1 00:00:00,880 --> 00:00:05,040 S1: Unsupervised Learning is a podcast about trends and ideas in cybersecurity, 2 00:00:05,080 --> 00:00:09,960 S1: national security, AI, technology and society, and how best to 3 00:00:10,000 --> 00:00:12,640 S1: upgrade ourselves to be ready for what's coming. 4 00:00:17,120 --> 00:00:20,640 S2: All right, welcome to Unsupervised Learning. This is Daniel Miessler, 5 00:00:20,640 --> 00:00:23,640 S2: and I'm happy to have Matt Mueller here from Tines. 6 00:00:24,280 --> 00:00:25,600 S3: It's a pleasure to be here Daniel. 7 00:00:26,200 --> 00:00:29,280 S2: Awesome. Yeah. Looking forward to this conversation. Um, I've heard 8 00:00:29,280 --> 00:00:32,920 S2: so much about the company and, uh, happy to hear 9 00:00:32,920 --> 00:00:36,040 S2: more about, uh, what it's actually about what problem you're 10 00:00:36,040 --> 00:00:40,440 S2: trying to solve. Um, I really like to start there with, uh, 11 00:00:40,440 --> 00:00:44,199 S2: the problem. What do you see as being the problem around, 12 00:00:44,240 --> 00:00:47,479 S2: I would say security in general, but also, how are 13 00:00:47,479 --> 00:00:51,840 S2: security problems being magnified by AI stuff? 14 00:00:52,720 --> 00:00:55,560 S3: Yeah. So I'll maybe start with the original problem, uh, 15 00:00:55,560 --> 00:00:58,480 S3: that our founders were trying to solve. They, uh, were 16 00:00:58,480 --> 00:01:02,300 S3: security operations professionals who had, you know, done security work 17 00:01:02,340 --> 00:01:05,100 S3: at companies like DocuSign and at eBay and some other 18 00:01:05,100 --> 00:01:12,700 S3: large places. And they were extraordinarily frustrated by the just 19 00:01:12,740 --> 00:01:17,180 S3: a sheer amount of manual labor involved in actually responding 20 00:01:17,220 --> 00:01:19,740 S3: to security incidents. Right. 
Like if you think about what 21 00:01:19,780 --> 00:01:24,500 S3: a traditional security operations center or SOC does, they receive 22 00:01:24,500 --> 00:01:26,940 S3: an alert. They have to go research that alert in 23 00:01:26,940 --> 00:01:30,060 S3: a whole bunch of different places. Uh, and, you know, 24 00:01:30,100 --> 00:01:33,140 S3: take a number of manual steps just to decide if 25 00:01:33,140 --> 00:01:35,060 S3: that's a true positive, right. They have to do work 26 00:01:35,060 --> 00:01:37,419 S3: just to decide if they have to do work. Um, 27 00:01:37,459 --> 00:01:40,259 S3: which is an enormously frustrating place to be. And so 28 00:01:40,300 --> 00:01:43,300 S3: they were looking out on the market for some kind 29 00:01:43,300 --> 00:01:45,940 S3: of automation tool, uh, that could help them ease that 30 00:01:45,940 --> 00:01:49,380 S3: burden and not seeing one that they wanted. They ended 31 00:01:49,380 --> 00:01:52,620 S3: up building Tines. Uh, and, you know, starting out sort 32 00:01:52,620 --> 00:01:55,420 S3: of first and foremost as this tool to solve a 33 00:01:55,420 --> 00:01:59,060 S3: lot of the SOC, uh, problems around, you know, inefficient, uh, 34 00:01:59,060 --> 00:02:01,880 S3: you know, alert management and, you know, burnout and all 35 00:02:01,880 --> 00:02:05,640 S3: those sorts of things. And what we've discovered over time, 36 00:02:05,640 --> 00:02:08,320 S3: which I think has been really cool, is that the 37 00:02:08,320 --> 00:02:13,360 S3: SOC is not the only team in cybersecurity that needs automation, right? 38 00:02:13,400 --> 00:02:17,680 S3: Turns out there's inefficiencies everywhere. Um, another really fascinating thing 39 00:02:17,680 --> 00:02:22,880 S3: that we've that we've learned over the years, uh, is that, uh, 40 00:02:22,880 --> 00:02:25,480 S3: automation is actually a lot easier than I think a 41 00:02:25,480 --> 00:02:27,040 S3: lot of people give it credit. Right? 
Like a lot 42 00:02:27,040 --> 00:02:31,680 S3: of traditional automation tools, required learning Python, learning coding languages, 43 00:02:31,680 --> 00:02:34,920 S3: having very, very deep systems knowledge in order to be 44 00:02:34,960 --> 00:02:37,600 S3: able to get automation done. Um, and so with the 45 00:02:37,600 --> 00:02:40,560 S3: rise of AI, what we're seeing is, you know, people 46 00:02:40,560 --> 00:02:42,760 S3: that have automation ideas, right? Like, I think if you 47 00:02:42,760 --> 00:02:45,120 S3: ask almost anyone, they have ideas about how they can 48 00:02:45,120 --> 00:02:48,520 S3: make their job easier, right? They just haven't in the 49 00:02:48,520 --> 00:02:52,280 S3: past necessarily been able to express that. Um, and now with, 50 00:02:52,280 --> 00:02:55,440 S3: with tools like AI, like no code, uh, no code 51 00:02:55,440 --> 00:02:58,280 S3: workflow builders, these folks are able to, you know, build 52 00:02:58,280 --> 00:03:01,810 S3: those automations like like they haven't before. Um, so, yeah, 53 00:03:01,810 --> 00:03:03,970 S3: I would say the pain point that that Tines has 54 00:03:03,970 --> 00:03:06,730 S3: been trying to solve is, you know, everybody who has 55 00:03:06,730 --> 00:03:09,210 S3: ever had to, you know, push a file from point 56 00:03:09,250 --> 00:03:12,650 S3: A to point B manually has a pain that Tines is, 57 00:03:12,690 --> 00:03:13,690 S3: is trying to solve. 58 00:03:14,290 --> 00:03:18,050 S2: Yeah. Interesting. Yeah. One way I've been thinking about this 59 00:03:18,050 --> 00:03:21,929 S2: is like, what would you do with five times more staff? 60 00:03:22,770 --> 00:03:23,330 S3: Right. 61 00:03:23,370 --> 00:03:26,690 S2: Right. So it's like we know what we want to do. 62 00:03:26,730 --> 00:03:29,889 S2: We're constrained by how many eyes and hands that we 63 00:03:29,889 --> 00:03:35,089 S2: actually have and brains. Right? 
So I mean, all these 64 00:03:35,090 --> 00:03:38,930 S2: things could be done manually. The question is, you know, 65 00:03:38,970 --> 00:03:40,970 S2: do you have the people to do it? Do you 66 00:03:40,970 --> 00:03:44,330 S2: have the people to create the automations to do it? 67 00:03:44,850 --> 00:03:47,610 S2: And it just seems like, um, I'm a big fan 68 00:03:47,610 --> 00:03:51,290 S2: of Theory of Constraints, and the constraint is usually people 69 00:03:51,290 --> 00:03:54,370 S2: in time that they have to focus on these problems. 70 00:03:55,050 --> 00:03:57,330 S3: Absolutely. And I think, you know, one of the things 71 00:03:57,330 --> 00:03:59,550 S3: that we're also learning as well. And this is where 72 00:03:59,870 --> 00:04:02,670 S3: AI has been such a such a fascinating new addition 73 00:04:02,830 --> 00:04:06,990 S3: is that it's constraint around, uh, knowledge as well. And like, 74 00:04:07,150 --> 00:04:10,270 S3: even if you have, uh, all the people that you want, 75 00:04:10,470 --> 00:04:13,990 S3: security teams have just such a fractured ecosystem that they're 76 00:04:13,990 --> 00:04:17,190 S3: responsible for protecting, and it's virtually impossible to become an 77 00:04:17,190 --> 00:04:20,630 S3: expert in every single system that you're responsible for. Right? 78 00:04:20,670 --> 00:04:23,550 S3: And so, you know, again, what we see is, you know, 79 00:04:23,589 --> 00:04:25,950 S3: these these people that are experts, they free up all 80 00:04:25,950 --> 00:04:28,950 S3: this time. Great. Maybe I know exactly what I want 81 00:04:28,950 --> 00:04:31,550 S3: to do in AWS, but we just acquired a company 82 00:04:31,550 --> 00:04:34,750 S3: that has a GCP environment. Um, and now I have 83 00:04:34,750 --> 00:04:37,230 S3: to learn an entirely new, different cloud provider. Right. And 84 00:04:37,230 --> 00:04:39,430 S3: I'm just not going to be as good in that. Yeah. 
Um, 85 00:04:40,029 --> 00:04:42,349 S3: and that's where I think AI tooling has been really, 86 00:04:42,350 --> 00:04:46,630 S3: really helpful, uh, to make that context switching less of 87 00:04:46,630 --> 00:04:48,150 S3: a cognitive load for people. 88 00:04:48,630 --> 00:04:53,270 S2: Mhm. Yeah. One thing I'm worried about is this addition 89 00:04:53,270 --> 00:04:55,830 S2: of staff to uh attacker teams. 90 00:04:56,230 --> 00:04:56,590 S3: Mhm. 91 00:04:56,630 --> 00:04:59,170 S2: Right. So if you have an entire team, let's say 92 00:04:59,170 --> 00:05:02,490 S2: it's 100 people. And five of the people are like really, 93 00:05:02,490 --> 00:05:06,570 S2: really good and really dangerous. What happens when AI tooling 94 00:05:06,570 --> 00:05:10,250 S2: or automation or agents or whatever it is turns that 95 00:05:10,250 --> 00:05:14,450 S2: into like 30 or 50 of the best people and 96 00:05:14,450 --> 00:05:19,289 S2: it turns the other like 80 into like 800. And 97 00:05:19,290 --> 00:05:21,730 S2: this is what I think the agents are actually going 98 00:05:21,730 --> 00:05:26,650 S2: to do for both us as defenders, but more importantly, attackers. 99 00:05:27,089 --> 00:05:29,370 S2: So the time that it would have taken them to 100 00:05:29,410 --> 00:05:34,890 S2: find our mistake goes from like days or hours to 101 00:05:34,930 --> 00:05:39,250 S2: like maybe minutes. And so we have to be doing 102 00:05:39,250 --> 00:05:41,529 S2: something on the defense side to counter that. 103 00:05:42,690 --> 00:05:47,810 S3: Absolutely. And for me, it's it's been interesting watching how 104 00:05:47,810 --> 00:05:52,410 S3: attackers have been thinking about AI. Um, Sophos actually just 105 00:05:52,410 --> 00:05:56,170 S3: published a report recently with some analysis around how attackers 106 00:05:56,170 --> 00:05:58,390 S3: are using AI. 
And if you look back a couple 107 00:05:58,430 --> 00:06:01,589 S3: of years, there were a lot of headlines that I think, uh, 108 00:06:01,589 --> 00:06:02,950 S3: you know, they were valid at the time, right? We 109 00:06:02,950 --> 00:06:05,909 S3: just didn't know what generative AI was, was truly capable of. 110 00:06:06,070 --> 00:06:07,790 S3: And so there was a lot of concern that AI 111 00:06:07,830 --> 00:06:12,029 S3: was going to invent all these brand new kinds of attacks. 112 00:06:12,310 --> 00:06:15,790 S3: And that really hasn't happened. Right. Instead, what we're seeing 113 00:06:15,790 --> 00:06:20,150 S3: is attackers are using AI much the same way defenders are. Hey, 114 00:06:20,150 --> 00:06:24,510 S3: make my email sound a little better, right? Um, you know, uh, 115 00:06:24,790 --> 00:06:28,469 S3: make my phishing page, uh, you know, generate 14 different 116 00:06:28,470 --> 00:06:31,750 S3: varieties of landing page for me. Um, and so where 117 00:06:31,750 --> 00:06:34,109 S3: we're seeing attackers start to use AI a lot more 118 00:06:34,110 --> 00:06:38,430 S3: to your point, is increasing their velocity, right? Um, and 119 00:06:38,430 --> 00:06:42,070 S3: so to my mind, you know, again, as defenders, you know, 120 00:06:42,110 --> 00:06:44,109 S3: there's only so much time and attention that you can 121 00:06:44,150 --> 00:06:47,190 S3: that you can afford to put into problems. Um, let's 122 00:06:47,190 --> 00:06:49,549 S3: not worry about, you know, types of attacks that haven't 123 00:06:49,550 --> 00:06:52,630 S3: been invented yet, right? Let's worry about the ones that 124 00:06:52,630 --> 00:06:55,750 S3: are occurring today and how those are evolving. Um, you know, 125 00:06:55,850 --> 00:07:00,410 S3: our our security teams, uh, can really build defenses against 126 00:07:00,410 --> 00:07:03,770 S3: attacks that don't exist yet. 
Um, but we can sort 127 00:07:03,770 --> 00:07:07,530 S3: of see how those attacks are becoming faster. Right? How, uh, 128 00:07:07,650 --> 00:07:11,690 S3: the the, you know, the translations are becoming better and better. Uh, 129 00:07:11,690 --> 00:07:14,490 S3: and so the bar for fooling our employees is, is 130 00:07:14,530 --> 00:07:17,210 S3: getting lower. Um, it means we need to be able 131 00:07:17,210 --> 00:07:20,530 S3: to react faster. Uh, we need to be able to react, uh, 132 00:07:20,570 --> 00:07:23,570 S3: in a more, uh, you know, we need to be 133 00:07:23,570 --> 00:07:25,570 S3: able to adapt a little bit better, right? Like, we 134 00:07:25,570 --> 00:07:30,250 S3: can't just apply rigid playbooks to every single security scenario. Um, 135 00:07:30,450 --> 00:07:32,650 S3: and so, you know, to me, it's a little bit 136 00:07:32,650 --> 00:07:36,010 S3: of an AI arms race. Um, and, you know, I 137 00:07:36,010 --> 00:07:39,450 S3: think for us as, as defenders, in my view, applying 138 00:07:39,490 --> 00:07:42,489 S3: AI in the places where attackers are also applying it, 139 00:07:42,490 --> 00:07:44,650 S3: that seems to make, you know, make the most sense, 140 00:07:44,650 --> 00:07:47,050 S3: at least today, right, with today's models. And that that 141 00:07:47,050 --> 00:07:50,050 S3: answer could change in, you know, three days, right, when 142 00:07:50,050 --> 00:07:53,250 S3: some new foundation model gets released that, uh, that changes 143 00:07:53,250 --> 00:07:54,970 S3: the game. But at least with today's models, I think 144 00:07:55,100 --> 00:07:58,140 S3: that's that's where I sort of see things evolving right now. 145 00:07:58,180 --> 00:08:01,340 S2: Yeah. I really love this point that you're making because 146 00:08:02,100 --> 00:08:08,340 S2: the the reality is and it actually goes to pre 147 00:08:08,340 --> 00:08:10,060 S2: AI as well. 
It's like, are you going to hire 148 00:08:10,060 --> 00:08:13,060 S2: this super hacker person who's going to like all these 149 00:08:13,060 --> 00:08:17,220 S2: new techniques and new ideas and advanced attacks and like 150 00:08:17,700 --> 00:08:19,860 S2: the day to day job of like a CISO or 151 00:08:19,860 --> 00:08:22,900 S2: the day to day job of a defender is so 152 00:08:23,020 --> 00:08:27,739 S2: nuts and bolts, it's like we okay, is a log 153 00:08:27,780 --> 00:08:30,460 S2: being generated for step one. 154 00:08:30,740 --> 00:08:31,020 S3: Right? 155 00:08:31,060 --> 00:08:33,220 S2: Can we even like if you take like a bunch 156 00:08:33,220 --> 00:08:37,060 S2: of minor attacks, can we even know if this attack 157 00:08:37,059 --> 00:08:39,900 S2: is being waged against us? Do we have any sort 158 00:08:39,900 --> 00:08:43,540 S2: of detection capability? Right. That's one question. And then the 159 00:08:43,540 --> 00:08:48,420 S2: question is like, is that log going anywhere where someone 160 00:08:48,420 --> 00:08:51,380 S2: could potentially see it, a system or a person or 161 00:08:51,380 --> 00:08:55,040 S2: anything like that? Okay. That's cool. That's a nice second level. 162 00:08:55,080 --> 00:08:59,520 S2: Is anyone actually looking at it? Okay, that's three. And 163 00:08:59,520 --> 00:09:02,000 S2: three doesn't even guarantee what you need. Which is are 164 00:09:02,000 --> 00:09:05,120 S2: they going to do something about it. And like these 165 00:09:05,120 --> 00:09:08,840 S2: basic workflows are like everything. And if you look at 166 00:09:08,880 --> 00:09:13,120 S2: like a CISO's job, it's managing the budget. It's managing 167 00:09:13,120 --> 00:09:18,679 S2: this basic workflow of like logs and processing and, you know, uh, 168 00:09:18,679 --> 00:09:22,960 S2: workflows coming through the security operations. Um, and it's politics 169 00:09:22,960 --> 00:09:26,520 S2: and stuff like that. 
And it's like, it's not hacker movies. 170 00:09:26,520 --> 00:09:29,280 S2: It's really just these fundamentals that we have to do 171 00:09:29,280 --> 00:09:34,000 S2: more consistently and at scale. Um, so I really like 172 00:09:34,000 --> 00:09:36,800 S2: that point. What do you see as like the, the 173 00:09:36,800 --> 00:09:39,000 S2: biggest challenges for CISOs right now? 174 00:09:40,000 --> 00:09:42,199 S3: Yeah, I mean, for CISOs right now, I think there 175 00:09:42,200 --> 00:09:44,559 S3: are there are two halves to the challenge. The first 176 00:09:44,559 --> 00:09:49,160 S3: is securing AI for their enterprises. Uh, and the second 177 00:09:49,160 --> 00:09:52,920 S3: one is how to apply AI for security. Um, you know, 178 00:09:52,960 --> 00:09:56,180 S3: if you look at the first problem, um, it's been 179 00:09:56,179 --> 00:09:59,579 S3: really interesting to see the CISO role evolve from sort 180 00:09:59,580 --> 00:10:04,020 S3: of a self-acknowledged the team of no, uh, to, you know, 181 00:10:04,059 --> 00:10:08,819 S3: really trying to enable the business. Um, we definitely saw, 182 00:10:08,860 --> 00:10:11,820 S3: you know, when when, you know, for like ChatGPT first launched, 183 00:10:11,820 --> 00:10:15,660 S3: for example, there was some team of no, uh, mentality there, right? 184 00:10:15,700 --> 00:10:19,660 S3: And what happened? Every single employee just worked around the 185 00:10:19,660 --> 00:10:22,460 S3: constraints that the security team tried to throw up. Um, 186 00:10:22,700 --> 00:10:25,179 S3: and so now what we see are CISOs starting to, 187 00:10:25,220 --> 00:10:27,500 S3: you know, I think the CISOs that are that I 188 00:10:27,500 --> 00:10:30,980 S3: see that are least stressed about AI are the ones 189 00:10:30,980 --> 00:10:35,260 S3: that have, you know, started to adopt frameworks around usage, right? 
Helping, 190 00:10:35,300 --> 00:10:39,939 S3: you know, not just setting barriers for their organization, um, 191 00:10:39,940 --> 00:10:42,420 S3: but working with them to understand, like, hey, what are 192 00:10:42,420 --> 00:10:44,860 S3: the risks that we're taking on, right? And like, honestly, 193 00:10:44,860 --> 00:10:49,300 S3: even just showing where AI doesn't necessarily succeed as well today. Right? 194 00:10:49,340 --> 00:10:51,820 S3: It's not saying no, you can't use it. It's actually 195 00:10:51,820 --> 00:10:56,000 S3: working to demonstrate. Okay, this use case seems interesting, but 196 00:10:56,000 --> 00:10:58,520 S3: may not actually be the most helpful output, right? We're actually, 197 00:10:58,559 --> 00:11:00,840 S3: you know, if we have a chatbot, can it be 198 00:11:00,840 --> 00:11:05,520 S3: fooled into giving away free airline tickets, for example? Right. Um, yeah. Uh, 199 00:11:05,520 --> 00:11:08,920 S3: and will that be held up in court? Answer is yes. Uh, so, 200 00:11:08,960 --> 00:11:10,760 S3: you know, I think when it comes to securing AI 201 00:11:10,880 --> 00:11:15,240 S3: for the business, um, you know, it's it's been actually 202 00:11:15,240 --> 00:11:18,200 S3: almost a little bit refreshing to see CISOs adapting more quickly, 203 00:11:18,200 --> 00:11:21,200 S3: I think, than they have to to other technology stacks. Um, 204 00:11:21,920 --> 00:11:23,559 S3: and sort of saying like, hey, this is our this 205 00:11:23,559 --> 00:11:27,120 S3: is our next big frontier chance to serve as a 206 00:11:27,120 --> 00:11:29,800 S3: trusted advisor to the business, right? 
Like, we can reset 207 00:11:29,840 --> 00:11:31,800 S3: a little bit on, on some of the other, you know, 208 00:11:31,800 --> 00:11:34,400 S3: technology shifts and and just say like, right, we're we're 209 00:11:34,440 --> 00:11:38,120 S3: now helping the business, uh, and helping the business understand 210 00:11:38,240 --> 00:11:41,360 S3: what and when and where it wants to take on risk. Um, 211 00:11:41,960 --> 00:11:45,200 S3: when it comes to applying security within or applying AI 212 00:11:45,240 --> 00:11:49,400 S3: within the security organization. That's where I think there's going 213 00:11:49,400 --> 00:11:51,680 S3: to be a very interesting balance. One of the things 214 00:11:51,679 --> 00:11:53,940 S3: that we're starting to hear now is that boards are 215 00:11:53,940 --> 00:11:57,820 S3: mandating that teams within an organization figure out how to 216 00:11:57,860 --> 00:12:03,900 S3: use AI. And, you know, when it comes to cybersecurity defense, 217 00:12:04,100 --> 00:12:08,059 S3: AI is useful for a lot of different scenarios, but 218 00:12:08,059 --> 00:12:10,900 S3: not necessarily every scenario. Right. You have to balance the 219 00:12:10,900 --> 00:12:12,780 S3: fact it's, you know, I sort of, you know, if 220 00:12:12,780 --> 00:12:14,820 S3: you're if you're building the plane while flying it, you 221 00:12:14,820 --> 00:12:17,219 S3: have to make sure a wing doesn't fall off when 222 00:12:17,220 --> 00:12:19,820 S3: you're adding, adding a different technology. Right. And so I 223 00:12:19,820 --> 00:12:23,540 S3: think for CISOs who are, who are adapting AI for 224 00:12:23,540 --> 00:12:26,580 S3: cybersecurity defense, I think that's going to be a really 225 00:12:26,820 --> 00:12:29,460 S3: interesting sort of balance to strike of saying, yes, we 226 00:12:29,460 --> 00:12:31,740 S3: need to go experiment with AI. 
We need to go 227 00:12:31,740 --> 00:12:34,260 S3: figure out where it's useful for us, but also recognize 228 00:12:34,260 --> 00:12:38,100 S3: that the consequences if you know, if AI fails for defense, 229 00:12:38,500 --> 00:12:41,620 S3: it may be a little higher stakes, right? Because now 230 00:12:41,620 --> 00:12:44,420 S3: we're talking about actual like, you know, data protection, right. 231 00:12:44,460 --> 00:12:47,579 S3: And potential data breach issues. Um, and so I do 232 00:12:47,580 --> 00:12:50,620 S3: think that CISOs have their work cut out for them, uh, 233 00:12:50,620 --> 00:12:53,390 S3: you know, in that regard, uh, when they when they 234 00:12:53,429 --> 00:12:55,630 S3: have to go be the ones that are applying and 235 00:12:55,670 --> 00:12:58,350 S3: using AI versus setting guidelines for other teams. 236 00:12:58,830 --> 00:13:03,110 S2: Sure. Absolutely. So why why do you think boards are 237 00:13:03,110 --> 00:13:05,270 S2: pushing companies to adopt AI? 238 00:13:06,910 --> 00:13:10,309 S3: I think it's, uh, you know, sort of the in 239 00:13:10,350 --> 00:13:13,310 S3: a lot of ways, boards have always pushed companies to 240 00:13:13,350 --> 00:13:15,990 S3: be more efficient. Right. To to make sure that they're 241 00:13:15,990 --> 00:13:20,390 S3: they're maximizing the effectiveness of their team. Um, no board 242 00:13:20,390 --> 00:13:22,830 S3: of directors is going to say, you know, it looks 243 00:13:22,830 --> 00:13:25,470 S3: like you have a pretty, uh, bloated workforce that really 244 00:13:25,470 --> 00:13:29,990 S3: isn't doing much. That's fine. Right. Um, and, you know, 245 00:13:30,030 --> 00:13:33,030 S3: now there's a new tool at hand, right? Which has 246 00:13:33,030 --> 00:13:38,150 S3: a lot of promise, uh, to, you know, uh, displace 247 00:13:38,150 --> 00:13:41,110 S3: some of the grunt work that teams have to do. 
Um, 248 00:13:41,670 --> 00:13:44,870 S3: you know, again, I don't think most people at this 249 00:13:44,870 --> 00:13:48,670 S3: point are seriously contemplating replacing the bulk of their staff 250 00:13:48,670 --> 00:13:51,690 S3: with AI. You know, it's it's, you know, it's a 251 00:13:51,690 --> 00:13:54,370 S3: fear that certainly has been heard and talked about a lot. 252 00:13:54,410 --> 00:13:58,290 S3: But I think the reality is the focus now is, hey, 253 00:13:58,370 --> 00:14:02,089 S3: give your, your team access to these tools. Um, see 254 00:14:02,090 --> 00:14:05,090 S3: what they can do. Right. See if they can increase their, 255 00:14:05,130 --> 00:14:08,569 S3: their own efficiency here. Um, and so to me, what 256 00:14:08,570 --> 00:14:11,890 S3: this translates to is we will ultimately be more effective 257 00:14:11,890 --> 00:14:14,850 S3: as a business, not necessarily by replacing our staff, but 258 00:14:14,850 --> 00:14:18,170 S3: by making it so that, you know, their individual productivity, uh, 259 00:14:18,170 --> 00:14:21,570 S3: extends a little bit further. Right. Um, or, um, you know, 260 00:14:21,610 --> 00:14:24,330 S3: another lens of this is we know that the business 261 00:14:24,330 --> 00:14:28,050 S3: of doing business inherently involves a lot of toil. What 262 00:14:28,050 --> 00:14:31,450 S3: would our designers what would our security professionals? What would 263 00:14:31,450 --> 00:14:34,330 S3: our HR people be doing, uh, if they weren't just, 264 00:14:34,370 --> 00:14:38,130 S3: you know, sort of doing daily, daily document processing tasks, right? 265 00:14:38,170 --> 00:14:41,810 S3: Like what creativity could we unlock for the organization? Um, 266 00:14:41,850 --> 00:14:44,250 S3: so I think it's it's fair, honestly, for boards to, 267 00:14:44,290 --> 00:14:47,090 S3: for boards to push companies on these things. Um, yeah. 
268 00:14:47,290 --> 00:14:49,210 S3: I think the only failure mode is if they say 269 00:14:49,370 --> 00:14:53,670 S3: you must adopt AI. No exceptions. Uh, even if you 270 00:14:53,670 --> 00:14:56,310 S3: find a use case that models today's models aren't necessarily 271 00:14:56,310 --> 00:14:58,710 S3: ready for yet, right? Like that could be the the 272 00:14:58,750 --> 00:14:59,630 S3: only danger there. 273 00:14:59,670 --> 00:15:01,310 S2: Yeah, that's what I was going to say is there's 274 00:15:01,310 --> 00:15:03,790 S2: probably some push as well that says just get it 275 00:15:03,790 --> 00:15:07,110 S2: into product so we can market it because everyone else 276 00:15:07,150 --> 00:15:09,990 S2: is talking about it. But I think it's probably like, 277 00:15:10,030 --> 00:15:13,390 S2: I don't know, 75, 25 in the direction of like 278 00:15:13,430 --> 00:15:15,230 S2: find efficiencies, like you said. 279 00:15:15,710 --> 00:15:20,350 S3: Yeah, absolutely. And you know, definitely the the early days 280 00:15:20,350 --> 00:15:23,350 S3: of AI adoption, I think was a lot more, you know, 281 00:15:23,390 --> 00:15:26,030 S3: this model of and now we have AI, right. Like, 282 00:15:26,030 --> 00:15:28,110 S3: well for what you just kind of added a wrapper 283 00:15:28,110 --> 00:15:31,630 S3: around around a chatbot. Right. Um, and you know, for us, 284 00:15:31,670 --> 00:15:34,470 S3: at Tines as we were thinking about adding AI into 285 00:15:34,470 --> 00:15:36,310 S3: our product, I mean, we started out as a as 286 00:15:36,350 --> 00:15:39,190 S3: a no code workflow builder. Um, we took a look 287 00:15:39,190 --> 00:15:42,870 S3: at some of the early AI pushes, and we ended 288 00:15:42,870 --> 00:15:46,550 S3: up with something like 50 failed experiments, uh, to integrate 289 00:15:46,550 --> 00:15:49,490 S3: AI into our platform because we didn't just want it 290 00:15:49,490 --> 00:15:53,970 S3: to be yet another chatbot, right? 
That looks cool as demoware, 291 00:15:54,010 --> 00:15:57,250 S3: but doesn't actually add any value for anybody. Um, it 292 00:15:57,250 --> 00:16:00,130 S3: requires some thoughtfulness to make sure that, you know, you 293 00:16:00,130 --> 00:16:02,090 S3: can't just slap AI on something and say, oh, great, 294 00:16:02,090 --> 00:16:03,970 S3: this is now a better product, right? Like, it actually 295 00:16:03,970 --> 00:16:07,290 S3: requires deep thought and integration to make AI useful. 296 00:16:07,930 --> 00:16:12,450 S2: Yeah, and that's a great transition. We've set a pretty good, uh, 297 00:16:12,490 --> 00:16:16,810 S2: baseline here for what's happening in industry. So for the 298 00:16:16,810 --> 00:16:20,730 S2: problems that we talked about, uh, difficulty of automation, basically 299 00:16:20,770 --> 00:16:25,890 S2: a constraints on, you know, work that could be done 300 00:16:25,890 --> 00:16:27,970 S2: by security teams because of just the size of the 301 00:16:27,970 --> 00:16:30,370 S2: team and the stuff they're working on. So how is 302 00:16:30,410 --> 00:16:32,210 S2: Tines specifically addressing these? 303 00:16:33,170 --> 00:16:36,090 S3: Yeah, we're addressing it through a couple different layers. The 304 00:16:36,090 --> 00:16:41,450 S3: first is, uh, recognizing that just about every single security 305 00:16:41,450 --> 00:16:45,250 S3: team has a different, uh, adoption maturity level when it 306 00:16:45,250 --> 00:16:48,750 S3: comes to AI and also different constraints. Um, and so 307 00:16:48,790 --> 00:16:51,230 S3: our number one design principle was, you know, don't be 308 00:16:51,230 --> 00:16:55,430 S3: prescriptive in how people use AI within your platform. Um, 309 00:16:55,470 --> 00:16:58,230 S3: a very. And so, you know, one of the very first, uh, 310 00:16:58,270 --> 00:17:04,550 S3: integrations we built was, uh, we called it an automatic transform. 
Um, 311 00:17:04,550 --> 00:17:06,670 S3: and basically what this was, is, you know, a lot 312 00:17:06,670 --> 00:17:09,950 S3: of what people use Tines workflows for is to, you know, 313 00:17:09,990 --> 00:17:13,070 S3: take data from one system, transform or manipulate it in 314 00:17:13,070 --> 00:17:17,110 S3: some way, and then move it into another system automatically. Um, and, 315 00:17:17,150 --> 00:17:20,390 S3: you know, if you don't want to learn the necessary, 316 00:17:20,430 --> 00:17:22,710 S3: like all the ins and outs of some arcane like 317 00:17:22,750 --> 00:17:25,990 S3: JSON schema. It turns out AI is actually really good 318 00:17:25,990 --> 00:17:29,270 S3: to understand. You know, given a JSON input you tell AI. 319 00:17:29,270 --> 00:17:32,389 S3: I would like to extract these four fields, transform the 320 00:17:32,390 --> 00:17:35,270 S3: data in this way, and then output it in this format. Um, 321 00:17:35,910 --> 00:17:37,389 S3: and so the first, you know, so one of the 322 00:17:37,390 --> 00:17:40,350 S3: first integrations we built was this was this automatic transform 323 00:17:40,350 --> 00:17:46,869 S3: where AI would actually, uh, generate Python. Um, and uh, 324 00:17:46,869 --> 00:17:49,920 S3: you know, so now your workflow, it still looks like 325 00:17:49,920 --> 00:17:52,800 S3: the same, you know, deterministic workflow that you built by 326 00:17:52,800 --> 00:17:55,800 S3: hand before. But now you've got one additional piece here 327 00:17:55,800 --> 00:17:58,440 S3: that you didn't have to build by hand. Um, you're 328 00:17:58,440 --> 00:18:00,639 S3: still having you know, Python is deterministic, right? If you 329 00:18:00,640 --> 00:18:02,560 S3: give the same input to a function, it'll produce the 330 00:18:02,560 --> 00:18:06,240 S3: same output. 
Um, and, you know, so we, we balanced 331 00:18:06,280 --> 00:18:07,679 S3: the kind of what we saw as the best of 332 00:18:07,680 --> 00:18:10,360 S3: both worlds there where, yes, you don't have to write 333 00:18:10,359 --> 00:18:12,560 S3: that Python. You don't even have to know, like what 334 00:18:12,560 --> 00:18:15,320 S3: Python does. You just need to validate that when you 335 00:18:15,320 --> 00:18:17,639 S3: put out, you put the input in, you get the 336 00:18:17,640 --> 00:18:20,400 S3: output that you expect. And so, you know, for teams 337 00:18:20,400 --> 00:18:24,400 S3: that are sort of nervous about integrating AI or uh, 338 00:18:24,400 --> 00:18:27,800 S3: maybe really early in their their maturity journey, we wanted 339 00:18:27,800 --> 00:18:29,919 S3: to give them a first step. Right. Something that had 340 00:18:29,920 --> 00:18:31,679 S3: a lot of guardrails on it that was safe to 341 00:18:31,720 --> 00:18:35,080 S3: play around with. Um, we also have the ability to 342 00:18:35,119 --> 00:18:38,760 S3: just integrate, uh, a straight up AI prompt, uh, into 343 00:18:38,800 --> 00:18:41,800 S3: into your workflows as well, um, where, you know, if 344 00:18:41,800 --> 00:18:44,640 S3: you're maybe more comfortable with, you know, prompt engineering or 345 00:18:44,680 --> 00:18:49,500 S3: using those sorts of things, um, you could actually then go, uh, 346 00:18:49,500 --> 00:18:51,980 S3: you know, give it almost any input you wanted and 347 00:18:51,980 --> 00:18:54,060 S3: get any output you wanted structured, unstructured and so on 348 00:18:54,060 --> 00:18:57,899 S3: and so forth. And then more recently we launched a 349 00:18:57,900 --> 00:19:03,580 S3: tool called Workbench. Uh, and Workbench is basically our way 350 00:19:03,580 --> 00:19:08,100 S3: of addressing the fact that most chat tools are their 351 00:19:08,100 --> 00:19:11,740 S3: best when they have access to your data. Right. 
Um, 352 00:19:11,780 --> 00:19:16,180 S3: there's this inherent tension between, uh, sending your most sensitive 353 00:19:16,220 --> 00:19:20,700 S3: business contextual information, uh, to a third party vendor, um, 354 00:19:20,700 --> 00:19:23,020 S3: and also making sure that AI is useful for you. 355 00:19:23,180 --> 00:19:25,980 S3: So when we launched Workbench, uh, we made sure that 356 00:19:25,980 --> 00:19:30,500 S3: the AI models that we were using were actually completely private, uh, 357 00:19:30,500 --> 00:19:33,700 S3: to the, you know, the tenant that was running them, right? 358 00:19:33,700 --> 00:19:35,620 S3: There was no logging of the data. There was no 359 00:19:35,619 --> 00:19:38,419 S3: sending the data across the internet. Um, and it enabled 360 00:19:38,460 --> 00:19:41,780 S3: teams that had previously had constraints around sending data to 361 00:19:41,820 --> 00:19:44,500 S3: third parties be able to say, oh, right now I 362 00:19:44,500 --> 00:19:47,479 S3: can actually connect my uh, my AI models to the 363 00:19:47,480 --> 00:19:49,720 S3: tools that I use, uh, in a way that's safe 364 00:19:49,720 --> 00:19:52,160 S3: in a way that complies with my policies. Um, and 365 00:19:52,160 --> 00:19:55,879 S3: now we can finally take advantage of that true combination 366 00:19:55,920 --> 00:19:59,720 S3: like that, that that ideal combination of large language models 367 00:19:59,720 --> 00:20:03,000 S3: that have the context, that have the business data and 368 00:20:03,000 --> 00:20:03,840 S3: feel good about it. 369 00:20:04,440 --> 00:20:07,359 S2: Nice. And what were the types of operations that they 370 00:20:07,359 --> 00:20:10,400 S2: were doing with those, uh, prompts and LLMs was that 371 00:20:10,400 --> 00:20:15,040 S2: data transforms? Was that analysis, um, benign or malicious, that 372 00:20:15,040 --> 00:20:15,840 S2: type of stuff? 
373 00:20:16,600 --> 00:20:19,800 S3: Yeah, I think one of the big use cases that people, uh, 374 00:20:19,800 --> 00:20:25,240 S3: often start out with is around, uh, phishing analysis. Um, the, the, 375 00:20:25,240 --> 00:20:28,359 S3: the phishing ecosystem, if you will, has evolved a lot 376 00:20:28,359 --> 00:20:30,840 S3: over the years where you used to be able to 377 00:20:30,880 --> 00:20:34,040 S3: check for things like a suspicious link or suspicious IP 378 00:20:34,040 --> 00:20:36,640 S3: address or, you know, malicious attachment in an email and 379 00:20:36,640 --> 00:20:40,200 S3: that told you whether or not it was phishing. Nowadays, uh, 380 00:20:40,200 --> 00:20:44,080 S3: business email compromise is one of the biggest attack vectors 381 00:20:44,080 --> 00:20:46,980 S3: that we see. And often it's simply, you know, somebody 382 00:20:46,980 --> 00:20:51,820 S3: impersonating your CEO or impersonating somebody at your organization. And, 383 00:20:51,859 --> 00:20:53,340 S3: you know, I mean, I get these all the time 384 00:20:53,340 --> 00:20:56,859 S3: from from the Tines CEO, allegedly. Right. Saying, hey, Matt. Right. 385 00:20:56,940 --> 00:21:00,180 S3: It is me, your CEO. Uh, please provide your phone 386 00:21:00,180 --> 00:21:02,619 S3: number to me. Right. And they're they're looking for for 387 00:21:02,619 --> 00:21:05,860 S3: additional context there. Um, and it turns out that's a 388 00:21:05,859 --> 00:21:10,660 S3: really hard problem for traditional tools to be able to solve. 389 00:21:10,940 --> 00:21:13,580 S3: A human can look at that message and sort of 390 00:21:13,980 --> 00:21:17,140 S3: instinctively understand that this is phishing, right? Your tier one 391 00:21:17,140 --> 00:21:18,900 S3: SOC analyst can look at that and be like, oh, right. 392 00:21:18,900 --> 00:21:21,619 S3: That's that's obviously not the CEO. But how do you 393 00:21:21,619 --> 00:21:24,540 S3: explain that to code? Right. 
How do you explain that 394 00:21:24,540 --> 00:21:27,580 S3: to a very strict workflow tool? Because asking for a 395 00:21:27,580 --> 00:21:30,100 S3: phone number is something people do all the time, right? 396 00:21:30,140 --> 00:21:33,580 S3: It's the context of this conversation, uh, that results in 397 00:21:33,619 --> 00:21:35,460 S3: that not being, you know, it results in it being 398 00:21:35,460 --> 00:21:39,820 S3: malicious versus versus benign. And large language models, of course, 399 00:21:39,859 --> 00:21:45,200 S3: are pretty darn good at understanding intent, understanding, you know, 400 00:21:45,320 --> 00:21:48,280 S3: the nuances of some of those things. Um, and so 401 00:21:48,520 --> 00:21:51,640 S3: for security operations teams that would get, you know, reports 402 00:21:51,640 --> 00:21:54,280 S3: of phishing that they would have to go analyze. Um, 403 00:21:54,320 --> 00:21:56,600 S3: you know, there was a certain bulk of them that 404 00:21:56,600 --> 00:21:58,760 S3: had to be done by humans just because, like, the 405 00:21:58,760 --> 00:22:01,600 S3: rules that they set just couldn't catch them, particularly in 406 00:22:01,600 --> 00:22:04,000 S3: the Bec case. And so now what we're seeing is, 407 00:22:04,040 --> 00:22:06,560 S3: you know, these AI analysis tools are being able to, 408 00:22:06,600 --> 00:22:08,840 S3: you know, you can use them for a verdict. Um, 409 00:22:08,840 --> 00:22:11,040 S3: or you can just say, hey, I actually want you 410 00:22:11,040 --> 00:22:14,119 S3: to extract the intent of this message, and I'll combine 411 00:22:14,119 --> 00:22:16,600 S3: that with some other signals that I have, right? 
Like 412 00:22:16,640 --> 00:22:19,480 S3: mix and match AI and, you know, maybe a threat 413 00:22:19,480 --> 00:22:23,119 S3: research or a threat intelligence database that I have to say, oh, 414 00:22:23,440 --> 00:22:26,400 S3: this sender is actually in our database, as you know, 415 00:22:26,400 --> 00:22:29,920 S3: being potentially risky. Uh, combine that with, uh, you know, 416 00:22:29,960 --> 00:22:33,560 S3: the intent of this message being asking for contact information 417 00:22:33,800 --> 00:22:36,840 S3: and now you instantly have not just a yes, this 418 00:22:36,840 --> 00:22:40,200 S3: is malicious verdict. You also have insight into the intent 419 00:22:40,200 --> 00:22:43,800 S3: of the threat actor. Right. And um, with workbench in particular, 420 00:22:44,130 --> 00:22:47,490 S3: This is where analysts can now iterate on that. Right. And, 421 00:22:47,530 --> 00:22:48,889 S3: you know, going back to like what would you do 422 00:22:48,890 --> 00:22:51,050 S3: with the additional time that you can that you can 423 00:22:51,050 --> 00:22:55,609 S3: save now they're able to, you know, pivot into additional investigation, right. 424 00:22:55,650 --> 00:22:58,689 S3: And say, okay, if I know this was the attacker's intent, 425 00:22:58,690 --> 00:23:00,609 S3: what else can I learn about the attacker? What else? 426 00:23:00,650 --> 00:23:03,369 S3: You know, what else would this attack look like? Right. Maybe, 427 00:23:03,410 --> 00:23:06,410 S3: you know, maybe we received this one report. What would 428 00:23:06,410 --> 00:23:09,689 S3: it look like if it had succeeded with a different user? Right. 429 00:23:09,730 --> 00:23:13,290 S3: And can I go investigate that now? So, so much 430 00:23:13,290 --> 00:23:16,129 S3: less time spent on triage, more time actually spent asking 431 00:23:16,130 --> 00:23:18,810 S3: the questions of like, who is attacking me? What can 432 00:23:18,810 --> 00:23:20,810 S3: I do about it? 
How do we know that we're safe, right? 433 00:23:20,850 --> 00:23:23,889 S3: And moving beyond to the things that actually require some 434 00:23:23,890 --> 00:23:25,330 S3: some human thought and creativity? 435 00:23:26,050 --> 00:23:30,649 S2: Yeah, that makes sense. Yeah. Something you said earlier was 436 00:23:30,650 --> 00:23:33,649 S2: really interesting. You're talking about data transforms. And like, I 437 00:23:33,690 --> 00:23:37,450 S2: spent a lot of time, uh, different companies dealing with this. 438 00:23:37,490 --> 00:23:44,149 S2: It seems like it's not just, um, augmenting augmentation with 439 00:23:44,150 --> 00:23:46,950 S2: stuff that humans were doing that times could help with, 440 00:23:47,510 --> 00:23:53,230 S2: but also things that, um, like, um, data pipelines. Um, 441 00:23:53,510 --> 00:23:56,510 S2: and I was also thinking about, uh, and you probably 442 00:23:56,510 --> 00:23:59,270 S2: aren't I you got to focus when you're a product, 443 00:23:59,270 --> 00:24:04,109 S2: you got to focus. But, um, quality checks and security checks, 444 00:24:04,869 --> 00:24:06,830 S2: you kind of have the same sort of vibe. You 445 00:24:06,830 --> 00:24:09,790 S2: have things coming in and you're moving through a set 446 00:24:09,790 --> 00:24:15,070 S2: of steps for checking, for validation, for quality, for whatever 447 00:24:15,070 --> 00:24:17,070 S2: you could do. And if you add AI to that, 448 00:24:17,070 --> 00:24:19,310 S2: you could have like judgment in there at any of 449 00:24:19,310 --> 00:24:23,590 S2: those steps. So, I mean, um, it seems like you're 450 00:24:23,590 --> 00:24:29,030 S2: very much focused on security. Um, but are you seeing 451 00:24:29,030 --> 00:24:33,190 S2: people use it for, um, more like broad use cases, 452 00:24:33,190 --> 00:24:36,750 S2: like quality and stuff like that, because, I mean, this 453 00:24:36,750 --> 00:24:39,270 S2: is everywhere in it. It's everywhere in business. 
This is 454 00:24:39,270 --> 00:24:43,650 S2: just business in general needs these sort of workflows at scale? 455 00:24:44,530 --> 00:24:48,090 S3: Yeah, absolutely. Um, and, you know, I at the end 456 00:24:48,090 --> 00:24:49,970 S3: of the day, it feels like almost every problem boils 457 00:24:49,970 --> 00:24:53,970 S3: down to either case management or data management. Right? And so, um, 458 00:24:54,010 --> 00:24:57,010 S3: you know, especially in the data management world, um, you're 459 00:24:57,010 --> 00:25:00,730 S3: you're exactly right. This is where, you know, uh, we 460 00:25:00,730 --> 00:25:03,890 S3: can use tie ins, and we see customers using tie ins, uh, 461 00:25:03,890 --> 00:25:06,609 S3: to remove some of the toil and burden off of, 462 00:25:06,650 --> 00:25:11,290 S3: you know, just managing those, those pipelines, everything from, um. Hey, 463 00:25:11,330 --> 00:25:15,010 S3: what do we expect this log source, uh, to be, 464 00:25:15,050 --> 00:25:20,530 S3: you know, like, producing, right? Like, do we actually, you know, uh, AWS, uh, 465 00:25:20,650 --> 00:25:24,410 S3: loves to subtly change the shape of CloudTrail logs. 466 00:25:24,450 --> 00:25:25,330 S2: Totally. 467 00:25:25,690 --> 00:25:27,889 S3: You know. Right. And there's no there's no big announcement. 468 00:25:27,890 --> 00:25:30,290 S3: It's just one of these days, I've noticed that a 469 00:25:30,290 --> 00:25:33,010 S3: fewer of my logs are getting classified correctly. Right? And, like, 470 00:25:33,010 --> 00:25:35,890 S3: why is that? Um, and so that's where, you know, 471 00:25:35,930 --> 00:25:39,130 S3: tines and, you know, AI implementation within tines can, can 472 00:25:39,130 --> 00:25:43,070 S3: serve as that sanity check. 
Um, we also see customers 473 00:25:43,070 --> 00:25:46,510 S3: using tie ins to integrate with, uh, you know, some 474 00:25:46,510 --> 00:25:49,790 S3: of their, some of their other data management platforms, particularly 475 00:25:49,790 --> 00:25:53,350 S3: around hot and cold. Uh, you know, data stacks. Right. 476 00:25:53,390 --> 00:25:57,270 S3: And like, you know, in the context, you know, of doing, 477 00:25:57,310 --> 00:26:00,270 S3: for example, a security investigation, um, you know, you may 478 00:26:00,270 --> 00:26:02,949 S3: only have 30 days worth of logs that are that 479 00:26:02,950 --> 00:26:06,070 S3: are like hot, hot, right? And, like, actively accessible. And, 480 00:26:06,230 --> 00:26:09,310 S3: you know, you have all the rest in Amazon S3. And, um, 481 00:26:09,550 --> 00:26:11,270 S3: you know, you need to be able to pull them. 482 00:26:11,270 --> 00:26:14,870 S3: This is something where tines can help make that retrieval process, uh, 483 00:26:14,869 --> 00:26:18,550 S3: and rehydration process a lot more, a lot more simple. Um, 484 00:26:18,550 --> 00:26:21,669 S3: and so yeah, we're absolutely seeing people using tines as 485 00:26:21,670 --> 00:26:25,430 S3: sort of, you know, the meta orchestration and monitoring layer 486 00:26:25,590 --> 00:26:29,149 S3: on top of these data pipelines that they're building because, uh, yeah, 487 00:26:29,190 --> 00:26:31,590 S3: at the end of the day, you know, there's the 488 00:26:31,590 --> 00:26:34,070 S3: number of people that have data pipelines that don't have 489 00:26:34,070 --> 00:26:37,149 S3: a data engineering team is a lot larger than, uh, yeah, 490 00:26:37,190 --> 00:26:38,910 S3: the teams that do, unfortunately. Right. 491 00:26:39,230 --> 00:26:41,570 S2: Yeah, that makes sense. And as far as like AI 492 00:26:41,730 --> 00:26:44,290 S2: and security wise, what are the main use cases that 493 00:26:44,290 --> 00:26:44,850 S2: you're seeing? 
494 00:26:46,010 --> 00:26:50,010 S3: Yeah, I mean, AI is, uh, you know, what we're seeing, uh, 495 00:26:50,010 --> 00:26:54,489 S3: used a lot is again, sort of, uh, either, you know, 496 00:26:54,530 --> 00:26:59,169 S3: extracting context. Um, you know, we're we see threat intelligence 497 00:26:59,170 --> 00:27:02,050 S3: teams are using AI in a couple of different, really 498 00:27:02,050 --> 00:27:05,570 S3: interesting ways around reporting. The first is, you know, when 499 00:27:05,570 --> 00:27:09,210 S3: you consume, uh, threat intelligence reporting that has been produced 500 00:27:09,210 --> 00:27:12,850 S3: by another organization being able to extract indicators and all 501 00:27:12,890 --> 00:27:15,649 S3: that sort of stuff. Um, but then when you are 502 00:27:15,770 --> 00:27:19,609 S3: actually producing, reporting, uh, there's a lot of different consumers 503 00:27:19,609 --> 00:27:21,409 S3: of that, some of whom are human and want a 504 00:27:21,450 --> 00:27:24,850 S3: PDF and some of whom are computers and can't read 505 00:27:24,850 --> 00:27:28,450 S3: a PDF, right. Uh, and so being able to use 506 00:27:28,450 --> 00:27:32,610 S3: these capabilities to produce multiple different kinds of, you know, 507 00:27:32,609 --> 00:27:35,290 S3: intelligence distribution, I think has been a really to me, 508 00:27:35,290 --> 00:27:37,810 S3: that was sort of an unexpected but really fascinating use 509 00:27:37,810 --> 00:27:40,900 S3: case to see, um, of like, oh, right. It's not 510 00:27:40,900 --> 00:27:43,620 S3: just about reading data, right? It's about producing the data 511 00:27:43,619 --> 00:27:47,020 S3: that our, you know, translation of data. Really, uh, for 512 00:27:47,020 --> 00:27:49,020 S3: for the right audience. Um, so. 513 00:27:49,020 --> 00:27:52,940 S2: You have, like, a little piece of useful intelligence and 514 00:27:52,940 --> 00:27:56,260 S2: you have, um, yeah. 
I did a lot of work 515 00:27:56,260 --> 00:27:59,740 S2: on this, uh, at Apple, actually, with the threat intel team, 516 00:27:59,740 --> 00:28:03,500 S2: they have this little nugget of intelligence, and their customers 517 00:28:03,500 --> 00:28:07,540 S2: are like, whatever, 19 different customers, including, like, global security, 518 00:28:07,540 --> 00:28:10,100 S2: which is physical security. And then you have all these 519 00:28:10,100 --> 00:28:13,300 S2: different product teams and software teams, and they all care 520 00:28:13,300 --> 00:28:14,540 S2: about something different. 521 00:28:14,940 --> 00:28:15,340 S3: Right? 522 00:28:15,380 --> 00:28:18,300 S2: And that's a workflow combined with AI that you could 523 00:28:18,300 --> 00:28:20,619 S2: just produce those 19 different artifacts. 524 00:28:20,900 --> 00:28:24,540 S3: Right? Exactly right. The CISO just wants to know, basically, 525 00:28:24,540 --> 00:28:26,380 S3: are we vulnerable? Have we been hit right. And that's 526 00:28:26,380 --> 00:28:28,939 S3: that's about it. Um, and the SOC may want to 527 00:28:28,980 --> 00:28:31,220 S3: know a little bit more technical detail and so on 528 00:28:31,220 --> 00:28:33,660 S3: and so forth. Um, so yeah, that to me, that 529 00:28:33,660 --> 00:28:36,460 S3: has been a really fascinating use case of, you know, 530 00:28:36,500 --> 00:28:39,460 S3: it's it's avoiding toil, but not in the way that 531 00:28:39,560 --> 00:28:41,520 S3: everyone thinks, right? Like you still, as the human, are 532 00:28:41,520 --> 00:28:44,840 S3: putting your creativity into this report and developing the nuance 533 00:28:44,840 --> 00:28:47,960 S3: and understanding, and then AI is helping you translate that 534 00:28:47,960 --> 00:28:49,320 S3: into a different context. 535 00:28:49,960 --> 00:28:53,400 S2: Yeah, that makes sense. 
So is Workbench the main the 536 00:28:53,400 --> 00:28:56,080 S2: main thing that you guys are working on and talking 537 00:28:56,080 --> 00:28:58,680 S2: about right now? Tell us more about that. 538 00:28:59,360 --> 00:29:04,920 S3: Yeah. Workbench uh, is definitely something that has really taken off, uh, 539 00:29:04,920 --> 00:29:07,520 S3: in our customer base. Uh, and again, I think a 540 00:29:07,520 --> 00:29:09,880 S3: lot of that is the fact that, you know, uh, 541 00:29:10,120 --> 00:29:11,640 S3: a chat tool is a chat tool, right? There's a 542 00:29:11,640 --> 00:29:13,840 S3: lot of those out there in the world. Um, but 543 00:29:13,880 --> 00:29:17,360 S3: what Tines provides is that private and secure access and 544 00:29:17,360 --> 00:29:21,400 S3: the context and integration, uh, with all of your other 545 00:29:21,400 --> 00:29:25,600 S3: data and most importantly, your other Tines workflows. Um, and 546 00:29:25,600 --> 00:29:30,040 S3: so the way we're seeing people now start to use Workbench, uh, is, 547 00:29:30,200 --> 00:29:32,600 S3: you know, sort of almost like dipping in and out 548 00:29:32,600 --> 00:29:37,160 S3: of using deterministic automation and also using a chat interface 549 00:29:37,160 --> 00:29:40,540 S3: for their, for their analyst. So in an incident, um, 550 00:29:40,540 --> 00:29:43,700 S3: you know, an analyst may go into Workbench and say, 551 00:29:43,700 --> 00:29:47,180 S3: I received this alert, please analyze it, recommend some next 552 00:29:47,180 --> 00:29:48,900 S3: steps for me. Right. And one of those next steps 553 00:29:48,900 --> 00:29:52,260 S3: might be, you know, this account looks like it's been compromised. 554 00:29:52,260 --> 00:29:56,260 S3: You should probably lock this account. And you say okay, great. Uh, 555 00:29:56,260 --> 00:29:59,500 S3: Workbench allows you to trigger other workflows that have been 556 00:29:59,500 --> 00:30:02,540 S3: built within Tines. 
And so I don't have to worry 557 00:30:02,540 --> 00:30:09,700 S3: about AI maybe hallucinating the endpoint, uh, of our identity provider. Right. Or, uh, mistaking, 558 00:30:09,740 --> 00:30:11,500 S3: you know, like, if, you know, there's a bunch of 559 00:30:11,500 --> 00:30:13,700 S3: other people in Tines named Matt, I don't have to 560 00:30:13,700 --> 00:30:15,420 S3: worry that it's going to grab the wrong Matt. Right? 561 00:30:15,420 --> 00:30:20,420 S3: Like I can actually delegate that task to a deterministic workflow, 562 00:30:20,700 --> 00:30:21,980 S3: and then it comes back to Workbench. 563 00:30:22,020 --> 00:30:22,660 S2: That's great. 564 00:30:22,700 --> 00:30:26,820 S3: That's great. And Workbench says, uh, you know, great. We've 565 00:30:26,820 --> 00:30:28,500 S3: done that part. Here's, you know, would you like me 566 00:30:28,500 --> 00:30:30,140 S3: to write up an incident summary? Right. And you can 567 00:30:30,140 --> 00:30:33,340 S3: close out this case. Um, and so really giving people, 568 00:30:33,380 --> 00:30:37,300 S3: you know, a much more explicit way of working through 569 00:30:37,340 --> 00:30:41,880 S3: common tasks, delegating to automation where necessary. Um, but, you know, 570 00:30:41,880 --> 00:30:44,000 S3: this is still very much, you know, a sort of 571 00:30:44,040 --> 00:30:47,239 S3: a co-pilot sort of use case. Um, one of the 572 00:30:47,240 --> 00:30:50,560 S3: things we're really excited right now is excited about right 573 00:30:50,560 --> 00:30:53,920 S3: now is, uh, you know, some of the agentic AI 574 00:30:54,280 --> 00:30:58,960 S3: capabilities that, um, you know, we're we're starting to see some, uh, 575 00:30:58,960 --> 00:31:03,440 S3: people using Tines for sort of basic agentic AI stuff. 
Um, and, 576 00:31:03,480 --> 00:31:05,840 S3: you know, in the same way that we didn't necessarily 577 00:31:05,840 --> 00:31:08,600 S3: want to rush and be the first people to integrate 578 00:31:08,640 --> 00:31:12,320 S3: a chat interface just to say we had AI. Agentic AI, 579 00:31:12,360 --> 00:31:15,960 S3: I think has had, uh, maybe an evolution, uh, in 580 00:31:15,960 --> 00:31:19,360 S3: terms of our understanding of what an AI agent actually is, right? 581 00:31:19,400 --> 00:31:22,880 S3: And what constitutes agentic AI and so on and so forth. Um, 582 00:31:23,040 --> 00:31:28,000 S3: and now that these have more stable definitions, uh, we're 583 00:31:28,040 --> 00:31:31,400 S3: investing in figuring out what agentic AI looks like when 584 00:31:31,400 --> 00:31:34,400 S3: it comes to Tines as well. So that's something that, uh, I, 585 00:31:34,640 --> 00:31:36,640 S3: you know, we're, we're starting to get some internal sneak 586 00:31:36,640 --> 00:31:39,700 S3: peeks on, uh, and it's, uh, it's pretty exciting. 587 00:31:40,420 --> 00:31:42,820 S2: All right. Could you possibly, uh, show us a demo 588 00:31:42,820 --> 00:31:43,580 S2: of Workbench? 589 00:31:44,340 --> 00:31:48,180 S3: Yeah, absolutely. I'd be delighted to, um. Let's see. Hopefully 590 00:31:48,180 --> 00:31:52,900 S3: I have the correct screen pulled up here. Um, but 591 00:31:52,900 --> 00:31:57,860 S3: this is the the Workbench interface, and you can see here, uh, 592 00:31:57,860 --> 00:32:02,260 S3: you know, it's a fairly classic chat interface. Um, and 593 00:32:02,700 --> 00:32:06,660 S3: if you treat it just like any other chat bot, uh, 594 00:32:06,660 --> 00:32:10,500 S3: you'll get fairly generic LLM answers. Um, so in my 595 00:32:10,540 --> 00:32:13,820 S3: in my previous role, I worked in security operations, uh, 596 00:32:13,820 --> 00:32:18,340 S3: at Coinbase. Um, and we dealt with phishing all the time. 
597 00:32:18,340 --> 00:32:22,060 S3: We dealt with incidents, um, you know, and, uh, you know, 598 00:32:22,100 --> 00:32:25,060 S3: got got attacked all the time. So, um, let's imagine 599 00:32:25,060 --> 00:32:27,500 S3: here that I, you know, have received reports that the 600 00:32:27,540 --> 00:32:32,420 S3: domain Coinbase is, is phishing. And I'm looking to learn more. Um, 601 00:32:32,820 --> 00:32:43,590 S3: can you tell me if Coinbase So.com is phishing. And 602 00:32:43,590 --> 00:32:45,750 S3: it'll think for a second. But you'll notice here that 603 00:32:45,750 --> 00:32:50,190 S3: because we are only talking to the LLM, it gives 604 00:32:50,190 --> 00:32:52,870 S3: us a fairly generic answer, right? I don't have any 605 00:32:52,910 --> 00:32:55,630 S3: specific information. Um, and so because. 606 00:32:55,670 --> 00:32:57,750 S2: This has got a training cut off date, right. This 607 00:32:57,750 --> 00:33:01,510 S2: is like it only knows so much. It's not an 608 00:33:01,510 --> 00:33:03,630 S2: expert on domains. 609 00:33:04,070 --> 00:33:08,350 S3: Exactly, exactly. And you know, this is good generic advice, right? 610 00:33:08,390 --> 00:33:10,030 S3: Like you should always check to see if it's an 611 00:33:10,030 --> 00:33:15,350 S3: official Coinbase domain. Um, but as I start connecting tools, uh, 612 00:33:15,590 --> 00:33:18,950 S3: things can get a little bit more interesting. So now 613 00:33:18,950 --> 00:33:23,590 S3: if I ask it the same question, if Coinbase is 614 00:33:23,590 --> 00:33:31,630 S3: so.com is phishing. It's going to look a little bit different, right? 615 00:33:31,670 --> 00:33:34,030 S3: It knows that one of the tools available to it 616 00:33:34,030 --> 00:33:37,770 S3: is URL scan. Um, and so now, rather than just 617 00:33:37,770 --> 00:33:41,410 S3: giving me a generic answer, it's actually going to use, uh, 618 00:33:41,410 --> 00:33:46,250 S3: URL scan. 
Um, and because it's searched for URL scan 619 00:33:46,250 --> 00:33:48,810 S3: and found a result, it actually knows to then retrieve 620 00:33:48,810 --> 00:33:52,490 S3: that result as well. It's kicking these things off automatically 621 00:33:52,490 --> 00:33:55,810 S3: because these are read only actions, right? Like no system 622 00:33:55,810 --> 00:33:59,290 S3: is going to change because, uh, you know, because it 623 00:33:59,330 --> 00:34:02,610 S3: called these tools. Um, we also have the ability, you know, 624 00:34:02,650 --> 00:34:05,090 S3: if there's a, you know, a write action or a, 625 00:34:05,090 --> 00:34:09,210 S3: you know, potentially destructive action, it'll ask you to confirm, uh, 626 00:34:09,210 --> 00:34:12,529 S3: before before it takes that action. But these are read only, right? 627 00:34:12,570 --> 00:34:16,010 S3: And so now that we've pulled back, uh, some URL 628 00:34:16,050 --> 00:34:18,610 S3: scan results, we can officially confirm that this is a 629 00:34:18,610 --> 00:34:22,170 S3: phishing site, right? With the most up to date data. Um, and, 630 00:34:22,210 --> 00:34:24,330 S3: you know, if you've been on URL, scan, com, you 631 00:34:24,330 --> 00:34:27,530 S3: know that there's a lot of data that they pull back. Um, 632 00:34:27,530 --> 00:34:30,969 S3: and this sort of provides this very quick, uh, insight 633 00:34:30,969 --> 00:34:35,830 S3: into URL scan. Um, and so, you know, this is 634 00:34:35,830 --> 00:34:39,469 S3: this is something where, you know, security teams, uh, in 635 00:34:39,469 --> 00:34:42,029 S3: the past, if they wanted to use all of these 636 00:34:42,030 --> 00:34:45,710 S3: different tools, uh, they had kind of one of two choices. 
637 00:34:45,710 --> 00:34:48,109 S3: They could either have a lot of different panes of 638 00:34:48,110 --> 00:34:51,150 S3: glass open, uh, or they could, you know, sort of 639 00:34:51,190 --> 00:34:54,230 S3: do like a one time enrichment into, you know, a 640 00:34:54,270 --> 00:34:57,029 S3: case that came in. Right? Um, I may not know 641 00:34:57,070 --> 00:34:59,670 S3: ahead of time what tool I want to use in 642 00:34:59,670 --> 00:35:02,750 S3: order to investigate something. Uh, and so what Workbench lets 643 00:35:02,750 --> 00:35:05,069 S3: us do is say, okay, now, you know, we can 644 00:35:05,070 --> 00:35:07,390 S3: pick some of the tools that are, you know, tools 645 00:35:07,390 --> 00:35:12,310 S3: that are at our disposal, get the latest data. Um, and, uh, 646 00:35:12,310 --> 00:35:15,390 S3: you know, ultimately, uh, you know, get that sort of 647 00:35:15,510 --> 00:35:19,390 S3: much more dynamic, uh, you know, uh, interface without without 648 00:35:19,390 --> 00:35:20,910 S3: ever having to leave Workbench. 649 00:35:21,190 --> 00:35:23,790 S2: Yeah. They just asked the question normal way. They don't 650 00:35:23,790 --> 00:35:26,550 S2: think about the tools that would be required to answer 651 00:35:26,550 --> 00:35:27,390 S2: it correctly. 652 00:35:28,150 --> 00:35:31,109 S3: Exactly. Um, and, you know, let's imagine that, you know, 653 00:35:31,150 --> 00:35:34,029 S3: we're not using URL scan. We're using a different, uh, 654 00:35:34,090 --> 00:35:37,730 S3: service provider to to analyze phishing. I don't have to 655 00:35:37,730 --> 00:35:40,690 S3: know anything about that service provider. Right? Like, all I 656 00:35:40,690 --> 00:35:45,010 S3: have to know is what information the AI has extracted 657 00:35:45,410 --> 00:35:48,370 S3: in order to be able to make to make that determination. 
Um, 658 00:35:48,810 --> 00:35:50,489 S3: and so for us, this is, you know, again, sort 659 00:35:50,489 --> 00:35:52,250 S3: of feels like one of the best of both worlds 660 00:35:52,250 --> 00:35:55,290 S3: when it comes to chat assistance, right? Like, you can 661 00:35:55,290 --> 00:35:58,890 S3: get the, uh, validated data from the latest, uh, trusted 662 00:35:58,890 --> 00:36:01,650 S3: data sources. Um, you don't have to know any of 663 00:36:01,650 --> 00:36:04,890 S3: the technical details behind it. You remain in full control 664 00:36:04,890 --> 00:36:07,770 S3: over what sources are connected, when actions are taken, and 665 00:36:07,770 --> 00:36:10,730 S3: so on and so forth. Um, but ultimately, you know, 666 00:36:10,770 --> 00:36:13,689 S3: it just sort of removes that cognitive burden of having to, 667 00:36:13,730 --> 00:36:16,410 S3: you know, context switch between a bunch of different systems. 668 00:36:16,890 --> 00:36:19,049 S2: Yeah, that makes sense. I really liked what you were 669 00:36:19,050 --> 00:36:23,330 S2: saying before when you were talking about building the workflows. Um, 670 00:36:23,969 --> 00:36:28,370 S2: where you seamlessly pivoting between when you need intelligence and 671 00:36:28,370 --> 00:36:33,290 S2: when you need the consistency of like a legacy or 672 00:36:33,330 --> 00:36:36,589 S2: what did you call it? Um. Deterministic system. 673 00:36:36,630 --> 00:36:37,710 S3: Yeah, exactly. 674 00:36:37,750 --> 00:36:40,870 S2: Yeah, that's that's really, really important because when you talk 675 00:36:40,910 --> 00:36:44,390 S2: about scale, you talk about processing terabytes of data. That's 676 00:36:44,390 --> 00:36:46,910 S2: not an LLM thing, right? Right. You got to you 677 00:36:46,950 --> 00:36:49,870 S2: got to pivot to traditional tech there. Uh, I thought 678 00:36:49,870 --> 00:36:53,230 S2: that was really interesting. Well, this is, um, this is awesome. 
679 00:36:53,270 --> 00:36:55,750 S2: What else is, uh, coming out? What else should people 680 00:36:55,750 --> 00:36:58,710 S2: know about that? You're, um, either have out now or 681 00:36:58,710 --> 00:36:59,590 S2: releasing soon. 682 00:37:00,550 --> 00:37:02,830 S3: Yeah, some of the stuff coming out soon, we're, you know, 683 00:37:02,870 --> 00:37:07,150 S3: we're adding, uh, a lot more into Workbench. Uh, and, 684 00:37:07,190 --> 00:37:10,830 S3: you know, right now, a lot of this, uh, interface is, uh, 685 00:37:10,830 --> 00:37:13,870 S3: text based. Um, we've heard a lot of requests from 686 00:37:13,870 --> 00:37:15,790 S3: our customers that they'd like to be able to do 687 00:37:15,790 --> 00:37:18,629 S3: more with documents and images. Um, so that is, that 688 00:37:18,630 --> 00:37:22,109 S3: is coming very, very soon here. Um, and then, you know, 689 00:37:22,190 --> 00:37:24,109 S3: the other thing, uh, and, you know, if I look 690 00:37:24,110 --> 00:37:27,710 S3: at here at this, uh, Workbench builder or, excuse me, 691 00:37:27,710 --> 00:37:31,029 S3: this story builder, uh, tab, um, right now we have 692 00:37:31,030 --> 00:37:35,160 S3: an AI action that includes just a prompt right where 693 00:37:35,160 --> 00:37:39,600 S3: I can maybe generate some some output. Um, as we 694 00:37:39,600 --> 00:37:42,600 S3: start looking, uh, you know, over the next few months 695 00:37:42,600 --> 00:37:47,520 S3: at how agentic AI, uh, you know, interfaces with, uh, 696 00:37:47,520 --> 00:37:51,239 S3: both traditional workflows as well as, you know, uh, copilot 697 00:37:51,239 --> 00:37:54,880 S3: chat workflows. 
Um, this is going to, uh, this is 698 00:37:54,880 --> 00:37:57,919 S3: going to evolve, and, uh, I'll leave, uh, I'll leave 699 00:37:57,920 --> 00:38:01,520 S3: the tease, uh, at, uh, you know, at, uh, you know, 700 00:38:01,560 --> 00:38:04,200 S3: saying that there's going to be more than just Workbench, uh, 701 00:38:04,200 --> 00:38:06,000 S3: for sure, uh, over the next few months when it 702 00:38:06,000 --> 00:38:06,640 S3: comes to AI. 703 00:38:07,680 --> 00:38:11,440 S2: Fantastic. And where can people find out about you? Uh, 704 00:38:11,440 --> 00:38:12,560 S2: the website and everything. 705 00:38:13,040 --> 00:38:16,719 S3: Yeah. Folks, go to Tines. T-i-n-e-s.com. Uh, 706 00:38:16,760 --> 00:38:19,600 S3: they can find us there. Um, and if they want 707 00:38:19,640 --> 00:38:22,239 S3: to get a taste of of all of this, uh, 708 00:38:22,280 --> 00:38:24,600 S3: what we've shown today, what we've talked about, we have 709 00:38:24,600 --> 00:38:27,640 S3: a free community edition. It's free for life. Uh, you know, 710 00:38:27,680 --> 00:38:30,680 S3: comes with a whole bunch of different features. Um, and, 711 00:38:30,719 --> 00:38:33,380 S3: you know, I have my own community edition tenant that 712 00:38:33,380 --> 00:38:37,140 S3: I actually use for personal stuff outside of work as well. Um, 713 00:38:37,420 --> 00:38:41,580 S3: we've had people use their, uh, tenants to actually, uh, 714 00:38:41,860 --> 00:38:44,180 S3: build to do a fantasy football draft, which I thought 715 00:38:44,180 --> 00:38:47,580 S3: was interesting. Um, and, uh, yeah, we want people to 716 00:38:47,580 --> 00:38:51,540 S3: be able to experience, uh, you know, experience, uh, what's, uh, 717 00:38:51,540 --> 00:38:52,820 S3: you know, what all we're building. 718 00:38:53,580 --> 00:38:57,140 S2: Very cool. Well, Matt, I enjoy the conversation. I think 719 00:38:57,140 --> 00:39:00,460 S2: this is, uh, super interesting. 
And, uh, look forward to 720 00:39:00,540 --> 00:39:01,739 S2: talking to you in the future. 721 00:39:02,300 --> 00:39:04,820 S3: Likewise. Thanks so much, Daniel. I really appreciate the conversation. 722 00:39:04,860 --> 00:39:05,660 S2: All right. Take care. 723 00:39:05,980 --> 00:39:06,540 S3: Cheers. 724 00:39:08,300 --> 00:39:13,140 S1: Unsupervised Learning is produced on Hindenburg Pro using an SM7 microphone. 725 00:39:13,940 --> 00:39:16,219 S1: A video version of the podcast is available on the 726 00:39:16,260 --> 00:39:19,939 S1: Unsupervised Learning YouTube channel, and the text version with full 727 00:39:19,940 --> 00:39:25,460 S1: links and notes is available at danielmiessler.com/newsletter. We'll 728 00:39:25,460 --> 00:39:26,300 S1: see you next time.