Cybersecurity's Past, Present, and AI-Driven Future
43:43 Share

It's time to hand over cyber security to computers.

Entropy is increasing. They are more apps, more entitles and more actors every single year.

Its exponential growth in the number of public breaches, the size of the breaches, the damage in the breaches, vendors still exploding.

How can they watch out for a bank run that's ordinated by a deep fake campaign?

If this is indeed feed back, this is probably not the only thing they did in that .

two year period. In twenty twenty two, eight point eight billion dollars was lost by consumers alone in the U.

S. How can we build compound businesses from day one? How can you actually build up platform from day one? Even though you .

start who does security?

Nobody does security. The costs launch of this information campaign that AI generated quickly approaching zero.

Now that cybersecurity industry commands a markets of hundreds of billions of dollars, it's easy to forget how this industry was seized to exist. And in a few decades of rapid growth, things have changed a whole lot. So in today's episode, we will take you on to our through the history of security, which can be disentangled from the history of the internet and culture.

This episode was actually recorded at sixteen years camp. Our sessions event, April or infrastructure team frighten some of the top security minds in the industry. And just like any good campfire session today, you'll hear four people talk candidly about what's really keep in out the night from what really happened with the x utils attack to new A I threat vectors that are already impacting companies to empower ing overwork developers and a lot for those both inside and outside the security community.

I hope this episode is a helpful reminder of just how much is change through the year for both offenders and defenders of time sporting computing. So with that will start with travis peak, go founder and C E. O of resources. You'll walk us through how we've really got here. Let's keep things off in one thousand and ninety five.

As a reminder, the content here is for informational purposes only, should not be taken as legal, business tax or investment advice, or be used to evaluate any investment or security, and is not directed at any investors or potential investors in any exigency fund. Please note that a six scenes year in a zoho az may also maintain investments in the companies discussed in this park. Recast for more details, including a link to our investments, please see a six city outcome slash disclosure.

Okay, face zero, the dark ges, the years one thousand and ninety five bilbow number one song gangers paradise, the box office number one was batman forever. And nostalgic. A, for the old people here who does security? Nobody does security.

IT was a totally different world. You have to realize that we didn't have much internet connectivity. Patching wasn't really much of a thing.

Vendors was basically like antivirus in the start of firewalls. Milestones of this dark just time. We have the first death con.

We have the first seso Stephen cats at city corp. So that year they actually had a breach where somebody stole money. And they said, this can never happen again without us having someone to go shop their head off when IT happened.

So this is the first see. So we get the first word macrovision s the first bug down. I came from netscape, as we will get to you, your netscape, to a lot of cool things that moved forward security.

And of course, the hackers movie IT was web one dot. IT wasn't an APP that you went dealt with. IT was a site that you came to. So this is apple site for ninety seven hackers are like these dng people is not like an actual job.

One of the things that really moved from this to the next space web browsers went from, like that apple thing that I just showed you to a place that you go to business, let's scape. Made a lot of those things possible. So they brought forward S.

S. L. They had the first smug bi. They were putting forward a standard of how are going to build up apps on the internet. That standard was java script.

At the same time, we had jba, which was one of the first ways of building ups on the internet from an older company called sun today, known as a facebook checkpoint, was founded in one thousand nine hundred and ninety three from somebody that came directly out of adf and used all of the stuff that they learn to produced the web application firewall. Okay, phase two security is an actual thing, but it's a function of I T. So the year two thousand one, bill board number one is hanging on by a moment.

Box office number one is Harry potter and the source is stone, who does security? IT does security. So context here, this is the start of when we get like big hacking.

So it's not just like a thing that happens once in a while. Businesses have all either moved online or or rapidly moving online. Vendors now is in a bias, firewalls, systems management milestones.

Here, microsoft engineers coined the term equal injection in ninety eight. The first big internet worm that made IT like bad for business was code red. The first patch tuesday was in two thousand and three.

And I don't know if anybody is old like me, we had this y two k thing, which actually like complete nothing burger. But what was interesting about IT is we cared enough about computers and what they do, that we thought I might be a thing. So one of the changes here was bug track and full disclosure.

So back in the day, we had mAiling less bug track, people would send security vulnerability reports and vendors are basically do nothing with IT. They just sit on IT forever. And so there was this big moment at the time full disclosure, where it's like, okay, well, we're just going to put IT, like the full gory details of this thing, enforce action from vendors and then that LED to regular patching cycles.

So microsoft quickly copyright that we also had the first web application security tools. So this is nico and old one from two thousand. One was kind of open story. But this is the beginning of these tools being broadly available. And this is the beginning of what I call the tail wagging the dog when IT comes to vendors and security.

So from some of the folks I talk to you, we basically have these new attackers s and the buyers, in this case IT, were very uneducated about how this works. So it's like you need to have your web port open and needs to be git open. And I can get in and compromise you through that.

I T to understand that very well. So vendors, how did you their part to come and to educate the I T buyers that this is possible? What this look like was basically, I just completely compromised all your systems.

And they said, how did you do that? And then you explain why this web application security is an actual thing and why they need vender solution for IT. Alright, phase two is the risk sign off function.

So the year two thousand four billboard number one is yeah by usher a little john box office is tracked to. This is what phones look like. By the way, these phones will last longer than you will.

These things were like, basically instructive. Who does security? Now we have a security team that does IT.

So this isn't just like a thing that like IT does. IT was some other time. So this is when we start to get the beginning of traditional security activities.

We have microsoft basically get popped in the mouth and they need to do some stuff differently. Tech companies start hiring people that are actually called security vendors now is exploding. So we have in a virus firewall, still email security, web application firewall, dust and SaaS milestones.

Here we had the first use of the term crossed that scripting again by microsoft engineers, oasis, founded in two thousand. One, the first use of the term shift left. I actually thought I was much more recent, but this is a very old term.

And then socks regulation was, I think, the first compliance standard that actually Mandated some security activities. There was a growing community of folks that we're really interested in web security and all what's possible here. And mark kerf, I started this group called o op to basically make this knowledge more socialized so that people knew about IT.

One of the first projects in OS was the OS top ten. And that immediately became like, how can I get my vender shit to be one of the top ten things that people are buying? So this is not get more tel waging the dog.

It's like, oh, my thing should be no in the top five for sure because it's going to help us sell a lot more of IT. Now we have the beginning of the big internet t arms. So at the time, windows basically didn't come with any firewall.

You'd started up. You would get immediately compromised by stuff. The worms here. We're costing a lot of money. So we had like attacks, like a mafia boys dios, in two thousand trip down, like more than one million of the five million us. Servers and costs and estimated two point six billion dollars in damages.

And so for part of this, basically microsoft have these big customers that we're saying, like, hi, we're just getting killed because we're using windows and then this LED to in part to trustworthy computing. Basically, we need to see the light. We can't just keep doing business as is.

Bill gade saw a very early version of a book that microsoft folks were writing on the security practices and basically that LED him to say, like we need to completely change what we're doing. We're losing trust with customers. And then that was the beginning of what we considered traditional security activities.

Today we have throat modeling stride. All these things are being birthed around this time. We also get more compliant.

So P, C, I D, S, S. Version one was written in two thousand four. This Mandated security activities.

Again, vendors are trying to get themselves into the standards so that they can sell more product, right? It's like, okay, what if you're onna deal with payment card data, then you need to do web skinning, for example. Proof point was in example of one of the companies here.

This is founded in two thousand, two still around today, very successful by email security, right? So as soon as you have email being used as widely as IT is today and we also have email viruses, okay, we're going to need in something to a filter out spam and viruses. So proof point started that and then also improve A A big web application firewall is also still around today.

okay? Face three is dev sec kops to the years twenty and thirteen. Bilbo, number one of thrift shop box office number one is iron men with a security. It's everybody's job.

We've collectively decided that basically, security doesn't scale like we've been this sign off function that you have to do with security before you ship your product for the year. And now we're moving to cloud and we're doing continuous deployment and security like I don't know when I do these assessments anymore. So what we do is we basically to take every single developer and tell them, guess what, good news, your security person now.

So we're also getting more and more mega breaches. If you look at the numbers from this time every single year at exponential growth in the number of public breaches, the size of the breaches, the damage in the breaches, vendors still exploding, so E D R, extra firewater detection, all the posture management's deb training bug, bi milestones, the first use of the term dev psych ops s is actually in twenty thirteen. And we have the first C S P M, which gave birth to a massive posture management industry that we have today.

We start to see no before, right? It's like we're going to train developers. Continuest sly developers are going to learn about all of the types of cross size scripting and equal injection with one day, like once per year of training, where they learn IT, then they have immediately forget at the next day.

We also have big bug bounds. So crowd sourcing more and more vulnerabilities in the hopes that the attackers aren't going to use these things to cause massive breaches for us. So much posture management.

So the first was called security posture management. Evident was the first company here. Netflix state also created security monkey, which is basically the open source post management.

And since then, it's just like posture management just exploding all over the place. We have upset posture data security posture management. I don't see posture management S S P M like whatever that bottom posture management is just so much posture management everywhere.

What these things are really good at doing is like going in finding problems after the arty deploy, right? And then you have to go do something about IT because just knowing about risk, you can just tell your boss like, hey, okay, well, here's all the risk that we have. They're going to want you to reduce IT somehow.

And so what we moved to, since this is now developers on our security, is we rip a bunch jury tickets for them when we call IT today. So we also are getting, at this time, job shortage. The first time the job shortage news articles was in twenty fifteen and early twenty sixteen.

We're short of million jobs already in two thousand sixteen, and this is just just piling up more and more. We don't have enough security people to actually do the work that we need them to do. So where does this leave us?

I think that we're entering a new phase face four of security where basically telling developers it's your job, you fix security all the time didn't particularly scale well. I think that, that's becoming very evident today. So years twenty, twenty, blinding lights is number one.

Box office is bad boys for life. Who does security? I think systems do security. What we're doing doesn't scale. We have developed fatigue.

I've hear people tell me all the time, like all we take the posture management and then we just filter out everything is not higher critical. And then we ship those geotek ts to developers training relentingly. Obviously, that doesn't matter how many times we train developers on, like all the secure injection types, they still don't remember IT.

And really, they shouldn't have to. So milestones, one of the projects. They really inform how I see this as limor, the nef lex released in twenty and fifteen. Google launched their identity where proxy in two thousand seventeen, chrome at a password r manager by default back in twenty eight.

And clint gubler, one of my friends and somebody that has done a lot of work in the space, did his talk in twenty twenty one called how to eradicate vitor ability classes. So limor, when I got to ethnic IT, was in twenty seventeen. And I remember just being blown away.

How easier I was for our developers to just get things like certificates without having to select to cyber sweet and pick ypo parameters and rotated and store your private key security IT would just made IT like dead simple. And the benefit of this is that helpers never have to learn about clipt or anything. They just get up for free.

Google has done just probably more work than anybody here. So we're going to upscale people to H D D P S automatically chrome updates itself, which became standard for many other pieces of software. We have these basically like impossible to mess up.

Go lang libraries to handle lot of security things. And actually, my mom sent me this article recently. Mom, so funny.

He knows that I work in security and sends me like everything that has security in and out of wall street journal. And usually it's like something either happened three months ago or it's got nothing to do with me. But this one was written by Larry ellison and it's not very old.

His point is it's time to hand over cyber security to computers, basically just release lesly, hounding the users and like trying to get the users to be smarter. Like IT doesn't work anymore. What we want to get is developers back to just writing up code, like working on the business.

I'm not having to be like security people all the time. So today, if you think about IT, doves have to burn down this never ending pilot, eric tickets. This causes annoying with the security team.

If you had a friend that showed up when they wanted you to do something, you're probably going to start boarding that friend. And we're getting a ton of that. What if instead, if they just use systems, they made good security choices on their behalf, and forget about all of this, like training relentlessly all the time.

So conclusions, I was part of this move from like waterfall to continue us, and then saw this, we just keep stuff onto our developers play, and then saw developers learn to present and avoid security more and more. I think what we should do instead is help them out. Like the very, very busy people.

We should build a system that makes IT fast and and easy for them to go do something they wanted do, and then has security victims the side effect. So it's like when you want your dog to take vitamins, you don't just put vitamins in your hand and offer them to the dog. You put the variations in the peanut butter, and the dog wants the peanut butter. And dog is the variants too. I think this is what we should be doing for our developer users.

Speaking of needing to make things easier for a developers, let's get a sense of what these tags can really look like.

Twenty to me for now, usually in the talk, I like to talk about solar winds, but we actually have a Better example that was gifted to us, the x you feel the attacks, so everybody hear, heard about this by now. But this was some group likely, I think, back by the state that infiltrated an open source, did a compression project called x til.

That was for us, a books, D, J, founder and C, O of socket. So X, U, tales has taken the security industry by storm since IT introduced the back door via open s, which is a critical piece of infrastructure used by millions of servers around the world. Let's hear from for us regarding what really happened there to get a sense of the kind of security offenders were now dealing with in twenty twenty four. I can involve multiple years, multiple contributors, social engineering, the potential first state actors and more.

The way that they did this was just so interesting and it's something that, I mean, look, i'm sad that IT happened, but i'm also like i've been telling you guys about this for so long, I of I satisfied in a way. Finally, here's an example that really caught the imagination of. So what happened here was we had a group like, as I probably stay back, winning over the contributor of the project over several years of work.

So that's like a scale of time, invest in this that we haven't seen in other attempts like this. And then they introduced a sophisticated, though not fall this back, that was aimed at compromising as stage servers. So it's a pretty multilayered vulnerability.

There were multiple personas involved for identities that hadn't been seen anywhere on the internet before. So that kind of is another indication that probably this was someone relatively sophs cared. This isn't just someone doing IT for the lows.

And so probably suggested kind of state back actors here. And then just the way the timeline and kind of some of the stuff that they did also seem indicate that might be like the same people behind solar winds, probably. But again, this is all just kind of speculation.

I want to kind of go into a little bit. You can see just the character of what this attack kind of looks like. So this is individual who ended up committing and releasing the the malicious code.

And this is his first email patch to the main list where they do the development for this project, x utils. And it's interesting. This is just kind of A A totally pointless patch, right? This is like the kind of thing that is a maintain you get all the time someone just drive by dropping in an editor configure file, which is basically does nothing right.

It's a no up in terms of the functionality for project and often times cds from people who just want to get to be able to say that they are contributor to a project that doesn't require any understanding of the project. This is just noise, but you can see their first attempt to kind of get involved in the project. Then they sent another patch a month later, fixing some kind of build problem.

And they also sent a couple of more patches after this one, all totally ignored by the maintainer, who at this point has been maintaining this project for about fifteen, maybe twenty years. This is a long time project. And the guy running IT is just at this point, it's an mainland mode.

It's basically he sort of burned out, he sort of kind of half maintaining IT checking the male in this once in a while, but really not actively working on this anymore. So it's something that a lot of maintainers go through. And so then finally, the maintainers is like, I think three more months after the last email, we see that the maintainer just randomly comes by and merges a couple line change to the project.

That is, the first code from this g 1 individual is actually included the project。 And what I think is interesting about this is all of these other patches were ignored. The patch who emerged as this like trivial two line patch that you can just look at and kind of as an overloaded maintainer, you can look at this and sort of figure out what it's doing and what IT fixes a bug.

cool. Let me just merging and move on. The bigger multi hundred nine pages were ignored, right? Typical, also typical behavior for overloaded, maintained, right.

And then a couple ones go back. And now we see a new character. Enter the picture, this guide, AR kur, and kind of a few emails complaining that some of g otz.

Patches weren't landing. This is often used to pressure maintainers to include code in projects. Patches spend years on this, mAiling less.

There's no reason to think anything is coming soon. So aggressive, right at this point. Remember, his arty landed a few of the patches, but the pressure is building here.

And then this is insert project name, don't maintained. That is the brain of a maintained in's existence. It's the mess kind of issue.

You can open up on a project in my ethie. This has happened to me many times. I had a couple screen shots here.

Is this still being developed? And like on a perfectly active project because their pr wasn't looked at for a little? Is another one on one of my projects? Is this project dead? It's not nice. Don't do this, people. And I think one of the interesting things about this whole situation is that this is another one of the things i've seen change in the way that open source is done is traditionally we think of a project like linux or wordpress or are these big foundation back projects they have the structure appeared at the top where you have one project, one entity with many, many maintainers that are participating in the project.

A lot of times they are paid by their employer to even work on the project and to simmer patches as part of their day job, right? But we see a lot more of as we've shifted into this world of many, many, many dependencies. Lot of tiny dependencies is more of structural like this, where you have an individual with hundred and potentially hundreds of projects that they take care of.

And that was the case here with lacy collin. He had multiple projects that he was managing as an individual maintainer. okay. So let's continue on to this is three months has gone by, he replies, he apologizes for the slowness and he also adds in a bit about how to attend has helped him off list with xe utils.

So probably we have some kind of chat conversation going off list now and they're collaborating more closely, building up the trust. And he says he might have a bigger role in the future, at least with xc util ls. It's clear that my resources are too limited and something has to change in long term.

So the kind of idea has now been planted in his mind that he probably should give access to somebody else to help maintain the project. And again, this all sounds in various because i'm doing you going to talk and I have slides up here. But this is also open source working correctly.

This is thinking about, oh, hey, maybe I am not the best maintainer. If you should hand this off to somebody that's prety Normal as well. At this point, nothing actually in the furious has happened.

By the way, there is no bad code that's been included. This is just being the foundation he see a couple weeks go by. So now we have this character, giga kur, who enters, and this person's much more aggressive and really starts to apply more pressures.

So go over one month and no closer to being merged. Not a surprise. So like dropping in the threads to just sort of neg the maintainer and kind of making feel like is not doing a good job.

Progress will not happen until there is a new maintainer. And then they maintained friendly replies and pushes back and said, I completely lost my interest here, but i've been having some mental health issues, and I have a lot of things going on in my life. But again, maybe g ten have a bigger role in the project.

And so a few months after that, last collin merges is the first commit with g attend as the author, you can see here, and they actually are listed as an auto. This is a pretty innocuous change. And then again, the pressure continues from degar and denis to this other a persona that are both.

They are really just support the idea that g should be made a maintainer. And you can see here, you ignore the patches that are rodding away on this mAiling list right now. You choke your repo.

Why wait until five point four points there to change maintainer? Why delay what your repo needs? right? So applying the pressure. And then again, though, the last one here is great.

Like I can you commit this yourself? Yeah, I see you have recent commits, so just kind of pushing more and more. And then finally, lacy says, again, ja, tn has been really help love list.

He's practically a cotinine already. And then finally, this is the first email about two years after the very first interaction with the mAiling ing list, where jet ten is actually now doing the release notes for the project. He's been made a maintainer. This is the first release going out. So two year kind of effort here.

If this is indeed statement, this is probably not the only thing they did in that two year period, right? Probably have other things going at the same time, right? So we couldn't overreact in a steam that linux is like totally back order, anything like that, but also like probably this isn't the only thing that these folks were working on, right? So the truth is, like somewhere in the middle here.

sophisticated offer pleaching attacks are not the only ones on our hands in twenty twenty four. In fact, the xu tells attack was performed really without A D so let's here from come in T M, bound CEO of double wrong, the way that A I is introducing new throp actors and already impacting real world, says in twenty .

twenty two, eight, twenty eight billion dollars was lost by consumers alone in the us. We've had three, nine billion credential stone by bad actors that same year. And the cost launch a disinformation campaign that AI generated quickly approaching zero. So if you've seen a lava s that are currently pitching about how we can make A E genre videos or we make IT generate AI voices, right, that same sort of stuff is going to the bad gas as well.

And so how are we seeing this manifest today with real world people in real al businesses? So one common scene that has grown super quickly just in the past couple months has been emergence of a lot of deep fake videos, specifically deep fake videos of individual personas. IT could be tailor. Swift could be travel healthy, could also be your C, E, O, and could be your financial institutions chief technology officer. And so what we've quickly been seeing here, right in terms of the landscape, is more and more deep.

Fake videos s being produced in the exact same way, models being trained in a very similar way, the voice being generated in very similar way, and the intention of attack being Operated very similar way, all across different platforms, whether it's youtube, tiktok, any sort of video platform out there were already seen deep fix emerging. This impacts a whole bunch of different sort of individuals, whether its business, whether the celebrities uh, or even political campaigns. Of course, big federal election this year, it's top of mind for everyone.

The good news already happening, and we're seeing IT happened across a lot of different platforms. So I think the biggest thing here that is like this is not necessary tirely novel attacks, surface strider or entirely new thread, right? We've always had social media, we've always had video platforms and we've had bag ags try to create the content to achieve certain means.

I think the main lesson here in terms of what we're seeing is that IT has become a lot easier to do and suggest there's entire markets around fishing kits and there's entire markets around cybercrime in general. We're going to start seeing and we're already seeing that same sort of stuff come around with deep fake technology and impersonation technology. And how do you personalize attacks more, more for your your target victim? I think the biggest thing too is that we're seeing this not only to run scams, but ultimately the surface impacting businesses at large.

Actually just want to talk this morning chatting with some big banks out there. And one of the biggest concerns for them is how can they watch out for a bank run that's orchestrated by a deep fake campaign. We've even seen this effect.

Companies outside the financial sector where a pharmaceutical company had a and personal talk about how ages can be free now and saw that impact the stock Price very, very quickly. It's it's again stuff that has happened before. But what we're seeing in twenty four and what we're expecting in twenty, twenty five and beyond is that this just gets easier and easier to do. And IT gets to the point where IT makes IT really hard to tell what's real or not online.

And it's not just defects. Here's a completely different approach.

This one is A S C O poisoning case. So specifically something that we seen out there a lot for airline industry, finance industry, any industry that has customer support, phone number of things like that, right? We've got the tradition as as you a poison attack where people find a way to get content Operate for any given company.

And what's interesting is basically how well can people start do this and twenty twenty four or seeing a lot of things happening today that they're putting IT on these third party sites that do have great drain ranks, things like microsoft could be linked in. We've seen a lot with hub as well, course and web flow, other platforms like that. And so they're taking adventure, the fact that these are legitimate third party sites with great domain health stuff that google will quickly up rank or any other search and will quickly up rank and they're generating content and conversations on forms.

For example, how do I speak to a live agent at united? How do I speak to live agent at uber? right? And what we see happen here is there a generate a bunch of the spam content across these different third party forms, get them all up and and get them all to dominate that first page of search results. And again, it's just a classic case of, well, they would have stripped this right and generate content. Now they can make a more dynamic with A I and generate A I specifically.

Of course, it's not all dooming room with every opening on offence. There's equal opportunity for defaults here is under so fancy founding C, U. Of luo take us back to when we started in this episode through a historical arc that brings us to a digital era of autonomy. So what do we do now that we're in this new era? And if you happen to be accompany higher in security professionals, should you be thinking about things any differently?

I just want to take you a little bit on a historical journey. All right. So the funny thing is, if you look six years back, we are all ideas. So there's two types of factories. There's a product factory and there's an idea factory.

So what the product factory is, is usually where the cars are born, right, or where windows are made and where the idea factory is, is where we create and design those cars, right? And especially the idea that changed in the a recent years and changed like two years ago, again. So the idea factory looks something like the office, or more like, you know, in the sixties, on the sixties, fifties, there were no computer, so was a really interesting.

And we mostly use typewriters and pen paper. So then a computer came about, and we digitized the office. That was kind of the first step. I B, M, S, A P, oracle, microsoft, old big companies came about and digitize that. So I was step one.

Step two is we cloud fied? I guess the office, I was like a sales force, they kicked IT off and workday and at last, and those are the first cloud company, is so suddenly were in the cloud. So where aw s was born, I think two thousand and four, two thousand and five, that's when we cloud fied IT.

Then something interesting happened as we made IT collaborate right work day is not really collaborate either a sales force, but then suddenly zoom, slack, fig ma, air table, all kind of great companies came about in the two thousand and tens, and suddenly IT became very collaborative. So I was, I was the third change that happen in software, which is pretty ool. Now what changed in the last years as we move from just digitizing in IT to cloud to collaboration, to autonomy, right? So we are creating more and more autonomous software.

And I started, honestly, for the first time, with something like a grammy. L Y. They're like, more like of coal pilots that help you do a job Better. Even I get up this is get up copilot there in the middle. They are not fully autonomous, but they help you do your job Better.

The big trend that we're seeing right now is especially open a eyes bringing out at the end of the year reason models, second reason, and they can initially talk with themselves. And the certain things are really spooky. And we've seen this as well, like devin, that's kind of a new kind of type of software engineer and A I software engineer just like basically codes themselves.

So we are moving from grade ab copilot grammy to actually systems and services to build things themselves. So that is actually a whole new paradise that's changing. And we're like, okay, shoot, how do we equip by ourselves for that? So to summarized, actually that kind of three waves I just call them to, the first wave is the legalization.

The second one is a collaboration. The third one is the autonomy. And now we had the third one. So the interesting thing is that i'm thinking about on a daily basis is apps and access.

Because you think about everything that you are using, those are apps we on zoom and on slag, then we go in S S H into a server, which is also an APP more less than we use get up. So everything's apps absolutely erly our live blood. Without apps, we can do things.

The question is like, you know, I think that we are security professionals need to ask ourselves more and more is how are we gone to manage all those apps uh, with more, more service accounts coming up right, and with like software doing the job themselves. So how do we deal with that? So I love the metro framework. I really love IT.

If you think about identities, they're certain identities on different, so marketing as their identities, right? Marketing ops demand content, customer success has the attracts in each station is a more or less and application or like an entitlement, right? And some of those overlap, right? So for example, customer success and sales overlap maybe in sales force, then design and marketing overlap in fig ma.

And then especially engineering, they're probably like multiple engineering departments if we zoom in and they overlap when IT comes to a especially an entitlement level, different permission that they have access to. So now the interesting thing is that people, which are more those waggons, they jump from one station to another, and each station again, is an apple entitlement. And why I think that this is interesting is, right now, how we think about the world is a world of our back.

Quick interception here. For the uninitiated, rbac means role based access control. So instead of assigning permissions individually, you're granting them based on arrow.

Our bag is not moving stations are bac basically means do you have marketing person and you have access to everything on this marketing tear, even though probably a lot of that stuff you never use? And sales or engineering is especially spooky engineering. You and developed, you have access to all customer data because incident might happen and you need access to IT.

Now on top of that, we have all those service accounts coming up and soon autonomous actors agents coming up that will also, if we still use our bag, get access to all of those things even though they don't need IT. So the concept is i'm a metro station and I need each promotion and taliban just for a short amount of time. And I think especially as complexity raises.

So we we are going from like a hundred actors to a thousand to ten thousand. And although the apps become more complicated, so instead of having just one or two or three metro stations, I will have thousands of metro stations because I can get have access to know ten easy two instances. And just like the granularity and the cloud in the snowflake is going to become more and more and more railer.

The questions like how you wanna managed that? What's the new paradise to manage that? So when I believe how we need to rethink things is security was often seen as analysts, right? Actually, security started as hackers.

Security people were, those people are hacked the networks. And there were the people that were deep in linux with assis ads. And actually most security people were sis ads before, because there was no unity thirty years ago.

And there were two hackers and sudenly, all those kind of great solutions came about, and they said, here's alert. There is an alert. Here is an alert.

And we're onna. Learn about all these things and you can remediate IT very easily. And so I feel like more and more security became an Operating department.

Some thing happened to I T. IT. Used to be the hackers.

And slowly, but suddenly, they became ticket resolve. s. Security became a little bit of alert. resolve. S IT became ticket resolve. S, and I think the new paradise, the unity to think about as we're thinking about entitlements and access as a metro station security and what needs to see themselves as the architects of that metro station more or less, and you know, what develops and infrastructures to full stick teams. So I think the same thing we need to think about I T N security.

I T N security need to become, so to say, infrastructure teams to each department, right? And this kind of moves us back to the security, actually hiring for engineering rather than analysts, especially also, you know, as they I will probably automate most of the analyst work. So that I think a very important inside is when he comes to career development as IT comes to what what type of profile you need to hire and especially engineers and analysts, and building on top solutions that you're buying is very important.

So basically, the premise in this first act is software is becoming an autonomists. IT enables us to create more and more. Because of that, entropy is increasing.

They are more apps, more entitlements and more actors. And so what needs to changes security needs to handle this infrastructure with some type of technology Operations, with some kind of technology infrastructure. So I think that is kind of one important change that we need to see as as this whole market changing.

Now he is a second thing. It's a about startup spider, the way this is like, kind of an appeal to all my entrepreneurs. I believe that we need to build compound businesses from day one.

So what does that mean? So security ceos probably have this problem, that they need to use fifty different tools. And actually last two years, especially as the economy has gone a little bit sesas asked themselves a lot of in terms of like, how can I consolidate and that kind of suck for startups.

At the beginning, I would say something like, okay, we're starting solving this unique pain point but then see so so like yeah but you know I have eighty vendors to manage. And so the question is that I ask myself a ton is how can we build compound businesses from day one? So how can you actually build a platform from day one even though you start up actually counter of people say I need to consolidate that you start actually can consolidate.

So twenty twenty three, the top three priorities for c exos was vender consolidation, optimizing SaaS licensing because of course, you don't want to let people go. You right? I want to kind of first increase your software spent.

So what does IT me for entrepreneurs? The question for entrepreneurs is like, how can able the compound business from they want? We seen this actually done well across many companies.

I think da dog is an awesome company that this is super well more in the develop site for long time, right? They had one product, and then actually they switched and became this kind of layer product for anything observably. With its security observably, infrastructure service ability, application service ability, they were able to build a compound product. And fig ma rethought this whole kind of process of before there was sketch, was the plan.

And what basically fig ma said is like, what is the underlying concept that's the same and across all of those? And how can I build a solution to covers at all? And I think, by the way, the whole kind of thing that we've seen in here is that we had first, a bungling era, by the way, with microsoft, oracle and S A P, people didn't have a lot of applications I said like oracle is doing at all.

That was that at the beginning. And then slowly, with like cloud, especially aw s and asia made that happen. Cloud became so approached by everyone that suddenly, you know, we had all these collars, ation tools come up. I do think we are changing back to an industry of rebundling, especially as we.

Have this autonomous wave coming up, I do believe, I mean, like this is actually a great example of that, is they started with that kind of a point solution, but spread out very aggressively and build a compromised very quickly. So how you to complexity? And then the questions like how much did they protect my insider threat in some way? why? Because go back to the metro station, if they develop access to everything, suddenly this intruder can, just like hop from one station to another, do harm.

So how can we make sure that this kind of Justin time only when you at the station, you actually can have access to IT. Now that gets kinds hard with like millions of permissions. So what I believe is going to happen, and this is something that we are really working on right now with models that come out of the reason.

Basically, I think miles will be able to reason Better than our security analysts in terms of what a certain role should have an access to, right? So basically, an agent on your identity access management system will look into, okay, we had two new tickets where these engineers needed access to this type of databases that live in north america. People automatically ally, update your roads and downed your roles, or at least at the begin, be a coal pilot for you, and suggest, hey, this role should be updated in this way, or those two roles should be merged in that way.

So this is just like a case study where agents will have a huge impact. The bigger story, I think, about security is, is that is enormous complexity and risk. You can never reduce risks to zero.

The cool thing is, if if you move more to an engineering mindset, when you actually find tune your agents and models on top of your infrastructure, you will be able to solve certain problems that you were never able to solve before the rag will look into. okay? Is this privileged access? So basically, the I will be able to think about, you have a million permission, how you gonna tag, whether permission is actually sensitive or not.

IT doesn't always say read only. IT doesn't always say ad access. So the A I will be able to understand, what can understand if that permissionless sensitive or not, right?

So you can reason, okay, this person has privileged access or not, and then this person can also reasonable role and animals, oh, man, you know, you are in sales and you have access to this, right? access. And, aw, yes.

And no one else on your team has that access. So basically, you know, a regular as themselves is how briege is this permission, right? What is you use IT in that permission? And is anyone else that has similar H.

R. S. character? Is six. Do they have that access? And you can already do this now pretty easily, right? This is like kind of more it's not reasoning themselves, but you kind of guide them to go through our steps.

That's what chain of thought means. And the last thing I want to say is like the cool thing about access is IT can be preventative. So he is one thing that we already doing.

If you create a ticket in gera, or if you create a slack message and say, like, hey, can I get this access please in a public channel? Oh, I can detect that you ask for access. And usually the worst that can happen is like back channel access.

What that means, someone gives you access without following processes. Now you can alert yourself that this happen, oh, this person got access without approval. But the Better ways to prevent that from happening in the first place, I think the main take away is there will be lessening less analysts because agents will take over and you need to upscale them to become more engineers or even prompt engineers.

That's going one big thing. The second big thing is, think about now like the world is changing so quickly, what you can do is what you can demand from vendors or what you, as an entrepreneur, can implement when a system can reason by itself. That's the second thing. The third thing is, I believe, because I am passionate about the industry, is that the scope bal identity .

will increase .

over the next couple of years more and more.

All right, that is all for now. Obviously, security is always a room target, a catch, mouse chase through progressively more complex train with more complex tools on both sides. Now if you do have any suggestions for future topics to cover, feel free to reach out to us at pop pitches at asic sense at cop and if you did like these exclusive exerts on my asic N E campfire a sessions event, they should leave us view at rate this podcast 点 com flash intense。 I'll see you next time.