how we fight the problem because we're not leaning forward to solve and be creative and actually think outside the box and win so you have a domain here inside your enterprise that is yours it is way more complex more sophisticated better tooled and more resourced than what the bad guys have people don't think of it that way but it is it's your domain think about like being a linux admin in 1989 or 90 or something you're like this is my domain i know when an anomaly happens i know who my users are i know what my ingress eager says i know my ports protocols and services all these things you know on an admin level you need to apply to the enterprise so when you own your domain if you do a better job at getting faster at doing the things you already know how to do you can start to actually win and you know doing all these instant responses and you do a hot wash after every single one and root cause analysis and you step back and you say what can we make sure doesn't so this doesn't happen again that's what the board wants to know that's the executive summary i used to prepare right the answer is we had the visibility nine times out of ten we had the right logging we had the right tooling we bought all the stuff we even had the right resources and skills and aptitudes but we didn't have is a better measurement of getting faster at operationalizing these things so when it comes to um and getting ahead of the attacker because it's a race against time right now with edr and xdr play sim soar all the threat intelligence all the enrichment we're doing in the cloud and we're keep building up this stack what we're doing is putting time pressure on the bad guy we're winning some of that fight they don't have a 450 day 12 time like they did in 2015. they have something less than 100 days it's still a long time but there are attacks now that can play out in a matter of minutes right and there's automation involved with those attacks and there's scalability and there's liquidity in the malware economy lets any actor get a vpn vulnerability the same time he's getting an rdp vulnerability and and they can get into five different ways if they want to target an organization at any given sunday right so speed matters is what i'm trying to say and so when it comes to ai i have a single litmus and i can give you two examples too if you want the litmus is is my solution or my machine learning allowing me to make a decision that matters fast enough to be in front of that decision to actually interject that kill chain is it moving am i empowered to make that decision as a human fast enough to matter in terms of interrupting a kill chain or an attaching that's actually underway inside the environment right if you you assume the initial breach vpn spearfish whatever then there's this race against time and you have to ask yourself and measure how well you're doing against that adversary at every given junction of that kill chain and this is why ai matters because ai can allow us to make those decisions it can automate the ones that we don't need a human in the loop for and then where you need a human in the loop it can present that and explain itself these days better than it's ever been able to do before we're in a renaissance of explainable ai we're right in the precipice of understanding that i can trust this thing and make a decision that's not going to hurt me that's a low risk decision to making it's high confidence decision and i can actually do something that matters because most of what we spend our time doing is not being done fast enough to matter it's being done because of compliance or business drivers or or because you have like john said you bought too many things you have too much noise you're doing all these things you calling you're calling it low-hanging fruit the actor doesn't care what you call it the actor just cares about what they need to do on their kill chain to get through and so we just have to readjust you know uh one of my favorite cyber movies isn't a cyber movie it's it's uh the imitation game about breaking the nazi amiga code we talked about this in our pre-call but i love that movie as an example of where we need to go because in the movie alan turing is built in building that analog computer called the bomba uh and everybody wants to tear that down there's actually a scene where they try to tear it down because they want more of the three ps of crypto analysis people pencils and paper right and he says in the movie only what if only a machine can defeat another machine and that's where we're at we have to do that i mean i'm doing that on a daily basis and you're doing that and we understand the value of that right i'm not worried about intrusions right so i i make a distinction about intrusions versus breaches breaches is when the the bad thing happens that gets out or that that that uh you know data is stolen intrusions there's going to be lots and lots of intrusions but did they get to something that mattered right did they get to that critical infrastructure did they get to that's the whole concept of a protect surface oh they stole my my public documents that i won't have on the web who cares right so we have to say that everything isn't equal in terms of of the asset value or the data value and then we have to understand that uh they have so many ways to to come in and really where the kill chain where i think the kill chain gets interesting is the actions on objectives and that's where i want to focus because uh you know that's where i can really make a difference from from an automation perspective because i can texture can contextualize data and actually automated i wrote a paper years ago called rules of engagement that talked about that and that's actually implemented into our technology but all these things ai machine learning whatever we call them again it has to be automated that let's get down to it it has to be automated because we can't ever be as fast as they have some of those attacks i've seen a couple of them that take seconds so you can't even process the attack before the attacker is already gone so how how do you do that well you have to have machines to do it and that's i mean that's just where it's going to go and it's not going to put anybody out of business in terms of jobs you know you're not going to lose your job to a machine in cyber security because there's so much need for good people you're just going to quit doing the boring stuff yeah and that's that's something i spend a lot of time trying to convince people of right we're not replacing human engineers with the ai technology what we are doing is enabling them to focus on the high value initiatives and the higher profile stuff within their organizations and actually work with users and spend more time care and feeding figuring out what people's real needs are and listening josh i i i was remiss in not answering your question which was give me an example right tell me tell me how can you can we get to a point where we can predict an attack and i will tell you where i think that's going to happen next right and and and realistically so not pipe dream stuff you know futurama stuff but literally there's there's a lot of threat intelligence platforms and out there and when we talk about threat intelligence there's a thousand different definitions and use cases but one in particular is one that looks to the deep dark web uh close enough to actually see what and actually a command control structure of the bad guys to see okay the initial droppers are in place on this vertical a ransomware campaign about to hit finance is about to hit it's it could be five days or a week or two weeks maybe at the most that you can have that anticipation and that intelligence is there but it takes nowadays it takes human vetting some automation but it takes a lot of vetting to get to that level of understanding and seeing into that c2 infrastructure to know that let's say drydex is about to hit the financial industry uh sometime in the next week and that's actually a real example that i can't speak too much about but drydex is on on a good one right now um you know these vpn vulnerabilities when these vulnerabilities come out and there's a zero day hitting you have about two days to two weeks i know that window by heart i know it across the last 173 cves of the last 10 years of every single vpn appliance that's how many there are these vulnerabilities and that window gets smaller and smaller when credentials are leaked it's a matter of 12 hours to study just yesterday and i i wish i could remember who did it they see the dark web with their own credentials unique credentials they waited to see how long those credentials would be used the average was 12 hours some of 40 weren't used within an hour so when you lose your credentials how fast again back to speed can you actually say i need to reset that account or i need to watch out for this vpn appliance and logging coming in with those credentials that are known leaked so pulling intelligence out off the ground like boots on the ground so to speak from the deep dark web and from cto infrastructure is one way to actually get ahead of really bad events which is what john's talking about the the actual bad thing that happens when the actor turns the encryption on across hundreds of devices in your network that's when the really bad stuff happens that's when entropy starts to happen fog of war and in many different forms of impact not just backups and sensitive data but all sorts of impact happens to the organization if you can get ahead of that let's do it so let's figure out how to automate that let's figure out how to take that information from one person and scale it to an entire vertical so scott i mean that is great and you're seeing examples in the field of huge leaps forward right that ai is now being used in threat intelligence threat hunting really trying to predict where things are happening um now to bring it back a little bit more to the core of the topic at hand which is john maybe you could give us some examples how are you starting to see ai used in implementing or achieving zero trust for organizations that want to protect the house want to protect the crown jewels like the technology that that that the co-founder of the company i'm at now built called event flow does all that because it it it takes these paradigms of log management and sims or analytics puts them together in a custom way gives a lot of context against what's being attacked and so in our world in the world that i'm in now only about one in every hundred thousand events has to be looked at by a human the rest of them can be managed by by the the platform by the machine itself and the more uh events that we see over time the fewer things that have to be uh looked at by a human being so that's that's building on the idea of anti-fragility from to labs so as you get more data you have more knowledge and and you you know some people call that training the machine for machine learning i don't know that all those those metaphors really work particularly well but it does make the machine more useful and better and more accurate and and this is what's happening in the world is that we're all moving towards this realm of automation if you're doing it manually you are automatically going to be too slow just by the fact that hackers don't have change control right so all the things that scott talked about are are cool except that every company has uh uh processes in place because they're worried about breaking something so they have change control and that change control process when you get down to it is really slow and it's much slower than the attacker and it's probably slower than the dwell time that they're that they need to be in to achieve their objective and so we have to automate out of those paradigms the other thing that's that's killing us is we're so afraid of false positive that false positives that will a lot of allow a lot of bad things to come into our environment because we're afraid we might stop that one good thing what if we stop that one good thing oh no i might get fired because i stopped the president's email who cares you shouldn't care about that stuff you should make sure you know everything that's going on in your environment the idea of unknown traffic drives me crazy when i've been looking at people's environments what is that traffic we don't know well then why are you letting it in well it might be good well then that paradigm itself is the problem you don't do that at home right you know you don't have a you don't have a super bowl party and you you you have somebody come in and you go i don't know who that is do you know who that is no but they're getting beer out of the fridge i guess they belong here let's make up the guest room we don't do that in real life why would we do that in our network but we do it all the day all the time because there's perverse incentives in place that say if you stop something good we're going to you know you're going to get in trouble but if you stop something bad you're not no one's going to ever acknowledge that and until we change those incentives we're never going to change the fundamental problem incentives is a really good point also the last time we had a conversation like this with some thought leaders somebody brought up the point that cyber insurance industry is creating almost more of a problem in that they will often want to fund the ransom more so than the cost of doing the remediation and actually building the more zero trust highly resilient and highly effective network strategy right so um that's not helping and then of course we're just funding the attackers to be more enabled to do these attacks on us and perpetrate more offenses you know i saw something the other day that the cyber insurance market is growing by 21 year-over-year expected to reach 20 billion by 2025 and i took note of this yet every insurance industry expert is talking about the fact that they're literally guessing at policy limits and premium costs because they don't really have the data to know how secure or how risk you know how much risk is involved in any one of the companies that their organizations are underlining and i guess i'd put this out to you scott first right you talked about ai being able to accelerate time right and we've talked about ai being able to predict maybe where things are going to happen next do you see a way in which ai can help us identify quickly where there are gaps in the security framework or the security architecture of a particular company yeah no that's a great question so um ai being that it doesn't sleep being that it likes really really big numbers and complex things better than any one human usually is able to uh understand and make decisions from it has a number of advantage like this right speed accuracy um one one of the ways you apply ai because of those attributes is to say okay i have a lot of data everybody's got a lot of data these days coming from all sorts of sensors everywhere and you can let the data find the data kind of a hybrid analytic approach but you can also do better than that you can if you have expertise you can guide the ai in a way that lets you say look um let's say i have 5 000 devices and they're all of the same model but on day 63 after acquiring all these and procuring them 50 of them have shifted fundamentally at the device integrity level and if you didn't take that action and if you don't didn't don't know that you took that action you might have a problem right now is that a security problem is there malicious intent in there do you have a threat underway a risk about to materialize you might not know but one of the things that ai does better than any human possibly can or even a human team can is solve for these kind of a large large data set issues that are complex it's the true software it's true of device integrity it's true of identity somebody was talking about two-factor authentication and the questions there and you know that needs to be necessary yes the two-factor authentication the way it's implemented probably half the time is completely broken and very susceptible to a number of attacks that any attacker targeting the organization can easily bypass end of story how do you get better than that well there comes ai you can do things like understand a human or a machine as it moves through space and time doing the things it does understanding its metadata coming off of that entity and understanding that continuously it is what it says it is so if we don't get to a place where we have continuous authentication authentication and they're therefore authorization to do things the entity is doing we'll never win that war we will always be at a snapshot in time version of authentication and that's failing whether it's two-factor multi-factor any number of factors so we need this continuous ability to do that only ai can do that only ai can understand we as humans and identities in ways for which humans don't even have language for only ai can work around probabilities in ways that humans can learn to accept because via induction over the course of a year i observe test data and i know that it's 97 efficacy you know very low false positives okay now i'm going to relinquish to this ai but ai you know trust with ai let's talk about zero trust like trust of ai is a two-way street humans need to be able to trust through a generational incremental kind of development of an ai project all the way to the end and take risks in that process humans have to be able to say i'm going to relinquish some of my control i don't i might not understand the impacts here i might make a boo-boo and people might get mad at me but you have to start taking these risks and being able to um bring the company along the organization along with you that this is the risk we're taking but this is why we're taking the risk and this is the expected outcome a year from now yeah we get this all the time what if you're what if the ai makes a mistake right well what if the eye does something wrong the benefits definitely outweigh the risks already and it's getting more and more so but to your point scott people have to take those risks um john i do want to bring this over to you somebody put something interesting in the comments and i i want to read it because it's pretty interesting it says it takes it takes at its core simple best practices we're not even getting least privilege diligent patching which as you know i mastered the separation of duties right and separation of duties of micro segmentation this is why nearly all these exploits have happened in reality zero trust is an excellent methodology these data custodians aren't even nearly on the basis they're on the basis so in your mind are there opportunities here for ai to help them get there on the basis yeah sure i mean you know and this is this is the problem because we have human modalities that we're trying to transfer into digital systems that will never work risk is one of them right i don't think we can ever have real risk you can't why is cyber insurance so hard to do because you can never build an actuarial table on cyber right to to completely misappropriate a a quote from talib we don't know how many sides the die has that's being cast so how could we ever define a probability statement or a risk statement i i like to say that risk is danger and we need to mitigate dangerous things uh but people will people still think that they can do the same thing in in the human in digital world that they can do in human world which is uh they can transfer a risk to somebody else but that doesn't work because compliance won't allow it to happen they can accept a risk but that's too dangerous or they can mitigate a risk but if that costs money then i don't want to do it because i really don't care and my risk management people say that that would never happen anyway but no one knows so ultimately we have to get to where all risks or dangerous things are mitigated and we have to have confidence that's why i don't like the trust word the t word right it's a four-letter word in my vocabulary scott we have to have confidence that the system is doing better the problem is human beings if if scott or john make a boo-boo oh they're just human we have that saying right in our vocabulary they're just human if a machine doesn't do exactly what you would expect it to tear that thing up throw the computer against the wall right that it's broken it doesn't know what i want it and we think it's supposed to have intuition like to know what we want how many times were you ever frustrated by some friend or relative who this computer doesn't work the way i think it should well it's only doing what you tell it to do and that's true in ai as well right so the the the the problem is people want to throw it up against the wall when it doesn't do exactly what they think it should and they aren't learning from the things that it's telling them and so yes it's going to be much better at knowing things it's much better crunching numbers is much better at doing things will it be predictive in the way that we think from tv shows like when or movies like minority report i don't think so right because we don't control uh the actions of the attacker but can we know that you know all the known cyber attacks aren't won't be able to be uh you know used against a particular resource that's something that's knowable so we want to take the things that are possibly known and and use those to reduce the amount of things because things that could go wrong because as one friend of mine who is in you know the kind of business you used to be in scott said attackers don't attack well-defended environments because they have to make money they've got a return on investment richard bailey used to talk about creating enough friction uh to make them go somewhere else and and and there's certain nation state attacks where that's not true right but for the most part somebody wants to make some money and uh and uh so yeah make it harder for them to make money and maybe they'll go on to the next victim john that that's an excellent point and actually one one of our advisors uh and investors richard clark was on interviewed on cnn last week and i heard him say his top recommendation was and it wouldn't take much for the white house to do it to be an executive order otherwise but you know make paying these ransoms illegal right i i don't know i see scott shaking his head so maybe this is an interesting one to debate um but it strikes me that if you made paying these ransoms illegal people would have a hell of a lot more incentive to to actually embrace some of these new technologies uh and spend money fixing their environments rather than just thinking if something happens they could pay the ransom if they need to and that they have enough site reliability insurance coverage just you know to kind of the cfo looking at that strategy right or are we are we in the position and then it also strikes me that if you look at the market cap someone else pointed out of all these companies after a ransomware attack whether they paid the ransom or they didn't usually within six months they've recovered at least 50 of their market cap anthony johnson on our last call talked about how he has a group of cisos that just wait for that to happen and then invest so you know there's two factors going on you use the word trust right as a four-letter word john and scott likes the word but whether we call it confidence or trust we keep being afraid of what's happening almost like the other movie that you didn't mention which is terminator where in my mind i remember that scene from terminator where skynet becomes aware right and everybody maybe is a little afraid of the computer getting too smart computers building or fixing other machines which is what we're after but what is it that we have to do right if we don't like dick's recommendation to scott and i'll bring this back to you right to make names ransoms illegal then what is it that we have to do to get companies to have confidence or place confidence in more frequently newer and modern technologies to protect their organizations not just companies organizations nation states government agencies whatever it may be how do we get people to embrace these new technologies yeah it's good a couple parts there um you bring up a good point about offset so if you paid the ransom there goes 10 million 50 million dollars hundred thousand dollars that you could have put towards tech uh it's a good point and you gave to the bad guys and they just got stronger so that's the primary argument there is don't give it to them because it just builds up their their their whole uh incentive and infrastructure however um if you need to regulate this i agree that somebody in the comments said the same thing but when it comes to actually being in the trenches when it's actually you making the decision to pay a ransom or not you're the ceo of colonial pipeline or of ubs and brazil like jbs the thing is uh you don't know until you're in there and no team ransom situations are the same and when you have any i mean classic example obviously is when i worked with all the hospitals that were getting hit by sam sam which is iranian actors in 2015 2016. that was really really bad that's the first time you saw patient life really kind of being jeopardized right but it's true in manufacturing it's true in mission operations it's true in maritime operations it's true in oil and gas it's true in operational environments that safety whether it's to the public like colonial pipeline potentially or to workers or to patients is always the most important thing and you know nobody wants to pay that ransom not a single victim ever wants to make that ransom but these actors are extremely adept at hitting you in many different ways when they hit you it's not just if you don't pay the ransom we won't give you the key that's so 2014 okay this is 2021 it's a whole nother ballgame and these victims are getting crushed a thousand different ways not just one or two right it's affecting their supply chain both upstream and downstream they're third parties um they're holding uh personal information on all the executives and hitting up independently on the phone call making threats to family and friends they're doing all sorts of tactics that you don't get to read about in the newspaper because you're not on the front lines right we get to see the abstracted version of this problem the reality is if there needs to be regulation i which i agree there needs to be it needs to be the form of having organizations be transparent and reporting to a central place so we can all get smarter and identify and attribute these actions so we can get these bad guys and apprehend them but it doesn't mean that we shouldn't pay those ransoms when safety uh uptime or public safety or critical infrastructure uh needs to needs to keep the lights on right um and and i would argue too i have opinions here they're not necessarily not controversial but they're debatable i should say when you pay in bitcoin like colonial pipeline did you have a good chance you can get that money back all you need is a private key and all you need is a warrant or some ability to get that private key off of the bad guy's infrastructure or compute device which is often where these darwinian criminals leave the private keys that's why they got the part of the money back with colonial pipeline because they played in big bitcoin which has a ledger if these same groups are all fraudsters originally they're all the financial groups they're good at mules and money laundering and and uh atms and all sorts of other ways to extract money uh money wires you name there's lots of ways to get money out of an organization but the impact to an organization is just so much broader and nuanced than i think most people understand well i think if there's premeditated thought into using the ransom as a way to track the perpetrators and get the ransom back now i'm much more in agreement with you scott i i personally though do feel that paying ransoms is only there may be some really significant blows we will suffer if we don't pay ransoms but until in my view uh i have to agree with dick on this one until we stop paying ransoms we're just enabling this it's like don't negotiate with terrorists right we we just don't well yeah that's one thing because otherwise encourage the next problem but but that's fine when you're sitting back in richard clark's position but when it's your kid who's been kidnapped then you want to negotiate with the terrorists of course right that's what i feel which is why people say we need regulation because no one's going to in the moment of crisis when their entire balance sheet is when their shareholders profits are on the line or whatever else it is or their kids going to say i don't want to pay the ransom that's why we're talking about adding regulations and and i believe that whatever it is whether it's regulatory or some other kind of incentive based compensation for doing better right like in in the healthcare world somebody in the panel on the comments brought this up we had a program called meaningful use i was a cio in healthcare for seven years meaningful use with the federal government giving grant money to organizations not just to put in electronic health records and integrate them with each other but to use it meaningfully not just to do it but demonstrate you're actually doing it well so i could see some kind of regulatory um and you know incentive program around giving organizations both public ones but also private sector and i think this is where public and private sector need to work together more incentive dollars to be able to go out and finally put these modern technologies in and actually bring their networks from the 20th century into the 21st century and beyond i don't know that enough companies are going to do this proactively with the way that things the way the deck is stacked now with cyber insurance liability companies encouraging them to pay rent but joshua here's the problem right first of all i know you're new to texas but we texans we don't like regulations so you're gonna have to learn to hate regulations as much but these regulations always backfire there's enough money it's just they're not willing to spend the money and somebody made that in the comment the ransom is more than the security budget often and that's the problem and so we don't need the government giving tax dollars to companies to do the right thing that's certainly not good um and and we don't need more regulations because there's too many regulations and they overlap and they compete and all security officers do is spend their time filling out paperwork we need a different set of incentives the best incentive is to make you know file lawsuits class action lawsuits and get ceos fired and board members fired if there's these kinds of events because then they'll take it seriously and and that was what the value of the target breach was the target breach was the most significant uh action that ever happened in cyber security in my opinion because the ceo got fired because of something i t leader didn't do which was allow a data breach and so uh but people don't take cyber security seriously if it costs money and we have to solve that problem it is the most important thing that you're spending money on probably and you don't get it you don't get it because you don't if you're an airplane if you're a airline if if your computer system doesn't go on work doesn't matter if the pilots are there the plane is there the passengers are there plane doesn't get off the ground sorry so people have this 20th century view that um i.t and cyber security

are inhibitors of the business they're just overhead they don't grow the business that's complete and utter nonsense in the modern world they are the foundation to the business until you understand that as a leader then you will always have these problems best best book on that john uh i could not agree more is by my my most important mentor in this industry malcolm harkins wrote a book called protect to enable which is literally speaks to everything you just articulated so well which is how to actually be a leader inside the organization to view security as roi uh and and much more beyond um to enable the entire business to succeed what do we do if our leaders are actually doing a pretty good job and the company gets a hack anyway well what do we so what so if we extract this too much we'll be at the policy level again but i do believe what we do need to do is have a way to automate and centrally report uh sufficiently sanitized data to a central organization government or uh partnership with private industry to understand these the the telemetry coming off of all these victims and be able to better attribute with higher confidence those actors and those nation states that are harboring those those activities uh and you know i don't need to mince words russia harbors looks the other way and even sponsors a tremendous number of the activities that come at uh come out the west come at us in america and unless we have an international pressure put international pressure on russia to say no we need to be able to apprehend these folks we have high confidence attribution we know who the belly button is extradite them you know until we kind of get there we're really going to be the bad guys will always like to understand they always have leverage there's always a way in there's always a way to twist somebody and hurt somebody digitally from afar if you're being protected and that's the root problem um i do agree with john that incentives legal for executives that fail to do due diligence is important but that's a very gray area and my fear there is that the the legal landscape will be so slow to catch on to so much nuance and so much vocabulary and so much it's so hard for them to really understand the dynamics of what being responsible actually is that's been my observation i don't know if i'm right there but it just that's my honest fear about it charlie sorry i just want to point out we have we only have two minutes left okay really two and a half maybe and i want to save a minute for each of you to answer one final or give your perspective on one final comment which is you know and john i'm going to start with you first and scott i'm going to come to you last what is it i'm very excited about ai and it's opportunity to improve what's going on within these companies to help them get better to help them build the solutions that humans are taking too long to get to john what excites you about the future of ai and zero trust well just the ability to automate at scale to get in front of all this stuff right and people use the words shift left all the time but in the military that means left of bang get in front of bang bang is the thing that happens that's bad you want to be left of it which is before the bang happens and so you know getting in front of of the bad thing can only be done because you can take massive data sets and analyze them and so the key thing is and we had this mantra at forester you have data you get insights but you need to take action and too many people take the ai world they get the data the insights and never take the action if you aren't taking action it's not useful so empower your ai to take automated actions because in general the automated action they take is recoverable a a a ransomware attack a data breach they're really well especially data breaches once you've lost the data it's non-recoverable you can rebuild it but the data is going on forever you can never get it back you can never eliminate the impact and yeah the market will self-correct but but that doesn't mean it wasn't a bad thing that's just an excuse to to say ah data breaches aren't a big deal and with a minute left let me bring this over to scott i'm going to give you the last word as lawrence o'donnell says on his show uh scott what excites you about the future of ai and zero trust as you work with your companies i have a six-year-old daughter and i hate when she comes back from school and somebody pushed her over like a bully so i don't like bullies and i look at these criminal actors and some of the nation state supply chain attacks which breaking international norms by any stretch of the imagination i'm pissed and so what excites me about ai is that it's the it is the great equalizer for the good guys because we can put way more resources as good guys towards these problems than the bad guys can they've got a tremendous number of resources they work together extremely well some say even way better than we do as good guys but when that when we start to actually scale ai properly and we actually get good and put our heads together on this as a human race we can figure this out and ai could be the tool that actually it it's a tool it's not an end state ai really doesn't mean anything and you know we didn't have the conversation john next time we will but it's just math and if you use math properly you can scale and you can do awesome things against the bad guy and that's why i'm excited about ai i couldn't agree more scott um thank you and john thank you so much uh this has been a really fun and compelling conversation and it's been my my great honor and thrill to host both of you guys uh and and to have this conversation with everybody thank you for your time today thank you you

2021-06-24

Show video