1 00:00:18,987 --> 00:00:21,146 S1: So for around ten years now, I've been trying to 2 00:00:21,147 --> 00:00:24,227 S1: figure out where all this AI stuff is going, and 3 00:00:24,227 --> 00:00:25,947 S1: I want to talk about what I figured out so 4 00:00:25,947 --> 00:00:29,667 S1: far and what brought me to this conclusion. And I'm 5 00:00:29,667 --> 00:00:31,707 S1: going to do that by sort of taking you through 6 00:00:31,707 --> 00:00:35,387 S1: how I drunk stumbled my way along to this idea. 7 00:00:36,906 --> 00:00:41,267 S1: So background wise, I'm a security person going back to 1999, 8 00:00:41,707 --> 00:00:45,547 S1: spent my whole career doing that offensive security Pentesting web 9 00:00:45,587 --> 00:00:49,066 S1: Appsec threat modeling Vuln management. But I would say my 10 00:00:49,107 --> 00:00:56,187 S1: overall container is essentially security assessment. And going back like 11 00:00:56,187 --> 00:00:59,467 S1: 15 years, when I do a security assessment for a customer, 12 00:00:59,467 --> 00:01:02,386 S1: I do it in an unconventional way. And this is 13 00:01:02,387 --> 00:01:05,027 S1: how I still do it today. I start with like 14 00:01:05,027 --> 00:01:07,587 S1: the CEO and the CEO and like the head of 15 00:01:07,587 --> 00:01:10,667 S1: legal and basically all the top people who like, run 16 00:01:10,667 --> 00:01:14,747 S1: the company, uh, from the very top level. And I 17 00:01:14,747 --> 00:01:17,816 S1: asked them essentially, what is the business? How do they 18 00:01:17,817 --> 00:01:21,577 S1: think about the business? What fundamentally do they do? If 19 00:01:21,577 --> 00:01:24,057 S1: they had to strip everything away? Like what would that 20 00:01:24,057 --> 00:01:27,297 S1: be like? What is the core of it? Right. And 21 00:01:27,297 --> 00:01:29,697 S1: I started getting into like what data comes in, what 22 00:01:29,697 --> 00:01:32,817 S1: comes out, what are their primary outputs. And then I 23 00:01:32,817 --> 00:01:35,137 S1: moved on to the next level of like senior management. 24 00:01:35,137 --> 00:01:37,097 S1: Then I moved through management. Then I talked to the 25 00:01:37,097 --> 00:01:40,617 S1: people on the actual ground who are like actually doing things. 26 00:01:40,617 --> 00:01:44,217 S1: And I start to hear discrepancies. I start to see overlaps, 27 00:01:44,217 --> 00:01:47,177 S1: I start to find all the patterns and I adjust 28 00:01:47,177 --> 00:01:51,297 S1: my questions accordingly. So I basically moved through the whole 29 00:01:51,297 --> 00:01:54,257 S1: structure in that way and try to figure out exactly 30 00:01:54,257 --> 00:01:56,457 S1: what that company is doing and how they're doing it. 31 00:01:57,497 --> 00:02:00,097 S1: So as I keep gathering more and more of this information, 32 00:02:00,097 --> 00:02:03,617 S1: I start filling in like this elaborate diagram for the company. 33 00:02:03,617 --> 00:02:07,337 S1: All their information flows, all their vendors where they're storing data. 34 00:02:07,337 --> 00:02:10,217 S1: And I start to notice things right. And ultimately I'm 35 00:02:10,216 --> 00:02:13,656 S1: figuring out like, what is this company actually look like? 36 00:02:13,776 --> 00:02:16,527 S1: And what's really fun is to have people come in 37 00:02:16,526 --> 00:02:20,007 S1: and so they modify the screen. They say, oh, that 38 00:02:20,007 --> 00:02:23,687 S1: actually doesn't exist anymore. Oh, you forgot this piece. And 39 00:02:23,686 --> 00:02:26,806 S1: invariably after, like the first day, people come in and 40 00:02:26,806 --> 00:02:28,727 S1: they start taking pictures. I'm like, what are you taking 41 00:02:28,727 --> 00:02:30,846 S1: a picture for? And they're like, this is the best 42 00:02:30,846 --> 00:02:34,087 S1: view of the company. I've never seen a clearer understanding 43 00:02:34,087 --> 00:02:37,886 S1: of what we actually do than this diagram here. Like 44 00:02:37,887 --> 00:02:40,727 S1: all the other ones are incomplete, so that's always fun 45 00:02:40,727 --> 00:02:44,166 S1: to see. So after a week or two of this, 46 00:02:44,167 --> 00:02:46,526 S1: I then do the technical assessment, and then I start 47 00:02:46,526 --> 00:02:49,007 S1: asking more and more questions to figure out, hey, so 48 00:02:49,047 --> 00:02:51,286 S1: isn't this a problem? They're like, oh yeah, that actually 49 00:02:51,286 --> 00:02:54,486 S1: is a problem. But the key idea is taking all 50 00:02:54,487 --> 00:02:57,487 S1: this content from all these interviews, including from the highest 51 00:02:57,487 --> 00:03:01,207 S1: level and the lowest level, and getting all that into 52 00:03:01,207 --> 00:03:04,687 S1: a single context so I can start asking questions. So 53 00:03:04,686 --> 00:03:06,886 S1: speaking of security, if you have a company or any 54 00:03:06,887 --> 00:03:10,286 S1: digital assets that you're responsible for protecting, I recommend you 55 00:03:10,286 --> 00:03:12,846 S1: check out one of my favorite companies ever going back, like, 56 00:03:12,887 --> 00:03:16,197 S1: I don't know, 10 or 15 years, which is Project Discovery. 57 00:03:16,316 --> 00:03:18,596 S1: So I've been using their open source security tools like 58 00:03:18,596 --> 00:03:22,677 S1: Sub finder, DNS, HTTP nuclei, and a bunch of other 59 00:03:22,677 --> 00:03:25,436 S1: tools from them for like ten years now. And they 60 00:03:25,436 --> 00:03:28,436 S1: just recently released a cloud solution that takes what I 61 00:03:28,436 --> 00:03:31,157 S1: was doing, like chaining all these commands together on the 62 00:03:31,156 --> 00:03:33,797 S1: command line. And it does it automatically for you. So 63 00:03:33,797 --> 00:03:35,997 S1: you come over here, you put in a domain that 64 00:03:35,997 --> 00:03:37,916 S1: you want to start with. We'll go with like Tesla 65 00:03:37,957 --> 00:03:40,957 S1: because they have an open security program. And you start 66 00:03:40,957 --> 00:03:43,837 S1: that and you start collecting tons of stuff on whatever 67 00:03:43,837 --> 00:03:45,677 S1: target you put in there. So in the background, it's 68 00:03:45,677 --> 00:03:48,437 S1: doing a whole bunch of discovery stuff on the target. 69 00:03:48,437 --> 00:03:52,796 S1: It's finding domains, sub domains, making sure those domains are valid. 70 00:03:53,077 --> 00:03:56,077 S1: It's finding the web applications. It's taking screenshots of those 71 00:03:56,117 --> 00:03:59,877 S1: like login pages. It's finding open ports. It's even getting 72 00:03:59,877 --> 00:04:02,916 S1: the tech stack for every service that you find. So 73 00:04:02,917 --> 00:04:04,717 S1: here are the type of results that you get from 74 00:04:04,717 --> 00:04:06,917 S1: the discovery. And from here you can actually launch a 75 00:04:06,917 --> 00:04:10,117 S1: full scan using nuclei and other tools. Okay. From here 76 00:04:10,117 --> 00:04:13,397 S1: we can actually go into remediation and start actually fixing 77 00:04:13,397 --> 00:04:16,307 S1: these things. So basically they started all these years ago 78 00:04:16,347 --> 00:04:19,307 S1: as Pentester and bug bounty and command line focused, and 79 00:04:19,307 --> 00:04:22,827 S1: now they brought all that functionality together into a full 80 00:04:22,827 --> 00:04:26,027 S1: vulnerability management platform. So definitely go check them out. It's 81 00:04:26,027 --> 00:04:31,787 S1: cloud CIO and thanks to Project Discovery for sponsoring today's video. 82 00:04:32,547 --> 00:04:36,747 S1: So separate from that in a completely different thread on 83 00:04:36,747 --> 00:04:40,227 S1: the consumer side, in 2013, I started to get a 84 00:04:40,227 --> 00:04:43,787 S1: picture of where I thought all this AI tech was going. 85 00:04:43,827 --> 00:04:46,187 S1: At the time I called it IoT, so I wrote 86 00:04:46,187 --> 00:04:48,667 S1: this book in 2016. It's kind of a crappy book. 87 00:04:49,307 --> 00:04:52,546 S1: I don't recommend you read it. Honestly. There's a blog 88 00:04:52,547 --> 00:04:55,467 S1: version of it online on my site, which you should 89 00:04:55,467 --> 00:04:58,627 S1: go check out. It's much better. Typography is much better 90 00:04:58,627 --> 00:05:01,187 S1: as well, so definitely go check it out there. But 91 00:05:01,187 --> 00:05:05,507 S1: the ideas are pretty decent. So the basic concept first 92 00:05:05,507 --> 00:05:09,427 S1: idea is you have digital assistants that know everything about 93 00:05:09,427 --> 00:05:12,747 S1: you and they advocate for you. Then the second piece 94 00:05:12,747 --> 00:05:17,177 S1: is everything gets an API, including people and objects and businesses, 95 00:05:17,737 --> 00:05:21,976 S1: and our digital assistants will also have that. And your 96 00:05:22,377 --> 00:05:26,497 S1: Da basically uses those services to interact with the world 97 00:05:26,497 --> 00:05:30,217 S1: on your behalf and then your Da. The third piece 98 00:05:30,217 --> 00:05:34,577 S1: is augmented reality. It will use all those different services, 99 00:05:34,577 --> 00:05:38,257 S1: all the data from those different APIs, to present to 100 00:05:38,257 --> 00:05:40,977 S1: you inside of your glasses or your lenses or whatever. 101 00:05:40,977 --> 00:05:45,417 S1: It is, the proper context for whatever you're doing, right? 102 00:05:45,817 --> 00:05:49,497 S1: And finally, the last piece is once you have a 103 00:05:49,497 --> 00:05:52,017 S1: company or a business or an individual or family or 104 00:05:52,017 --> 00:05:57,617 S1: whatever with sort of information about them presented at as APIs, 105 00:05:57,937 --> 00:06:01,817 S1: you could then take your AI, whatever the smartest AI 106 00:06:01,857 --> 00:06:05,177 S1: you have with the largest context, and sort of look 107 00:06:05,177 --> 00:06:08,017 S1: down at that entity that you're trying to manage, and 108 00:06:08,017 --> 00:06:10,017 S1: you could give it goals. You could say, I am 109 00:06:10,057 --> 00:06:13,647 S1: trying to achieve this in my family, in my business, 110 00:06:13,647 --> 00:06:17,727 S1: for my county, for my city, for my country. And 111 00:06:17,727 --> 00:06:20,487 S1: then your. I can sort of help you manage that. 112 00:06:20,487 --> 00:06:24,527 S1: So those are the concepts from the book. Then in 2018, 113 00:06:24,527 --> 00:06:26,967 S1: I got a job at Apple doing information security stuff. 114 00:06:26,967 --> 00:06:29,207 S1: But the team I came in with was actually a 115 00:06:29,207 --> 00:06:32,407 S1: machine learning team. So I had to refresh my horrible math, 116 00:06:32,927 --> 00:06:37,087 S1: and I went and did the full Andrew Ng machine 117 00:06:37,087 --> 00:06:40,727 S1: Learning course, which was on YouTube at the time, and 118 00:06:40,807 --> 00:06:45,127 S1: I ended up spending multiple years there at Apple building 119 00:06:45,127 --> 00:06:47,487 S1: out a security product, which they still use today. Pretty 120 00:06:47,527 --> 00:06:52,607 S1: happy about that. But, um, lots of practical experience of 121 00:06:52,847 --> 00:06:57,727 S1: using the ML stuff in the context of security. Um, 122 00:06:57,727 --> 00:07:00,167 S1: so really happy to have come in for that team 123 00:07:00,167 --> 00:07:03,847 S1: at Apple. Then in early 21, I left to go 124 00:07:03,887 --> 00:07:08,287 S1: build Appsec and Vulnerability Management at Robinhood with Caleb Sima. 125 00:07:09,007 --> 00:07:11,887 S1: And there I did a talk at Blackhat about building 126 00:07:11,997 --> 00:07:17,877 S1: vulnerability management based on company context and specifically asset management, 127 00:07:18,357 --> 00:07:20,797 S1: which turned out to be another sort of brick in 128 00:07:20,797 --> 00:07:25,557 S1: this path towards context. So after doing that, I decided 129 00:07:25,557 --> 00:07:29,157 S1: it was time to build things on my own and 130 00:07:29,197 --> 00:07:33,157 S1: do consulting stuff independently. So I went independent with unsupervised 131 00:07:33,157 --> 00:07:36,477 S1: learning in like August of 22. And that was just 132 00:07:36,477 --> 00:07:39,997 S1: a few months before ChatGPT came out. So obviously I 133 00:07:39,997 --> 00:07:44,197 S1: go absolutely insane when I see ChatGPT and I start 134 00:07:44,197 --> 00:07:47,077 S1: calling everyone I know. All my friends got that call, 135 00:07:47,077 --> 00:07:50,437 S1: my mom got that call, everyone got this call multiple times. 136 00:07:50,437 --> 00:07:53,997 S1: I was freaking out, basically saying drop everything, go do AI. 137 00:07:55,517 --> 00:07:57,437 S1: And the first place that my head went with all 138 00:07:57,437 --> 00:07:59,837 S1: this was thinking about the context that I would gather 139 00:07:59,837 --> 00:08:02,517 S1: in these security assessments and thinking about how I could 140 00:08:02,517 --> 00:08:06,037 S1: use this for security, obviously, because that's my background. But 141 00:08:06,037 --> 00:08:10,157 S1: I pretty quickly realized that this was bigger than just security. 142 00:08:10,397 --> 00:08:14,547 S1: It's actually more about the context first. So in March 143 00:08:14,547 --> 00:08:18,707 S1: of 23, I wrote this post called Sspca, which says 144 00:08:18,707 --> 00:08:23,707 S1: everything is about state policy questions and actions. Basically, you 145 00:08:23,707 --> 00:08:26,907 S1: have the current context for the company or the program 146 00:08:26,907 --> 00:08:29,467 S1: or the department, whatever it is you're trying to manage, 147 00:08:29,907 --> 00:08:33,707 S1: you have that current context. Then you have the policy, 148 00:08:33,707 --> 00:08:37,187 S1: which is what you're trying to accomplish. Then you have 149 00:08:37,187 --> 00:08:41,867 S1: the questions that you continuously want the answers to, and 150 00:08:41,867 --> 00:08:45,506 S1: then you have actions or what you know, what we 151 00:08:45,506 --> 00:08:49,786 S1: as people or I could take what we could do 152 00:08:50,026 --> 00:08:53,667 S1: to make that policy happen, make the desired state come true. 153 00:08:54,467 --> 00:08:57,227 S1: So with this, I start feeling like, okay, now I'm 154 00:08:57,227 --> 00:09:00,186 S1: starting to lock this thing in and make it more solid. 155 00:09:01,067 --> 00:09:03,266 S1: So that got decent traction, but I wanted to actually 156 00:09:03,307 --> 00:09:07,066 S1: demonstrate this. So I started working immediately on something more 157 00:09:07,067 --> 00:09:11,456 S1: practical as like a demo. So I did a talk 158 00:09:11,497 --> 00:09:15,017 S1: at Black Hat. I think the following year maybe, and 159 00:09:15,016 --> 00:09:18,337 S1: I put together this fake company called alma. And I 160 00:09:18,377 --> 00:09:21,896 S1: gave it tons of context for, like, everything about the company. 161 00:09:22,016 --> 00:09:25,377 S1: So its mission, how they differentiate from competitors, all their 162 00:09:25,377 --> 00:09:29,217 S1: different products, their goals, where they do business, the risk 163 00:09:29,217 --> 00:09:33,577 S1: register security team and its members and all their skill sets. Right. 164 00:09:33,617 --> 00:09:36,296 S1: The projects that they're working on, the list of applications 165 00:09:36,296 --> 00:09:39,817 S1: are it stack the dev teams, how they push code 166 00:09:39,817 --> 00:09:43,177 S1: like everything about this company. I put it into this file. 167 00:09:44,217 --> 00:09:46,977 S1: So now I can ask questions just like I do 168 00:09:46,977 --> 00:09:49,456 S1: in security assessments. And I was doing this using an 169 00:09:49,457 --> 00:09:53,656 S1: agent back in 23 to basically call this thing. And 170 00:09:53,656 --> 00:09:56,057 S1: the agent would look up all this different tools or whatever, 171 00:09:56,057 --> 00:09:59,536 S1: look at the context. And I could do planning for this. 172 00:09:59,536 --> 00:10:03,817 S1: I could do threat modeling, actually output reports. I could 173 00:10:03,817 --> 00:10:07,177 S1: write emails to auditors, I could respond to one off 174 00:10:07,176 --> 00:10:11,367 S1: security questionnaire questions because, you know, you have a problem 175 00:10:11,367 --> 00:10:14,087 S1: of like you have this database of security answers, but 176 00:10:14,087 --> 00:10:18,326 S1: the question always comes in different. This solves that. So 177 00:10:18,327 --> 00:10:21,167 S1: here's an example of a CISO making a statement about 178 00:10:21,207 --> 00:10:24,367 S1: no more connections to a particular resource. And we're asking 179 00:10:24,367 --> 00:10:27,687 S1: the question should this connection be allowed. And the AI 180 00:10:27,727 --> 00:10:31,167 S1: responds back that, no, this connection should not be allowed, 181 00:10:31,766 --> 00:10:34,807 S1: because the CISO said a minute ago that no more 182 00:10:34,807 --> 00:10:37,727 S1: connections to that particular resource. So you could do really 183 00:10:37,727 --> 00:10:43,006 S1: cool stuff when you have context. And throughout 23, 24 184 00:10:43,006 --> 00:10:45,727 S1: and now into 25, I've been building more and more 185 00:10:45,727 --> 00:10:52,487 S1: stuff that circulates around this central theme of context plus AI. 186 00:10:53,646 --> 00:10:57,886 S1: So later in 23, I built this thing called threshold. 187 00:10:57,886 --> 00:11:00,886 S1: It's an app that takes over 3000 sources on the internet, 188 00:11:01,166 --> 00:11:05,006 S1: tells me how good the context is independent of the source. 189 00:11:05,286 --> 00:11:09,477 S1: And it basically uses context about me It so it 190 00:11:09,477 --> 00:11:12,997 S1: knows what I like. And it's using that as the 191 00:11:12,997 --> 00:11:17,516 S1: level of quality of the ideas, right? The novelty of 192 00:11:17,516 --> 00:11:20,717 S1: the ideas, the number of ideas and having them being 193 00:11:20,717 --> 00:11:24,396 S1: shaped in a particular direction. Right. And I could slide 194 00:11:24,396 --> 00:11:27,436 S1: this lever and it only shows me content that exceeds 195 00:11:28,036 --> 00:11:32,717 S1: a certain threshold of quality. Currently about to launch another 196 00:11:32,916 --> 00:11:35,836 S1: product called Same Page, which is an enterprise product that 197 00:11:35,837 --> 00:11:40,717 S1: helps companies manage pretty much anything based on their company context. Um, 198 00:11:40,997 --> 00:11:43,957 S1: doing a lot of stuff with security programs here. Another 199 00:11:43,957 --> 00:11:46,757 S1: thing I've had for like nine years now, or maybe longer, 200 00:11:46,756 --> 00:11:51,556 S1: is my attack service monitoring system called Helios. And it 201 00:11:51,557 --> 00:11:54,357 S1: started off as basically pure automations, right? This is like 202 00:11:54,357 --> 00:11:58,197 S1: directory stuff, Linux stuff, using a bunch of tools, mostly 203 00:11:58,197 --> 00:12:02,477 S1: from project Discovery and a bunch of custom tooling and 204 00:12:02,477 --> 00:12:05,237 S1: Python and Bash and stuff. So it was very kind 205 00:12:05,237 --> 00:12:09,467 S1: of like a dumb system, very effective. Very fast. Very good. 206 00:12:09,506 --> 00:12:12,587 S1: But what I've done now is I'm turning this into 207 00:12:12,707 --> 00:12:15,586 S1: a complete AI model, and I'm rewriting it to be 208 00:12:15,587 --> 00:12:20,187 S1: context central. So everything goes into a particular location and 209 00:12:20,187 --> 00:12:22,867 S1: I start operating on it from there. So once again, 210 00:12:23,107 --> 00:12:28,066 S1: it's actions running against context. And the last one I'll 211 00:12:28,067 --> 00:12:31,066 S1: mention is like a daily brief for myself. So basically 212 00:12:31,067 --> 00:12:33,107 S1: looks at all these different sources that I have for 213 00:12:33,146 --> 00:12:38,227 S1: like open source intelligence, national security, like really smart people 214 00:12:38,227 --> 00:12:40,067 S1: who could, like, tell what's in the back of a 215 00:12:40,067 --> 00:12:43,067 S1: truck looking at a satellite photo based on the fact 216 00:12:43,067 --> 00:12:46,106 S1: of like the tire treads that are in the grass. 217 00:12:46,467 --> 00:12:49,747 S1: So I follow, you know, hundreds of people like that, 218 00:12:49,747 --> 00:12:51,427 S1: and I know they have good signal. So what I 219 00:12:51,426 --> 00:12:54,187 S1: do is I bring that all together, I do analysis 220 00:12:54,187 --> 00:12:57,386 S1: on it using a bunch of AI, and then it 221 00:12:57,386 --> 00:13:01,587 S1: gives me like the President's Daily Brief. So now I 222 00:13:01,587 --> 00:13:04,787 S1: could say, oh, it looks like this might be happening, um, 223 00:13:04,947 --> 00:13:07,816 S1: which I can start thinking about. I could talk about whatever. 224 00:13:09,896 --> 00:13:13,816 S1: So all these separate areas are kind of loosely revolving 225 00:13:13,817 --> 00:13:18,296 S1: around this concept of context. And I so I feel 226 00:13:18,296 --> 00:13:21,656 S1: like or have felt like for a long time that 227 00:13:21,896 --> 00:13:26,256 S1: this is congealing. It's coalescing into this single theme. Right. 228 00:13:26,497 --> 00:13:29,016 S1: But a couple of weeks ago I'm like, this is 229 00:13:29,016 --> 00:13:33,497 S1: not quite it. This is not quite it. I'm close, 230 00:13:33,497 --> 00:13:36,937 S1: but not not quite there. And I think I have 231 00:13:36,937 --> 00:13:39,737 S1: a much simpler way of describing this now. And that's 232 00:13:39,737 --> 00:13:43,256 S1: what I'm calling this unified entity context. And of course, 233 00:13:43,256 --> 00:13:45,016 S1: that won't be the real name that gets used because 234 00:13:45,057 --> 00:13:48,416 S1: Gartner will name it something and that'll be the new name. 235 00:13:48,817 --> 00:13:53,577 S1: No big deal. If we look at security specifically and 236 00:13:53,577 --> 00:13:55,617 S1: we look at some use cases, we find some really 237 00:13:55,617 --> 00:13:59,617 S1: interesting patterns. So for like a SOC analyst you got 238 00:13:59,617 --> 00:14:01,937 S1: tons of different logs, you got threat Intel reports, you 239 00:14:01,977 --> 00:14:07,766 S1: got identity stuff, endpoint data, all these different sources for 240 00:14:07,766 --> 00:14:09,847 S1: incident response. You've got the same stuff you have to 241 00:14:09,847 --> 00:14:12,486 S1: look at, but it's more focused around, like the narrative, 242 00:14:12,487 --> 00:14:16,326 S1: determining the scope, the timeline, stuff like that. With Pentesting, 243 00:14:16,327 --> 00:14:18,646 S1: you're also gathering tons of data and then trying to 244 00:14:18,646 --> 00:14:20,767 S1: put the pieces together and figure out like what to 245 00:14:20,807 --> 00:14:23,847 S1: go after. Same with Red team, but you're even more 246 00:14:23,847 --> 00:14:27,767 S1: focused on a larger scope, more interested in like the 247 00:14:27,767 --> 00:14:31,247 S1: context of everything and the impact that you can generate. 248 00:14:32,407 --> 00:14:36,247 S1: And with vulnerability management, we need to understand the organization 249 00:14:36,247 --> 00:14:39,927 S1: really well. Otherwise, it's really hard to do remediation, which 250 00:14:39,927 --> 00:14:43,806 S1: is kind of the whole point, program management. You got 251 00:14:43,847 --> 00:14:47,527 S1: to have project management, budgeting strategy, time management, all those 252 00:14:47,527 --> 00:14:51,247 S1: things combined. GRC you have to know what we need 253 00:14:51,247 --> 00:14:53,767 S1: to be compliant with and why. And we have to 254 00:14:53,767 --> 00:14:55,487 S1: know what our gaps are in terms of like the 255 00:14:55,487 --> 00:14:59,887 S1: risk register vulnerabilities, stuff like that. So the common issue 256 00:15:00,767 --> 00:15:04,927 S1: with most of these, really all of these is that 257 00:15:04,927 --> 00:15:07,397 S1: you have to be able to see multiple parts of 258 00:15:07,397 --> 00:15:11,197 S1: the organization all at once in context at the same time, 259 00:15:11,197 --> 00:15:14,277 S1: and then connect those pieces together. This is why security 260 00:15:14,277 --> 00:15:18,717 S1: analysts and incident responders and red teamers are so valuable. 261 00:15:19,037 --> 00:15:22,717 S1: It's not the single task in the problem that's hard. 262 00:15:22,957 --> 00:15:26,597 S1: It's integrating all the different sources to be able to 263 00:15:26,837 --> 00:15:31,717 S1: actually do that task. And I'm going to go a 264 00:15:31,717 --> 00:15:35,517 S1: little deeper into vulnerability management to illustrate this point. Since 265 00:15:35,517 --> 00:15:39,397 S1: I've lived in that hellscape for so long. What is 266 00:15:39,397 --> 00:15:43,956 S1: it that's actually hard about vulnerability management? Is it that 267 00:15:43,957 --> 00:15:46,957 S1: we don't have enough vulnerabilities? Is it that our dashboards 268 00:15:46,957 --> 00:15:50,317 S1: aren't pretty enough? That is not the problem. The problem 269 00:15:50,317 --> 00:15:54,997 S1: is when you have a given vulnerability, what application is 270 00:15:54,997 --> 00:15:59,037 S1: it part of? What engineering team is responsible for that application? 271 00:15:59,037 --> 00:16:03,077 S1: What repo do they work from? What DevOps workflows do 272 00:16:03,077 --> 00:16:06,316 S1: they use? Like how do they actually push code? How 273 00:16:06,317 --> 00:16:08,717 S1: do they fix things day to day? What is the 274 00:16:08,717 --> 00:16:11,397 S1: best way to get a really good fix to the 275 00:16:11,397 --> 00:16:15,117 S1: right person that doesn't annoy them, which causes their manager 276 00:16:15,117 --> 00:16:18,997 S1: to call over security and say stop bothering me. You 277 00:16:18,997 --> 00:16:21,477 S1: might think this is easy to find that person, but 278 00:16:21,477 --> 00:16:26,237 S1: keep in mind things are changing constantly. Reorgs team changes. 279 00:16:26,957 --> 00:16:30,477 S1: Tools are changing like the whole company is constantly in motion. 280 00:16:31,997 --> 00:16:35,997 S1: So here's the question how much of our inability to 281 00:16:36,037 --> 00:16:38,597 S1: do a great job at vulnerability management for the last 282 00:16:38,597 --> 00:16:42,797 S1: 15 years is a security problem, and how much of 283 00:16:42,797 --> 00:16:48,237 S1: it is actually an organizational knowledge problem? And now ask 284 00:16:48,237 --> 00:16:53,277 S1: that for other areas of security. Even crazier, it's not 285 00:16:53,277 --> 00:16:57,757 S1: just security. The software and services industries in general are 286 00:16:57,997 --> 00:17:03,197 S1: all based on asking specific questions to a specific set 287 00:17:03,197 --> 00:17:06,307 S1: of data and giving you an output in like a 288 00:17:06,347 --> 00:17:10,147 S1: kind of a specific type of UI, right? You have 289 00:17:10,147 --> 00:17:14,307 S1: HR data, right? You ask HR questions to the HR 290 00:17:14,347 --> 00:17:18,467 S1: data and they put that in an HR interface. Right. 291 00:17:18,507 --> 00:17:22,186 S1: Same with project management. Right. You have project management data. 292 00:17:22,547 --> 00:17:24,987 S1: You ask those questions. You put it into some sort 293 00:17:24,986 --> 00:17:28,387 S1: of PM UI. Do we really think that these things 294 00:17:28,627 --> 00:17:31,186 S1: are going to need their own separate databases and their 295 00:17:31,186 --> 00:17:34,947 S1: own separate APIs, their own separate tools, their own separate UIs? 296 00:17:35,907 --> 00:17:39,986 S1: I don't think so. I think that all goes away. 297 00:17:40,147 --> 00:17:43,987 S1: And what we end up with is this thing which 298 00:17:43,986 --> 00:17:49,186 S1: I'm calling unified entity context. So if you're an individual, 299 00:17:49,186 --> 00:17:52,186 S1: your history, your belief system, your aspirations, your favorite books 300 00:17:52,186 --> 00:17:56,506 S1: and music, past traumas, salary, high blood pressure, your friends, 301 00:17:56,507 --> 00:18:03,096 S1: your job, your career, family goals, upbringing, medical history. Your agenda, 302 00:18:03,097 --> 00:18:07,976 S1: your calendar, right, your financial goals for that particular day, 303 00:18:08,257 --> 00:18:10,897 S1: like what you're trying to do for this particular year, 304 00:18:11,017 --> 00:18:14,456 S1: getting ready for, you know, a half marathon, whatever it is. 305 00:18:14,777 --> 00:18:17,217 S1: But then, just like with the security program, you can 306 00:18:17,216 --> 00:18:20,337 S1: ask all sorts of questions. Why is my relationship with 307 00:18:20,337 --> 00:18:22,977 S1: my mother in law not working? What can I do 308 00:18:22,976 --> 00:18:26,217 S1: to improve my health? Right. Different questions you can ask. 309 00:18:27,017 --> 00:18:28,897 S1: If you're a company. It's back to the same thing 310 00:18:28,897 --> 00:18:32,976 S1: that we collected with the Alma context goals. The state 311 00:18:32,976 --> 00:18:36,657 S1: of all IT systems. What are my Kubernetes pods doing? 312 00:18:36,657 --> 00:18:41,097 S1: What are all my EC2 instances doing? What's going on GCP? 313 00:18:41,617 --> 00:18:46,216 S1: I want all slack messages, current projects, team members, the 314 00:18:46,216 --> 00:18:48,657 S1: state of HR. How many people are we hiring? How 315 00:18:48,657 --> 00:18:53,057 S1: many people just left? Why did they leave? Desired IRR 316 00:18:53,097 --> 00:18:56,337 S1: for the company. All products that we have, our current 317 00:18:56,337 --> 00:19:00,936 S1: marketing campaigns, all of our competitors, marketing campaigns for their products. 318 00:19:01,417 --> 00:19:05,367 S1: This becomes the baseline for everything. Once you have that, 319 00:19:05,847 --> 00:19:08,326 S1: then you have the smartest AI you have with the 320 00:19:08,327 --> 00:19:13,767 S1: largest context. Look down at the entire thing and soak 321 00:19:13,807 --> 00:19:21,087 S1: it in all at once. Let's think about this from 322 00:19:21,087 --> 00:19:23,887 S1: the attacker defender perspective, because this is another way that 323 00:19:23,887 --> 00:19:27,007 S1: I came at this and I came up with this 324 00:19:27,007 --> 00:19:31,527 S1: thing called Acad, which is AI capabilities for attackers and defenders. 325 00:19:31,726 --> 00:19:35,087 S1: And the basic idea was figure out what the attackers 326 00:19:35,087 --> 00:19:37,127 S1: want to do to us, and let's just make a 327 00:19:37,127 --> 00:19:39,686 S1: list of those so we can defend against them. So 328 00:19:39,686 --> 00:19:42,527 S1: the number one question I get asked is essentially where 329 00:19:42,527 --> 00:19:45,686 S1: do I spend money for cybersecurity. And this Acad thing 330 00:19:45,686 --> 00:19:49,167 S1: is basically a way to answer that is you give 331 00:19:49,167 --> 00:19:51,686 S1: the answer of, well, you think about what they're about 332 00:19:51,686 --> 00:19:53,407 S1: to do to you and you make sure you can 333 00:19:53,407 --> 00:19:56,607 S1: respond to it. So that turned into this project where 334 00:19:56,607 --> 00:20:00,726 S1: I'm gathering tons of these attacker capabilities, and I'm building 335 00:20:00,877 --> 00:20:05,316 S1: a corresponding set of defender capabilities. And we're trying to 336 00:20:05,317 --> 00:20:07,397 S1: figure out like, how do these play off of each other? 337 00:20:08,917 --> 00:20:13,517 S1: So basically the attacker capabilities will be gathering a whole 338 00:20:13,517 --> 00:20:15,837 S1: bunch of data, right? The idea is that when you 339 00:20:15,837 --> 00:20:19,077 S1: run these attacker capabilities or when they run them against you, 340 00:20:19,077 --> 00:20:22,077 S1: they're going to put them into their own version of 341 00:20:22,077 --> 00:20:26,277 S1: your context. They're going to have a target unified entity 342 00:20:26,277 --> 00:20:29,157 S1: context for you, for you as the target, which is 343 00:20:29,157 --> 00:20:33,117 S1: you as a company. Right. And I thought it would 344 00:20:33,117 --> 00:20:35,557 S1: look like this. I thought the most important thing was 345 00:20:35,557 --> 00:20:40,997 S1: actually these capabilities are like the most important. And I'm like, well, 346 00:20:40,997 --> 00:20:44,397 S1: we obviously want to maintain that inside of a state bucket, right. 347 00:20:44,397 --> 00:20:48,477 S1: The unified entity context. So I thought that was that. 348 00:20:48,917 --> 00:20:50,956 S1: But after thinking about it a lot more, I think 349 00:20:50,956 --> 00:20:55,836 S1: it's actually this the accuracy and the freshness of the 350 00:20:55,837 --> 00:20:59,877 S1: target context is actually the most important thing because the 351 00:20:59,986 --> 00:21:03,507 S1: ability to attack and pivot and hinge off of all 352 00:21:03,507 --> 00:21:06,746 S1: this different stuff and, you know, go a different route, 353 00:21:06,986 --> 00:21:12,427 S1: be dynamic, do attacker things and defender things. It all 354 00:21:12,466 --> 00:21:19,107 S1: hinges off the quality of this context. So where this 355 00:21:19,107 --> 00:21:22,827 S1: all takes us is that the top priority of attackers 356 00:21:23,226 --> 00:21:27,747 S1: will be having better USC models of your organization than 357 00:21:27,747 --> 00:21:32,466 S1: you do. So it'll be a competition between your attacker 358 00:21:32,466 --> 00:21:36,987 S1: and you, between who has the most accurate and up 359 00:21:37,027 --> 00:21:44,226 S1: to date context for your company. And this is absolutely insane, 360 00:21:44,226 --> 00:21:48,266 S1: because the very next step is realizing that we have 361 00:21:48,267 --> 00:21:55,267 S1: this entire thing completely backwards. Instead of cybersecurity or finance 362 00:21:55,267 --> 00:21:58,227 S1: or whatever, being at the center, like in this diagram 363 00:21:58,226 --> 00:22:01,336 S1: with context and I being like, oh, how do you 364 00:22:01,337 --> 00:22:05,657 S1: add AI to cybersecurity? Oh, we should gather more context, 365 00:22:05,936 --> 00:22:10,297 S1: you know, so we could do cybersecurity better. Nope. It's 366 00:22:10,337 --> 00:22:16,177 S1: actually the opposite. The context of the entity is everything. 367 00:22:16,297 --> 00:22:21,216 S1: It becomes primary along with the AI that operates. Looking 368 00:22:21,216 --> 00:22:26,417 S1: down at that context, software verticals kind of go away. 369 00:22:27,257 --> 00:22:32,817 S1: Software and service verticals just become use cases. They become 370 00:22:32,817 --> 00:22:38,977 S1: modules on top of unified context. And here's a completely 371 00:22:38,976 --> 00:22:42,977 S1: crazy question to think about. And this is currently like 372 00:22:42,976 --> 00:22:46,377 S1: blowing my mind. It has not stopped freaking me out 373 00:22:46,377 --> 00:22:49,856 S1: since I started thinking about this. What if all of 374 00:22:49,857 --> 00:22:55,177 S1: our decisions are only hard because we actually lack context? 375 00:22:55,577 --> 00:22:59,007 S1: What if the fog of war Is the thing that 376 00:22:59,007 --> 00:23:04,086 S1: makes things difficult. Think about a junior analyst being asked 377 00:23:04,087 --> 00:23:07,767 S1: if some connection is malicious or not, and they've got 378 00:23:07,807 --> 00:23:11,327 S1: like 27 different sources they can pull from all these 379 00:23:11,327 --> 00:23:15,967 S1: different repositories Google Docs, slack or whatever, and you're just like, 380 00:23:16,847 --> 00:23:18,806 S1: have at it. Good luck. I need to know if 381 00:23:18,807 --> 00:23:21,887 S1: this is dangerous or not. This is going to be really, 382 00:23:21,887 --> 00:23:25,257 S1: really hard for a junior analyst, you know, with 1 383 00:23:25,257 --> 00:23:29,847 S1: or 2 years experience, even three years experience. But now 384 00:23:29,887 --> 00:23:35,327 S1: imagine a principal analyst comes along to assist the junior analyst, 385 00:23:35,327 --> 00:23:40,167 S1: and they build them this elaborate timeline of everything that happened. 386 00:23:40,407 --> 00:23:45,927 S1: They take all the logs, they study them for 27 hours, 387 00:23:46,087 --> 00:23:50,887 S1: and they build this giant, complex visual map. Then this happened, 388 00:23:50,927 --> 00:23:54,287 S1: then this, this log in CrowdStrike that maps to this 389 00:23:54,287 --> 00:23:57,957 S1: log in Palo Alto, blah, blah, blah. Connect all the dots. Oh, 390 00:23:57,997 --> 00:23:59,637 S1: this is when the attacker did this. This is when 391 00:23:59,637 --> 00:24:02,236 S1: the attacker did this. That's when this happened. So it 392 00:24:02,236 --> 00:24:04,277 S1: looks like this person is actually the same person as 393 00:24:04,317 --> 00:24:08,917 S1: that person. And you could see it clearly. Now can 394 00:24:08,956 --> 00:24:13,756 S1: the junior analyst answer this question. Yes they can. They 395 00:24:13,757 --> 00:24:16,436 S1: could probably just be like, what are you talking about? 396 00:24:16,476 --> 00:24:20,997 S1: Oh that's obvious. I mean, yeah, look, obviously it's malicious 397 00:24:20,997 --> 00:24:24,677 S1: because you see the story right here. It's a narrative. 398 00:24:24,677 --> 00:24:29,397 S1: It's a story because of the context. Now watch this. 399 00:24:29,837 --> 00:24:32,596 S1: Maybe that doesn't even require a junior SOC analyst to 400 00:24:32,597 --> 00:24:35,397 S1: answer that. That could be an intern. That could be 401 00:24:35,397 --> 00:24:40,157 S1: somebody still in college who's barely learned any security at all. 402 00:24:40,677 --> 00:24:43,436 S1: And you're like, hey, so you're vaguely aware that there's 403 00:24:43,476 --> 00:24:47,397 S1: a security like concept and like, bad things are bad. 404 00:24:47,436 --> 00:24:50,197 S1: They're like, yeah, I guess it's like, well, what if 405 00:24:50,196 --> 00:24:54,237 S1: I showed you this diagram here and all these are 406 00:24:54,236 --> 00:24:57,186 S1: different logs that happened? Do you think that connection right 407 00:24:57,186 --> 00:25:04,667 S1: there is actually malicious? They're like yeah, obviously. So maybe 408 00:25:04,667 --> 00:25:09,387 S1: the problem isn't the difficulty of the task, but the 409 00:25:09,387 --> 00:25:13,707 S1: difficulty of filling in the context that paints the picture. 410 00:25:16,627 --> 00:25:19,907 S1: I think this is absolutely true. And it's why I 411 00:25:19,907 --> 00:25:24,026 S1: think unified entity context actually ends up being the most 412 00:25:24,027 --> 00:25:30,267 S1: important thing for the management of anything. An ice cream 413 00:25:30,307 --> 00:25:41,746 S1: truck business, the local city council group, right? A gardening collective, right. 414 00:25:42,067 --> 00:25:48,347 S1: A city government, a state, a country, a federation of planets. Basically, 415 00:25:48,387 --> 00:25:51,826 S1: I can use its understanding of the entity of the 416 00:25:51,827 --> 00:25:55,307 S1: thing that you care about to lower the difficulty of 417 00:25:55,307 --> 00:25:59,857 S1: most decisions because it can take snapshots of the current 418 00:25:59,857 --> 00:26:02,817 S1: state that's relevant to the decision that needs to be made, 419 00:26:03,657 --> 00:26:06,537 S1: and put it in context, in a timeline, in a 420 00:26:06,537 --> 00:26:12,377 S1: narrative that makes it obvious what you should do right. 421 00:26:12,577 --> 00:26:15,217 S1: If you think about the fog of war for like 422 00:26:15,216 --> 00:26:21,417 S1: a genius general. Oh, where's the enemy attacking? We don't know, sir. Okay. 423 00:26:21,456 --> 00:26:23,137 S1: How many troops do we have? We're not sure. We're 424 00:26:23,137 --> 00:26:27,577 S1: cut off from, uh, communication lines. How many troops do 425 00:26:27,577 --> 00:26:31,777 S1: the enemy have? We're not exactly sure. Somewhere between 10,000 426 00:26:31,777 --> 00:26:37,577 S1: and 100,000. Okay, cool. That requires genius of that, general. 427 00:26:38,537 --> 00:26:42,216 S1: That requires genius because they're operating in so much uncertainty. 428 00:26:42,497 --> 00:26:46,696 S1: When you bring that uncertainty down, you could pull a 429 00:26:46,696 --> 00:26:49,737 S1: private into that room and be like, okay, we know 430 00:26:49,736 --> 00:26:53,576 S1: the exact current state of everyone. What should we do? 431 00:26:53,617 --> 00:26:57,847 S1: And the private walks in is like, shouldn't we just 432 00:26:57,847 --> 00:27:00,407 S1: blow up that truck? Since that's the most important thing 433 00:27:01,407 --> 00:27:03,447 S1: and it has all the special plans in it, and 434 00:27:03,446 --> 00:27:06,647 S1: it has the special device in it. Should we just 435 00:27:06,647 --> 00:27:09,367 S1: blow that up? And everyone's like, yeah, exactly. That's exactly 436 00:27:09,367 --> 00:27:13,367 S1: what we should do. It requires genius. If you don't 437 00:27:13,367 --> 00:27:16,567 S1: have the information, it does not require genius if you do. 438 00:27:18,206 --> 00:27:20,966 S1: So the natural question is what does this mean if 439 00:27:20,966 --> 00:27:25,247 S1: this is correct? Well, if you're building a company, I 440 00:27:25,247 --> 00:27:29,247 S1: think you need to be thinking very carefully about how 441 00:27:29,247 --> 00:27:32,687 S1: to get access to unique data for your customers. You 442 00:27:32,686 --> 00:27:35,446 S1: might have the best phone management scanner, but if your 443 00:27:35,446 --> 00:27:39,967 S1: competitor partners with someone who provides unique data, or they 444 00:27:39,966 --> 00:27:44,007 S1: have unique data themselves for some other reason and they 445 00:27:44,007 --> 00:27:47,487 S1: have access to the customer's team structure, their GitHub repos, 446 00:27:48,127 --> 00:27:52,247 S1: their HR, you know, workday, they know employees coming, they 447 00:27:52,247 --> 00:27:55,957 S1: know all the org changes. They know all the dev pipelines. 448 00:27:56,196 --> 00:28:00,757 S1: They know which application corresponds to which dev team and 449 00:28:00,757 --> 00:28:06,677 S1: which developer. You are going to lose. It doesn't matter 450 00:28:06,677 --> 00:28:09,157 S1: how good your scanner is, if they know more about 451 00:28:09,157 --> 00:28:12,196 S1: the customer than you do, you're going to lose. So basically, 452 00:28:12,196 --> 00:28:15,276 S1: avoid getting beat by someone who knows more about the 453 00:28:15,277 --> 00:28:20,197 S1: customer's organization than you do. If you're in VC or 454 00:28:20,236 --> 00:28:23,837 S1: you're really any kind of investor, I'd be looking at 455 00:28:25,037 --> 00:28:28,877 S1: companies that are thinking deeper into this context and are 456 00:28:28,877 --> 00:28:33,117 S1: thinking about USC early, how to make it themselves if 457 00:28:33,117 --> 00:28:35,517 S1: they have to, how to partner with someone who's making 458 00:28:35,517 --> 00:28:39,197 S1: it up. I don't think you should look for people 459 00:28:39,197 --> 00:28:41,197 S1: who are trying to build the actual USC, because I 460 00:28:41,197 --> 00:28:43,556 S1: think that is so big, it's going to be most 461 00:28:43,557 --> 00:28:47,477 S1: likely the giant players that are doing it. But I 462 00:28:47,477 --> 00:28:50,357 S1: would say avoid betting on companies that ignore this deep 463 00:28:50,357 --> 00:28:54,747 S1: context threat and are probably going to lose as a result. 464 00:28:56,387 --> 00:28:59,106 S1: And if you're a defender and you're trying to figure out, 465 00:28:59,147 --> 00:29:03,507 S1: like what I do, I build. To improve my cybersecurity program, 466 00:29:04,227 --> 00:29:08,227 S1: you should start building your own unique context for your company. 467 00:29:08,587 --> 00:29:13,827 S1: Your attackers are going to have a version of context 468 00:29:13,827 --> 00:29:16,546 S1: for your company. They are going to have a unique 469 00:29:16,747 --> 00:29:21,227 S1: world model of you, and your version of that unique 470 00:29:21,267 --> 00:29:26,187 S1: world model needs to be better than theirs. And finally, 471 00:29:26,587 --> 00:29:28,867 S1: if you're just trying to figure out where things are going, 472 00:29:29,187 --> 00:29:34,547 S1: just imagine this whole AI state management, unified entity context 473 00:29:34,587 --> 00:29:36,747 S1: thing as a lens that you could use or not 474 00:29:36,747 --> 00:29:41,586 S1: use to interpret new AI developments. Basically, one way of 475 00:29:41,587 --> 00:29:45,227 S1: interpreting the news about AI that hopefully makes some sense. 476 00:29:46,627 --> 00:29:48,066 S1: Thanks for your time and I'll see you in the 477 00:29:48,067 --> 00:29:48,587 S1: next one.