WEBVTT - AICAD: Artificial Intelligence Capabilities For Attack & Defense 0:00:00.880 --> 0:00:05.040 Unsupervised Learning is a podcast about trends and ideas in cybersecurity, 0:00:05.080 --> 0:00:09.960 national security, AI, technology and society, and how best to 0:00:10.000 --> 0:00:17.520 upgrade ourselves to be ready for what's coming. So I 0:00:17.520 --> 0:00:19.640 want to talk today about how to think about AI 0:00:19.640 --> 0:00:23.200 and cybersecurity, and specifically how to think about and what 0:00:23.239 --> 0:00:27.360 to build regarding AI for cybersecurity. There are a million 0:00:27.360 --> 0:00:30.159 different directions you could go, and you only have so 0:00:30.160 --> 0:00:32.159 much time and so many resources. So I want to 0:00:32.159 --> 0:00:35.400 give a possible direction here. So I want to frame 0:00:35.400 --> 0:00:39.760 everything today by asking and answering two questions. One, how 0:00:39.760 --> 0:00:43.440 does software and security change when we add agents, and 0:00:43.440 --> 0:00:46.800 how should we prioritize our efforts on adding AI and 0:00:46.800 --> 0:00:50.120 agents to our cybersecurity program? So these are the main 0:00:50.120 --> 0:00:52.279 ideas I want to talk about that. I'll kind of 0:00:52.320 --> 0:00:55.600 bring us around to answering those questions, and these ideas 0:00:55.600 --> 0:00:57.680 build on each other. So we're going to take one 0:00:57.680 --> 0:01:00.600 at a time. The first one is the concept of 0:01:00.760 --> 0:01:04.200 intelligence pipelines, which is a way to visualize workflows within 0:01:04.200 --> 0:01:07.440 a business. Second one is Theory of Constraints, which talks 0:01:07.440 --> 0:01:10.759 about how systems struggle to do things at scale and 0:01:10.800 --> 0:01:13.560 like where the blocker is. The third one is something 0:01:13.560 --> 0:01:16.560 I call AI state management, which is how I see 0:01:16.680 --> 0:01:21.080 I actually replacing most software. And the final one builds 0:01:21.080 --> 0:01:24.640 on all of those. And that's the AI security attack 0:01:24.640 --> 0:01:28.319 and defense framework. So let's start with something I call 0:01:28.319 --> 0:01:32.720 intelligence pipelines. So I started thinking about intelligence pipelines in 0:01:32.720 --> 0:01:37.880 the context of how AI will replace human workers. So 0:01:37.880 --> 0:01:43.480 these are explainable visualized workflows that show how business processes 0:01:43.480 --> 0:01:47.360 require human level intelligence. So imagine like you have someone 0:01:47.360 --> 0:01:50.600 named Mark and they work at a company called claim. Right. 0:01:50.600 --> 0:01:53.040 And this is what his day looks like, right. He 0:01:53.040 --> 0:01:55.480 does all these different tasks that you see in this diagram. 0:01:56.200 --> 0:02:00.320 The brain icons are where his human action is required. 0:02:00.320 --> 0:02:02.760 And let's say this is a world without AI agents. 0:02:02.760 --> 0:02:05.280 So this is where this is human work. This is 0:02:05.280 --> 0:02:08.360 things that only humans can do. And Mark is a 0:02:08.360 --> 0:02:12.400 really good employee because he could do 124 of these 0:02:12.400 --> 0:02:17.079 claims per week, and he has an 87% quality score. 0:02:17.160 --> 0:02:19.680 And it's really hard to find people like Mark. So 0:02:19.680 --> 0:02:21.600 he makes a lot of money. They give him nice 0:02:21.600 --> 0:02:25.960 perks because they don't want Mark to leave, because 124 0:02:25.960 --> 0:02:31.680 claims a week 87% quality. So that's insurance. This one's 0:02:31.680 --> 0:02:35.359 for a medical company. This is called Badspot. And Badspot 0:02:35.360 --> 0:02:40.639 is a company that reviews moles in person using licensed dermatologists. Now, 0:02:40.680 --> 0:02:44.120 Kim is one of the dermatologists here, and she sees 0:02:44.160 --> 0:02:49.560 212 patients a week, has 92% accuracy. And again, it's 0:02:49.560 --> 0:02:52.320 really hard to find employees as good as Kim. And 0:02:52.320 --> 0:02:54.560 the key point here is that the only reason we 0:02:54.560 --> 0:02:59.200 have jobs at all is because of these blue icons, right? 0:02:59.680 --> 0:03:03.640 These blue brain icons are the specialty. They are the 0:03:03.680 --> 0:03:09.240 geniuses of like general human intelligence that somebody can do 0:03:09.639 --> 0:03:12.560 what Mark could do and Kim can do. Right? Is 0:03:12.560 --> 0:03:16.200 it a new spot? Analyze the mole. Was it dangerous before? 0:03:16.200 --> 0:03:18.720 You have to do these manual checks. This is human work. 0:03:18.720 --> 0:03:21.800 This is why we all have jobs, right? Otherwise, this 0:03:21.800 --> 0:03:24.600 would have just been like a script or automation. We've 0:03:24.600 --> 0:03:27.840 had programming and automation for years and years and years, decades. 0:03:28.639 --> 0:03:30.960 But there are certain things that only humans can do, 0:03:30.960 --> 0:03:33.119 and that's what these blue icons are. So I just 0:03:33.120 --> 0:03:36.840 want to stress that again, the only reason we have 0:03:36.840 --> 0:03:40.880 jobs is because somebody is paying us to be one 0:03:40.880 --> 0:03:44.520 of these blue icons. We as humans are inside of 0:03:44.520 --> 0:03:47.000 a workflow that looks like this. And I'm trying to 0:03:47.000 --> 0:03:49.440 get you to think of your job in terms of 0:03:49.440 --> 0:03:52.440 these workflows, because this is exactly how AI is going 0:03:52.480 --> 0:03:55.190 to think about your job, right when it comes to 0:03:55.230 --> 0:03:59.150 optimize it. Air quotes optimize. We don't normally think of 0:03:59.230 --> 0:04:03.310 our jobs or our pipelines or our workflows in terms 0:04:03.310 --> 0:04:06.470 of a visual flow like this. This is exactly how 0:04:06.510 --> 0:04:10.390 McKinsey is going to think about it, or KPMG or 0:04:10.430 --> 0:04:15.150 any random consultancy that comes in to optimize air quotes. 0:04:15.750 --> 0:04:19.789 Your company and your department and your team and your workflows. 0:04:20.270 --> 0:04:22.390 They're going to say, okay, tell me exactly what it 0:04:22.390 --> 0:04:25.349 is that you actually do. And they're going to produce 0:04:25.350 --> 0:04:27.590 some sort of visual. It's going to look something like 0:04:27.589 --> 0:04:32.550 this for your job. Your team's job, your department. And 0:04:32.589 --> 0:04:35.710 actually a collection of them will be your company. So 0:04:35.710 --> 0:04:37.670 you have to start thinking about this. That's why this 0:04:37.670 --> 0:04:40.430 is the first concept here. So this one's for a 0:04:40.430 --> 0:04:44.109 military intelligence company. So you have to look at satellite 0:04:44.110 --> 0:04:46.469 photos and do a bunch of analysis and then create 0:04:46.510 --> 0:04:49.710 narratives around them and write the report. So just like 0:04:49.710 --> 0:04:52.430 the other workflows, you see the different pieces and you 0:04:52.430 --> 0:04:57.390 see why they require human right? This is intelligence. You know, analysis. 0:04:58.029 --> 0:05:00.510 And Amir is the best at his job because he 0:05:00.510 --> 0:05:03.789 could do 12 of these assessments per week, and his 0:05:03.830 --> 0:05:07.390 accuracy is really high. It's 84%. This is an attacker 0:05:07.910 --> 0:05:11.990 organization based out of Eastern Europe. Let's say this is 0:05:11.990 --> 0:05:15.950 their primary attack workflow. Again, this is a company called 0:05:15.950 --> 0:05:18.950 cyber Attacks or whatever. So they find targets. They run 0:05:18.950 --> 0:05:22.830 recon tools. Again, these are things that manual security testers 0:05:22.830 --> 0:05:26.870 will have been doing for quite some time. And again, 0:05:26.910 --> 0:05:30.109 you can't just script everything right. You can script a 0:05:30.110 --> 0:05:31.950 lot of this stuff, but a lot of it requires 0:05:31.950 --> 0:05:36.470 the blue icon of human intelligence and human thought. And 0:05:36.470 --> 0:05:39.430 that's again why we are employed. So you've got to 0:05:39.430 --> 0:05:42.510 find and filter targets because they can only do so 0:05:42.510 --> 0:05:45.150 many assessments. Right. They got to run a bunch of 0:05:45.150 --> 0:05:48.310 recon tools. They attempt to exploit what they find, and 0:05:48.310 --> 0:05:52.750 then they try to do various tasks afterwards, like expand, uh, 0:05:52.750 --> 0:05:57.310 you know, get initial access, sell the initial access, you know, uh, 0:05:57.430 --> 0:06:01.110 gain persistence laterally, move things like that. So the core 0:06:01.110 --> 0:06:04.630 idea here is that human work can be broken down 0:06:04.630 --> 0:06:09.430 into workflows like this. Humans don't normally see things this way, 0:06:09.710 --> 0:06:13.430 but I can guarantee you this is how companies coming 0:06:13.430 --> 0:06:17.670 to replace you will see things. And unfortunately that's going 0:06:17.670 --> 0:06:21.350 to include your management. Right. That's going to include the 0:06:21.350 --> 0:06:24.109 C team and the board. They're going to be like, 0:06:24.110 --> 0:06:26.950 why can't we just do this with AI. So there 0:06:26.990 --> 0:06:29.429 are going to be thinking about how to make this 0:06:29.430 --> 0:06:32.750 kind of diagram for the work that you do, for 0:06:32.750 --> 0:06:34.630 the work that we all do. And by the way, 0:06:34.630 --> 0:06:39.510 like a year ago, uh, AI consulting. Yeah, this is 2024, 0:06:39.630 --> 0:06:43.550 I believe might have been 2023. I'm pretty sure it's 2024. 0:06:44.029 --> 0:06:50.589 McKinsey's consulting for AI was already 40% of their business, 40%. 0:06:50.630 --> 0:06:53.990 This is according to New York Times. So this thing 0:06:53.990 --> 0:06:56.390 is coming fast for us. So that was the first concept. 0:06:56.430 --> 0:06:58.910 Next one is Theory of Constraints, which a lot of 0:06:58.910 --> 0:07:02.550 you probably have already heard of. And it relates directly 0:07:02.550 --> 0:07:05.909 to the intelligence pipelines we just talked about. So the 0:07:05.910 --> 0:07:08.230 Theory of Constraints basically says that you should stop trying 0:07:08.230 --> 0:07:12.670 to optimize everything simultaneously, because not all problems are actually 0:07:12.670 --> 0:07:15.670 hurting you the same amount. It says the biggest thing 0:07:15.710 --> 0:07:18.870 hurting you is the slowest point in your overall workflow. 0:07:19.390 --> 0:07:22.630 Or as Goldratt puts it, your overall output is equal 0:07:22.630 --> 0:07:26.030 to the output of your worst piece, and that's what 0:07:26.030 --> 0:07:29.110 you should address first. My friend Joel works at OpenAI, 0:07:29.310 --> 0:07:30.910 and he works on a team that tries to figure 0:07:30.910 --> 0:07:33.790 out how to make AI benefit defenders as much or 0:07:33.790 --> 0:07:37.400 more than attackers, and we do a couple of 3 0:07:37.400 --> 0:07:40.270 or 4 hour walks a month. And one of these 0:07:40.270 --> 0:07:44.110 walks many, many months ago, he gave me like religion 0:07:44.110 --> 0:07:47.470 on this. In his mind, everything comes down to what 0:07:47.710 --> 0:07:51.750 Constrains attackers the most right now as well as defenders. 0:07:52.110 --> 0:07:56.630 And how is AI going to change or unblock those constraints? 0:07:56.630 --> 0:07:59.510 And his quote is attackers aren't constrained by a lack 0:07:59.510 --> 0:08:03.110 of access. They're drowning in access. Instead, it's the human 0:08:03.110 --> 0:08:08.390 labor currently required to exploit that access. That's the limit. 0:08:08.390 --> 0:08:11.710 Remove that and we are effed. And again, that's my 0:08:11.710 --> 0:08:14.990 friend Joel Parish. So think about that. We don't have 0:08:15.030 --> 0:08:18.030 a target problem and we don't have an access problem. 0:08:18.030 --> 0:08:21.030 We are stuck at the exploit phase. Right. And if 0:08:21.030 --> 0:08:24.750 you think back to those pipelines and workflows, you can 0:08:24.790 --> 0:08:28.550 kind of like put a little red mark around one 0:08:28.550 --> 0:08:31.350 of these brains, one of these blue brains, and you 0:08:31.350 --> 0:08:34.350 can actually make one of them red or something and say, 0:08:34.350 --> 0:08:37.470 this is the one that's really hurting us. Now start 0:08:37.470 --> 0:08:40.030 to think about AI. Now start to think about AI 0:08:40.070 --> 0:08:45.110 agents and saying, can we spin up 10 or 100 0:08:45.150 --> 0:08:48.710 or 1000 or 1 a million agents to help with 0:08:48.710 --> 0:08:53.270 this one particular spot, which, based on the theory of constraints, 0:08:53.270 --> 0:08:57.670 massively speeds up the entire pipeline because that was the blocker, 0:08:57.710 --> 0:09:00.870 that was the constraint. So thinking back to our pipelines 0:09:01.190 --> 0:09:03.670 and again, you want to think about what your pipeline 0:09:03.670 --> 0:09:07.710 looks like, right. For your productivity, your security workflows. Think 0:09:07.710 --> 0:09:12.030 about where they're currently constrained and how your constraints compare 0:09:12.030 --> 0:09:16.990 to your attacker constraints. Core idea here is to ask 0:09:16.990 --> 0:09:21.150 how AI will affect those constraints for both you and 0:09:21.150 --> 0:09:26.910 your adversaries. And once those constraints get unblocked, where does 0:09:26.910 --> 0:09:30.790 it get blocked next? Right. And how can we use 0:09:30.790 --> 0:09:36.670 agents to consecutively just keep unblocking or even apply the agents? 0:09:36.710 --> 0:09:39.069 I mean, kind of breaking away from the concept of 0:09:39.429 --> 0:09:42.270 theory of constraints, but you could kind of find all 0:09:42.270 --> 0:09:46.700 the blue icons and just say, hey, let's scale the 0:09:46.700 --> 0:09:49.940 crap out of this and let's try to increase our 0:09:49.940 --> 0:09:53.140 quality scores at the same time. So we were talking 0:09:53.140 --> 0:09:58.980 about 124 assessments previously. We're talking about 84% quality level. Well, 0:09:58.980 --> 0:10:01.380 if we actually have those metrics we actually have a 0:10:01.380 --> 0:10:04.699 workflow like this. We actually have a diagram. Well it 0:10:04.700 --> 0:10:08.080 just becomes a numbers game. Okay. Can we do a 0:10:08.080 --> 0:10:13.380 thousand assessments instead of 100. Can we take the 84% 0:10:13.380 --> 0:10:17.460 quality level to 85% or is it only 79%. But 0:10:17.460 --> 0:10:20.380 we're doing a thousand, so it's still worth it, right? 0:10:20.420 --> 0:10:22.900 Those are the types of questions people are going to 0:10:22.900 --> 0:10:25.020 be asking when they start doing this. So before we 0:10:25.020 --> 0:10:28.140 go into the next piece, I want to quickly cover 0:10:28.260 --> 0:10:30.580 my definition of agents because we're going to talk about 0:10:30.580 --> 0:10:34.620 agents a decent amount. So lots of different definitions out there. 0:10:34.620 --> 0:10:38.380 And I think it's good to level set before proceeding. 0:10:38.820 --> 0:10:41.500 So I think it's an AI system component that's capable 0:10:41.500 --> 0:10:47.059 of autonomously taking multiple steps towards a goal that previously 0:10:47.059 --> 0:10:49.660 would have required a human right. And if you break 0:10:49.660 --> 0:10:52.980 that down, it's a component, right? It's not all of AI. 0:10:53.020 --> 0:10:57.380 It's a piece of AI. It's autonomously pursuing multiple steps. 0:10:57.980 --> 0:11:02.500 So autonomously. So it's given a goal and it's autonomously 0:11:02.700 --> 0:11:06.860 chasing that goal by taking multiple steps on its own. 0:11:06.900 --> 0:11:09.820 That's the autonomous part. That's the goal part. And the 0:11:09.820 --> 0:11:12.380 last part is kind of the most important steps that 0:11:12.380 --> 0:11:17.339 could only be done by human previously. Right. So this 0:11:17.340 --> 0:11:22.740 means not scripting, not automation, not basic programming. Because if 0:11:22.740 --> 0:11:25.900 that were the case, it would already be scripted, right? 0:11:26.100 --> 0:11:28.980 So one or more of these steps that it's taking 0:11:29.020 --> 0:11:32.579 autonomously towards the goal can only have been done by 0:11:32.580 --> 0:11:37.620 human previously. And I think my overall favorite definition of 0:11:37.620 --> 0:11:42.900 AI is actually technology that does something cognitive that previously 0:11:42.900 --> 0:11:45.340 could have only been done by humans. So it's kind 0:11:45.340 --> 0:11:47.860 of in that mind frame. The next idea I want 0:11:47.900 --> 0:11:49.620 to talk about is a frame of thinking I've been 0:11:49.620 --> 0:11:52.340 thinking about for like the last six months or so, 0:11:52.380 --> 0:11:56.900 which I call AI state management. So the idea is, 0:11:57.179 --> 0:12:01.220 AI's ultimate form, or one of its ultimate forms, is 0:12:01.220 --> 0:12:04.819 to collect and understand the current state of a system 0:12:04.820 --> 0:12:09.180 to capture and articulate the desired state. You know, we 0:12:09.179 --> 0:12:10.940 know what the current one is. Now. We want to 0:12:10.940 --> 0:12:14.700 know how we wish it looked, and then use however 0:12:14.700 --> 0:12:21.420 many pieces of intelligence or agents, or thinking or reasoning 0:12:21.420 --> 0:12:23.620 or whatever you want to call it, which is basically 0:12:23.660 --> 0:12:29.140 AI to help us go from the former to the latter. Again, 0:12:29.140 --> 0:12:33.380 collect and understand the current state capture and articulate the 0:12:33.380 --> 0:12:38.700 desired state, and then use intelligence, automated intelligence AI. I 0:12:38.700 --> 0:12:42.059 didn't think that was actually an acronym, but, um, that 0:12:42.059 --> 0:12:46.980 was accidental, but. Yeah. Automated intelligence. Artificial intelligence is what 0:12:46.980 --> 0:12:50.700 it really means. But you're using all those tools available, 0:12:50.700 --> 0:12:56.579 reasoning agents, context, all of that to go from the 0:12:56.580 --> 0:12:58.740 state that you're in to the state that you want 0:12:58.740 --> 0:13:02.020 to go into, right. The state that you wish you were. 0:13:02.620 --> 0:13:08.699 This is an extremely powerful universal use case for AI 0:13:08.740 --> 0:13:11.220 as it gets more and more advanced, especially as it 0:13:11.220 --> 0:13:15.020 gets larger and larger context. Because even a small company, 0:13:15.020 --> 0:13:17.620 you can't fit everything into the context we currently have. 0:13:18.300 --> 0:13:20.760 The latest model that just came out has a 10 0:13:20.760 --> 0:13:24.860 million token context, but even that is not big enough 0:13:24.860 --> 0:13:28.420 to hold, you know, the full state of an IT system, 0:13:28.420 --> 0:13:30.820 the full state of the business, the full state of 0:13:31.059 --> 0:13:33.940 all employee activity. Like that's a lot of stuff. Plus 0:13:33.940 --> 0:13:36.260 you have to update it right every five minutes, every 0:13:36.260 --> 0:13:40.140 ten minutes, every 30s every hour. However often are you 0:13:40.140 --> 0:13:43.179 going to do. It takes a lot of context. This 0:13:43.179 --> 0:13:47.140 is the ultimate idea, the main concept here. Current state. 0:13:47.260 --> 0:13:50.700 Desired state. How do you transition? So in order to 0:13:50.700 --> 0:13:52.940 do this, you need to have a massive amount of 0:13:52.940 --> 0:13:55.699 data as I just talked about. And that state has 0:13:55.700 --> 0:14:00.460 to be updated as often as possible, maybe easier for 0:14:00.460 --> 0:14:03.780 a smaller company still. Actually not possible for a smaller 0:14:03.780 --> 0:14:07.979 company today, but soon it will be. But for larger enterprises, 0:14:08.340 --> 0:14:12.220 extremely non-trivial. We're talking about if you wanted a really 0:14:12.220 --> 0:14:16.780 high resolution state, I mean, that would have to be terabytes, 0:14:16.820 --> 0:14:20.340 at least gigabytes depending how much you summarize. But what 0:14:20.340 --> 0:14:22.580 you build is your current state, your desired state, and 0:14:22.580 --> 0:14:27.820 then you ask questions continuously as your main form of 0:14:27.820 --> 0:14:32.740 managing the program. And you finally get to recommendations from 0:14:32.740 --> 0:14:36.900 the system. It's really powerful and it's not really theoretical. 0:14:37.180 --> 0:14:41.420 I actually built a system like this in 23. So 0:14:42.260 --> 0:14:47.260 the contents of the context are of course everything. This 0:14:47.260 --> 0:14:50.260 is everything about the system. But the advantage is you 0:14:50.260 --> 0:14:54.260 can feed it your goals, your logs and your projects 0:14:54.260 --> 0:14:57.780 and your budget and your team. And what are people 0:14:57.780 --> 0:15:00.540 currently working on? What is the current status? All of 0:15:00.540 --> 0:15:02.660 this stuff, you know, all those stand up meetings or 0:15:02.660 --> 0:15:05.460 all those planning meetings that all kind of goes away? 0:15:06.020 --> 0:15:10.020 It's just data inside of this context. And I want 0:15:10.020 --> 0:15:11.780 to take a look at how it all fits together. 0:15:11.780 --> 0:15:13.980 So like I said, I built a system like this 0:15:14.180 --> 0:15:20.420 back in 23, very early after I guess ChatGPT came out. 0:15:20.580 --> 0:15:24.580 I started building this system, and it's a working system 0:15:24.820 --> 0:15:28.940 that uses this using a fictional company called alma. So 0:15:28.940 --> 0:15:32.500 I started off with tons of context about this fictional 0:15:32.500 --> 0:15:39.050 company history, mission, goals, projects, risks. Team members budget, all that. 0:15:39.050 --> 0:15:42.410 And then I said, okay, what questions do I actually 0:15:42.410 --> 0:15:47.090 want to ask about this? Because I do. My background is, uh, 0:15:47.130 --> 0:15:51.330 information security. So cyber security. And, uh, I've been doing 0:15:51.330 --> 0:15:54.530 a lot of security consulting, a lot of security assessment, 0:15:54.570 --> 0:16:00.490 a lot of security program management. And I have essentially 0:16:00.490 --> 0:16:04.530 been using this system before I came out, because it 0:16:04.530 --> 0:16:08.609 doesn't really require AI. It just requires really good questions 0:16:08.610 --> 0:16:11.130 and a really good understanding of the company. And I 0:16:11.130 --> 0:16:14.090 was doing that manually without AI. And now with AI, 0:16:14.690 --> 0:16:18.210 it's completely ridiculous. So let me show you some of it. 0:16:18.250 --> 0:16:21.330 So here's one of the most common questions that we 0:16:21.330 --> 0:16:23.730 get when we're managing a program. What is the list 0:16:23.730 --> 0:16:26.610 of projects that we're working on? And here's the answer. 0:16:26.650 --> 0:16:29.850 Notice the fact that I just gave it an echo. Right. 0:16:29.890 --> 0:16:32.210 This is a command line version of the system. But 0:16:32.210 --> 0:16:34.210 give me a list of the projects we're working on, 0:16:34.210 --> 0:16:38.170 along with a ten word summary. Okay. And now here's 0:16:38.170 --> 0:16:40.290 all of our projects. This is the type of thing 0:16:40.290 --> 0:16:42.930 that would take quite a while to get an answer on. 0:16:43.210 --> 0:16:45.770 If you're a manager or your director or the VP 0:16:45.770 --> 0:16:48.290 or whatever, and you're like, hey, what are we currently 0:16:48.290 --> 0:16:52.250 working on? Not too many places, unfortunately, have like an 0:16:52.250 --> 0:16:54.450 intranet that you can go to and just like get 0:16:54.450 --> 0:16:58.210 the current list. Turns out that things old, there's actually 0:16:58.210 --> 0:17:00.850 four versions of it. There's competing versions of it because 0:17:00.850 --> 0:17:03.210 some other team is doing the same thing. Actually, it 0:17:03.210 --> 0:17:05.250 lives in this Google doc. Oh wait, we got rid 0:17:05.290 --> 0:17:08.290 of that Google doc. That one's deprecated. Now go check 0:17:08.290 --> 0:17:10.850 this new one. Oh, it's also in confluence. Oh did 0:17:10.850 --> 0:17:14.890 you check Jira. Like it's a total mess. Here you 0:17:14.930 --> 0:17:18.810 are asking the single unified AI context and it gives 0:17:18.810 --> 0:17:22.730 you the answer. Here's another common one. What are our 0:17:22.730 --> 0:17:27.210 metrics that are related to our projects? How are they related? 0:17:27.530 --> 0:17:29.330 This is the type of thing. This is a giant 0:17:29.330 --> 0:17:32.410 blue icon. This is mental work that a human on 0:17:32.410 --> 0:17:35.449 your team must do to try to figure this out. 0:17:35.450 --> 0:17:38.290 This thing just instantly mapped it. Just like that. Instantly 0:17:38.290 --> 0:17:42.530 told you we are working towards fixing these metrics or 0:17:42.530 --> 0:17:46.290 improving these metrics. And that's why we're doing these projects 0:17:46.690 --> 0:17:49.050 like that. Here's another one. We start with the risks, 0:17:49.050 --> 0:17:51.369 and we want to see how those risks relate to 0:17:51.369 --> 0:17:56.050 our projects. Right. So we have our risk register in here. 0:17:56.050 --> 0:17:59.410 And we could see why we're working on particular projects 0:17:59.410 --> 0:18:02.250 because of these risks. And we have a mapping for that. 0:18:02.250 --> 0:18:04.330 So now we have a breakdown of why we're working 0:18:04.330 --> 0:18:06.690 on what. And we can ask questions like are we 0:18:06.690 --> 0:18:09.770 focusing on the right things with our efforts? Here I'm 0:18:09.770 --> 0:18:14.410 asking about remediating critical vulnerabilities on crown jewel systems. Look 0:18:14.410 --> 0:18:17.770 how clean this narrative is, right? Here's our progress on 0:18:17.770 --> 0:18:21.369 remediating critical vulnerabilities on crown jewel systems. Cool. This is 0:18:21.369 --> 0:18:22.850 the type of thing you can just copy and paste 0:18:22.850 --> 0:18:25.409 this and send it on to a leader or whoever 0:18:25.410 --> 0:18:27.290 you need to send it on to, assuming they have 0:18:27.290 --> 0:18:30.130 the access to see it. And yeah, shows a consistent 0:18:30.250 --> 0:18:33.410 reduction in the time taken to remediate critical vulnerabilities on 0:18:33.410 --> 0:18:37.889 crown jewel systems, improving from 21 days in October 22nd 0:18:38.250 --> 0:18:41.770 to less than six days by March 2024. That's a 0:18:41.770 --> 0:18:44.010 cool narrative and you've got the data right there. This 0:18:44.010 --> 0:18:47.570 is total critical remediation, and this one we're calling a 0:18:47.570 --> 0:18:50.970 pattern to actually output the graphable data. And this is 0:18:51.010 --> 0:18:54.290 for something called fabric, which I'll put a link to 0:18:54.330 --> 0:18:56.690 this video right here. Should be over my head or something. 0:18:56.770 --> 0:19:01.850 So this one says create a TRC graph. So now 0:19:01.890 --> 0:19:04.730 look at that. If you recognize that that's actually CSV. 0:19:04.930 --> 0:19:07.410 Guess what you could do with CSV. Boom. Now you 0:19:07.410 --> 0:19:10.889 have graph data you can add to any tool to 0:19:10.930 --> 0:19:13.810 get an instant visualization of progress over time, to put 0:19:13.810 --> 0:19:16.810 it in a presentation or whatever that just flew out 0:19:16.810 --> 0:19:21.050 of the eye automatically in a couple of seconds, right? 0:19:21.090 --> 0:19:23.410 So those are pretty cool. That's like level one. Cool. 0:19:23.810 --> 0:19:27.130 Let's move on to level two of pretty cool. And 0:19:27.130 --> 0:19:29.169 I can give you a million more examples because you 0:19:29.170 --> 0:19:32.210 can literally just ask anything of the system, and as 0:19:32.210 --> 0:19:34.449 long as it's somewhere in the context, it's going to 0:19:34.450 --> 0:19:37.850 make all the connections itself, right. But those don't truly 0:19:37.850 --> 0:19:41.370 show the power of telos file structure, which, uh, again, 0:19:41.410 --> 0:19:44.050 that's another project you could check out here, uh, which 0:19:44.050 --> 0:19:47.890 I put together a while back. But if you want 0:19:47.930 --> 0:19:50.570 to see the actual power of this, level two is 0:19:50.570 --> 0:19:53.649 where it starts. So let's look at at a more 0:19:53.690 --> 0:19:57.250 advanced example of like a what if question. So I 0:19:57.250 --> 0:20:01.370 tell the system that Nadya is leaving, uh, which she isn't, 0:20:01.369 --> 0:20:04.609 but I tell it to help me readjust things based 0:20:04.609 --> 0:20:08.250 on project priorities. And here's what it gives me. And 0:20:08.250 --> 0:20:10.130 keep in mind, the more detail I have in the 0:20:10.130 --> 0:20:13.290 team section about skill sets and experience, the better this gets. 0:20:13.490 --> 0:20:16.290 But look at this. Nadya is leaving the team and 0:20:16.290 --> 0:20:19.770 I need to give her projects to someone and or 0:20:19.770 --> 0:20:23.090 get additional help. Use your expertise as a risk professional 0:20:23.490 --> 0:20:26.850 to help me reassign her work and or get additional 0:20:26.850 --> 0:20:31.649 help keeping in mind our risks and priorities, especially our 0:20:31.650 --> 0:20:35.850 critical projects like that's a little bit unnecessary. Like, you 0:20:35.850 --> 0:20:38.570 can actually not give it that context and it's still 0:20:38.570 --> 0:20:43.210 going to figure it out. Look at this. Reassign this 0:20:43.210 --> 0:20:47.450 project to this other person. Assign this one to this 0:20:47.450 --> 0:20:50.530 other person. Hire a contractor to do the WAF install. 0:20:50.530 --> 0:20:53.609 And it's got reasoning for this. Keep in mind what 0:20:53.609 --> 0:20:57.930 we're asking is a complete and absolute cybersecurity expert. Okay. 0:20:57.970 --> 0:21:00.810 So it knows the different skill sets. It knows the 0:21:00.810 --> 0:21:04.730 different requirements. So it's giving us advice on what to outsource, 0:21:04.970 --> 0:21:08.409 what to do later. Just completely defer and what to 0:21:08.490 --> 0:21:12.450 prioritize in which person to give it to. That's insanely helpful. 0:21:12.690 --> 0:21:15.810 Insanely helpful. So what about adding new stuff to the context? 0:21:15.850 --> 0:21:18.770 How do you update the program? Well, because AI is 0:21:18.770 --> 0:21:20.810 seeing the whole picture, you could just add it to 0:21:20.850 --> 0:21:24.530 the bottom of the context. And if you're using Rag, 0:21:24.570 --> 0:21:27.810 you just add an additional entry. If you're using, you know, 0:21:27.850 --> 0:21:30.410 a single file or you're using CAG or you're using 0:21:30.450 --> 0:21:33.369 whatever you're using, you can simply append to it. You 0:21:33.369 --> 0:21:35.209 don't have to go in and clean and keep the 0:21:35.210 --> 0:21:40.969 thing perfectly, you know, upkept and maintained, because when it 0:21:40.970 --> 0:21:45.250 reads the update, it'll realize that that supersedes the previous thing. 0:21:45.330 --> 0:21:47.010 As long as you have like a timestamp, which we 0:21:47.010 --> 0:21:50.690 do here. So this is how you can update progress, 0:21:50.690 --> 0:21:54.970 for example, on a KPI, you know, July 2024 Criticals 0:21:54.970 --> 0:21:57.209 are now being fixed in nine days. So what I 0:21:57.210 --> 0:21:59.850 added here are a few lines with new metrics updates, 0:22:00.130 --> 0:22:03.370 bottom items here. And guess what? When I run my 0:22:03.369 --> 0:22:06.970 previous question, here's the graph that it produces. Look at that. 0:22:06.970 --> 0:22:11.210 It added new items to the graph to the CSV output, 0:22:11.730 --> 0:22:14.170 because we added them to the context. And the I 0:22:14.210 --> 0:22:16.450 just figured out okay, we're going to update the graph. 0:22:16.450 --> 0:22:18.410 So now let's see how powerful the system is for 0:22:18.410 --> 0:22:22.570 knocking out very time consuming everyday tasks for any security program. 0:22:22.609 --> 0:22:25.360 I mean, like so much of security is actually just 0:22:25.359 --> 0:22:29.200 doing this stuff, responding to auditors. Here, I'm telling it, 0:22:29.200 --> 0:22:32.440 I need a narrative on critical vuln remediation times for 0:22:32.440 --> 0:22:37.120 an external auditor. Not only wrote the narrative, but added 0:22:37.119 --> 0:22:39.960 in our actual numbers, it just wrote it with all 0:22:39.960 --> 0:22:44.000 the numbers already intertwined. This is the type of thing 0:22:44.000 --> 0:22:47.800 that can derail somebody in the security program for hours, 0:22:48.440 --> 0:22:50.560 or a couple of days to go and find all 0:22:50.560 --> 0:22:54.000 this data, see, pull from the different things or whatever. 0:22:54.160 --> 0:22:58.280 Like this just takes massive time away from security teams 0:22:58.280 --> 0:23:00.679 to be able to do this. So think about how 0:23:00.680 --> 0:23:03.880 much time an AI like this actually saves. And here's 0:23:03.880 --> 0:23:06.360 one for the executive team. And notice how it changes 0:23:06.359 --> 0:23:09.800 the tone according to who you're actually making the report for. 0:23:10.200 --> 0:23:12.160 And the more detail you put in the context file 0:23:12.160 --> 0:23:17.280 around sensitivities, reporting preferences, or in the reporting pattern you 0:23:17.280 --> 0:23:20.159 use for each audience, the better this output is actually 0:23:20.160 --> 0:23:22.760 going to be. So you can set these up for 0:23:22.760 --> 0:23:27.280 as many groups as you regularly report to, right? Internal team. 0:23:27.280 --> 0:23:32.080 The board. Auditors, internal, external, whoever. So those are pretty cool. 0:23:32.720 --> 0:23:37.120 Level three. Now let's look at some insanely helpful functions 0:23:37.119 --> 0:23:40.280 that will save even more time. So by a show 0:23:40.280 --> 0:23:44.520 of hands, who likes security questionnaires? Okay, let the record 0:23:44.520 --> 0:23:48.480 show nobody. This is absolutely insane. This is another section 0:23:48.520 --> 0:23:51.840 of the tlos file, the context file that I created 0:23:51.840 --> 0:23:55.840 for this fictional company. Okay. It's a set of updates 0:23:55.840 --> 0:23:59.680 to Alma's IT infrastructure and security controls. And just like 0:23:59.680 --> 0:24:02.840 everything else, look how casually these are written. This is 0:24:02.840 --> 0:24:07.560 like a logbook migrated from Google Workspace to Office 365, 0:24:07.920 --> 0:24:12.120 with MFA enabled for all users. It's not in a schema, 0:24:12.119 --> 0:24:14.879 it's not in a format. It's got a basic time 0:24:14.920 --> 0:24:18.959 stamp there. Rolled out Sentinel one on 50% of corporate 0:24:18.960 --> 0:24:23.560 laptops in August of 2020. That's all you need to say, right? 0:24:23.840 --> 0:24:26.399 And you see how I've got a history here. Okay. 0:24:26.440 --> 0:24:30.480 All the way back to July 2019. Basically, we're a 0:24:30.480 --> 0:24:33.479 soup sandwich. Back then, admin accounts still not required to 0:24:33.480 --> 0:24:39.480 use Toofar company laptops. No, MDM everyone is admin. It's it's, 0:24:39.640 --> 0:24:44.440 you know, mass chaos pandemonium. And then as the updates 0:24:44.440 --> 0:24:47.680 start going down through the months, it starts to get 0:24:47.680 --> 0:24:51.080 better and better. And this is just it's just a logbook. 0:24:51.080 --> 0:24:53.040 So now the question is we're being asked by a 0:24:53.040 --> 0:24:56.919 customer what percentage of endpoints are protected by endpoint protection. 0:24:57.160 --> 0:24:59.480 How often are you asked stuff like this in a 0:24:59.480 --> 0:25:02.920 security questionnaire all the time. And they'll ask it in 0:25:02.920 --> 0:25:05.040 a different way each time. So you can't have like 0:25:05.080 --> 0:25:08.760 a static question and static answer if you're in vendor management. 0:25:08.760 --> 0:25:11.960 You've been down that road before. So here's the answer 0:25:11.960 --> 0:25:13.879 written in a form we can copy and paste directly 0:25:13.880 --> 0:25:18.399 to the customer. All came back from alma, the AI system. 0:25:18.400 --> 0:25:22.240 Here's another one asking how much our infrastructure is US based. 0:25:22.640 --> 0:25:24.600 I asked to give me an answer for both cloud 0:25:24.600 --> 0:25:27.760 and on prem, and to give the response in an 0:25:27.760 --> 0:25:31.840 email gives me the 100% answer that comes from our 0:25:31.840 --> 0:25:36.600 Tlose context file. So we just recently got this where 0:25:36.600 --> 0:25:39.120 all of our stuff, all of our cloud environments, all 0:25:39.160 --> 0:25:42.640 our different AWS regions, all of our, you know, on 0:25:42.640 --> 0:25:46.080 prem stuff, it's all US based. That was an update 0:25:46.119 --> 0:25:48.359 that at the bottom of the Telos file, keep in 0:25:48.359 --> 0:25:51.000 mind the context file up here could have been the 0:25:51.000 --> 0:25:53.760 worst answer because that's the old stuff. But now that 0:25:53.760 --> 0:25:57.360 we have that updated, the answer is now 100% and 0:25:57.359 --> 0:25:59.120 we have it perfectly in an email, we can just 0:25:59.119 --> 0:26:01.840 send that to somebody. And ultimately we're heading towards being 0:26:01.840 --> 0:26:05.920 able to ask questions like these. How should we move 0:26:05.920 --> 0:26:09.160 from our current to desired state? Going back to that idea, 0:26:09.160 --> 0:26:13.280 we talked about what should be in our desired state, right. 0:26:13.320 --> 0:26:17.280 That that's a, you know, big brain question. Big brain 0:26:17.400 --> 0:26:20.120 question what should be in our desired state that you 0:26:20.119 --> 0:26:23.120 actually don't see in there? How about this? How will 0:26:23.160 --> 0:26:28.520 attackers exploit our desired state? Right. Natural. Follow on. How 0:26:28.520 --> 0:26:31.680 should we change that desired state to make it less exploitable? 0:26:31.720 --> 0:26:36.080 All looking at the same unified context. So the insane 0:26:36.080 --> 0:26:40.240 thing about this is realizing that most software is kind 0:26:40.240 --> 0:26:43.200 of the same in cyber. We're pulling in data from somewhere. 0:26:43.200 --> 0:26:45.800 We're trying to pull signal out of that data, and 0:26:45.800 --> 0:26:48.119 we try to do something with it. Right. But it's 0:26:48.119 --> 0:26:52.480 exactly the same with productivity apps or B2B processing or whatever. 0:26:52.760 --> 0:26:54.760 It's all the same. So the core idea here is 0:26:54.760 --> 0:26:58.440 that when the AI understands where we are and where 0:26:58.440 --> 0:27:01.520 we want to go, it can help us get there. 0:27:01.520 --> 0:27:04.280 And that's where this entire program management thing that I 0:27:04.280 --> 0:27:07.840 just showed you that I just demoed, that's real AI system, 0:27:07.840 --> 0:27:10.160 like it's sitting right here. I can ask you questions. 0:27:10.720 --> 0:27:13.560 And obviously my context file for this thing was a 0:27:13.560 --> 0:27:17.000 few hundred lines, right? I think it eventually got to 0:27:17.040 --> 0:27:20.920 a few thousand lines. But as the AI systems scale right, 0:27:20.960 --> 0:27:24.560 we've already got millions of tokens available. This is just 0:27:24.560 --> 0:27:26.800 going to get easier and easier to do at larger 0:27:26.800 --> 0:27:29.119 and larger scales. So we're going to be able to 0:27:29.119 --> 0:27:32.040 do the same kind of stuff even for a company. 0:27:32.680 --> 0:27:34.800 So this next idea is kind of a culmination of 0:27:34.800 --> 0:27:37.600 all of this in a way to prep for attackers 0:27:37.880 --> 0:27:41.239 in a more tactical way. Like what exactly are they 0:27:41.280 --> 0:27:44.000 going to launch at us, and how can we get 0:27:44.000 --> 0:27:46.600 ready for that? So the whole concept starts with asking 0:27:46.600 --> 0:27:50.480 one question what do attackers wish that they could do 0:27:50.480 --> 0:27:53.920 to us? What can they do now? What can they 0:27:53.920 --> 0:27:56.720 do in like six months from now? And what can 0:27:56.760 --> 0:27:59.879 they do in 18 months or 24 months or 36 months? 0:28:00.280 --> 0:28:03.520 And obviously, you can't know exactly the answers to those 0:28:03.520 --> 0:28:07.240 because you don't know what text exists at that time. 0:28:07.480 --> 0:28:09.600 You don't know how advanced the AI is going to be, 0:28:09.640 --> 0:28:13.120 how good agents are going to be. Right. But we 0:28:13.119 --> 0:28:18.389 can start with a giant list of attacker capabilities, some 0:28:18.430 --> 0:28:20.950 of which they have already, some of which they're about 0:28:20.950 --> 0:28:24.630 to get, some of which are coming soon and some 0:28:24.670 --> 0:28:27.150 of which are distant in the future. But if we 0:28:27.150 --> 0:28:30.949 start with what we know, the ideal is with what 0:28:30.950 --> 0:28:34.189 would be devastating to us. I'll give you an example 0:28:34.190 --> 0:28:39.229 of devastating to us. They can instantly identify all open 0:28:39.230 --> 0:28:43.510 services on the entire United States at any given time, 0:28:44.230 --> 0:28:49.790 and can launch an attack against all of those services simultaneously. 0:28:49.790 --> 0:28:53.750 Any of those attacks that get inside and are successful, 0:28:53.750 --> 0:28:58.830 they can pivot within 30s to compromise other systems internally. 0:28:59.310 --> 0:29:02.710 They can instantly crawl around and find all the different, uh, 0:29:02.710 --> 0:29:06.550 stuff like an advanced human red team. They could figure 0:29:06.550 --> 0:29:10.110 out what the business does, uh, what their most sensitive, uh, 0:29:10.110 --> 0:29:13.469 talking points are. Their most sensitive, like worst case scenarios 0:29:13.470 --> 0:29:17.950 are and it could right then the exploit where and 0:29:17.950 --> 0:29:22.750 the ransomware and the ransom notes and the verbiage and everything. 0:29:23.230 --> 0:29:26.150 And then it could actually call with AI and start 0:29:26.190 --> 0:29:29.430 negotiating the ransom because it already has the stuff. It's 0:29:29.430 --> 0:29:31.510 all zipped up. Oh, and by the way, they're already 0:29:31.510 --> 0:29:34.430 selling to all the different information brokers at the same time. 0:29:34.910 --> 0:29:38.750 And this took them four minutes. Okay. And they could 0:29:38.750 --> 0:29:43.110 do that to an entire country. That is science fiction 0:29:43.110 --> 0:29:45.830 right now. That is science fiction because we're talking about 0:29:45.830 --> 0:29:55.070 millions upon millions of IP addresses, web locations, APIs, websites, 0:29:55.230 --> 0:30:01.590 attack surface components, basically. Um, so IPS services, uh. Net 0:30:01.630 --> 0:30:04.270 ranges like think of how much work you have to 0:30:04.270 --> 0:30:06.870 do to actually go and do that in a short 0:30:06.870 --> 0:30:09.550 amount of time. Think of how much infrastructure you would 0:30:09.550 --> 0:30:14.270 have to have. So in this list, these capabilities are 0:30:14.310 --> 0:30:18.030 further down the list. So the idea of like, okay, 0:30:18.070 --> 0:30:21.950 look at a very small startup with ten people and 0:30:21.950 --> 0:30:26.150 find their infrastructure, find their subdomains, determine what open services 0:30:26.150 --> 0:30:30.550 are available, see if any open services are for sensitive services. 0:30:31.150 --> 0:30:35.070 Get back a list of those within ten minutes. Okay, 0:30:35.510 --> 0:30:38.990 that might be possible today. That might be possible in 0:30:38.990 --> 0:30:41.790 less than ten minutes. Uh, fairly soon. It depends on 0:30:41.790 --> 0:30:44.110 the capability of the attacker, but it's a type of 0:30:44.110 --> 0:30:47.070 thing that's within the realm of possibility. Further down the 0:30:47.070 --> 0:30:50.150 list is doing that for a larger company or doing 0:30:50.150 --> 0:30:53.910 it in five minutes instead of ten minutes. So now 0:30:53.910 --> 0:30:57.950 what you start to see is the better the tech gets, 0:30:58.110 --> 0:31:02.510 the more realistic these things become. You start moving down 0:31:02.510 --> 0:31:07.110 the list of capabilities until you start moving towards the 0:31:07.110 --> 0:31:10.990 sci fi worst case scenario I gave you in the beginning. 0:31:10.990 --> 0:31:15.750 So we basically start with this giant list of attacker capabilities, 0:31:16.150 --> 0:31:19.790 some of which they already have and most of which 0:31:19.790 --> 0:31:22.510 are not possible yet. For each one we collect a 0:31:22.510 --> 0:31:24.910 bunch of information for it, some metadata that will help 0:31:24.910 --> 0:31:27.910 us like figure out how it might be used against us, 0:31:27.910 --> 0:31:31.190 or how difficult it could be, like cost or talent, 0:31:31.190 --> 0:31:34.630 or scalability or constraints or whatever. Because this is what's 0:31:34.630 --> 0:31:37.990 going to determine how, when the tech improves, which parts 0:31:37.990 --> 0:31:40.070 of these are going to change. And here's what makes 0:31:40.070 --> 0:31:42.830 this thing so powerful. When I talk to companies who 0:31:42.830 --> 0:31:45.870 are thinking about cybersecurity and AI, the number one question 0:31:45.870 --> 0:31:49.750 I hear is what should we build? What should we build? Like, okay, 0:31:49.750 --> 0:31:51.709 I hear about agents, so I build agents. What do 0:31:51.710 --> 0:31:55.510 I build agents to do? What should they defend? Should 0:31:55.510 --> 0:32:00.270 they monitor like they don't know where to start? So 0:32:00.270 --> 0:32:02.790 this framework is a really good answer to that. It's 0:32:02.790 --> 0:32:06.030 basically saying, here's what's going to be thrown at you 0:32:06.030 --> 0:32:09.550 because here's what the attacker wants to do. So what 0:32:09.550 --> 0:32:11.790 are you doing to be ready for each of these? 0:32:12.630 --> 0:32:16.030 So you basically take this attacker capabilities. That's why it's 0:32:16.590 --> 0:32:20.990 Acad right. It's for defense as well. You use this 0:32:20.990 --> 0:32:25.590 attacker capabilities map to build your defense right. The same 0:32:25.590 --> 0:32:28.790 way that they're using AI to power this list of 0:32:28.790 --> 0:32:32.550 capabilities and move down the capabilities list. You could be 0:32:32.550 --> 0:32:35.910 doing exactly the same for defense. So what we end 0:32:35.910 --> 0:32:39.710 up with is an AI cyber infrastructure that basically looks 0:32:39.710 --> 0:32:44.110 like the attackers. We are constantly assessing ourselves. Basically, we 0:32:44.110 --> 0:32:49.190 are executing everything on this attacker capabilities list as a 0:32:49.190 --> 0:32:53.830 unified engine. It's a continuous kind of like a continuous 0:32:53.830 --> 0:32:58.550 red team type situation. Or in the current, you know, parlance, 0:32:58.550 --> 0:33:03.630 it's essentially a attack surface management or external attack surface management. 0:33:04.110 --> 0:33:08.150 But really that starts to merge with automated pen testing. 0:33:08.310 --> 0:33:12.790 Automated red team attack. Surface management. Like all these things 0:33:12.790 --> 0:33:17.470 start to merge into this AI powered execution of these 0:33:17.470 --> 0:33:21.070 attacker capabilities. And it's just continuous. And the same thing 0:33:21.070 --> 0:33:23.710 that the attackers are doing is what the defender has 0:33:23.710 --> 0:33:26.750 to be doing to themselves so they can get there first. 0:33:26.750 --> 0:33:29.670 As we get this capability up and running, the entire 0:33:29.710 --> 0:33:34.950 game becomes two things making sure we're adding new techniques 0:33:34.950 --> 0:33:39.070 to look for, right? So we're making this thing smarter. 0:33:39.110 --> 0:33:43.030 We're making it more knowledgeable, right. New techniques, new attack 0:33:43.030 --> 0:33:48.070 surface new services to watch out for, you know, new 0:33:48.070 --> 0:33:51.750 ways of finding information, whatever new threat Intel and making 0:33:51.750 --> 0:33:55.430 sure we find our issues. The second one here, making 0:33:55.430 --> 0:33:59.469 sure we find our issues and fix them faster than 0:33:59.510 --> 0:34:02.190 our attackers. Right. So this is a race. This is 0:34:02.190 --> 0:34:06.540 a giant game where they are running the Acad system. 0:34:07.020 --> 0:34:12.460 We are running our own Acad system, this automated continuous 0:34:12.460 --> 0:34:17.420 red teaming system that knows everything about our company. Right? 0:34:17.460 --> 0:34:19.859 Going back to the context thing. They're going to have 0:34:19.860 --> 0:34:24.020 this this giant context that knows everything about us too, right? 0:34:24.180 --> 0:34:27.500 But they have a disadvantage. They should have a disadvantage 0:34:28.060 --> 0:34:32.340 that they don't know all of our internal configs, hopefully. Right. 0:34:32.380 --> 0:34:34.580 So we should be able to move faster than them. 0:34:34.940 --> 0:34:36.819 But we have to start by building the same thing 0:34:36.820 --> 0:34:40.380 that we know they are building. So both attackers and 0:34:40.380 --> 0:34:46.140 defenders basically end up building a world model of our company. 0:34:46.780 --> 0:34:49.459 What we do, what we care about, what matters to us, 0:34:49.460 --> 0:34:52.859 what our weaknesses are, what's most valuable that we have 0:34:52.860 --> 0:34:56.500 to different types of attackers, and what we must avoid 0:34:56.500 --> 0:34:59.580 at all costs. Then we are looking at the capabilities 0:34:59.580 --> 0:35:03.259 map to see what new capabilities are coming online as 0:35:03.420 --> 0:35:07.060 a result of the advancing AI, we could say, okay, well, 0:35:07.700 --> 0:35:10.700 we don't have to defend against that yet. For example, 0:35:10.860 --> 0:35:14.540 we don't have to defend against an attacker that can 0:35:14.540 --> 0:35:19.580 see every single change and attack it within five seconds. 0:35:20.219 --> 0:35:22.820 We do not have to defend against that right now. 0:35:22.980 --> 0:35:26.500 That would cost tens of millions of dollars. We would 0:35:26.500 --> 0:35:29.860 have to hire a massive staff. We would have to 0:35:29.980 --> 0:35:33.939 massively scale our automation. It would be an investment that 0:35:33.940 --> 0:35:36.860 would sink the company, most likely because the company needs 0:35:36.860 --> 0:35:40.339 to be building products. They can't spend that much on security. 0:35:40.980 --> 0:35:43.540 So that's like a thing we don't have to worry 0:35:43.540 --> 0:35:46.100 about yet, because we know the attacker doesn't have it 0:35:46.100 --> 0:35:49.580 yet either. That's why this map is so important, because 0:35:49.580 --> 0:35:53.220 we could say as the tech starts improving, we could say, 0:35:53.219 --> 0:35:56.140 you are here, right? You are here on this level 0:35:56.140 --> 0:35:59.219 of like what is possible in the world given the 0:35:59.219 --> 0:36:03.260 current state of automation, given the current state of AI, right? 0:36:03.300 --> 0:36:06.500 So we're looking at the capabilities map to see the 0:36:06.500 --> 0:36:10.140 new capabilities coming online as a result of advancing AI. 0:36:10.260 --> 0:36:13.020 And we could say, okay, yeah, this is where we 0:36:13.020 --> 0:36:15.739 need to be currently. This is where we need to 0:36:15.739 --> 0:36:19.420 be thinking about coming up soon, because we know that's 0:36:19.420 --> 0:36:22.700 what our attackers are about to get. So it's not 0:36:22.700 --> 0:36:25.300 just what you need to build, but it also helps 0:36:25.300 --> 0:36:28.939 you inform you know when to make what investment of 0:36:28.940 --> 0:36:32.340 what size in what area. So I'm still talking to 0:36:32.580 --> 0:36:35.060 a few people about how much of this I should 0:36:35.060 --> 0:36:37.380 actually release, but I'm pretty sure attackers are going to 0:36:37.380 --> 0:36:40.660 figure this out anyway. So I think the priority needs 0:36:40.660 --> 0:36:46.219 to be on enabling defenders. We've got over 60 capabilities 0:36:46.219 --> 0:36:50.420 so far for attackers and around 40 so far for defenders, 0:36:50.420 --> 0:36:53.900 because even though the defenders should be using the attack 0:36:53.900 --> 0:36:57.620 map as well, there are also defender capabilities. And this 0:36:57.620 --> 0:37:00.540 is something Jason Haddox and I talk about a lot. 0:37:00.580 --> 0:37:02.660 And I think his idea was to start with a 0:37:02.660 --> 0:37:06.420 defender side basically like what is the what are the 0:37:06.420 --> 0:37:10.620 core things like automated SoC and uh, you know, incident 0:37:10.620 --> 0:37:12.940 management and stuff like that. What are those things that 0:37:12.940 --> 0:37:16.819 we could use current AI to just improve? Um, so 0:37:16.820 --> 0:37:19.580 I think we're we're thinking about the combination of the 0:37:19.580 --> 0:37:23.420 two together. And, uh, yeah, we've got 60 attacker, 40 0:37:23.460 --> 0:37:27.980 defender right now. And, uh, looking to release this within, uh, 0:37:27.980 --> 0:37:32.380 30 to 60 days, uh, depending on a few outstanding conversations. 0:37:33.060 --> 0:37:35.660 So what I love about it is it can give 0:37:35.660 --> 0:37:38.940 us tremendous focus. We can base our efforts on what 0:37:38.940 --> 0:37:41.700 we expect to face in the real world. And based 0:37:41.700 --> 0:37:44.779 on the combination of what AI is possible and what 0:37:44.780 --> 0:37:48.819 the attacker wishes they can execute. So what I love 0:37:48.860 --> 0:37:51.980 about this is how it can just give us tremendous 0:37:51.980 --> 0:37:55.620 focus as defenders, right? We can base our efforts on 0:37:55.620 --> 0:37:58.819 what we can expect to face in the actual world 0:37:58.820 --> 0:38:02.860 from our attackers. And based on this combination of what 0:38:02.900 --> 0:38:07.020 AI is possible and what the attacker wishes that they 0:38:07.020 --> 0:38:09.340 could do to us. So I want to end by 0:38:09.340 --> 0:38:11.980 answering the two questions we started with. How does software 0:38:11.980 --> 0:38:15.500 and cybersecurity change? When we add AI and specifically agents, 0:38:15.500 --> 0:38:21.980 it changes everything. It replaces human intelligence in workflows, right? 0:38:22.020 --> 0:38:24.620 And it does so at a scale that addresses the 0:38:24.620 --> 0:38:28.860 theory of constraints problem for attackers, making them far more capable. 0:38:28.860 --> 0:38:31.219 That's what's going to allow them to move through these 0:38:31.219 --> 0:38:36.780 stages of the attacker capabilities map. Right. It is solving 0:38:36.780 --> 0:38:40.700 this the various pieces of the theory of constraints. Second 0:38:40.700 --> 0:38:44.380 question how should we prioritize our efforts around adding AI 0:38:44.420 --> 0:38:49.500 agents to our cybersecurity program? Start by building your AI 0:38:49.540 --> 0:38:52.819 state management system. Now I'm calling this like a UCC, 0:38:53.420 --> 0:38:57.500 a unified company context. And there's a million companies working 0:38:57.500 --> 0:39:00.299 on this, right? Microsoft has their own version. You know, 0:39:00.340 --> 0:39:03.860 Databricks is working on theirs. Splunk is probably working on theirs. 0:39:03.860 --> 0:39:06.899 I imagine the game is about to become bringing all 0:39:06.900 --> 0:39:10.060 company data into a thing that I can see and 0:39:10.060 --> 0:39:12.540 hold in its brain all at once. I'm calling it 0:39:12.540 --> 0:39:16.140 UCC Unified Company Context. But who knows what Gartner is 0:39:16.140 --> 0:39:18.980 going to call it? Like, everyone's just going to like, 0:39:19.020 --> 0:39:22.779 figure this out, uh, fairly soon. So you've got to 0:39:22.780 --> 0:39:26.500 start building this thing now because your attackers are going 0:39:26.500 --> 0:39:30.419 to be building a UCC for you, which all their 0:39:30.420 --> 0:39:34.140 attacker tools are going to then use to attack you 0:39:34.580 --> 0:39:38.339 on a continuous basis. If you weren't vulnerable this morning 0:39:38.340 --> 0:39:41.140 at 9 a.m., maybe you will be at noon. It's 0:39:41.140 --> 0:39:44.899 going to check again when something they learn that you 0:39:44.900 --> 0:39:47.540 just acquired a new company, you have a new attack surface. Oh, 0:39:47.580 --> 0:39:50.779 maybe they'll now attack you now because of that. Maybe 0:39:50.780 --> 0:39:53.940 they learn things through your bug bounty. Maybe. Whatever it is, 0:39:53.940 --> 0:39:57.730 the context and the situation on the ground continues to change. 0:39:58.010 --> 0:40:01.490 So they're going to have this world model of you. 0:40:01.969 --> 0:40:04.649 You need to have a better one. That's the trick 0:40:04.650 --> 0:40:07.650 of this. And the second thing you want to be 0:40:07.650 --> 0:40:10.689 doing with this context that you have is figuring out 0:40:10.690 --> 0:40:13.530 what your desired state is and what your current state is. 0:40:13.570 --> 0:40:16.810 And this is going to allow you to say things like, 0:40:16.810 --> 0:40:22.489 what should I fix first? Vulnerability prioritization. I've been in 0:40:22.489 --> 0:40:27.489 the vulnerability management space forever, and it's so frustrating to 0:40:27.690 --> 0:40:30.489 try to figure out how to prioritize a vulnerability. And 0:40:30.489 --> 0:40:34.330 people are like trying to put that information inside the 0:40:34.330 --> 0:40:38.009 vulnerability itself with like a CVE rating or something. You 0:40:38.010 --> 0:40:41.209 can't get the prioritization from the vulnerability itself. It has 0:40:41.210 --> 0:40:47.050 to come from the context of where it's affecting something, right? 0:40:47.090 --> 0:40:50.850 The company itself. So this UCC is going to be 0:40:50.850 --> 0:40:54.969 the context for doing vulnerability management So you're talking about 0:40:54.969 --> 0:40:57.969 current state to desired state. You're going to say, I 0:40:58.010 --> 0:41:02.009 don't want any critical vulnerabilities in my crown jewel systems. 0:41:02.410 --> 0:41:06.850 That's one of my items in my desired state. Now 0:41:07.010 --> 0:41:09.290 when you ask the question, what can I do to 0:41:09.330 --> 0:41:12.850 make that real? It will then say, well, based on 0:41:12.850 --> 0:41:15.810 the fact that you have these vulnerabilities and these things 0:41:15.810 --> 0:41:18.290 in your risk register, and the fact that we know 0:41:18.290 --> 0:41:21.330 all these dev teams and we know what dev teams 0:41:21.330 --> 0:41:24.169 are using, what GitHub repos, and we know what code 0:41:24.170 --> 0:41:27.850 changes go in and we know who owns what applications. 0:41:28.010 --> 0:41:29.650 This is the holy grail. This is the thing that 0:41:29.930 --> 0:41:32.810 management has never had which you will have due to 0:41:32.850 --> 0:41:36.330 unified company context. You'll then be able to find the 0:41:36.330 --> 0:41:39.930 actual vulnerability that can be fixed by the actual developer 0:41:40.250 --> 0:41:42.410 in the actual code repo, and you can submit your 0:41:42.410 --> 0:41:45.450 own PR and just have them approve the PR right. 0:41:45.489 --> 0:41:47.049 This is the type of thing that you could do 0:41:47.050 --> 0:41:52.770 with this unified company context. So the next piece is 0:41:52.770 --> 0:41:57.330 start working on your set of defender capabilities. Based on. 0:41:57.370 --> 0:42:01.570 Now you have your own context. You understand the attacker 0:42:01.570 --> 0:42:03.850 context that they're going to be moving through as this 0:42:03.850 --> 0:42:09.610 tech tree improves. And now you can start improving your system. 0:42:09.610 --> 0:42:13.530 You can start assessing yourself continuously using these same exact 0:42:13.530 --> 0:42:19.610 techniques and using your own internal UCC. And if you 0:42:19.610 --> 0:42:23.130 do that, I think you're going to be in extraordinary shape. 0:42:23.130 --> 0:42:25.250 That's what I want to share today, and we'll see 0:42:25.250 --> 0:42:29.129 you in the next one. Unsupervised learning is produced on 0:42:29.130 --> 0:42:33.530 Hindenburg Pro using an SM seven B microphone. A video 0:42:33.530 --> 0:42:36.450 version of the podcast is available on the Unsupervised Learning 0:42:36.450 --> 0:42:39.609 YouTube channel, and the text version with full links and 0:42:39.610 --> 0:42:44.890 notes is available at Daniel Missler newsletter. We'll see you 0:42:44.890 --> 0:42:45.490 next time.